Impacket Deep Dives Vol. 1: Command Execution

Shelling a lab machine with Impacket’s Psexec.py

Impacket is a collection of tools built by SecureAuth Corporation for “working with networking protocols”. That is true, but it is so much more than that: Impacket contains dozens of excellent tools for interacting with Windows systems and applications, many of which are ideal for attacking Windows and Active Directory.

In this article, I’m going to cover the utilities Impacket offers for executing commands and getting shells on remote hosts. Many people have used psexec.py, but you might be surprised to learn that Impacket offers nearly half a dozen ways of executing commands on remote hosts. I’m going to cover all of them.

Note: if you’re using password-based authentication, the target argument to all of the Impacket remote-execution tools takes the form DOMAIN/USERNAME:PASSWORD@HOST. If any of these fields contain characters your shell treats specially (the password field is the usual culprit), wrap the whole argument in quotes and escape as necessary.
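
To make the quoting point concrete, here is an added example (not code from the article or from Impacket) that shows what the tool actually receives once the shell has removed the quotes, and how the target string is then split into its fields. The regular expression mirrors the one Impacket’s example scripts use in parse_target() to split [[DOMAIN/]USERNAME[:PASSWORD]@]HOST; verify it against your installed version before relying on it. The credentials and host are constructed values.

```python
import re
import shlex
from typing import Dict, List

# Added example, not part of Impacket or the original article. The pattern
# mirrors the one Impacket's example scripts use in parse_target() to split
# the target argument into [[DOMAIN/]USERNAME[:PASSWORD]@]HOST; check it
# against your installed version before relying on it.
TARGET_RE = re.compile(r"(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)")


def shell_words(command_line: str) -> List[str]:
    """Split a command line the way a POSIX shell would, honouring quotes.
    This is what the tool receives after the shell is done with the line."""
    return shlex.split(command_line)


def split_target(target: str) -> Dict[str, str]:
    """Split a DOMAIN/USERNAME:PASSWORD@HOST string into its fields.
    Fields that are absent come back as empty strings; an empty password
    is what makes the Impacket examples fall back to prompting for it."""
    domain, username, password, host = TARGET_RE.match(target).groups("")
    return {"domain": domain, "username": username, "password": password, "host": host}


if __name__ == "__main__":
    # Constructed values: single quotes keep ':' and '!' away from the shell.
    words = shell_words("psexec.py 'CORP/admin:S3cret:pw!@10.0.0.5'")
    print(words[1])                # the target string arrives intact
    print(split_target(words[1]))  # password 'S3cret:pw!', host '10.0.0.5'

    # Quoting cannot rescue an '@' inside the password: the first '@' is taken
    # as the separator and the host field ends up wrong. Omit the password
    # (CORP/admin@10.0.0.5) and let the tool prompt for it instead.
    print(split_target("CORP/admin:P@ss@10.0.0.5"))
    print(split_target("CORP/admin@10.0.0.5"))
```

The second case is the one worth remembering: a colon in the password is fine because the password field runs up to the last character before the first “@”, but an “@” in the password cannot be quoted around, since quoting only protects the string from the shell, not from the tool’s own parser.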

In this article, I will not be covering authentication with hashes and Kerberos tickets, but keep an eye out for an article on that in the near future!

Psexec.py

How it works

Using Psexec.py

Using psexec.py to get a SYSTEM shell on a Windows host with credentials

Once you’re done, make sure to leave with the exit command instead of Ctrl+C, and the tool will clean up the executable and service it created. If you interrupt it instead, both are left behind on the target.

Other cool features

Uploading Invoke-Mimikatz.ps1 with Psexec.py

Since psexec.py is a commonly used tool and is easy to detect, it is often caught by antivirus, including Windows Defender. Fortunately, Impacket has several other remote-execution tools, some of which fly a little lower under the radar.

Dcomexec.py

How it works

Using Dcomexec.py

Smbexec.py

How it works

Using Smbexec.py

Getting a semi-interactive NT AUTHORITY\SYSTEM shell with Smbexec.py

Unlike psexec.py, smbexec.py has no built-in utilities for uploading and downloading files. Additionally, because its shell is only semi-interactive, be careful which commands you run and how you run them: if you need PowerShell, build one-liners, otherwise smbexec.py will hang.
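
Both psexec.py (which installs a service and drops an executable that it later removes, as noted above) and smbexec.py run commands through a service installed on the target, so Windows records each install in the System log as Event ID 7045 (“A service was installed in the system”). The following is an added example, not code from the article or from Impacket, of a triage pass over such records from the defender’s side. It flags a service whose executable sits directly in the Windows directory (the root of the ADMIN$ share, where psexec.py places its binary) and a service whose “binary” is really a command shell redirecting its output to a UNC path (the shape of the per-command service smbexec.py creates). The sample events are constructed: the service names and paths are made up, and the exact command strings vary between Impacket versions.

```python
import re
from typing import Dict, List

# Constructed sample records, shaped like Windows System log Event ID 7045
# ("A service was installed in the system") after export to JSON by a log
# collector. These are not real logs: names and paths are made up to resemble
# the patterns described in the lead-in.
SAMPLE_EVENTS: List[Dict] = [
    # Ordinary Windows service living under System32: should not be flagged.
    {"EventID": 7045, "ServiceName": "Example Update Service",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    # Third-party agent in Program Files: should not be flagged.
    {"EventID": 7045, "ServiceName": "VendorAgent",
     "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\""},
    # psexec.py-style install: random-looking name, executable in the Windows root.
    {"EventID": 7045, "ServiceName": "kRxQ",
     "ImagePath": "%SystemRoot%\\tWQpZxLm.exe"},
    # smbexec.py-style install: the "binary" is a shell command writing to a share.
    {"EventID": 7045, "ServiceName": "UpdateHelper",
     "ImagePath": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
                  "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat"},
    # Service state change (Event ID 7036), not an install: ignored.
    {"EventID": 7036, "ServiceName": "kRxQ", "ImagePath": ""},
]

# An ImagePath pointing at an executable directly in the Windows directory
# (the ADMIN$ share root), not in a subdirectory such as System32. Accepts an
# expanded drive path or %SystemRoot%, optionally quoted, with or without args.
_ADMIN_ROOT_EXE = re.compile(
    r'^"?(?:[A-Za-z]:\\Windows|%SystemRoot%)\\[^\\]+\.exe"?(?:\s|$)', re.IGNORECASE)

# A service "binary" that is really cmd.exe / %COMSPEC% with its output
# redirected to a UNC path (\\host\share\...). Real services do not do this.
_SHELL_UNC_REDIRECT = re.compile(
    r'(?:cmd\.exe|%COMSPEC%).*>\s*\\\\[^\\]+\\\S+', re.IGNORECASE)

# Short, purely alphabetic, mixed-case names are a weak signal on their own
# and are only reported alongside one of the stronger path-based signals.
_RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{4,8}$")

REASON_ADMIN_ROOT = "executable dropped directly in the Windows directory (ADMIN$ root)"
REASON_SHELL_UNC = "service binary is a command shell redirecting output to a UNC path"
REASON_RANDOM_NAME = "random-looking service name"


def triage_service_installs(events: List[Dict]) -> List[Dict]:
    """Return the Event ID 7045 records that match the remote-execution
    patterns above, each with the list of reasons it was flagged."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue  # only service-installation events are of interest here
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        reasons = []
        if _ADMIN_ROOT_EXE.search(path):
            reasons.append(REASON_ADMIN_ROOT)
        if _SHELL_UNC_REDIRECT.search(path):
            reasons.append(REASON_SHELL_UNC)
        if reasons and _RANDOM_NAME.match(name):
            reasons.append(REASON_RANDOM_NAME)
        if reasons:
            flagged.append({"ServiceName": name, "ImagePath": path, "Reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_service_installs(SAMPLE_EVENTS):
        print(hit["ServiceName"], "->", "; ".join(hit["Reasons"]))
```

A service install alone is noisy in any environment that deploys software, which is why the check keys on where the binary lives and what it does rather than on the install event itself; pairing these hits with the preceding network logon (Event ID 4624, logon type 3) from the same source gives the account and the origin host.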

Wmiexec.py

How it works

Using wmiexec.py

Running a command with Wmiexec.py

Atexec.py

How it works

Using atexec.py

Using Atexec.py to execute a command

Bonus: Mssqlclient.py and xp_cmdshell

The xp_cmdshell

sp_start_job

Using xp_cmdshell and sp_start_job

mssqlclient.py SQL_USER:SQL_PASS@RHOST
SQL> enable_xp_cmdshell
SQL> disable_xp_cmdshell
SQL> xp_cmdshell SOMECOMMAND
SQL> sp_start_job SOMECOMMAND

It’s really pretty self-explanatory.

Conclusion

It’s worth noting that some of these tools will almost certainly be caught by Windows Defender or other antivirus products, depending on the vendor and how up to date the product is. If one tool gets caught, I recommend trying another until you find one that works (depending on whether you’re trying to be stealthy :) ). In my experience, I’ve had wmiexec.py or smbexec.py slip past Windows Defender where psexec.py got caught.

Did you enjoy this article? Let me know what you think below!

Student, hacker, OSCP
