Add commands

Author: SimonSchubert

assets/commands/impacket-addcomputer.md

@@ -0,0 +1,78 @@
+# TLDR
+
+**Add a computer account** to the domain using default credentials
+
+```impacket-addcomputer -computer-name '[NEWPC$]' -computer-pass '[Password123]' '[domain]/[user]:[password]'```
+
+**Add a computer account** specifying the domain controller IP
+
+```impacket-addcomputer -computer-name '[NEWPC$]' -dc-ip [192.168.1.100] '[domain]/[user]:[password]'```
+
+**Add a computer** using LDAPS (secure connection)
+
+```impacket-addcomputer -computer-name '[NEWPC$]' -use-ldaps '[domain]/[user]:[password]'```
+
+**Add a computer** using Kerberos authentication with a ticket
+
+```impacket-addcomputer -computer-name '[NEWPC$]' -k -no-pass '[domain]/[user]'```
+
+**Delete a computer account** from the domain
+
+```impacket-addcomputer -computer-name '[TARGETPC$]' -delete '[domain]/[user]:[password]'```
+
+# SYNOPSIS
+
+**impacket-addcomputer** [_-h_] [_-computer-name NAME_] [_-computer-pass PASSWORD_] [_-no-add_] [_-delete_] [_-dc-ip IP_] [_-dc-host HOSTNAME_] [_-use-ldaps_] [_-hashes LMHASH:NTHASH_] [_-no-pass_] [_-k_] [_-aesKey KEY_] _target_
+
+# PARAMETERS
+
+**-computer-name** _NAME_
+> Name of the computer account to add (should end with $)
+
+**-computer-pass** _PASSWORD_
+> Password for the new computer account
+
+**-delete**
+> Delete the specified computer account instead of adding
+
+**-no-add**
+> Don't add a computer, only set its password (requires existing account)
+
+**-dc-ip** _IP_
+> IP address of the domain controller
+
+**-dc-host** _HOSTNAME_
+> Hostname of the domain controller
+
+**-use-ldaps**
+> Use LDAPS instead of LDAP
+
+**-hashes** _LMHASH:NTHASH_
+> Use NTLM hashes for authentication instead of password
+
+**-no-pass**
+> Don't ask for password (useful with -k)
+
+**-k**
+> Use Kerberos authentication from ccache file
+
+**-aesKey** _KEY_
+> AES key to use for Kerberos authentication
+
+# DESCRIPTION
+
+**impacket-addcomputer** is a tool from the Impacket library that allows adding or removing computer accounts in an Active Directory domain. By default, domain users can add up to 10 computer accounts (controlled by the ms-DS-MachineAccountQuota attribute), making this useful for penetration testing scenarios.
+
+The tool communicates with the domain controller via LDAP or SAMR protocols to create machine accounts. Created computer accounts can then be used for various attack techniques including resource-based constrained delegation attacks.
+
+# CAVEATS
+
+Requires valid domain credentials with permissions to create computer accounts. The default ms-DS-MachineAccountQuota may be set to 0 in hardened environments. Computer names should follow NetBIOS naming conventions and typically end with a dollar sign ($).
+
+# HISTORY
+
+Impacket was created by **SecureAuth** (formerly Core Security) as a collection of Python classes for working with network protocols. The addcomputer script was added to support Active Directory penetration testing workflows, particularly after research into resource-based constrained delegation attacks became prominent around **2018-2019**.
+
+# SEE ALSO
+
+[impacket-getadusers](/man/impacket-getadusers)(1), [impacket-secretsdump](/man/impacket-secretsdump)(1), [ldapsearch](/man/ldapsearch)(1), [net](/man/net)(1)

