LinuxCommandLibrary

impacket-psexec

Execute remote commands on Windows systems

TLDR

View documentation for the original command

$ tldr psexec.py

SYNOPSIS

impacket-psexec [options] [[domain/]username[:password]@]<target> [command]

<target> can be an IP address or hostname.
If command is omitted, an interactive command shell will be provided.

PARAMETERS

[[domain/]username[:password]@]<target>
    Specifies the authentication credentials and target. domain is optional; password can be omitted if not required or if using `-no-pass`. <target> is the IP address or hostname of the remote Windows system.

-h, --help
    Show the program's help message and exit.

-debug
    Turn on debug output.

-codec
    Sets the codec to decode the data. Common examples: latin-1, utf-8.

-target-ip
    IP address of the target machine. If this parameter is specified, the target name will be resolved to this IP instead of through DNS.

-port
    SMB port to connect to (default: 445).

-no-pass
    Don't ask for a password. Useful when authentication is handled by other means (e.g., Kerberos tickets).

-k
    Use Kerberos authentication instead of NTLM. You must have a valid Kerberos ticket (TGT) in your ticket cache.

-A
    Use AES256-CTS-HMAC-SHA1-96 in Kerberos.

-dc-ip
    IP address of the Domain Controller. If omitted, the tool will try to resolve it via DNS.

-hashes
    Use NTLM hashes for authentication instead of a password. Format is LMHASH:NTHASH (e.g., aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0).

-share
    Share name to connect to for file operations (default: ADMIN$).

-c
    Do not delete the service (for debugging purposes).

-x
    Run command through cmd.exe /C. This is useful for single commands that do not require an interactive shell.

-s
    Run the command as SYSTEM user. Requires local administrator privileges to elevate.

-r
    Remote file path where the temporary executable will be stored (default: C:\Windows\Temp).

DESCRIPTION

impacket-psexec is a Python script that is part of the extensive Impacket library, a collection of Python classes for working with network protocols. It reimplements the functionality of PsExec from Sysinternals, allowing users to execute commands or obtain an interactive shell on remote Windows systems.

The tool primarily leverages the Server Message Block (SMB) and Distributed Computing Environment / Remote Procedure Call (DCE/RPC) protocols, specifically interacting with the Service Control Manager (SCM) on the target machine. It works by uploading a temporary service executable (or script) to the `ADMIN$` share, creating and starting a service on the remote machine that executes the desired command or shell, and then deleting the service and the temporary file upon completion.

While impacket-psexec is valuable for system administrators requiring cross-platform remote management capabilities, it is also widely utilized in cybersecurity for penetration testing and red teaming exercises, particularly for lateral movement within a Windows domain. Its ability to authenticate using various methods, including passwords, NTLM hashes, and Kerberos tickets, makes it a versatile tool in different network environments.

CAVEATS

Administrative Privileges Required:
To successfully execute commands or gain a shell, the provided credentials must have local administrator privileges on the target Windows system.
Security Detection:
The method of creating and deleting temporary services is often monitored by Endpoint Detection and Response (EDR) solutions and Antivirus (AV) software, potentially leading to detection or blocking.
Firewall Considerations:
The target system's firewall must allow inbound connections on TCP port 445 (SMB).
Network Latency:
High network latency can impact the responsiveness of the interactive shell.
User Context:
Commands are typically executed in the context of the user whose credentials are provided, unless the `-s` flag is used to elevate to SYSTEM.

AUTHENTICATION METHODS

`impacket-psexec` supports several authentication methods. The most common are password-based, NTLM hash-based (using the `-hashes` flag), and Kerberos authentication (using the `-k` flag, often combined with `-dc-ip` for domain environments). This flexibility allows it to operate effectively in various network security configurations, including scenarios where cleartext passwords are not available.

EXECUTION FLOW

Upon execution, `impacket-psexec` connects to the target's SMB share (typically ADMIN$). It then uploads a temporary executable (often named randomly like B70E.tmp) to the target's C:\Windows\Temp directory. Next, it interacts with the Service Control Manager via RPC to create a new service configured to run this temporary executable. Once the service starts and executes the command or shell, the output is redirected back to the client. Finally, the service is stopped, deleted, and the temporary executable file is removed from the target system (unless the `-c` flag is used).
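The service-creation step described above (and the EDR detection caveat under CAVEATS) leaves a Windows System-log event 7045 ("a service was installed") on the target. The following is an added, defender-side example that is not part of this page or of Impacket: a Python heuristic that flags 7045 records whose service name and dropped binary both look like the tool's short random names (e.g. B70E.tmp) in C:\Windows\Temp or the ADMIN$ root. The key=value log-line format, host names and sample records are constructed assumptions.

```python
import re
from typing import Iterable

# Constructed sample records, not real logs: Windows System-log event 7045
# ("a service was installed") flattened to key=value lines. Field names follow
# the real event; the one-line format itself is an assumption for this example.
SAMPLE_EVENTS = """\
EventID=7045 Host=WS01 ServiceName=B70E ImagePath=C:\\Windows\\Temp\\B70E.tmp StartType=demand
EventID=7045 Host=WS01 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto
EventID=7045 Host=WS02 ServiceName=gupdate ImagePath="C:\\Program Files\\Google\\Update\\GoogleUpdate.exe" StartType=auto
EventID=7045 Host=WS03 ServiceName=XwzQ ImagePath=C:\\Windows\\Temp\\XwzQ.exe StartType=demand
""".splitlines()

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{4,8}$")   # short random names like B70E
# Drop locations: the Temp path this page names, plus the ADMIN$ root (C:\Windows).
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\windows\\")

def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def _staged_directly_in(path_lower: str) -> bool:
    """True if the file sits directly in a staging dir, not in a subdirectory of it."""
    return any(path_lower.startswith(d) and "\\" not in path_lower[len(d):]
               for d in STAGING_DIRS)

def is_psexec_like(ev: dict) -> bool:
    """Heuristic: event 7045 whose service name and binary are both short random
    names and whose binary was dropped straight into a staging directory."""
    if ev.get("EventID") != "7045":
        return False
    path = ev.get("ImagePath", "")
    if not _staged_directly_in(path.lower()):
        return False
    filename = path.rsplit("\\", 1)[-1]
    if "." not in filename:
        return False
    stem, ext = filename.rsplit(".", 1)
    return (ext.lower() in ("exe", "tmp")
            and RANDOM_NAME_RE.match(stem) is not None
            and RANDOM_NAME_RE.match(ev.get("ServiceName", "")) is not None)

def find_psexec_service_installs(lines: Iterable[str]) -> list:
    """Return the parsed 7045 events matching the heuristic, in log order."""
    return [ev for ev in map(parse_event, lines) if is_psexec_like(ev)]

if __name__ == "__main__":
    for hit in find_psexec_service_installs(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['Host']}: {hit['ServiceName']} -> {hit['ImagePath']}")
```

Legitimate installers occasionally register services from Temp, so treat a hit as a lead to correlate with the SMB share access (ADMIN$) and the matching service deletion, not as proof on its own.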

INTERACTIVE SHELL VS. SINGLE COMMAND

When no command is provided after the target, `impacket-psexec` will attempt to provide an interactive command prompt on the remote system, allowing for continuous command execution. If a command is specified, the tool will execute that single command and then terminate, returning its output. For single commands, using the `-x` flag often ensures cleaner execution without an interactive shell setup.

HISTORY

The `impacket-psexec` script is an integral part of the Impacket library, an open-source project initiated by SecureAuth (now Fortra / Core Security). Impacket was developed to provide Python classes for programmatic access to network protocols, primarily focusing on Microsoft's authentication and network protocols.

The original PsExec utility was created by Mark Russinovich as part of his Sysinternals suite, which was later acquired by Microsoft. PsExec gained widespread adoption among Windows administrators for its ability to execute processes on remote systems.

`impacket-psexec` emerged as a cross-platform (primarily Linux/macOS) alternative, allowing users to leverage PsExec-like functionality without relying on Windows binaries. Its development has continuously evolved with new authentication methods and features, making it a staple in network administration and cybersecurity toolkits for its robust remote execution capabilities.

SEE ALSO

impacket-wmiexec(1): Another Impacket tool for remote command execution, using WMI.
impacket-smbclient(1): Impacket's SMB client for interacting with SMB shares.
smbclient(1): A traditional Linux client for interacting with SMB/CIFS shares.
crackmapexec(1): A powerful tool for pentesting Windows networks, often incorporating PsExec-like functionality.
msfconsole(1): The Metasploit Framework console, which includes various PsExec modules.
