LinuxCommandLibrary

psexec.py

Execute commands remotely on Windows

TLDR

Spawn an interactive shell on a remote target

$ psexec.py [domain]/[username]:[password]@[target]

Execute a specific command on a remote target
$ psexec.py [domain]/[username]:[password]@[target] [command]

Upload a local executable to the target and run it; the trailing command string is passed to it as arguments
$ psexec.py -c [filename] [domain]/[username]:[password]@[target] [command]

Execute a command from a specific path on a remote target
$ psexec.py -path [path] [domain]/[username]:[password]@[target] [command]

Authenticate using pass-the-hash authentication instead of a password
$ psexec.py -hashes [LM_Hash]:[NT_Hash] [domain]/[username]@[target]

Authenticate with Kerberos using a ticket from the credential cache named by KRB5CCNAME, without a password prompt
$ psexec.py -k -no-pass [domain]/[username]@[target]

Point Kerberos at a specific domain controller when the domain part of the target does not resolve
$ psexec.py -dc-ip [domain_controller_ip] [domain]/[username]:[password]@[target]

SYNOPSIS

psexec.py [options] [[domain/]username[:password]@]<targetName or address> [command ...]

PARAMETERS

-h, --help
    Shows the help message and exits.

-c pathname
    Copy a local executable to the target and run it instead of the default cmd.exe. Anything given as [command] is passed to the uploaded program as its arguments.

-path PATH
    Path on the target of the command to execute, for running a binary that is already there rather than something found on the remote %PATH%.

-file FILE
    Use an alternative RemComSvc service binary instead of the one bundled with Impacket (the stock binary is widely signatured by AV).

-ts
    Adds a timestamp to every logging line.

-debug
    Turns on debug output for troubleshooting.

-codec CODEC
    Codec used to decode the target's output (default: utf-8). If the output is garbled, run chcp.com on the target and map the reported code page to the matching Python codec name (e.g. cp850, cp437).

-hashes LMHASH:NTHASH
    NTLM hashes for pass-the-hash authentication, given in hex as LMHASH:NTHASH. Leave the LM part empty (":NTHASH") when only the NT hash is known.

-no-pass
    Do not prompt for a password (useful together with -k or -aesKey).

-k
    Use Kerberos authentication. Credentials are taken from the ccache file named by KRB5CCNAME, matched against the target parameters; if no suitable ticket is found, the credentials given on the command line are used instead.

-aesKey hexKey
    AES key (128 or 256 bits, hex) to use for Kerberos authentication instead of a password or hash. Implies -k.

-dc-ip IP address
    IP address of the domain controller (KDC). If omitted, the domain part of the target parameter is used and must be resolvable.

-target-ip IP address
    IP address of the target machine. If omitted, whatever was given as the target is used; needed when the target is a NetBIOS name that your resolver cannot look up.

-port port number
    Destination port of the SMB server, 139 or 445 (default: 445).

-service-name service_name
    Name of the service created on the target to launch the payload (default: four random letters).

-remote-binary-name remote_binary_name
    File name the uploaded service binary gets on the target (default: eight random letters plus .exe).

target
    [[domain/]username[:password]@]<targetName or address> of the remote Windows system. If the password is omitted and none of -hashes, -no-pass, -k or -aesKey is given, psexec.py prompts for it.

[command]
    Command to run on the target (default: cmd.exe, which gives an interactive shell). With -c, this is the argument string passed to the uploaded executable.

DESCRIPTION

psexec.py is a Python script from the Impacket toolkit that executes commands on remote Windows systems. It reimplements the approach of Microsoft Sysinternals' PsExec over SMB and MSRPC: it drives the Service Control Manager through the \svcctl named pipe and relays the command's standard input and output over named pipes as well.

It works by uploading its own service binary (RemComSvc) to a writable administrative share, creating a temporary service that points at it, running the requested command through that service, and then stopping and deleting the service and removing the binary. Because the service runs under LocalSystem, the command executes as NT AUTHORITY\SYSTEM regardless of which administrator authenticated. The tool is widely used by penetration testers and red teams for lateral movement, remote administration and post-exploitation in Windows environments, and it supports password, NTLM-hash (pass-the-hash) and Kerberos (ticket cache or AES key) authentication. Nothing has to be pre-installed on the target, since only the built-in SMB server and Service Control Manager are used; the uploaded binary and the service registration are nevertheless visible to defenders while they exist and in the event log afterwards.

CAVEATS

  • Requires local administrator rights on the target, both to write to an administrative share and to create a service through the Service Control Manager; the command then runs as SYSTEM.
  • The target must have the Server service running, TCP port 445 (or 139) reachable, and administrative shares (ADMIN$, C$) enabled; psexec.py enumerates shares and uses the first one it can write to.
  • Readily detected by Antivirus (AV) and Endpoint Detection and Response (EDR) products: the bundled RemComSvc binary is widely signatured, service installation is recorded as System event 7045 (and Security event 4697 where that audit policy is on), and RemComSvc creates RemCom_* named pipes. The -file, -service-name and -remote-binary-name options change the obvious indicators, but the event records remain.
  • Firewall rules on the target or network can prevent successful connections.
  • UAC remote restrictions: for local accounts other than the built-in Administrator (RID 500), LocalAccountTokenFilterPolicy strips the administrative token from network logons, so the admin shares are not accessible and psexec.py fails with an access-denied error. Domain accounts that are members of the local Administrators group are not filtered.

COMMON USAGE EXAMPLES

To execute `dir C:\` on a remote host `192.168.1.100` as user `administrator` with password `Password123!` (single quotes keep the shell from expanding `!`):
`psexec.py 'administrator:Password123!@192.168.1.100' 'cmd.exe /c dir C:\'`

To get an interactive shell with pass-the-hash, supplying only the NT hash and leaving the LM part blank (`:NTHASH`). The value 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known NT hash of an empty password and stands in here for a hash recovered from a credential dump:
`psexec.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100`

SERVICE CREATION MECHANISM

psexec.py enumerates the target's shares and copies its RemComSvc service binary into the first one it can write to, normally `ADMIN$` (falling back to `C$` or another writable share). The file name is eight random letters plus `.exe` unless -remote-binary-name is given. It then binds to the Service Control Manager over the `\svcctl` named pipe and creates a demand-start service, named with four random letters unless -service-name is given, whose image path is `%systemroot%\<name>.exe` for `ADMIN$` or `\\<host>\<share>\<name>.exe` otherwise. Starting the service launches RemComSvc as SYSTEM; psexec.py connects to its `RemCom_communicaton` control pipe (the misspelling is in the original RemCom source) and to per-stream `RemCom_stdin`/`RemCom_stdout`/`RemCom_stderr` pipes to send the command and receive its output. When the command finishes or the shell is closed, the tool stops and deletes the service and removes the uploaded binary. The artifacts are therefore short-lived on disk and in the service list, but not absent: the service installation is logged (System event 7045, and Security 4697 if audited), and the pipe creation and the uploaded executable are visible to endpoint telemetry while they exist.
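The detection side of the mechanism just described (and of the AV/EDR caveat above), as an added example that is not Impacket's or Microsoft's code: it runs simple rules over event records for the artifacts psexec.py leaves, namely a 4-letter service name with an 8-letter `.exe`, a demand-start service binary sitting in the root of an administrative share, and a `RemCom_*` named pipe. The records are constructed here as Python dicts whose keys are simplified stand-ins for the fields of System event 7045 and Sysmon event 17; parsing real EVTX/XML is out of scope. The default naming and pipe names come from Impacket's serviceinstall.py and the RemComSvc binary; the host names, PIDs and file names in the sample are invented.

```python
"""Flag psexec.py-style artifacts in Windows event records.

Added example, not Impacket code. The records below are constructed to
carry (simplified) fields of System event 7045 (service installed) and
Sysmon event 17 (named pipe created); parsing real EVTX/XML is out of scope.
"""
import re
from typing import Dict, List

# psexec.py (impacket/examples/serviceinstall.py) uses a 4-letter random
# service name and an 8-letter random <name>.exe unless -service-name /
# -remote-binary-name override them, and registers the binary as
# %systemroot%\<name>.exe when ADMIN$ is writable, else \\HOST\SHARE\<name>.exe.
RANDOM_SERVICE = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY = re.compile(r"^[A-Za-z]{8}\.exe$")
# A binary directly in the root of an admin share: exactly one path component.
SHARE_ROOT = re.compile(r"^(%systemroot%|\\\\[^\\]+\\(admin\$|[a-z]\$))\\[^\\]+$", re.IGNORECASE)
# RemComSvc creates RemCom_communicaton (sic) plus RemCom_std{in,out,err}<host><pid>.
REMCOM_PIPE = re.compile(r"^\\RemCom_", re.IGNORECASE)

REASON_DEFAULT_NAMES = "4-letter service name with 8-letter .exe (psexec.py default naming)"
REASON_SHARE_ROOT = "demand-start service binary in the root of an administrative share"
REASON_REMCOM_PIPE = "RemCom_* named pipe created (RemComSvc control/stream pipe)"


def check_7045(ev: Dict[str, str]) -> List[str]:
    """Rules for a 'service installed' record."""
    reasons = []
    image = ev.get("ImagePath", "")
    binary = image.replace("/", "\\").rsplit("\\", 1)[-1]
    if RANDOM_SERVICE.match(ev.get("ServiceName", "")) and RANDOM_BINARY.match(binary):
        reasons.append(REASON_DEFAULT_NAMES)
    if SHARE_ROOT.match(image) and ev.get("StartType", "").lower() == "demand start":
        reasons.append(REASON_SHARE_ROOT)
    return reasons


def check_17(ev: Dict[str, str]) -> List[str]:
    """Rule for a Sysmon 'pipe created' record; fires even when names were customised."""
    return [REASON_REMCOM_PIPE] if REMCOM_PIPE.match(ev.get("PipeName", "")) else []


CHECKS = {7045: check_7045, 17: check_17}


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per record that triggers at least one rule."""
    findings = []
    for ev in events:
        reasons = CHECKS.get(ev.get("EventID"), lambda _ev: [])(ev)
        if reasons:
            findings.append({"RecordId": ev["RecordId"], "Computer": ev["Computer"],
                             "EventID": ev["EventID"], "reasons": reasons})
    return findings


def hosts_hit(findings: List[Dict]) -> Dict[str, set]:
    """Host -> set of rules fired. A host with both a service rule and the pipe rule is the strongest signal."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f["Computer"], set()).update(f["reasons"])
    return out


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # Legitimate 4-letter service: binary name and path do not match, so nothing fires.
    {"RecordId": 1, "EventID": 7045, "Computer": "WS01", "ServiceName": "Dhcp",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
     "StartType": "auto start", "AccountName": r"NT AUTHORITY\LocalService"},
    # psexec.py with default names via ADMIN$.
    {"RecordId": 2, "EventID": 7045, "Computer": "WS01", "ServiceName": "xkQz",
     "ImagePath": r"%systemroot%\TrqCdzGa.exe", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"RecordId": 3, "EventID": 17, "Computer": "WS01", "PipeName": r"\RemCom_communicaton",
     "Image": r"C:\Windows\TrqCdzGa.exe"},
    {"RecordId": 4, "EventID": 17, "Computer": "WS01", "PipeName": r"\RemCom_stdoutWS011234",
     "Image": r"C:\Windows\TrqCdzGa.exe"},
    # Operator used -service-name/-remote-binary-name and landed on C$: the naming rule
    # misses, but the share-root and pipe rules still fire.
    {"RecordId": 5, "EventID": 7045, "Computer": "WS02", "ServiceName": "WinUpdateSvc",
     "ImagePath": r"\\WS02\C$\updater.exe", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"RecordId": 6, "EventID": 17, "Computer": "WS02", "PipeName": r"\RemCom_communicaton",
     "Image": r"C:\updater.exe"},
    {"RecordId": 7, "EventID": 17, "Computer": "WS02", "PipeName": r"\lsass",
     "Image": r"C:\Windows\system32\lsass.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["Computer"], f["EventID"], f["RecordId"], "; ".join(f["reasons"]))
```

The pipe rule is the one to rely on: it survives `-service-name` and `-remote-binary-name`, and only `-file` with a rebuilt service binary that uses different pipe names avoids it, at which point the 7045 record is still written.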

HISTORY

psexec.py is a key component of the Impacket library, which was developed by Core Security Technologies (now Fortra) and later became an open-source project. Impacket is a collection of Python classes that focus on providing programmatic access to network protocols, particularly those used in Microsoft Windows environments (SMB, MSRPC, Kerberos, etc.). psexec.py specifically emerged as a Python-based alternative to Microsoft's original PsExec utility, offering cross-platform compatibility and greater flexibility for security professionals to script and automate tasks, especially in penetration testing and red teaming scenarios. Its development has mirrored the increasing need for reliable remote execution capabilities in environments where traditional tools might be blocked or less versatile.

SEE ALSO

smbclient(1), rpcclient(1), wmiexec.py(1), smbexec.py(1), winexe
