Skip to main content
Impacket includes a powerful collection of example scripts and tools for working with network protocols, particularly focused on Windows network security testing and research.

Tool Categories

The examples are organized into functional categories:

Remote Execution

Execute commands on remote systems via various protocols

Credential Dumping

Extract credentials from remote and local systems

Kerberos Attacks

Kerberoasting, AS-REP roasting, and ticket manipulation

LDAP Operations

Active Directory enumeration and manipulation

SMB Operations

File sharing, registry access, and SMB enumeration

Common Authentication Options

Most tools support multiple authentication methods: 
tool.py DOMAIN/username:password@target

Installation & Usage

After installing Impacket, all example scripts are available as command-line tools: 
# Install Impacket
pip install impacket

# Or from source
git clone https://github.com/fortra/impacket
cd impacket
pip install .

# Run examples
psexec.py --help
secretsdump.py --help

Quick Reference

Remote Execution Tools

ToolProtocolExecution ContextStealth
psexec.pySMB + Service ControlSYSTEMLow (Event logs)
smbexec.pySMB + Service ControlSYSTEMLow (Event logs)
wmiexec.pyDCOM/WMIAdmin userMedium
dcomexec.pyDCOM ObjectsAdmin userMedium
atexec.pyTask SchedulerSYSTEMMedium

Credential Dumping Tools

ToolTargetMethodRequires
secretsdump.pySAM, NTDS, LSARemote registry/DCSyncAdmin/DC Replication
Get-GPPPassword.pyGPP passwordsSYSVOL parsingDomain user
GetLAPSPassword.pyLAPS passwordsLDAP queriesDelegated permissions

Kerberos Attack Tools

ToolAttack TypeOutput FormatUsage
GetUserSPNs.pyKerberoastingJtR/HashcatRequest TGS for cracking
GetNPUsers.pyAS-REP RoastingJtR/HashcatFind users without pre-auth
ticketer.pyGolden/Silver Ticket.ccacheForge Kerberos tickets
getTGT.pyTGT Request.ccacheRequest TGT with credentials

Output Formats

Many tools support multiple output formats: 
GetUserSPNs.py -request domain/user:pass@dc -outputfile hashes.txt
john --wordlist=rockyou.txt hashes.txt

Common Parameters

Enable verbose debug output to troubleshoot connection issues
Specify Domain Controller IP address (required for Kerberos)
Target machine IP when using NetBIOS names
Specify custom port (default: 445 for SMB, 88 for Kerberos)
Use Kerberos authentication instead of NTLM
Don’t prompt for password (use with -k and KRB5CCNAME)
Add timestamps to logging output

Security Considerations

These tools are designed for authorized security testing and research only. Unauthorized access to computer systems is illegal.

Best Practices

  • Always obtain proper authorization before testing
  • Use dedicated test environments when learning
  • Monitor for detection - understand what logs are generated
  • Use encrypted channels when possible (Kerberos, LDAPS)
  • Clean up artifacts - remove created accounts, services, files

Troubleshooting

# Test SMB connectivity
smbclient.py domain/user@target

# Check with debug output
tool.py domain/user@target -debug

# Verify port access
nc -zv target 445
nc -zv target 135  # For WMI/DCOM

Next Steps

Remote Execution

Learn how to execute commands remotely

Credential Dumping

Extract and dump credentials

Kerberos Attacks

Perform Kerberos-based attacks

API Reference

Use Impacket in your own tools

Build docs developers (and LLMs) love

Get started for freeTalk to us