assets/commands/impacket-getadusers.md

@@ -0,0 +1,69 @@
+# TLDR
+
+**Enumerate all domain users** with their details
+
+```impacket-getadusers -all '[domain]/[user]:[password]'```
+
+**Query users** specifying the domain controller IP
+
+```impacket-getadusers -all -dc-ip [192.168.1.100] '[domain]/[user]:[password]'```
+
+**Get users using NTLM hash** authentication
+
+```impacket-getadusers -all -hashes ':[nthash]' '[domain]/[user]'```
+
+**Enumerate users via Kerberos** authentication
+
+```impacket-getadusers -all -k -no-pass '[domain]/[user]'```
+
+**Output user information** in a specific format
+
+```impacket-getadusers -all -dc-ip [192.168.1.100] '[domain]/[user]:[password]' 2>/dev/null```
+
+# SYNOPSIS
+
+**impacket-getadusers** [_-h_] [_-user USERNAME_] [_-all_] [_-dc-ip IP_] [_-dc-host HOSTNAME_] [_-hashes LMHASH:NTHASH_] [_-no-pass_] [_-k_] [_-aesKey KEY_] _target_
+
+# PARAMETERS
+
+**-all**
+> Return all users in the domain
+
+**-user** _USERNAME_
+> Query information for a specific user only
+
+**-dc-ip** _IP_
+> IP address of the domain controller
+
+**-dc-host** _HOSTNAME_
+> Hostname of the domain controller (used for Kerberos)
+
+**-hashes** _LMHASH:NTHASH_
+> Use NTLM hashes for authentication instead of password
+
+**-no-pass**
+> Don't ask for password (useful with -k or -hashes)
+
+**-k**
+> Use Kerberos authentication from ccache file
+
+**-aesKey** _KEY_
+> AES key to use for Kerberos authentication
+
+# DESCRIPTION
+
+**impacket-getadusers** queries Active Directory via LDAP to enumerate user accounts and their attributes. It retrieves information such as usernames, last logon times, password last set dates, and account status flags.
+
+The tool is useful for reconnaissance during penetration tests to identify potential targets, find accounts with old passwords, or discover service accounts. Output includes the SAM account name, badPwdCount, and other relevant security attributes.
+
+# CAVEATS
+
+Requires valid domain credentials. Output may be verbose; consider redirecting stderr to /dev/null for cleaner output. The -all flag is typically required to see results for more than just the authenticated user.
+
+# HISTORY
+
+Part of the **Impacket** library developed by SecureAuth. The tool leverages LDAP queries against Active Directory, implementing Microsoft's directory service protocols in Python for cross-platform compatibility.
+
+# SEE ALSO
+
+[impacket-addcomputer](/man/impacket-addcomputer)(1), [impacket-secretsdump](/man/impacket-secretsdump)(1), [ldapsearch](/man/ldapsearch)(1), [net](/man/net)(1)

assets/commands/impacket-getarch.md

@@ -0,0 +1,46 @@
+# TLDR
+
+**Detect the architecture** of a remote Windows system
+
+```impacket-getarch -target [192.168.1.100]```
+
+**Check architecture** of multiple targets from a file
+
+```impacket-getarch -targets [targets.txt]```
+
+**Detect architecture** specifying a port
+
+```impacket-getarch -target [192.168.1.100] -port [445]```
+
+# SYNOPSIS
+
+**impacket-getarch** [_-h_] [_-target IP_] [_-targets FILE_] [_-port PORT_]
+
+# PARAMETERS
+
+**-target** _IP_
+> IP address of the target system to probe
+
+**-targets** _FILE_
+> File containing a list of target IP addresses (one per line)
+
+**-port** _PORT_
+> Port to connect to (default: 445)
+
+# DESCRIPTION
+
+**impacket-getarch** is a reconnaissance tool that determines whether a remote Windows system is running a 32-bit or 64-bit operating system. It works by connecting to the target's SMB service and analyzing the response to identify the system architecture.
+
+This information is valuable during penetration testing when preparing architecture-specific payloads or exploits. The tool requires no authentication and works against systems with SMB exposed.
+
+# CAVEATS
+
+Requires network access to the target's SMB port (typically 445). Results depend on SMB being accessible and not blocked by firewalls. Does not work against non-Windows systems.
+
+# HISTORY
+
+Part of the **Impacket** library by SecureAuth. The tool exploits differences in how 32-bit and 64-bit Windows systems respond to certain SMB requests to fingerprint the architecture without authentication.
+
+# SEE ALSO
+
+[impacket-getadusers](/man/impacket-getadusers)(1), [nmap](/man/nmap)(1), [smbclient](/man/smbclient)(1)

