impacket-scripts

Impacket and Impacket-scripts are open-source Python tools used for network protocol interaction, security testing, and penetration testing.

Impacket and Impacket-scripts are two widely used security tools in the realm of cybersecurity. These tools are open-source and provide a variety of functions that can be used for penetration testing, network reconnaissance, and other security assessments.

Impacket is a collection of Python classes that can be used to interact with network protocols. This tool is used by security professionals to develop and test exploits, create network tools, and interact with various network services. Impacket is capable of supporting a wide range of protocols, including SMB, LDAP, MSRPC, and Kerberos.

Impacket-scripts, on the other hand, is a collection of scripts built on top of Impacket. These scripts provide a higher level of functionality that can be used for various tasks such as password cracking, network sniffing, and reconnaissance. The toolset provided by Impacket-scripts is extensive and includes scripts for SMB attacks, LDAP enumeration, and Kerberos attacks, among others.

One of the key benefits of Impacket and Impacket-scripts is their simplicity and ease of use. Both tools are written in Python, which makes them highly flexible and customizable. The tools are also designed to be modular, meaning that they can be easily extended to support new protocols or functionality.

Another major advantage of Impacket and Impacket-scripts is that they are actively maintained and updated by a community of developers. This means that any bugs or vulnerabilities are quickly identified and fixed, making the tools more reliable and secure.

However, it's important to note that Impacket and Impacket-scripts are powerful tools that can be used for both legitimate security assessments and malicious purposes. As such, their usage should be limited to ethical hacking, security testing, and other lawful activities. Additionally, users should always obtain proper authorization before using these tools on any network or system.

In conclusion, Impacket and Impacket-scripts are highly versatile and powerful tools that are widely used in the cybersecurity industry. They provide a variety of functions that can be used for penetration testing, network reconnaissance, and other security assessments. While their power and flexibility are undeniable, they should always be used ethically and with proper authorization.

Packages and Binaries:

impacket-scripts

This package contains links to useful impacket scripts. It’s a separate package so that the impacket package can be kept as it is in Debian while the useful scripts are available in the path on Kali.

Installed size: 60 KB

How to install: sudo apt install impacket-scripts

Dependencies:
  • python3-dsinternals
  • python3-impacket
  • python3-ldap3
  • python3-ldapdomaindump
  • python3-pcapy

impacket-Get-GPPPassword

:~# impacket-Get-GPPPassword -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: Get-GPPPassword.py [-h] [-xmlfile XMLFILE] [-share SHARE]
                          [-base-dir BASE_DIR] [-ts] [-debug]
                          [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                          [-aesKey hex key] [-dc-ip ip address]
                          [-target-ip ip address] [-port [destination port]]
                          target

Group Policy Preferences passwords finder and decryptor

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
                        or LOCAL (if you want to parse local files)

options:
  -h, --help            show this help message and exit
  -xmlfile XMLFILE      Group Policy Preferences XML files to parse
  -share SHARE          SMB Share
  -base-dir BASE_DIR    Directory to search in (Default: /)
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it
                        will use the domain part (FQDN) specified in the
                        target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it
  -port [destination port]
                        Destination port to connect to SMB Server

impacket-GetADUsers

:~# impacket-GetADUsers -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: GetADUsers.py [-h] [-user username] [-all] [-ts] [-debug]
                     [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                     [-dc-ip ip address]
                     target

Queries target domain for users data

positional arguments:
  target                domain/username[:password]

options:
  -h, --help            show this help message and exit
  -user username        Requests data for specific user
  -all                  Return all users, including those with no email
                        addresses and disabled accounts. When used with -user
                        it will return user's info even if the account is
                        disabled
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter

impacket-GetNPUsers

:~# impacket-GetNPUsers -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE]
                     [-format {hashcat,john}] [-usersfile USERSFILE] [-ts]
                     [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                     [-aesKey hex key] [-dc-ip ip address]
                     target

