Impacket Cheat Sheet
Last updated
Last updated
provides functionality similar to PSEXEC, utilizing RemComSvc.
smbexec.py is another approach to PSEXEC, yet it does not require RemComSvc. It creates a local smb server to collect commands.
wmiexec.py offers a semi-interactive shell used through Windows Management Instrumentation (WMI).
dcomexec.py offers a semi-interactive shell akin to wmiexec.py but employs different DCOM endpoints.
GetTGT.py enables you to request a Ticket Granting Ticket (TGT) and save it as ccache, given a password, hash, or aesKey.
GetST.py is designed to request a Service Ticket (ST) and save it as ccache given a password, hash, aesKey, or TGT in ccache. -impersonate to request the ticket on behalf of another user.
GetPac.py uses a mix of [MS-SFU]’s S4USelf + User to User Kerberos Authentication to acquire the PAC (Privilege Attribute Certificate) structure of a target user by having normal authenticated user credentials.
GetUserSPNs.py finds and fetches Service Principal Names (SPNs) associated with normal user accounts
SecretsDump.py is a potent script that allows for the dumping of password hashes, LSA secrets, cached credentials, and other sensitive information from a Windows system.
Kerbrute.py is a very handy tool for brute-forcing user/password combinations against Kerberos. This can be quite helpful in enumerating valid users or discovering weak passwords within a given domain.
karmaSMB.py allows for the execution of an SMB relay attack. This is where authentication attempts from a client are intercepted and relayed to a third-party target, potentially allowing for unauthorized access.
karmaTFTP.py performs a similar function to karmaSMB.py, but operates over TFTP instead. The usage of this script is pretty similar:
For SAM and LSA Secrets, including cached credentials, the script attempts to read as much data as possible from the registry.
Mimikatz.py is a mini-shell that controls a remote mimikatz RPC server. Can also perform pass-the-hash, pass-the-ticket, or build Golden tickets.
general-purpose SMB client that lets you list shares and files, rename, upload and download files
MSSQL client, supporting both SQL and Windows Authentications (including hashes). -windows-auth is very important!
retrieves the MSSQL instance names from the target host. This script can be useful in various reconnaissance and penetration testing scenarios.
Ntlmrelayx.py executes NTLM Relay Attacks by setting up an SMB, HTTP, WCF, and RAW Server and relaying credentials to multiple protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be activated when a connection is relayed (for example, creating a user through LDAP), or it can be run in SOCKS mode. In SOCKS mode, for every connection relayed, it becomes available to be used multiple times later through a SOCKS proxy. Here’s an example of this command:
KarmaSMB.py is an SMB Server that responds with specific file contents, regardless of the SMB share and pathname specified. It is a part of MiTM attacks, where authentication attempts from a client are intercepted and relayed to a third-party target, potentially allowing unauthorized access. Here’s an example of how to use this script:
GoldenPac.py is an exploit script for MS14-068. It saves the golden ticket and also launches a PSEXEC session at the target. This could be useful in situations where elevation of privilege is required, as the golden ticket provides access as a domain administrator. An example command for using this script is:
SambaPipe.py is a script designed to exploit CVE-2017-7494. It uploads and executes the shared library specified by the user through the -so parameter. This could be useful in situations where the target system is vulnerable and code execution is desired. Here’s an example of using this script:
Smbrelayx.py is an exploit script for CVE-2015-0005 that uses an SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will attempt to gather the SMB session key through NETLOGON. This can potentially provide unauthorized access. An example of how to use this script is:
FindDelegation.py is a simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an Active Directory environment. This can be useful in assessing delegation configurations within a domain. Here’s an example of using this script:
GetADUsers.py gathers data about the domain’s users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes. This script can provide valuable data in user enumeration scenarios. Here’s an example of how to use this script:
Get-GPPPassword.py extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline. This script can be valuable for discovering potentially insecure GPP configurations. Here’s an example of how to use this script:
Mqtt_check.py is a simple MQTT example aimed at playing with different login options. It can be converted into an account/password brute forcer quite easily. This script can be useful in testing MQTT protocol security. Here’s an example of using this script:
Rdp_check.py provides a partial implementation of [MS-RDPBCGR] and [MS-CREDSSP] just to reach CredSSP auth. This example tests whether an account is valid on the target host. This script can help in testing RDP configurations and user account validity. Here’s an example of using this script:
Sniff.py is a simple packet sniffer that uses the pcapy library to listen for packets in transit over the specified interface. This script can be useful in network analysis or troubleshooting. Here’s an example of how to use this script:
Sniffer.py is a simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols. This script can be valuable in network analysis or troubleshooting. Here’s an example of how to use this script:
Ping.py is a simple ICMP ping script that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet. This script can be useful for basic network testing and troubleshooting. Here’s an example of how to use this script:
Ping6.py is a simple IPv6 ICMP ping script that uses the ICMP echo and echo-reply packets to check the status of a host.
SMBserver.py is a Python implementation of an SMB server. It allows for the quick setup of shares and user accounts. This tool can be useful in various scenarios including file sharing, systems management, and . Here’s an example of how to use this script: