LinuxCommandLibrary

impacket-getarch

Determine the architecture of a remote system

TLDR

View documentation for the original command

$ tldr getArch.py

SYNOPSIS

impacket-getarch [options] target

The target argument specifies the host and optionally credentials in the format: [[domain/]username[:password]@]<targetName or address>

PARAMETERS

-h, --help
    Displays the help message and exits.

-debug
    Enables detailed debug output for troubleshooting.

-no-pass
    Prevents the tool from prompting for a password when authentication is required (useful with Kerberos).

-k
    Forces the use of Kerberos authentication for the target.

-no-k
    Explicitly disables Kerberos authentication (default behavior).

-dc-ip ip address
    Specifies the IP address of the domain controller for Kerberos authentication. If omitted, it attempts to resolve the domain from the target name.

-rpc-auth
    Enables RPC authentication, primarily for Windows 2008 and newer systems.

-hashes LMHASH:NTHASH
    Provides NTLM hashes for authentication instead of a plaintext password.

-aesKey hex key
    Specifies the AES key (128 or 256 bits) to use for Kerberos authentication.

-port [destination port]
    Sets the destination port to connect to. Defaults to 445 (SMB) or 3389 (RDP).

target
    The required positional argument specifying the target host, optionally including domain, username, and password.

DESCRIPTION

The impacket-getarch command, part of the widely-used Impacket toolkit, is a specialized utility designed to identify the CPU architecture (32-bit or 64-bit) of a remote Windows target. It primarily achieves this by probing the Server Message Block (SMB) service on TCP port 445, and in some contexts, can infer information from RDP (Remote Desktop Protocol) on TCP port 3389.

This tool is particularly critical in exploit development and penetration testing, especially for vulnerabilities like EternalBlue (MS17-010) or BlueKeep (CVE-2019-0708). These exploits often require architecture-specific payloads to succeed, making accurate prior identification of the target's bitness essential. By sending carefully crafted packets and analyzing the target's responses, impacket-getarch provides quick and reliable architectural insights, facilitating the selection of the correct exploit payload.

CAVEATS

The command requires direct network access to the target host's SMB (TCP 445) and/or RDP (TCP 3389) ports. Firewalls or network restrictions can prevent it from functioning.
While generally reliable, certain network configurations or patched systems might lead to inaccurate results or prevent detection.
As a component of a penetration testing toolkit, impacket-getarch should only be used in authorized environments for legitimate security assessments.

USAGE EXAMPLES


To detect the architecture of a remote host without credentials:
impacket-getarch 192.168.1.100

To detect the architecture using a username and password:
impacket-getarch domain/username:password@target_hostname

To specify NTLM hashes for authentication:
impacket-getarch -hashes :0a0b0c0d0e0f10111213141516171819 username@192.168.1.101
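
The target format from the synopsis puts the password on the command line, and -hashes and -aesKey carry key material, so command lines kept in assessment notes or process logs should be redacted first. The sketch below is an added example, not Impacket's own parsing code. The names Target, parse_target, redact_target and redact_argv are hypothetical, and it assumes the target is the final argument as shown in the synopsis.

```python
import re
from typing import List, NamedTuple

class Target(NamedTuple):
    domain: str
    username: str
    password: str
    host: str

# Credential part of [[domain/]username[:password]@]host: everything before the last '@'.
CREDS = re.compile(r"(?:(?P<domain>[^/@:]*)/)?(?P<username>[^@:]*)(?::(?P<password>.*))?", re.S)

# Options from the PARAMETERS list whose next argument is secret material.
SECRET_OPTIONS = {"-hashes", "-aesKey"}

def parse_target(spec: str) -> Target:
    # Split on the LAST '@' so a password containing '@' or ':' survives intact.
    creds, sep, host = spec.rpartition("@")
    if not host:
        raise ValueError("target has no host part")
    if not sep:
        return Target("", "", "", host)
    m = CREDS.fullmatch(creds)
    if m is None:
        raise ValueError("malformed credential part")
    return Target(m["domain"] or "", m["username"], m["password"] or "", host)

def redact_target(spec: str) -> str:
    t = parse_target(spec)
    if not (t.domain or t.username or t.password):
        return t.host
    prefix = f"{t.domain}/" if t.domain else ""
    secret = ":<redacted>" if t.password else ""
    return f"{prefix}{t.username}{secret}@{t.host}"

def redact_argv(argv: List[str]) -> List[str]:
    # Assumption: the target is the final argument ("impacket-getarch [options] target").
    out = []
    for i, arg in enumerate(argv):
        if i > 0 and argv[i - 1] in SECRET_OPTIONS:
            out.append("<redacted>")           # value of -hashes / -aesKey
        elif 0 < i == len(argv) - 1:
            out.append(redact_target(arg))     # positional target
        else:
            out.append(arg)
    return out

if __name__ == "__main__":
    # Constructed command line modelled on the usage examples above.
    print(" ".join(redact_argv("impacket-getarch domain/username:password@target_hostname".split())))
```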

OUTPUT FORMAT


The command typically outputs a concise message indicating the detected architecture, such as:
Architecture: x64
or
Architecture: x86

If detection fails or the host is unreachable, it will report an error or 'Unknown'.

HISTORY

impacket-getarch is an integral part of the Impacket framework, an open-source collection of Python classes developed by SecureAuth (now Fortra) for programmatic access to network protocols. Impacket's development began with a focus on Windows network protocols like SMB, MSRPC, and DCERPC, making it a staple in offensive security.

The getArch.py script (the underlying component of impacket-getarch) gained significant prominence, particularly in the mid to late 2010s, due to its crucial role in the successful exploitation of vulnerabilities like EternalBlue. Before deploying architecture-specific exploits, accurately determining the target's bitness became a mandatory preliminary step, and getArch.py provided a reliable means to achieve this, solidifying its place as a key reconnaissance tool.

SEE ALSO

nmap(1): A powerful network scanner that can also identify OS and service versions, indirectly providing architecture clues.
