impacket-psexec
Execute remote commands on Windows systems
SYNOPSIS
impacket-psexec [options] <domain/user[:password]@target> [command]
PARAMETERS
-debug
Enable verbose DEBUG output
-hashes LMHASH:NTHASH
Use NTLM hash for authentication
-no-pass
Skip password prompt (with -hashes or tickets)
-k
Use Kerberos authentication from ccache
-aesKey hexkey
Kerberos AES256/128 key in hex
-dc-ip IP
Domain controller IP for Kerberos
-target-ip IP
Force target IP (bypass DNS)
-target-port PORT
SMB target port (default 445)
-file FILE
Custom executable file to upload/execute
-copy-method METHOD
Copy method: copy/smb/rpcdump (default copy)
-spawn
Spawn interactive shell (no command)
-service-name NAME
Service name (default PSEXESVC)
-log FILE
Write output to log file
-timeout SECONDS
Service response timeout (default 30)
DESCRIPTION
Impacket-psexec is a tool from the Impacket suite, a collection of Python modules for manipulating network protocols. It replicates the functionality of Sysinternals' PsExec, allowing execution of commands on remote Windows machines with SYSTEM privileges. The process involves authenticating via SMB (port 445), uploading a service binary (embedded psexec.exe or custom), creating a temporary Windows service via RPC (ports 135/139), starting it to run the command, capturing STDOUT/STDERR, stopping the service, and cleaning up.
Supports authentication with cleartext passwords, NTLM/LM hashes, Kerberos tickets (-k), and AES keys. Ideal for penetration testing, red teaming, and admin tasks like lateral movement in Active Directory environments. Output is redirected locally. Handles single commands or interactive shells (-spawn). Targets require administrative access, remote registry/service control enabled, and often UAC bypass for non-local admins.
Common pitfalls include antivirus detection of the uploaded binary and firewall blocks. Experimental SMB2 support available.
CAVEATS
Requires admin credentials and SMB access. Triggers Windows event logs and AV detection. UAC remote restrictions may block execution. Not for untrusted networks; cleanup may fail on errors.
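For defenders, the event-log trail mentioned above can be correlated. The following is an added example, not code from this page or from Impacket: it flags a service install (System event 7045) that follows a network logon (Security event 4624, logon type 3) on the same host, the sequence given in DESCRIPTION. The record layout, host names, sample events and 30-second window are assumptions; PSEXESVC is the default service name this page lists.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs); field names are this example's own.
EVENTS = [
    {"time": "2024-05-01T10:00:02", "host": "WS01", "id": 4624,
     "logon_type": 3, "user": "CORP\\admin1", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T10:00:04", "host": "WS01", "id": 7045,
     "service": "PSEXESVC", "start": "demand start", "account": "LocalSystem"},
    {"time": "2024-05-01T11:00:00", "host": "WS02", "id": 4624,
     "logon_type": 3, "user": "CORP\\admin1", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T11:00:05", "host": "WS02", "id": 7045,
     "service": "WinUpdSvc", "start": "demand start", "account": "LocalSystem"},
    {"time": "2024-05-01T12:00:00", "host": "WS03", "id": 7045,
     "service": "PrinterAgent", "start": "auto start", "account": "LocalSystem"},
    {"time": "2024-05-01T13:00:00", "host": "WS03", "id": 4624,
     "logon_type": 2, "user": "CORP\\alice", "src_ip": "-"},
    {"time": "2024-05-01T13:00:03", "host": "WS03", "id": 7045,
     "service": "VendorTool", "start": "demand start", "account": "LocalSystem"},
]

def find_remote_service_installs(events, window_s=30, default_name="PSEXESVC"):
    """Flag 7045 service installs that follow a network logon on the same host."""
    window = timedelta(seconds=window_s)
    last_net_logon = {}  # host -> (timestamp, logon event)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            last_net_logon[ev["host"]] = (ts, ev)
        elif ev["id"] == 7045:
            # On-demand LocalSystem service: the shape of a temporary exec service.
            if ev["account"] != "LocalSystem" or ev["start"] != "demand start":
                continue
            seen = last_net_logon.get(ev["host"])
            if not seen or ts - seen[0] > window:
                continue
            findings.append({
                "host": ev["host"], "service": ev["service"],
                "user": seen[1]["user"], "src_ip": seen[1]["src_ip"],
                # -service-name changes the name, so a match only raises confidence.
                "default_name": ev["service"].upper() == default_name,
            })
    return findings

if __name__ == "__main__":
    for finding in find_remote_service_installs(EVENTS):
        print(finding)
```

The renamed service on WS02 is still flagged because the rule keys on the logon-then-install sequence, not on the service name.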
EXAMPLE USAGE
impacket-psexec user:pass@target whoami
impacket-psexec -hashes :nthash user@target -spawn
PREREQUISITES
Impacket installed (pip install impacket). Python 3+. Windows target: Admin rights, Server service running.
HISTORY
Part of Impacket, initiated by SecureAuth in 2012 for pentesting. PSEXEC example evolved from early protocol implementations; actively maintained on GitHub with SMB2/WinRM enhancements.
SEE ALSO
winexe(1), psexec(1)


