This chapter covers the Impacket suite, a collection of Python scripts designed for interacting with Windows network protocols. Impacket is a critical tool for penetration testers, especially on the PT0-002 exam, as it enables exploitation of Windows services, lateral movement, and privilege escalation. Expect approximately 5-10% of exam questions to involve Impacket tools, their usage, and their underlying mechanisms. Mastering Impacket is essential for the Tools and Scripts domain (Objective 5.1).
Impacket is like a locksmith's master key set for a large office building with many rooms, each with its own lock. The building represents a Windows network domain, and each room is a computer or service. A normal user has a key that opens only their own office. A domain administrator has a master key that opens every room. Impacket provides a collection of specialized tools that act like lockpicks and skeleton keys, allowing a penetration tester to open any room without having the master key. For example, secretsdump.py is like a tool that extracts the lock combination from the building's security office, giving you the ability to create keys for any room. psexec.py is like a tool that lets you remotely unlock and enter a room, execute tasks, and lock it back. smbexec.py works similarly but uses a different method to avoid setting off alarms. The key point is that Impacket tools interact with Windows protocols (like SMB, Kerberos, LDAP) in a way that mimics legitimate administrative tools, but with the flexibility to use stolen credentials or hashes. This allows testers to move laterally and gain privileges without needing the original passwords, much like a locksmith who can create a new key from a lock impression.
What is Impacket?
Impacket is a collection of Python classes and scripts developed by SecureAuth (originally by Core Security) for working with network protocols. It provides low-level programmatic access to protocols like SMB, MSRPC, LDAP, Kerberos, and NTLM. For penetration testers, Impacket includes ready-to-use scripts that perform tasks such as dumping password hashes, executing commands remotely, and performing pass-the-hash attacks. The suite is open-source and widely used in red team operations.
Why Impacket Exists
Windows networks rely on complex authentication and remote management protocols. Native tools like PsExec (from Sysinternals) require administrative credentials and are often detected by antivirus. Impacket scripts are written in Python, making them cross-platform and easily modifiable. They also support advanced techniques like pass-the-hash (PtH) and pass-the-ticket (PtT), allowing testers to authenticate using only the NTLM hash or Kerberos ticket without needing the plaintext password. This is crucial for lateral movement after initial compromise.
How Impacket Works Internally
Impacket implements the protocol layers from scratch. For example, the SMB implementation handles SMB dialects (v1, v2, v3), session setup, tree connect, and named pipe operations. The MSRPC implementation allows interaction with remote procedure calls (RPC) endpoints like the Windows Task Scheduler or Service Control Manager. The Kerberos implementation can perform AS-REQ, TGS-REQ, and even Kerberos delegation attacks (e.g., RBCD, S4U2Self).
When you run a script like psexec.py, it performs the following steps:
Connect to the target via SMB using the supplied credentials (username, password, hash, or ticket).
Open a named pipe to the Service Control Manager (SCM) via MSRPC (\pipe\svcctl).
Create a service on the remote system with a random name, pointing to a binary that executes a command (e.g., cmd.exe /c whoami).
Start the service, which executes the command.
Capture the output via a temporary SMB share or named pipe.
Delete the service to clean up.
Other scripts follow similar patterns but target different RPC endpoints or use different mechanisms.
Key Components and Defaults
- Impacket Version: The latest stable version (as of 2025) is 0.11.0. The exam may reference scripts from earlier versions.
- Common Scripts:
  - psexec.py: Remotely execute commands via SMB and SCM. Requires admin credentials.
  - smbexec.py: Similar to PsExec but uses a different method (creates a service but reads output via SMB shares). More stealthy.
  - wmiexec.py: Uses WMI (Windows Management Instrumentation) to execute commands. No service creation, but requires WMI access.
  - secretsdump.py: Dumps SAM, LSA secrets, and NTDS.dit (domain controller) hashes. Requires admin or SYSTEM privileges.
  - mimikatz.py: A Python port of Mimikatz (limited functionality).
  - ticketer.py: Creates golden/silver Kerberos tickets.
  - GetUserSPNs.py: Queries for Service Principal Names (SPNs) for Kerberoasting.
  - GetNPUsers.py: Queries for users without Kerberos pre-authentication (AS-REP Roasting).
  - rpcdump.py: Enumerates RPC endpoints.
  - samrdump.py: Dumps SAM via RPC.
- Default Ports: SMB uses TCP 445 (or 139 for NetBIOS), MSRPC uses TCP 135 and dynamic high ports (but Impacket often uses SMB named pipes to avoid dynamic ports).
- Authentication: Supports NTLM, Kerberos, and plaintext passwords. Can also use LM/NT hashes directly.
Configuration and Verification Commands
To install Impacket: `pip install impacket`
To verify installation: `impacket-scripts --help`, or print the installed version: `python -c "import impacket; print(impacket.__version__)"`
Example usage:

```shell
# Dump SAM hashes from saved hive files of a local machine (requires admin to export the hives)
secretsdump.py -sam /path/to/SAM -system /path/to/SYSTEM LOCAL
# Dump hashes from a remote system using credentials
secretsdump.py DOMAIN/User:Password@TargetIP
# Execute command via PsExec
psexec.py DOMAIN/User:Password@TargetIP cmd.exe
# Pass-the-hash with psexec
psexec.py -hashes LMHash:NTHash DOMAIN/User@TargetIP cmd.exe
# Kerberoasting
GetUserSPNs.py DOMAIN/User:Password -outputfile hashes.txt
# AS-REP Roasting
GetNPUsers.py DOMAIN/User:Password -request -format hashcat
```

Interaction with Related Technologies
Impacket often works alongside other tools:
- Metasploit: Impacket scripts can be used to deliver payloads or gather credentials that Metasploit modules can use.
- Responder: Responder captures NTLM hashes, which Impacket can then use for PtH.
- CrackMapExec (CME): CME uses Impacket internally for many operations (e.g., cme smb uses psexec and secretsdump).
- BloodHound: Impacket scripts like GetUserSPNs.py provide data for BloodHound to map attack paths.
Key Details for the Exam
Pass-the-Hash: Impacket allows PtH with -hashes flag. The hash format is LMHash:NTHash. If LM hash is not available, use aad3b435b51404eeaad3b435b51404ee (empty LM hash).
Local vs Domain: secretsdump.py can dump local SAM hashes (requires SYSTEM or admin) or domain hashes from a DC (requires admin on DC).
Service Creation: psexec.py creates a service, which is logged in the Windows Event Log (Event ID 4697 or 7045). smbexec.py also creates a service but uses a different technique to hide the command. wmiexec.py does not create a service, making it more stealthy.
Detection: Antivirus and EDR often flag Impacket scripts. Using modified versions or obfuscation may be necessary.
Python Version: Impacket requires Python 3.6+ (some older scripts need Python 2.7).
Summary of Important Scripts for PT0-002
psexec.py: For remote command execution. Creates a service.
smbexec.py: For remote command execution via SMB. More stealthy.
wmiexec.py: For remote command execution via WMI. No service creation.
secretsdump.py: For dumping password hashes from SAM, LSA, or NTDS.dit.
GetUserSPNs.py: For Kerberoasting.
GetNPUsers.py: For AS-REP Roasting.
ticketer.py: For forging Kerberos tickets.
rpcdump.py: For enumerating RPC interfaces.
samrdump.py: For dumping SAM via RPC.
Understanding these scripts and their underlying protocols is essential for the exam.
Install Impacket via pip
Run `pip install impacket` to install the latest version. Verify with `impacket-scripts --help` or by importing in Python. Ensure Python 3.6+ is installed. If using older tools, Python 2.7 may be needed but is deprecated. For the exam, know that Impacket is Python-based and cross-platform.
Gather credentials or hashes
Impacket requires credentials: username, password, NTLM hash, or Kerberos ticket. Often obtained via phishing, keylogging, or dumping from a compromised host. Use `secretsdump.py` to dump hashes from a local or remote system. For pass-the-hash, use the `-hashes` flag with LM:NTLM format.
Execute remote command using psexec
Run `psexec.py DOMAIN/User:Password@TargetIP cmd.exe`. This connects to the target via SMB, creates a service, executes cmd.exe, and returns output. The service is created with a random name and deleted after. This logs Event ID 4697 (service creation) and 7045 (service start) on the target.
Use smbexec for stealthier execution
Run `smbexec.py DOMAIN/User:Password@TargetIP`. It also creates a service but uses a different technique to read output via SMB shares, making it slightly harder to detect. The command is embedded in the service binary path, which may be truncated in logs. Preferred over psexec for stealth.
Use wmiexec for no-service execution
Run `wmiexec.py DOMAIN/User:Password@TargetIP`. It uses WMI to execute commands, which does not create a service. It spawns a process via WMI (e.g., cmd.exe) and captures output via a temporary file shared over SMB. This is more stealthy but requires WMI access (admin rights and DCOM enabled).
Dump hashes with secretsdump
Run `secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL` (each flag takes the path to a saved registry hive) to dump local SAM hashes offline. For remote: `secretsdump.py DOMAIN/User:Password@TargetIP`. It reads the SAM, SYSTEM, and SECURITY registry hives via remote registry (requires admin). On a DC, it dumps NTDS.dit via DRSUAPI (replication). Output includes LM and NTLM hashes.
In enterprise environments, Impacket is used by penetration testers to simulate lateral movement and privilege escalation after an initial foothold. Common scenarios include:
Post-Exploitation Hash Dumping: After compromising a user workstation, a tester uses secretsdump.py to dump local SAM hashes. If the user is a local admin on other machines, those hashes can be used with psexec.py to move laterally. For example, a tester with a foothold on a helpdesk computer dumps hashes and finds the local administrator hash, which is reused on several servers due to poor password hygiene. Using psexec.py -hashes, the tester gains access to a file server containing sensitive data.
Domain Compromise via Kerberoasting: A tester with a domain user account runs GetUserSPNs.py to enumerate service accounts with SPNs. The script returns a list of users and their TGS tickets. The tester then cracks the tickets offline to obtain the service account passwords. If a service account has local admin on a server, the tester can escalate privileges. This is a common attack path during internal penetration tests.
Stealthy Command Execution: In a heavily monitored environment, a tester uses wmiexec.py instead of psexec.py to avoid creating services, which are often flagged by SIEM. The tester executes commands to enumerate domain controllers and then uses secretsdump.py with DRSUAPI to dump all domain hashes without writing to disk. This approach minimizes artifacts and evades EDR solutions that monitor for service creation.
Performance Considerations: Impacket scripts can be slow over high-latency links due to protocol overhead. Using -nooutput or -no-bind flags may speed up certain operations. Also, some scripts (like secretsdump) can generate significant network traffic when dumping a large NTDS.dit file.
Common Misconfigurations: Firewalls blocking SMB (port 445) or RPC (port 135) can prevent Impacket from working. Testers often need to find alternative routes or use HTTP tunnels. SMB signing is another factor: Impacket's SMB implementation supports signing, so pass-the-hash still works against targets that require it, but an old script version without signing support will fail to connect.
The PT0-002 exam tests Impacket under Objective 5.1 (Tools and Scripts) and also in the Context of Attacks (Objective 4.2). Specific areas include:
Identifying which Impacket script to use for a given task: For example, the exam may ask: 'Which Impacket script would you use to dump password hashes from a domain controller?' The correct answer is secretsdump.py. Common wrong answer: psexec.py (which executes commands, not dumps hashes) or mimikatz.py (which is not a core Impacket script but a separate tool).
Pass-the-Hash syntax: The exam may present a scenario and ask for the correct command to perform pass-the-hash. The flag is -hashes and the format is LMHash:NTHash. A common mistake is using -hash or providing only the NTLM hash without the colon.
Stealth considerations: Questions may compare psexec.py, smbexec.py, and wmiexec.py. The wrong answer often states that psexec.py is the most stealthy, when in fact wmiexec.py is more stealthy because it does not create a service.
Kerberoasting vs AS-REP Roasting: The exam may ask which script to use for each. GetUserSPNs.py is for Kerberoasting (requires valid credentials); GetNPUsers.py is for AS-REP Roasting (targets users without pre-auth). A common trap: running GetNPUsers.py against a user who does require pre-auth, which simply produces no output.
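The two roasting techniques above are preconditions a defender can audit before any ticket is requested: AS-REP roasting needs the DONT_REQ_PREAUTH bit in userAccountControl, and Kerberoasting needs a user account carrying an SPN, with RC4 tickets making the offline crack far cheaper than AES. The following is an added example, not Impacket code, that scores constructed account records the way an internal posture check would; the `Account` fields, the risk levels and the remediation strings are my own, and treating an unset msDS-SupportedEncryptionTypes as RC4-capable is a deliberately conservative assumption.

```python
"""Posture check for Kerberoasting and AS-REP roasting exposure.  Added example
(not Impacket code); account records are constructed to resemble attributes
pulled from Active Directory (userAccountControl, servicePrincipalName,
msDS-SupportedEncryptionTypes)."""
from dataclasses import dataclass, field
from typing import List, Optional

# userAccountControl bits
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000   # the flag GetNPUsers.py searches for

# msDS-SupportedEncryptionTypes bits
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10
ENC_AES_ONLY = ENC_AES128 | ENC_AES256


@dataclass
class Account:
    name: str
    object_class: str                 # "user", "computer" or "msDS-GroupManagedServiceAccount"
    uac: int
    spns: List[str] = field(default_factory=list)
    enc_types: Optional[int] = None   # None = attribute not set on the object


def rc4_tickets_possible(enc_types: Optional[int]) -> bool:
    """RC4 service tickets (the fast-to-crack kind) can be issued when the
    attribute permits RC4.  An unset attribute is treated as RC4-capable here,
    a conservative assumption for an audit rather than a statement of DC policy."""
    return enc_types is None or bool(enc_types & ENC_RC4_HMAC)


def audit(accounts: List[Account]) -> List[dict]:
    """Return one finding per roastable condition, with a risk level and a fix."""
    findings = []
    for acct in accounts:
        # Machine accounts and krbtgt hold long random keys; out of scope here.
        if acct.object_class == "computer" or acct.name.lower() == "krbtgt":
            continue
        if acct.uac & UAC_ACCOUNTDISABLE:
            continue   # disabled accounts cannot obtain tickets at all
        if acct.uac & UAC_DONT_REQ_PREAUTH:
            findings.append({"account": acct.name, "issue": "asrep-roastable", "risk": "high",
                             "fix": "clear DONT_REQ_PREAUTH so the KDC demands a pre-auth timestamp"})
        if acct.spns:
            if acct.object_class == "msDS-GroupManagedServiceAccount":
                risk, fix = "low", "gMSA password is long, random and auto-rotated; keep AES-only"
            elif rc4_tickets_possible(acct.enc_types):
                risk, fix = "high", "set msDS-SupportedEncryptionTypes to AES-only and move to a gMSA or a long random password"
            else:
                risk, fix = "medium", "AES-only ticket; still needs a long random password or a gMSA"
            findings.append({"account": acct.name, "issue": "kerberoastable", "risk": risk, "fix": fix})
    return findings


# Constructed sample directory data (not from any real domain).
# 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; 0x1020 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD
SAMPLE_ACCOUNTS = [
    Account("svc_sql", "user", 0x10200, ["MSSQLSvc/db01.corp.example:1433"], None),
    Account("svc_web", "user", 0x10200, ["HTTP/web01.corp.example"], ENC_AES_ONLY),
    Account("gmsa_backup$", "msDS-GroupManagedServiceAccount", 0x10200, ["HOST/bk01.corp.example"], ENC_AES_ONLY),
    Account("legacy_app", "user", 0x10200 | UAC_DONT_REQ_PREAUTH),
    Account("old_svc", "user", 0x10200 | UAC_ACCOUNTDISABLE, ["cifs/old.corp.example"], None),
    Account("WS01$", "computer", 0x1020, ["HOST/ws01.corp.example"], ENC_AES_ONLY),
    Account("jdoe", "user", 0x10200),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f['risk']:<6} {f['issue']:<16} {f['account']:<14} {f['fix']}")
```

Running the block prints four findings: svc_sql (high, RC4 possible), svc_web (medium, AES-only), gmsa_backup$ (low) and legacy_app (AS-REP roastable); the disabled, computer and ordinary user accounts produce nothing, which is the point of the filtering.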
Local vs Domain dumping: secretsdump.py can dump local SAM hashes from saved hive files (the -sam, -system and -security options with the LOCAL target) or remote domain hashes with just credentials. The exam may ask about the required privileges: admin on the target for local, admin on DC for domain.
Default ports: SMB uses TCP 445 (or 139). MSRPC uses 135. The exam may test that Impacket uses SMB (445) for most operations.
Detection: The exam may mention that service creation (psexec) generates Event ID 4697 or 7045. Knowing this helps in forensic analysis questions.
Edge Cases:
If the target has SMB signing enforced, Impacket may still work because it supports signing, but if the script version is old, it may fail.
If the target is not part of a domain, use the local account syntax: ./User:Password@Target or User@Target (with dot for local).
Impacket scripts can be used with a Kerberos ticket via the -k flag and KRB5CCNAME environment variable.
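Two of the exam traps above are purely about syntax: the `-hashes` value must be `LMHash:NTHash` with the colon (L91), and a local account is written with a leading `./` in the `[[domain/]username[:password]@]target` form (L99). The added example below, my own code and not Impacket's parser, validates both formats so the mistakes show up before anything is run; the hex values are constructed placeholders, and normalising a missing LM field to the empty-password LM hash from this page is my choice, not a documented Impacket behaviour.

```python
"""Validators for the two Impacket command-line formats the exam tests:
the -hashes value and the target specification.  Added example; not the
project's own parsing code.  Sample values are constructed."""
import re
from typing import Optional

# LM hash of an empty password, used when no LM hash is available (from the page).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# [[domain/]username[:password]@]target  (the shape Impacket scripts accept)
TARGET = re.compile(
    r"^(?:(?:(?P<domain>[^/@:]*)/)?(?P<user>[^@:]*)(?::(?P<password>[^@]*))?@)?(?P<target>.+)$"
)


def parse_hashes(value: str) -> dict:
    """Validate an LMHash:NTHash pair.  Raises ValueError for the common
    mistakes: no colon (NT hash alone) or a hash that is not 32 hex digits."""
    if ":" not in value:
        raise ValueError("expected LMHash:NTHash; the NT hash alone (no colon) is not accepted")
    lm, nt = value.split(":", 1)
    if lm == "":
        lm = EMPTY_LM          # assumption for this validator: blank LM means 'unknown', use empty-LM
    if not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError("each hash must be exactly 32 hexadecimal characters")
    return {"lm": lm.lower(), "nt": nt.lower(), "lm_is_empty": lm.lower() == EMPTY_LM}


def parse_target(spec: str) -> dict:
    """Split domain, user, password and target.  A domain of '.' is the page's
    local-account form; an empty domain is simply 'unspecified'."""
    m = TARGET.match(spec)
    if not m or not m.group("target"):
        raise ValueError(f"cannot parse target specification: {spec!r}")
    parts = m.groupdict()
    domain = parts["domain"] or ""
    return {
        "domain": domain,
        "user": parts["user"] or "",
        "password": parts["password"],   # None when a hash or ticket is used instead
        "target": parts["target"],
        "local_account": domain == ".",
    }


if __name__ == "__main__":
    print(parse_hashes(":0123456789abcdef0123456789abcdef"))            # constructed NT hash
    print(parse_target("CORP/alice:Secr3t@10.0.0.5"))                   # constructed domain logon
    print(parse_target("./Administrator@host01"))                       # page's local-account syntax
    try:
        parse_hashes("0123456789abcdef0123456789abcdef")                # the exam trap: no colon
    except ValueError as err:
        print("rejected:", err)
```

The `password` field stays `None` for `DOMAIN/User@Target`, which is exactly the form that pairs with `-hashes` or `-k`; a script that feeds its arguments through these two functions cannot silently produce the "no colon" mistake the exam likes to test.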
Eliminating Wrong Answers: Always identify the primary function of the script (execution, dumping, enumeration) and the required privileges. If a question asks about dumping hashes, eliminate any script that does not perform dumping (e.g., psexec.py, wmiexec.py). If asked about pass-the-hash, ensure the command includes -hashes and the correct hash format.
Impacket is a Python suite for interacting with Windows protocols (SMB, MSRPC, Kerberos, etc.).
Key scripts: psexec.py (remote exec via service), smbexec.py (remote exec via SMB), wmiexec.py (remote exec via WMI), secretsdump.py (hash dumping).
Pass-the-hash uses the -hashes flag with format LMHash:NTHash.
secretsdump.py can dump local SAM (requires admin) or domain NTDS.dit (requires admin on DC).
Kerberoasting uses GetUserSPNs.py; AS-REP Roasting uses GetNPUsers.py.
psexec creates a service (logged as Event ID 4697/7045); wmiexec is stealthier.
Impacket requires Python 3.6+ and pip install impacket.
Default SMB port is TCP 445; MSRPC uses TCP 135.
Impacket supports NTLM and Kerberos authentication.
For local accounts, use ./User or User@Target (with dot for local).
These come up on the exam all the time. Here's how to tell them apart.
psexec.py
Creates a service on the target for execution.
Generates Event ID 4697 (service creation) and 7045 (service start).
Requires admin privileges and SMB access (port 445).
Output is captured via named pipe or SMB share.
More likely to be detected by EDR due to service creation.
wmiexec.py
Uses WMI to execute commands, no service creation.
Generates WMI activity (Event ID 5861) but no service events.
Requires admin privileges and WMI access (DCOM, port 135).
Output is written to a temporary file and shared via SMB.
More stealthy, but may be blocked if WMI is disabled.
Mistake
Impacket is a single tool for all Windows exploitation.
Correct
Impacket is a suite of many Python scripts, each with a specific purpose (e.g., psexec.py for remote execution, secretsdump.py for hash dumping). Candidates must know which script to use for a given task.
Mistake
psexec.py is the most stealthy remote execution method.
Correct
psexec.py creates a service, which is logged. wmiexec.py does not create a service and is more stealthy. smbexec.py also creates a service but is slightly more stealthy than psexec due to different output handling.
Mistake
Pass-the-hash requires the plaintext password.
Correct
Pass-the-hash uses the NTLM hash directly, not the password. The `-hashes` flag accepts the LM and NTLM hashes in format LMHash:NTHash. No plaintext password is needed.
Mistake
secretsdump.py only works on domain controllers.
Correct
secretsdump.py can dump local SAM hashes from any Windows machine (with admin privileges) by pointing the `-sam`, `-system` and `-security` options at saved hive files and using the `LOCAL` target. It can also dump domain hashes from a DC via DRSUAPI.
Mistake
Impacket scripts only work on Windows.
Correct
Impacket is written in Python and runs on any OS with Python installed (Linux, macOS, Windows). The scripts target Windows machines, but the attacker's machine can be non-Windows.
Use pip: `pip install impacket`. Ensure Python 3.6+ is installed. For older versions, you may need to clone the Git repository and run `python setup.py install`. Verify with `impacket-scripts --help`.
Both create a service on the target, but smbexec.py reads command output via an SMB share rather than a named pipe, making it slightly more stealthy. psexec.py creates a service with a random name and deletes it after execution. Both generate service creation events.
Yes, if you have administrative privileges on the domain controller. Use `psexec.py -hashes LMHash:NTHash DOMAIN/User@DCIP cmd.exe`. However, many DCs have SMB signing enabled and may require Kerberos. You can also use `secretsdump.py` with hashes to dump NTDS.dit.
It dumps password hashes from the SAM database (local), LSA secrets, and cached domain credentials. On a domain controller, it can dump the entire NTDS.dit file via DRSUAPI replication. It requires SYSTEM or administrative privileges.
Use `GetUserSPNs.py DOMAIN/User:Password -outputfile hashes.txt`. This queries the domain for Service Principal Names (SPNs) and requests TGS tickets for those services. The tickets are saved to a file for offline cracking.
Yes, many AV/EDR solutions detect Impacket scripts because they use known malicious patterns. To evade, you can modify the source code, use obfuscation, or execute in memory. For the exam, know that detection is possible and that wmiexec.py is less likely to trigger alerts than psexec.py.
Most scripts use SMB over TCP 445 (or 139 for NetBIOS). WMI uses DCOM over TCP 135 and dynamic high ports. MSRPC uses TCP 135. Kerberos uses UDP/TCP 88. Ensure these ports are accessible from the attacker machine.