assets/commands/impacket-gettgt.md

@@ -0,0 +1,50 @@
+# TLDR
+
+**Request a TGT** for a domain user with password
+
+```impacket-gettgt '[domain]/[user]:[password]'```
+
+**Request TGT** and save to a specific file
+
+```impacket-gettgt -dc-ip [192.168.1.100] '[domain]/[user]:[password]'```
+
+**Request TGT using NTLM hash**
+
+```impacket-gettgt -hashes ':[nthash]' '[domain]/[user]'```
+
+**Request TGT using AES key**
+
+```impacket-gettgt -aesKey '[aes256key]' '[domain]/[user]'```
+
+# SYNOPSIS
+
+**impacket-gettgt** [_-h_] [_-dc-ip IP_] [_-hashes LMHASH:NTHASH_] [_-aesKey KEY_] _target_
+
+# PARAMETERS
+
+**-dc-ip** _IP_
+> IP address of the domain controller (KDC)
+
+**-hashes** _LMHASH:NTHASH_
+> Use NTLM hashes for authentication instead of password
+
+**-aesKey** _KEY_
+> AES key to use for Kerberos authentication (128 or 256 bit)
+
+# DESCRIPTION
+
+**impacket-gettgt** requests a Kerberos Ticket Granting Ticket (TGT) from an Active Directory domain controller. The TGT is saved to a ccache file that can be used for subsequent Kerberos authentication with other tools.
+
+This tool is useful for obtaining Kerberos tickets when you have valid credentials (password, hash, or AES key) and need to authenticate to Kerberos-enabled services. The resulting ccache file can be exported via the KRB5CCNAME environment variable.
+
+# CAVEATS
+
+Requires valid domain credentials in some form (password, NTLM hash, or AES key). The domain controller must be reachable and Kerberos ports (88/tcp) must be accessible. Time synchronization between client and KDC is critical for Kerberos to function.
+
+# HISTORY
+
+Part of the **Impacket** library by SecureAuth, implementing the Kerberos protocol for penetration testing. TGT retrieval is a fundamental operation in Kerberos-based attacks and authentication workflows.
+
+# SEE ALSO
+
+[impacket-getst](/man/impacket-getst)(1), [kinit](/man/kinit)(1), [klist](/man/klist)(1), [impacket-secretsdump](/man/impacket-secretsdump)(1)

assets/commands/impacket-mqtt_check.md

@@ -0,0 +1,46 @@
+# TLDR
+
+**Check MQTT broker** for anonymous access
+
+```impacket-mqtt_check [192.168.1.100]```
+
+**Check MQTT on a specific port**
+
+```impacket-mqtt_check [192.168.1.100] -port [1883]```
+
+**Check MQTT with credentials**
+
+```impacket-mqtt_check [192.168.1.100] -user [username] -password [password]```
+
+# SYNOPSIS
+
+**impacket-mqtt_check** [_-h_] [_-port PORT_] [_-user USERNAME_] [_-password PASSWORD_] _target_
+
+# PARAMETERS
+
+**-port** _PORT_
+> MQTT broker port (default: 1883)
+
+**-user** _USERNAME_
+> Username for MQTT authentication
+
+**-password** _PASSWORD_
+> Password for MQTT authentication
+
+# DESCRIPTION
+
+**impacket-mqtt_check** is a simple tool that checks if an MQTT (Message Queuing Telemetry Transport) broker allows connections, optionally testing for anonymous access. MQTT is a lightweight messaging protocol commonly used in IoT devices and applications.
+
+The tool attempts to connect to the specified broker and reports whether the connection succeeds, helping identify misconfigured brokers that allow unauthenticated access.
+
+# CAVEATS
+
+Only tests connection capability, does not enumerate topics or messages. MQTT over TLS (port 8883) may require additional configuration. Some brokers may allow connection but restrict actions based on ACLs.
+
+# HISTORY
+
+Part of the **Impacket** library by SecureAuth. Added to address the growing security concerns around IoT protocols, particularly MQTT brokers exposed to the internet without proper authentication.
+
+# SEE ALSO
+
+[mosquitto_sub](/man/mosquitto_sub)(1), [mosquitto_pub](/man/mosquitto_pub)(1), [nmap](/man/nmap)(1)

