Impacket Deep Dives Vol. 1: Command Execution

Shelling a lab machine with Impacket’s

Impacket is a collection of tools built by SecureAuth Corp for “working with networking protocols”. That is true, but it is so much more than that: Impacket contains dozens of amazing tools for interacting with Windows systems and applications, many of which are ideal for attacking Windows and Active Directory.

In this article, I’m going to cover the utilities that Impacket offers for executing commands and getting shells on remote hosts. Even if you have used one of them before, you might be surprised to learn that Impacket offers nearly half a dozen ways of executing commands on a remote host, and I’m going to cover all of them.

Note: if you’re using password-based authentication, the target argument to all of the Impacket remote execution tools takes the form DOMAIN/USERNAME:PASSWORD@HOST . If any of these fields contains characters your shell treats specially (the password is the usual culprit), quote the whole target and escape as necessary so that the shell passes it through to the tool unchanged.
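Here is a small added helper for that target string. It is my example, not code from the article or from Impacket. It assembles DOMAIN/USERNAME:PASSWORD@HOST and single-quotes the result so that spaces, $, ! and the like survive the shell. It also encodes an assumption about Impacket’s own target parser (parse_target in impacket/examples/utils.py, as I read it): the parser splits on the “/” after the domain, the “:” after the user and the “@” before the host, so a domain or user containing those characters, or a password containing “@”, cannot be expressed in the target at all; for such passwords leave the field empty and let the tool prompt.

```shell
#!/bin/sh
# Added example (not from the article, not Impacket code): build and quote the
# DOMAIN/USERNAME:PASSWORD@HOST target that Impacket's example scripts take.

# impacket_target DOMAIN USER PASSWORD HOST
# Prints the target string, or prints an error and returns 1 when a field
# contains a separator the target format cannot carry (assumption: Impacket's
# parse_target splits on '/', ':' and the '@' before the host).
impacket_target() {
    local domain=$1 user=$2 pass=$3 host=$4 t
    case $domain in
        *[/:@]*) echo "domain must not contain '/', ':' or '@'" >&2; return 1 ;;
    esac
    case $user in
        *[:@]*) echo "user must not contain ':' or '@'" >&2; return 1 ;;
    esac
    case $pass in
        *@*) echo "password contains '@': omit it and type it at the prompt instead" >&2
             return 1 ;;
    esac
    t=$user
    if [ -n "$domain" ]; then t="$domain/$t"; fi
    if [ -n "$pass" ]; then t="$t:$pass"; fi
    printf '%s\n' "$t@$host"
}

# sh_quote STRING: wrap STRING in single quotes for pasting into a shell.
# An embedded single quote becomes '\'' (close quote, escaped quote, reopen).
sh_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Demo with constructed values: a password with a space and a '!' in it.
target=$(impacket_target CORP alice 'Sup3r Secret!' 10.0.0.5)
printf 'raw target:      %s\n' "$target"
printf 'on the cmdline:  psexec.py %s\n' "$(sh_quote "$target")"

# A password with '@' cannot be passed this way; fall back to the prompt.
if ! impacket_target CORP bob 'p@ssw0rd' 10.0.0.5; then
    printf 'use instead:     psexec.py %s  (and type the password when asked)\n' \
        "$(sh_quote "$(impacket_target CORP bob '' 10.0.0.5)")"
fi
```

Single quotes are the right choice here because nothing inside them is interpreted by the shell, so the only character that needs handling is the single quote itself.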

In this article, I will not be covering authentication with hashes and Kerberos tickets, but keep an eye out for an article on that in the near future!

How it works


Using to get a SYSTEM shell on a Windows host with credentials

Once you’re done, make sure to exit with the exit command instead of Ctrl+C, so that the tool cleans up the executable and service it created on the target. If you kill it instead, both are left behind on the host.

Other cool features

Uploading Invoke-Mimikatz.ps1 with

Since Psexec is a widely used tool and is easy to detect, it will often get caught by antivirus, and Windows Defender in particular flags it routinely. Fortunately, Impacket has a couple of other remote access tools, some of which fly a little lower under the radar, and the methods below tend to get past AV more easily.

How it works


How it works


Getting a semi-interactive NT AUTHORITY\SYSTEM shell with

This tool does not have the same built-in commands for uploading and downloading files. Additionally, since the shell is only semi-interactive, be careful about which commands you run and how you run them: anything that waits for input will hang the session. If you have to run PowerShell, build one-liners rather than typing a script in line by line.
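One way to keep PowerShell to a single command, as an added example of mine rather than anything from the article: encode the script the way powershell.exe’s -EncodedCommand switch expects (base64 of the UTF-16LE text), so a multi-line script becomes one command line with no quoting to worry about. It assumes iconv and base64 are available on the attacking machine; the sample script is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): turn a multi-line PowerShell script into
# a single -EncodedCommand one-liner that a semi-interactive shell can run as
# one command. PowerShell expects the payload as base64 of the UTF-16LE text.

# ps_encode SCRIPT: print base64(UTF-16LE(SCRIPT)) on one line.
# tr strips the line wrapping that GNU base64 adds by default.
ps_encode() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# ps_oneliner SCRIPT: print the complete command line to hand to the exec tool.
# -NoProfile avoids profile scripts; -NonInteractive makes PowerShell fail
# instead of blocking if something tries to prompt, which matters on a
# channel that cannot answer prompts.
ps_oneliner() {
    printf 'powershell.exe -NoProfile -NonInteractive -EncodedCommand %s\n' \
        "$(ps_encode "$1")"
}

# Constructed sample: two lines that would need quoting if passed inline.
SAMPLE='$p = Get-Process | Sort-Object CPU -Descending | Select-Object -First 3
$p | Format-Table Name,Id,CPU -AutoSize'

ps_oneliner "$SAMPLE"
```

The same encoding works for any PowerShell invocation, not just through Impacket; the thing to watch is that it is UTF-16LE, not UTF-8, or PowerShell will reject the command.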

How it works


Running a command with

How it works


Using to execute a command

Bonus: and xp_cmdshell

The xp_cmdshell


Using xp_cmdshell and sp_start_job SQL_USER:SQL_PASS@RHOST
SQL> enable_xp_cmdshell
SQL> disable_xp_cmdshell
SQL> xp_cmdshell SOMECOMMAND
SQL> sp_start_job SOMECOMMAND

These are mostly self-explanatory, but a few details matter. enable_xp_cmdshell turns the xp_cmdshell extended stored procedure on through sp_configure (show advanced options, then xp_cmdshell, with a RECONFIGURE after each), which is a server-wide configuration change and is logged; disable_xp_cmdshell reverses it, so run it when you are done. sp_start_job runs the command as a SQL Server Agent job with a command-line step instead, which avoids touching xp_cmdshell but only works if the SQL Server Agent service is running. Both routes need high privileges on the SQL Server (typically sysadmin).


It’s worth noting that some of these tools will almost certainly be caught by Windows Defender or other antivirus products, depending on the vendor and how up to date its signatures are. If one tool gets caught, try another until you find one that works (assuming you aren’t trying to be stealthy :) ). In my experience, I’ve had or slip past Windows Defender where has gotten caught.


Student, hacker, OSCP. My other computer is your computer.