LinuxCommandLibrary

impacket-sambapipe

Interact with SMB named pipes

TLDR

View documentation for the original command

$ tldr sambaPipe.py
copy

SYNOPSIS

impacket-sambapipe [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip IP] [-target-ip IP] [-port PORT] <target>

PARAMETERS


    [[domain/]username[:password]@]targetName or address

-debug
    Turn DEBUG output ON

-hashes
    NTLM hashes for pass-the-hash auth

-no-pass
    Skip password prompt (use with -k)

-k
    Use Kerberos auth from ccache file

-aesKey
    AES key for Kerberos (128/256 bits)

-dc-ip
    Domain Controller IP address

-target-ip
    Target machine IP (overrides hostname)

-port
    SMB port (default 445)

DESCRIPTION

impacket-sambapipe is a specialized tool from the Impacket suite for security testing. It connects to a Windows target over SMB (port 445), authenticates using provided credentials, and interacts with the SAMR named pipe (\PIPE\samr) to enumerate security identifiers (SIDs), domains, groups, and users. Most importantly, it extracts NTLM and LM hashes from the SAM database for offline cracking.

The tool supports multiple auth methods: clear-text passwords, NTLM pass-the-hash (-hashes), Kerberos tickets (-k), or AES keys. It works against domain or local accounts if the user has sufficient rights (often Domain Admin or equivalent for full dumps). Output lists users with RIDs, attributes, and hashes like Administrator NT:31d6cfe0d16ae931b73c59d7e0c089c0.

Ideal for lateral movement in pentests after obtaining creds, but ineffective on patched systems restricting SAMR (e.g., via GPO). Always use ethically.

CAVEATS

Needs SAMR access rights on target (often admin-level). SMB signing/enforced may block. Ineffective vs. modern Windows with SAMR restrictions. Pentesting only; illegal without authorization.

EXAMPLE USAGE

impacket-sambapipe WORKGROUP/Administrator:Pass123@192.168.1.100
[*] Connecting to SAMR pipe...
User: Guest NT:31d6cfe0d16ae931b73c59d7e0c089c0:31d6cfe0d16ae931b73c59d7e0c089c0:::

INSTALLATION

pip3 install impacket
Or git clone https://github.com/fortra/impacket

OUTPUT PARSING

Hashes crackable with hashcat or john. Focus on high-value users like Administrator.

HISTORY

Part of Impacket by SecureAuth/Fox-IT (now CoreSecurity), introduced ~2016 for SMB/SAMR enumeration. Evolved with Windows auth changes (Kerberos, signing bypasses); actively maintained on GitHub.

SEE ALSO

impacket-secretsdump, smbclient(1), rpcclient(1)

Copied to clipboard