smbexec.py

smbexec.py can be used to execute commands on a remote Windows target by creating and running a temporary service over SMB. It provides a semi-interactive shell similar to wmiexec.py and dcomexec.py, but the execution mechanism relies on the Windows Service Control Manager (SCM).

Required privileges

Commons

It has the following generic command line arguments, similar to other Impacket tools:

  • required positional argument: [[domain/]username[:password]@]<targetName or address> Examples:

  • -hashes: the LM and/or NT hash to use for a pass-the-hash. Format: [LMhash]:NThash (LM optional, NT must be prefixed with :).

  • -aesKey: AES128/256 key for pass-the-key authentication (Kerberos).

  • -k: use Kerberos authentication (via a Ccache if KRB5CCNAME is set).

  • -no-pass: required when no password is provided or when using -k.

  • -dc-ip: IP address of the domain controller to use instead of DNS.

  • -debug: enables verbose debugging output.

Specificities

smbexec.py introduces some options specific to the service-based execution model:

  • -codec: sets the Windows output encoding (default: latin-1). Useful for Unicode output on non-English systems.

  • -service-name: specify a custom service name instead of a random one.

  • -shell-type: either cmd (default) or powershell.

  • -keytab: authenticate using Kerberos keys from a KEYTAB file.

  • -share: share from which the command output is read (default: C$).

  • -mode: controls how command output is retrieved.

    • SHARE (default): use the existing share specified with -share on the target (e.g. C$, ADMIN$) to store and read command output.

    • SERVER: start a local SMB server on the attacking host and have the target connect back to it to deliver command output.
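The execution model described above leaves a trail a defender can look for: installing a temporary service writes Event ID 7045 ("A service was installed in the system") to the Windows System log, and with -shell-type cmd or powershell the service's image path is a command interpreter rather than a service binary, with its output redirected to a share such as C$ (on the target in SHARE mode, on the attacking host in SERVER mode). The following is an added detection example, not code from the original page or from Impacket. It parses constructed, flattened 7045 lines and scores them with heuristics derived from the options documented above. The field names (EventID, ServiceName, ImagePath), the sample service names and command lines are constructed, and the scoring weights and threshold are assumptions to tune against real logs.

```python
import re
from typing import List, Optional

# Constructed sample System-log events (Event ID 7045, "A service was installed
# in the system"), flattened to one key=value line each. These are made-up
# samples for the example, not captures from a real host.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=sEyQpXzT ImagePath="%COMSPEC% /Q /c whoami > \\127.0.0.1\C$\__out 2>&1" StartType=demand',
    r'EventID=7045 ServiceName=customsvc ImagePath="powershell.exe -c Get-Process > \\10.0.0.5\ADMIN$\o.txt" StartType=demand',
    r'EventID=7045 ServiceName=MyBackupAgent ImagePath="C:\Program Files\Backup\agent.exe --service" StartType=auto',
    r'EventID=7045 ServiceName=Spooler2 ImagePath="C:\Windows\System32\svchost.exe -k print" StartType=auto',
    r'EventID=7036 ServiceName=sEyQpXzT State=running',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Image path starts a command interpreter (what -shell-type cmd / powershell produces).
SHELL_RE = re.compile(r'%COMSPEC%|\bcmd(?:\.exe)?\b|\bpowershell(?:\.exe)?\b', re.IGNORECASE)
# UNC path to an administrative share (C$, ADMIN$, ...). With -mode SHARE the host is
# the target itself (loopback); with -mode SERVER it is the attacking host.
ADMIN_SHARE_RE = re.compile(r'\\\\[^\\\s]+\\(?:[A-Za-z]\$|ADMIN\$)\\', re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


def parse_event(line: str) -> dict:
    """Split a flattened key=value event line into a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def looks_random(name: str) -> bool:
    """Weak signal: a short mixed-case, letters-only name with few vowels, as a
    randomly generated service name (no -service-name given) tends to be."""
    if not re.fullmatch(r'(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{6,12}', name):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    return vowel_ratio < 0.3


def analyse_event(event: dict) -> Optional[dict]:
    """Score one parsed event; returns None for events that are not 7045.
    Weights are assumptions for this example, not a published rule."""
    if event.get("EventID") != "7045":
        return None
    path = event.get("ImagePath", "")
    name = event.get("ServiceName", "")
    score, reasons = 0, []
    if SHELL_RE.search(path):
        score += 1
        reasons.append("image path is a command interpreter, not a service binary")
    if ADMIN_SHARE_RE.search(path):
        score += 2
        reasons.append("command line references an administrative share over UNC")
    if ">" in path:
        score += 1
        reasons.append("output is redirected to a file")
    if looks_random(name):
        score += 1
        reasons.append("service name looks randomly generated")
    return {"service": name, "image_path": path, "score": score, "reasons": reasons}


def find_suspicious(lines: List[str], threshold: int = 3) -> List[dict]:
    """Return scored 7045 events at or above the (assumed) threshold."""
    hits = []
    for line in lines:
        result = analyse_event(parse_event(line))
        if result is not None and result["score"] >= threshold:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f'{hit["service"]}: score={hit["score"]} reasons={hit["reasons"]}')
```

Run against the constructed samples, the two interpreter-backed services writing to an admin share are flagged and the two ordinary service installs are not. The same heuristics apply to Security-log Event ID 4697 where "Audit Security System Extension" is enabled, and the UNC-host check is what separates SHARE mode (loopback or the target's own name) from SERVER mode (an outbound SMB connection to another host, which is also visible in network telemetry).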