Queries target domain for users with 'Do not require Kerberos
preauthentication' set and export their TGTs for cracking

positional arguments:
  target                domain/username[:password]

options:
  -h, --help            show this help message and exit
  -request              Requests TGT for users and output them in JtR/hashcat
                        format (default False)
  -outputfile OUTPUTFILE
                        Output filename to write ciphers in JtR/hashcat format
  -format {hashcat,john}
                        format to save the AS_REQ of users without pre-
                        authentication. Default is hashcat
  -usersfile USERSFILE  File with user per line to test
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter

impacket-GetUserSPNs

:~# impacket-GetUserSPNs -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN]
                      [-usersfile USERSFILE] [-request]
                      [-request-user username] [-save]
                      [-outputfile OUTPUTFILE] [-debug]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-dc-ip ip address]
                      target

Queries target domain for SPNs that are running under a user account

positional arguments:
  target                domain/username[:password]

options:
  -h, --help            show this help message and exit
  -target-domain TARGET_DOMAIN
                        Domain to query/request if different than the domain
                        of the user. Allows for Kerberoasting across trusts.
  -usersfile USERSFILE  File with user per line to test
  -request              Requests TGS for users and output them in JtR/hashcat
                        format (default False)
  -request-user username
                        Requests TGS for the SPN associated to the user
                        specified (just the username, no domain needed)
  -save                 Saves TGS requested to disk. Format is
                        <username>.ccache. Auto selects -request
  -outputfile OUTPUTFILE
                        Output filename to write ciphers in JtR/hashcat format
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter. Ignoredif -target-domain is specified.

impacket-addcomputer

:~# impacket-addcomputer -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: addcomputer.py [-h] [-domain-netbios NETBIOSNAME]
                      [-computer-name COMPUTER-NAME$]
                      [-computer-pass password] [-no-add] [-delete] [-debug]
                      [-method {SAMR,LDAPS}] [-port {139,445,636}]
                      [-baseDN DC=test,DC=local]
                      [-computer-group CN=Computers,DC=test,DC=local]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-dc-host hostname] [-dc-ip ip]
                      [domain/]username[:password]

Adds a computer account to domain

positional arguments:
  [domain/]username[:password]
                        Account used to authenticate to DC.

options:
  -h, --help            show this help message and exit
  -domain-netbios NETBIOSNAME
                        Domain NetBIOS name. Required if the DC has multiple
                        domains.
  -computer-name COMPUTER-NAME$
                        Name of computer to add.If omitted, a random
                        DESKTOP-[A-Z0-9]{8} will be used.
  -computer-pass password
                        Password to set to computerIf omitted, a random
                        [A-Za-z0-9]{32} will be used.
  -no-add               Don't add a computer, only set password on existing
                        one.
  -delete               Delete an existing computer.
  -debug                Turn DEBUG output ON
  -method {SAMR,LDAPS}  Method of adding the computer.SAMR works over
                        SMB.LDAPS has some certificate requirementsand isn't
                        always available.
  -port {139,445,636}   Destination port to connect to. SAMR defaults to 445,
                        LDAPS to 636.

LDAP:
  -baseDN DC=test,DC=local
                        Set baseDN for LDAP.If ommited, the domain part (FQDN)
                        specified in the account parameter will be used.
  -computer-group CN=Computers,DC=test,DC=local
                        Group to which the account will be added.If omitted,
                        CN=Computers will be used,

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on account parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-host hostname     Hostname of the domain controller to use. If ommited,
                        the domain part (FQDN) specified in the account
                        parameter will be used
  -dc-ip ip             IP of the domain controller to use. Useful if you
                        can't translate the FQDN.specified in the account
                        parameter will be used

impacket-atexec

:~# impacket-atexec -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: atexec.py [-h] [-session-id SESSION_ID] [-ts] [-silentcommand] [-debug]
                 [-codec CODEC] [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                 [-aesKey hex key] [-dc-ip ip address] [-keytab KEYTAB]
                 target [command ...]

