impacket-ntfs-read
Read remote NTFS file contents
SYNOPSIS
impacket-ntfs-read [options] <smbserver> <share> [<outputfile>]
PARAMETERS
-h, --help
Show help message and exit.
-debug
Turn DEBUG output ON for verbose logging.
-hashes <LMHASH:NTHASH>
Use NTLM hashes for authentication instead of password.
-no-pass
Don't prompt for password (uses NTLM anonymously or from context).
-k
Use Kerberos authentication from ccache (KRB5CCNAME).
-aesKey <hex key>
AES key (128/256 bits) for Kerberos AES encryption.
-dc-ip <ipaddress>
IP of domain controller (overrides FQDN resolution).
-target-ip <ipaddress>
IP of target host (useful if NetBIOS name unresolvable).
DESCRIPTION
impacket-ntfs-read is a tool from the Impacket suite designed to extract files from NTFS filesystems shared via SMB/CIFS on Windows targets. It bypasses common restrictions such as file locks (e.g., pagefile.sys, hiberfil.sys) and some ACL denials by directly accessing raw NTFS data streams using SMB2/3 FSCTL operations. This makes it invaluable for penetration testing, red teaming, and digital forensics when physical access is unavailable.
The tool authenticates to the target using NTLM or Kerberos, mounts the share, and reads the specified file or directory contents. If no output file is provided, it dumps to stdout. It excels at retrieving system files that are otherwise inaccessible remotely, like registry hives ($SYSTEM), SAM databases, or memory dumps.
Usage typically involves domain credentials: DOMAIN/USER:PASSWORD@TARGET_IP. It supports pass-the-hash and Kerberos tickets, aligning with Impacket's protocol implementation focus.
CAVEATS
Requires valid SMB credentials and share access (e.g., ADMIN$ or C$). May trigger EDR/AV detection on modern Windows. Fails on non-NTFS filesystems or SMB1-only setups. An existing output file is overwritten without warning.
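For defenders, the admin-share requirement above gives a detection point. The following is an added example, not part of Impacket or of the original page: it flags Windows Security Event ID 5145 records in which ADMIN$ or C$ is used to reach the files named in the description (pagefile.sys, hiberfil.sys, the SAM and SYSTEM hives). It assumes "Audit Detailed File Share" is enabled on the target and that events were exported as one JSON object per line; the sample events, user names and source addresses are constructed.

```python
import json
import ntpath

# Constructed sample: Event ID 5145 records flattened to JSON lines (not real logs).
SAMPLE_EVENTS = r"""
{"EventID": 5145, "SubjectUserName": "administrator", "IpAddress": "192.168.1.50", "ShareName": "\\\\*\\C$", "RelativeTargetName": "pagefile.sys"}
{"EventID": 5145, "SubjectUserName": "svc_backup", "IpAddress": "192.168.1.60", "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "System32\\config\\SAM"}
{"EventID": 5145, "SubjectUserName": "jsmith", "IpAddress": "192.168.1.70", "ShareName": "\\\\*\\Public", "RelativeTargetName": "reports\\q3.xlsx"}
{"EventID": 5145, "SubjectUserName": "administrator", "IpAddress": "192.168.1.50", "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\Public\\notes.txt"}
"""

ADMIN_SHARES = {"c$", "admin$"}
ROOT_FILES = {"pagefile.sys", "hiberfil.sys"}   # live at the volume root
HIVE_NAMES = {"sam", "system"}                  # live under System32\config

def share_leaf(share_name):
    # 5145 reports the share as \\*\C$; keep only the last component.
    return share_name.rstrip("\\").rsplit("\\", 1)[-1].lower()

def is_sensitive(share, rel_path):
    path = ntpath.normpath(rel_path.replace("/", "\\")).lower()
    if share == "admin$":                       # ADMIN$ maps to the Windows directory
        path = ntpath.join("windows", path)
    head, leaf = ntpath.split(path)
    if leaf in ROOT_FILES and head == "":
        return True
    return leaf in HIVE_NAMES and head.endswith(r"system32\config")

def find_hits(lines):
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 5145:
            continue
        share = share_leaf(ev.get("ShareName", ""))
        rel = ev.get("RelativeTargetName", "")
        if share in ADMIN_SHARES and is_sensitive(share, rel):
            hits.append((ev.get("SubjectUserName"), ev.get("IpAddress"), share, rel))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT admin-share access to sensitive file:", hit)
```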
USAGE EXAMPLE
Dump pagefile:
impacket-ntfs-read -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'DOMAIN/administrator@192.168.1.100' C$ 'pagefile.sys' ./pagefile.sys
Read registry hive:
impacket-ntfs-read user:pass@target SYSTEM32/config/SAM ./SAM
TARGET FORMAT
<domain/>username[:password]@<machinename_or_ip>
Supports pass-the-hash and Kerberos.
SEE ALSO
smbclient(1), mount.cifs(8), impacket-smbclient


