Impacket
Python network protocol library for Windows/Active Directory protocols — implements SMB, Kerberos, LDAP, NTLM, DCE/RPC for security testing. Impacket features: SMBConnection for file shares and lateral movement, Kerberos AS-REP roasting and Kerberoasting, LDAP queries via ldap3, secretsdump for extracting NTLM hashes, GetNPUsers (AS-REP roasting), GetUserSPNs (Kerberoasting), psexec/smbexec/wmiexec for remote code execution, DCE/RPC endpoint scanning, NTLMv1/NTLMv2 relay, DCOM execution, and smbclient. Primary Python toolkit for Active Directory security assessment and Windows network penetration testing.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
CRITICAL: Dual-use offensive security tool requiring explicit written authorization. Handles credential material (NTLM hashes, Kerberos tickets) — store in encrypted secure storage, never log. Agent security automation must validate authorization scope before every operation. Audit trail of all Impacket operations required for responsible disclosure.
⚡ Reliability
Best When
Authorized penetration testing or red team exercises targeting Windows/Active Directory environments — Impacket provides the most comprehensive Python implementation of Windows authentication protocols for agent security assessment automation.
Avoid When
You don't have explicit written authorization for the target systems. Impacket is dual-use security tooling requiring clear authorization context.
Use Cases
- • Agent LDAP enumeration — from impacket.ldap import ldap; conn = ldap.LDAPConnection(ldap://dc01.corp.local, baseDN='dc=corp,dc=local'); conn.login(user, password); results = conn.search(searchFilter='(objectClass=user)') — enumerate AD users; agent collects org chart for security assessment
- • Agent SMB share enumeration — from impacket.smbconnection import SMBConnection; smb = SMBConnection(target_ip, target_ip); smb.login(user, password, domain); shares = smb.listShares() — discover accessible SMB shares; agent maps accessible network resources during pentesting
- • Agent Kerberoasting — GetUserSPNs.py corp.local/user:pass -dc-ip 10.0.0.1 -outputfile hashes.txt — extract Kerberos service ticket hashes for offline cracking; agent security assessment identifies misconfigured service accounts with weak passwords
- • Agent secret dumping — secretsdump.py corp/admin:pass@dc01 -just-dc-ntlm — extract NTLM hashes from domain controller; red team agent extracts credential material for analysis; requires Domain Admin privileges
- • Agent remote execution — psexec.py corp/admin:pass@target — remote command execution via SMB; agent lateral movement simulation in authorized red team exercise; wmiexec.py for WMI-based execution without service creation
Not For
- • Production application networking — Impacket is for security testing; for legitimate SMB/LDAP access in production use python-ldap or smbprotocol
- • Unauthorized systems — Impacket requires explicit authorization; using on systems without permission is illegal
- • Defensive monitoring — for detecting these attacks use SIEM/EDR; Impacket is offensive tooling
Interface
Authentication
Windows authentication: password, NTLM hash (pass-the-hash), Kerberos ticket (pass-the-ticket), or certificate. All auth methods for Windows AD environments. Credentials must be for authorized target systems.
Pricing
Impacket is Apache 2.0 licensed by Fortra (formerly SecureAuth). Free for authorized security testing use.
Agent Metadata
Known Gotchas
- ⚠ Impacket requires explicit written authorization — using Impacket on systems without authorization violates Computer Fraud and Abuse Act (US) and equivalent laws globally; agent security automation must validate target scope against authorized IP ranges before any Impacket operation; include authorization scope check as first step in all agent security workflows
- ⚠ pip install impacket installs outdated version — PyPI impacket may lag GitHub by months; agent security tooling should install from GitHub: pip install git+https://github.com/fortra/impacket.git; some critical vulnerability discoveries require latest commit not PyPI release
- ⚠ Kerberoasting leaves audit trail — GetUserSPNs.py generates Windows Security Event 4769 (Kerberos service ticket request) for each SPN; defender agent EDR detects unusual ticket requests; red team agent must coordinate with blue team on detection vs stealth requirements
- ⚠ NTLM hash pass-the-hash requires NTLM auth — many modern environments disable NTLM in favor of Kerberos; impacket psexec with hash fails on Kerberos-only systems; agent must check authentication method supported before attempting pass-the-hash
- ⚠ secretsdump requires elevated privileges — secretsdump Domain Admin on DC, or local admin + SeDebugPrivilege on workstation; agent running secretsdump with insufficient privileges gets 'Access denied'; always verify privilege level before attempting credential extraction
- ⚠ SMBConnection target_ip must be IP not hostname for NTLM — SMBConnection('hostname', 'hostname') triggers Kerberos; SMBConnection('10.0.0.1', '10.0.0.1') forces NTLM; agent code requiring NTLM authentication must pass IP not hostname to avoid Kerberos negotiation failures
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Impacket.
Scores are editorial opinions as of 2026-03-06.