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  command               command to execute at the target

options:
  -h, --help            show this help message and exit
  -session-id SESSION_ID
                        an existed logon session to use (no output, no
                        cmd.exe)
  -ts                   adds timestamp to every logging output
  -silentcommand        does not execute cmd.exe to run given command (no
                        output)
  -debug                Turn DEBUG output ON
  -codec CODEC          Sets encoding used (codec) from the target's output
                        (default "utf-8"). If errors are detected, run
                        chcp.com at the target, map the result with https://do
                        cs.python.org/3/library/codecs.html#standard-encodings
                        and then execute wmiexec.py again with -codec and the
                        corresponding codec

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If omitted it
                        will use the domain part (FQDN) specified in the
                        target parameter
  -keytab KEYTAB        Read keys for SPN from keytab file

impacket-dcomexec

:~# impacket-dcomexec -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug]
                   [-codec CODEC]
                   [-object [{ShellWindows,ShellBrowserWindow,MMC20}]]
                   [-com-version MAJOR_VERSION:MINOR_VERSION]
                   [-shell-type {cmd,powershell}] [-silentcommand]
                   [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                   [-dc-ip ip address] [-A authfile] [-keytab KEYTAB]
                   target [command ...]

Executes a semi-interactive shell using the ShellBrowserWindow DCOM object.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  command               command to execute at the target. If empty it will
                        launch a semi-interactive shell

options:
  -h, --help            show this help message and exit
  -share SHARE          share where the output will be grabbed from (default
                        ADMIN$)
  -nooutput             whether or not to print the output (no SMB connection
                        created)
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -codec CODEC          Sets encoding used (codec) from the target's output
                        (default "utf-8"). If errors are detected, run
                        chcp.com at the target, map the result with https://do
                        cs.python.org/3/library/codecs.html#standard-encodings
                        and then execute wmiexec.py again with -codec and the
                        corresponding codec
  -object [{ShellWindows,ShellBrowserWindow,MMC20}]
                        DCOM object to be used to execute the shell command
                        (default=ShellWindows)
  -com-version MAJOR_VERSION:MINOR_VERSION
                        DCOM version, format is MAJOR_VERSION:MINOR_VERSION
                        e.g. 5.7
  -shell-type {cmd,powershell}
                        choose a command processor for the semi-interactive
                        shell
  -silentcommand        does not execute cmd.exe to run given command (no
                        output, cannot run dir/cd/etc.)

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter
  -A authfile           smbclient/mount.cifs-style authentication file. See
                        smbclient man page's -A option.
  -keytab KEYTAB        Read keys for SPN from keytab file

impacket-dpapi

:~# impacket-dpapi -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: dpapi.py [-h] [-debug]
                {backupkeys,masterkey,credential,vault,unprotect} ...

Example for using the DPAPI/Vault structures to unlock Windows Secrets.

positional arguments:
  {backupkeys,masterkey,credential,vault,unprotect}
                        actions
    backupkeys          domain backup key related functions
    masterkey           masterkey related functions
    credential          credential related functions
    vault               vault credential related functions
    unprotect           Provides CryptUnprotectData functionality

options:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON

impacket-esentutl

:~# impacket-esentutl -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: esentutl.py [-h] [-debug] [-page PAGE]
                   databaseFile {dump,info,export} ...

Extensive Storage Engine utility. Allows dumping catalog, pages and tables.

positional arguments:
  databaseFile        ESE to open
  {dump,info,export}  actions
    dump              dumps an specific page
    info              dumps the catalog info for the DB
    export            dumps the catalog info for the DB

options:
  -h, --help          show this help message and exit
  -debug              Turn DEBUG output ON
  -page PAGE          page to open

impacket-exchanger

:~# impacket-exchanger -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: exchanger.py [-h] [-debug] [-rpc-hostname RPC_HOSTNAME]
                    [-hashes LMHASH:NTHASH]
                    target {nspi} ...

