Post Exploitation, network protocols, python3, smb, kerberos, rpc, ntlm, secrets dump

Impacket

Impacket is a Python3 module for crafting and decoding network packets. It supports low-level protocols like IP, UDP, TCP and higher-level ones like NMB and SMB.

Description

Impacket provides Python3 developers with classes to easily build and dissect network protocols. It enables crafting packets from scratch or parsing raw data, making it highly effective with packet capture utilities like Pcapy. The object-oriented API simplifies handling deep protocol hierarchies.

Use cases include network protocol analysis, penetration testing, and post-exploitation tasks such as dumping credentials or executing remote commands. Tools like impacket-secretsdump extract secrets from remote machines without agents, while impacket-wmiexec provides semi-interactive shells via WMI.

Impacket integrates authentication methods like NTLM hashes, Kerberos, and AES keys, supporting domain and target-specific operations.

How It Works

Impacket uses Python3 classes to construct and parse network packets at various layers, from IP/UDP/TCP to SMB/NMB. It leverages SMB, RPC, WMI, and Kerberos for remote interactions, dumping endpoints via epmapper, extracting SAM/NTDS data, or executing commands. Authentication supports hashes, tickets from ccache, keytabs, and direct credentials.

Installation

sudo apt install python3-impacket

Flags

-user USER                 Filter output by this user
-targets TARGETS           Input file with target systems to query info from (one per line). If not specified, the script runs in domain mode.
-hashes LMHASH:NTHASH      NTLM hashes, format is LMHASH:NTHASH
-no-pass                   Don't ask for password (useful for -k)
-k                         Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters.
-aesKey hex key            AES key to use for Kerberos Authentication (128 or 256
-target-ip ip address      IP address of the target machine. If omitted, it will use whatever was specified as target.
-port [destination port]   Destination port to connect to RPC Endpoint Mapper
-csv                       Turn on CSV output
-system SYSTEM             SYSTEM hive to parse (only binary REGF, as .reg text file lacks the metadata to compute the bootkey)
-share SHARE               Share where the output will be grabbed from (default ADMIN$)
-nooutput                  Whether or not to print the output (no SMB connection created)
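
A defender's view of the wmiexec options above (-share, -nooutput), as an added example that is not part of the original page or of Impacket: it flags process-creation events spawned by WmiPrvSE.exe whose command line redirects output to a share, and scores the no-redirect case lower. The event field names and sample events are constructed; the `cmd.exe /Q /c` prefix and `__<epoch>` output file name are assumptions based on stock wmiexec behaviour.

```python
import re

# Output redirect appended when output is collected: the share is ADMIN$ by
# default and changes with -share; file name assumed to be "__" + epoch time.
REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\(?P<share>[^\\\s]+)\\__\d+\.\d+\s+2>&1", re.I)
# Shell prefix used for each command (assumption: stock wmiexec, cmd.exe shell).
SHELL_PREFIX = re.compile(r"^cmd\.exe\s+/Q\s+/c\s", re.I)


def classify(event):
    """Return (severity, reason) for one process-creation event, or None."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["command_line"]
    if parent != "wmiprvse.exe":
        return None  # not spawned through the WMI provider host
    m = REDIRECT.search(cmdline)
    if m:
        return ("high", "WMI-spawned shell redirecting output to share "
                + m.group("share"))
    if SHELL_PREFIX.match(cmdline):
        # No redirect: consistent with -nooutput, but also with benign WMI jobs.
        return ("medium", "WMI-spawned cmd.exe /Q /c without output redirect")
    return None


def scan(events):
    """Return [(index, severity, reason)] for events that match."""
    verdicts = ((i, classify(ev)) for i, ev in enumerate(events))
    return [(i, *v) for i, v in verdicts if v]


# Constructed sample events (Sysmon Event ID 1 style fields, not real logs).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1713264000.123456 2>&1"},
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /Q /c ipconfig 1> \\127.0.0.1\C$\__1713264001.5 2>&1"},
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /Q /c hostname"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /Q /c dir 1> \\127.0.0.1\ADMIN$\__1713264002.1 2>&1"},
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"C:\Program Files\Vendor\agent.exe --inventory"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The medium-severity branch will also match legitimate management tooling that launches cmd.exe through WMI, so it is best correlated with the network logon that preceded it.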

Examples

Shows help for netview, which queries domain or target info
impacket-netview -h
Shows help for rpcdump, which dumps remote RPC endpoints via epmapper
impacket-rpcdump -h
Shows help for samrdump, which downloads list of users from target system
impacket-samrdump -h
Shows help for secretsdump, which dumps secrets from remote machine without executing agents
impacket-secretsdump -h
Shows help for wmiexec, which executes semi-interactive shell using WMI
impacket-wmiexec -h
Runs netview with identity for domain or target enumeration
impacket-netview [domain/]username[:password]
Dumps RPC endpoints from specified target
impacket-rpcdump [[domain/]username[:password]@]<targetName or address>
Updated 2026-04-16 (kali.org)