assets/commands/impacket-ntfs-read.md

@@ -0,0 +1,52 @@
+# TLDR
+
+**Read a file from a remote NTFS share**
+
+```impacket-ntfs-read '[domain]/[user]:[password]@[192.168.1.100]' '[C$\Windows\System32\config\SAM]'```
+
+**Read file using NTLM hash** authentication
+
+```impacket-ntfs-read -hashes ':[nthash]' '[domain]/[user]@[192.168.1.100]' '[share\path\to\file]'```
+
+**Read file using Kerberos** authentication
+
+```impacket-ntfs-read -k -no-pass '[domain]/[user]@[target]' '[C$\path\to\file]'```
+
+# SYNOPSIS
+
+**impacket-ntfs-read** [_-h_] [_-hashes LMHASH:NTHASH_] [_-no-pass_] [_-k_] [_-aesKey KEY_] [_-dc-ip IP_] _target_ _path_
+
+# PARAMETERS
+
+**-hashes** _LMHASH:NTHASH_
+> Use NTLM hashes for authentication instead of password
+
+**-no-pass**
+> Don't ask for password (useful with -k)
+
+**-k**
+> Use Kerberos authentication from ccache file
+
+**-aesKey** _KEY_
+> AES key to use for Kerberos authentication
+
+**-dc-ip** _IP_
+> IP address of the domain controller (for Kerberos)
+
+# DESCRIPTION
+
+**impacket-ntfs-read** reads files from remote Windows systems via SMB by directly parsing the NTFS file system structures. This allows reading files that might be locked by the operating system, such as registry hives or other system files.
+
+The tool connects to administrative shares (C$, ADMIN$) and reads files at the raw NTFS level, bypassing Windows file locking mechanisms. This is particularly useful for extracting sensitive files during penetration tests.
+
+# CAVEATS
+
+Requires administrative access to the target system (access to C$ or ADMIN$ shares). Some files may still be inaccessible due to NTFS permissions. The path should use backslashes and reference the share name.
+
+# HISTORY
+
+Part of the **Impacket** library by SecureAuth. The tool implements NTFS parsing over SMB to enable reading locked files, a technique commonly used in credential extraction workflows.
+
+# SEE ALSO
+
+[impacket-secretsdump](/man/impacket-secretsdump)(1), [smbclient](/man/smbclient)(1), [impacket-smbclient](/man/impacket-smbclient)(1)

assets/commands/impacket-ping.md

@@ -0,0 +1,36 @@
+# TLDR
+
+**Send ICMP echo requests** to a target
+
+```impacket-ping [192.168.1.100]```
+
+**Ping with a specific source IP**
+
+```impacket-ping -src [192.168.1.50] [192.168.1.100]```
+
+# SYNOPSIS
+
+**impacket-ping** [_-h_] [_-src IP_] _target_
+
+# PARAMETERS
+
+**-src** _IP_
+> Source IP address to use for the ping packets
+
+# DESCRIPTION
+
+**impacket-ping** is a simple ICMP ping implementation using raw sockets via the Impacket library. It sends ICMP echo request packets to the specified target and reports responses.
+
+Unlike the standard ping utility, this implementation uses Impacket's raw socket capabilities, which can be useful in environments where the standard ping may be restricted or when integration with other Impacket tools is desired.
+
+# CAVEATS
+
+Requires root/administrator privileges to create raw sockets. May be blocked by firewalls that filter ICMP traffic. For most use cases, the standard **ping** command is more feature-rich.
+
+# HISTORY
+
+Part of the **Impacket** library by SecureAuth. Included as a basic example of using Impacket's network protocol implementations for raw socket operations.
+
+# SEE ALSO
+
+[ping](/man/ping)(1), [impacket-ping6](/man/impacket-ping6)(1), [nmap](/man/nmap)(1)