A tool to abuse Exchange services

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  {nspi}                A module name
    nspi                Attack NSPI interface

options:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG and EXTENDED output ON
  -rpc-hostname RPC_HOSTNAME
                        A name of the server in GUID (preferred) or NetBIOS
                        name format (see description in the beggining of this
                        file)

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

impacket-findDelegation

:~# impacket-findDelegation -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: findDelegation.py [-h] [-target-domain TARGET_DOMAIN] [-debug]
                         [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                         [-aesKey hex key] [-dc-ip ip address]
                         target

Queries target domain for delegation relationships

positional arguments:
  target                domain/username[:password]

options:
  -h, --help            show this help message and exit
  -target-domain TARGET_DOMAIN
                        Domain to query/request if different than the domain
                        of the user. Allows for retrieving delegation info
                        across trusts.
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter. Ignoredif -target-domain is specified.

impacket-getArch

:~# impacket-getArch -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: getArch.py [-h] [-target TARGET] [-targets TARGETS] [-timeout TIMEOUT]
                  [-debug]

Gets the target system's OS architecture version

options:
  -h, --help        show this help message and exit
  -target TARGET    <targetName or address>
  -targets TARGETS  input file with targets system to query Arch from (one per
                    line).
  -timeout TIMEOUT  socket timeout out when connecting to the target (default
                    2 sec)
  -debug            Turn DEBUG output ON

impacket-getPac

:~# impacket-getPac -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: getPac.py [-h] -targetUser TARGETUSER [-debug] [-hashes LMHASH:NTHASH]
                 credentials

positional arguments:
  credentials           domain/username[:password]. Valid domain credentials
                        to use for grabbing targetUser's PAC

options:
  -h, --help            show this help message and exit
  -targetUser TARGETUSER
                        the target user to retrieve the PAC of
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

impacket-getST

:~# impacket-getST -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: getST.py [-h] -spn SPN [-impersonate IMPERSONATE]
                [-additional-ticket ticket.ccache] [-ts] [-debug]
                [-force-forwardable] [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                [-aesKey hex key] [-dc-ip ip address]
                identity

Given a password, hash or aesKey, it will request a Service Ticket and save it
as ccache

positional arguments:
  identity              [domain/]username[:password]

options:
  -h, --help            show this help message and exit
  -spn SPN              SPN (service/server) of the target service the service
                        ticket will be generated for
  -impersonate IMPERSONATE
                        target username that will be impersonated (thru
                        S4U2Self) for quering the ST. Keep in mind this will
                        only work if the identity provided in this scripts is
                        allowed for delegation to the SPN specified
  -additional-ticket ticket.ccache
                        include a forwardable service ticket in a S4U2Proxy
                        request for RBCD + KCD Kerberos only
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -force-forwardable    Force the service ticket obtained through S4U2Self to
                        be forwardable. For best results, the -hashes and
                        -aesKey values for the specified -identity should be
                        provided. This allows impresonation of protected users
                        and bypass of "Kerberos-only" constrained delegation
                        restrictions. See CVE-2020-17049

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter

impacket-getTGT

:~# impacket-getTGT -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: getTGT.py [-h] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                 [-aesKey hex key] [-dc-ip ip address]
                 identity

Given a password, hash or aesKey, it will request a TGT and save it as ccache

positional arguments:
  identity              [domain/]username[:password]

options:
  -h, --help            show this help message and exit
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter

impacket-goldenPac

:~# impacket-goldenPac -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: goldenPac.py [-h] [-ts] [-debug] [-c pathname] [-w pathname]
                    [-dc-ip ip address] [-target-ip ip address]
                    [-hashes LMHASH:NTHASH]
                    target [command ...]

