Impacket Tools


What is Impacket?

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

Remote Execution

psexec.py: PSEXEC-like functionality example using RemComSvc (
smbexec.py: A similar approach to PSEXEC w/o using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require installing any service/agent at the target server. Runs as Administrator. Highly stealthy.
dcomexec.py: A semi-interactive shell similar to, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows, and ShellBrowserWindow objects.


GetTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
GetST.py: Given a password, hash, aesKey, or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf of another user.
GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having normal authenticated user credentials. It does so using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.
GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat.
GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos pre-authentication' set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.
ticketConverter.py: This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa.
ticketer.py: This script will create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, ExtraSids, duration, etc.
raiseChild.py: This script implements a child-domain to forest privilege escalation by (ab)using the concept of Golden Tickets and ExtraSids.

Windows Secrets

secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available), and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. The script initiates the services required for its working if they are unavailable (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to their original state.
mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.

Server Tools/MiTM Attacks

ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. create a user through LDAP) or can be executed in SOCKS mode. In this mode, every relayed connection is kept available to be used later, multiple times, through a SOCKS proxy.
karmaSMB.py: An SMB Server that answers specific file contents regardless of the SMB share and pathname specified.
smbserver.py: A Python implementation of an SMB server. Allows quick setup of shares and user accounts.


wmiquery.py: It allows issuing WQL queries and getting descriptions of WMI objects at the target system (e.g. select name from win32_account).
wmipersist.py: This script creates/removes a WMI Event Consumer/Filter and links between both to execute Visual Basic based on the WQL filter or timer specified.

Known Vulnerabilities

goldenPac.py: Exploit for MS14-068. Saves the golden ticket and also launches a PSEXEC session at the target.
sambaPipe.py: This script will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
smbrelayx.py: Exploit for CVE-2015-0005 using an SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will try to gather the SMB session key through NETLOGON.


smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It's an excellent example to see how to use impacket smb in action.
addcomputer.py: Allows adding a computer to a domain using LDAP or SAMR (SMB).
getArch.py: This script will connect to a target machine (or a list of target machines) and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
ifmap.py: This script will bind to the target's MGMT interface to get a list of interface IDs. It will use that list on top of another list of interface UUIDs seen in the wild, trying to bind to each interface and report whether the interface is listed and/or listening.
lookupsid.py: A Windows SID brute-forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.
netview.py: Gets a list of the sessions opened at the remote hosts and keeps track of them, looping over the hosts found and keeping track of who logged in/out from remote servers.
opdump.py: This binds to the given hostname, port, and MSRPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.
reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.
rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.
samrdump.py: An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares, and other sensitive information exported through this service.
services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.


mssqlinstance.py: Retrieves the MSSQL instance names from the target host.
mssqlclient.py: An MSSQL client, supporting SQL and Windows Authentications (hashes too). It also supports TLS.

File Formats

esentutl.py: An Extensible Storage Engine format implementation. Allows dumping catalog, pages, and tables of ESE databases (e.g. NTDS.dit).
ntfs-read.py: NTFS format implementation. This script provides a mini shell for browsing and extracting an NTFS volume, including hidden/locked contents.
registry-read.py: A Windows Registry file format implementation. It allows parsing offline registry hives.


findDelegation.py: A simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment.
GetADUsers.py: This script will gather data about the domain's users and their corresponding email addresses. It will also include some extra information about the last logon and last password set attributes.
mqtt_check.py: Simple MQTT example aimed at playing with different login options. It can be converted into an account/password brute-forcer quite easily.
[MS-RDPBCGR] and [MS-CREDSSP] partial implementation just to reach CredSSP auth. This example tests whether an account is valid on the target host.
sniff.py: Simple packet sniffer that uses the pcapy library to listen for packets in transit over the specified interface.
sniffer.py: Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.
ping.py: Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet.
ping6.py: Simple IPv6 ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host.