impacket-dumpntlminfo
Dump remote host NTLM authentication information
SYNOPSIS
impacket-dumpntlminfo [-debug] [-ts] [-target-ip IP] [-port PORT] [-protocol {SMB,RPC}] target
DESCRIPTION
impacket-dumpntlminfo starts an NTLM authentication handshake with a remote host and extracts information from the server's NTLM challenge message, without requiring any credentials. By initiating an SMB or RPC connection, the tool triggers the handshake and parses the server's response to reveal details such as the hostname, domain name, DNS information, OS version, and timestamp.
This is useful for reconnaissance during penetration testing, as it provides network and host information without authentication.
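The fields listed above are carried in the server's NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2). The following Python parser is an added example, not Impacket's code: it decodes a constructed message to show what a host discloses before any credentials are checked. The host FS01, domain CORP, build number and function names are assumptions made for the illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
NEGOTIATE_VERSION = 0x02000000
# AV_PAIR ids (MS-NLMP 2.2.2.1) whose values are UTF-16LE names
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree"}

def parse_challenge(msg: bytes) -> dict:
    """Return the host metadata carried in an NTLM CHALLENGE_MESSAGE."""
    if len(msg) < 56 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    flags, = struct.unpack_from("<I", msg, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    if ti_off + ti_len > len(msg):
        raise ValueError("TargetInfo extends past end of message")
    info = {}
    if flags & NEGOTIATE_VERSION:  # Version field is only valid with this flag
        info["os_version"] = "%d.%d.%d" % struct.unpack_from("<BBH", msg, 48)
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        value = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0 or pos > end:  # MsvAvEOL, or a pair overrunning the buffer
            break
        if av_id == 7 and av_len == 8:  # MsvAvTimestamp: FILETIME, 100 ns ticks
            ticks, = struct.unpack("<Q", value)
            info["timestamp"] = EPOCH_1601 + timedelta(microseconds=ticks // 10)
        elif av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le", errors="replace")
    return info

def build_sample() -> bytes:
    """Constructed CHALLENGE_MESSAGE for a made-up host FS01 in domain CORP."""
    u = lambda s: s.encode("utf-16-le")
    av = lambda i, v: struct.pack("<HH", i, len(v)) + v
    ticks = int((datetime(2024, 1, 1, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10**7
    name = u("CORP")
    ti = (av(2, name) + av(1, u("FS01")) + av(4, u("corp.example")) +
          av(3, u("fs01.corp.example")) + av(7, struct.pack("<Q", ticks)) + av(0, b""))
    flags = NEGOTIATE_VERSION | 0x00800000 | 0x00000001  # + TARGET_INFO, UNICODE
    return (b"NTLMSSP\x00" + struct.pack("<IHHI", 2, len(name), len(name), 56) +
            struct.pack("<I", flags) + bytes(16) +  # zeroed challenge + reserved
            struct.pack("<HHI", len(ti), len(ti), 56 + len(name)) +
            struct.pack("<BBH", 10, 0, 20348) + b"\x00\x00\x00\x0f" + name + ti)
```

Every value returned by `parse_challenge` is sent in cleartext to any client that can reach the SMB or RPC port, so the reliable control is restricting which networks can reach those ports.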
PARAMETERS
-debug
Turn DEBUG output on.
-ts
Add timestamp to every logging output.
-target-ip IP
IP address of the target machine. Useful when target is a NetBIOS name that cannot be resolved.
-port PORT
Destination port to connect to the SMB/RPC server. Default is 445.
-protocol {SMB,RPC}
Protocol to use. Default is SMB. Port 135 normally uses RPC.
CAVEATS
Only works against hosts with SMB or RPC services exposed. Firewalls or security policies may block unauthenticated NTLM negotiation. The amount of information returned depends on the target's SMB/RPC configuration and Windows version.
HISTORY
Part of the Impacket library, originally developed by SecureAuth (now Fortra). Impacket is a collection of Python classes for working with network protocols, widely used in penetration testing and security research. The tool leverages the NTLM authentication handshake to extract server metadata without credentials.
SEE ALSO
impacket-psexec(1), impacket-smbclient(1), impacket-rpcdump(1)