MS14-068 Exploit. It establishes a SMBConnection and PSEXEcs the target or
saves the TGT for later use.

positional arguments:
  target                [[domain/]username[:password]@]<targetName>
  command               command (or arguments if -c is used) to execute at the
                        target (w/o path). Defaults to cmd.exe. 'None' will
                        not execute PSEXEC (handy if you just want to save the
                        ticket)

options:
  -h, --help            show this help message and exit
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -c pathname           uploads the filename for later execution, arguments
                        are passed in the command option
  -w pathname           writes the golden ticket in CCache format into the
                        <pathname> file
  -dc-ip ip address     IP Address of the domain controller (needed to get the
                        users SID). If omitted it will use the domain part
                        (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target host you want to attack. If
                        omitted it will use the targetName parameter

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

impacket-karmaSMB

:~# impacket-karmaSMB --help
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: karmaSMB.py [--help] [-config pathname] [-smb2support] pathname

For every file request received, this module will return the pathname contents

positional arguments:
  pathname          Pathname's contents to deliver to SMB clients

options:
  --help            show this help message and exit
  -config pathname  config file name to map extensions to files to deliver.
                    For those extensions not present, pathname will be
                    delivered
  -smb2support      SMB2 Support (experimental!)

impacket-keylistattack

:~# impacket-keylistattack -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: keylistattack.py [-h] [-rodcNo RODCNO] [-rodcKey RODCKEY] [-full]
                        [-debug] [-domain DOMAIN] [-kdc KDC] [-t T] [-tf TF]
                        [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                        [-aesKey hex key] [-dc-ip ip address]
                        [-target-ip ip address]
                        target

Performs the KERB-KEY-LIST-REQ attack to dump secrets from the remote machine
without executing any agent there.

positional arguments:
  target                [[domain/]username[:password]@]<KDC HostName or IP
                        address> (Use this credential to authenticate to SMB
                        and list domain users (low-privilege account) or LIST
                        (if you want to parse a target file)

options:
  -h, --help            show this help message and exit
  -rodcNo RODCNO        Number of the RODC krbtgt account
  -rodcKey RODCKEY      AES key of the Read Only Domain Controller
  -full                 Run the attack against all domain users. Noisy! It
                        could lead to more TGS requests being rejected
  -debug                Turn DEBUG output ON

LIST option:
  -domain DOMAIN        The fully qualified domain name (only works with LIST)
  -kdc KDC              KDC HostName or FQDN (only works with LIST)
  -t T                  Attack only the username specified (only works with
                        LIST)
  -tf TF                File that contains a list of target usernames (only
                        works with LIST)

authentication:
  -hashes LMHASH:NTHASH
                        Use NTLM hashes to authenticate to SMB and list domain
                        users.
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos to authenticate to SMB and list domain
                        users. Grabs credentials from ccache file (KRB5CCNAME)
                        based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the
                        command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it

impacket-kintercept

:~# impacket-kintercept -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: kintercept.py [-h] [--server-port SERVER_PORT]
                     [--listen-port LISTEN_PORT] [--listen-addr LISTEN_ADDR]
                     [--request-handler HANDLER:ARG]
                     [--reply-handler HANDLER:ARG]
                     server

Intercept TCP streams

positional arguments:
  server                Target server address

options:
  -h, --help            show this help message and exit
  --server-port SERVER_PORT
                        Target server port
  --listen-port LISTEN_PORT
                        Port to listen on
  --listen-addr LISTEN_ADDR
                        Address to listen on
  --request-handler HANDLER:ARG
                        Example: s4u2else:user
  --reply-handler HANDLER:ARG
                        Example: tgs-rep-user:user

impacket-lookupsid

:~# impacket-lookupsid -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

usage: lookupsid.py [-h] [-ts] [-target-ip ip address]
                    [-port [destination port]] [-domain-sids]
                    [-hashes LMHASH:NTHASH] [-no-pass]
                    target [maxRid]

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  maxRid                max Rid to check (default 4000)

options:
  -h, --help            show this help message and exit
  -ts                   Adds timestamp to every logging output

connection:
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it
  -port [destination port]
                        Destination port to connect to SMB Server
  -domain-sids          Enumerate Domain SIDs (will likely forward requests to
                        the DC)

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful when proxying through
                        smbrelayx)

impacket-machine_role

:~# impacket-machine_role -h
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation