Resources
• By kylemistele : https://kylemistele.medium.com/impacket-deep-dives-vol-1-command-execution-abb0144a351d
• By misthi0s : https://misthi0s.dev/posts/2023-03-08-hunting-impacket-rce-tools/
• By u0041 : https://u0041.co/posts/articals/smbexec-analysis/ // https://u0041.co/posts/articals/atexec-analysis/
• By snapattack : https://www.snapattack.com/hunting-impacket-part-1/ // https://www.snapattack.com/hunting-impacket-part-2/
• By synacktiv : https://www.synacktiv.com/en/publications/traces-of-windows-remote-command-execution
• By habr : https://habr.com/en/companies/rvision/articles/728838/ // https://habr.com/en/companies/rvision/articles/738518/
• By hackingarticles : https://www.hackingarticles.in/impacket-guide-smb-msrpc/
• By misthi0s (archived copy) : https://web.archive.org/web/20240612162248/https://misthi0s.dev/posts/2023-03-08-hunting-impacket-rce-tools/
• By 0xdf : https://0xdf.gitlab.io/2020/01/26/digging-into-psexec-with-htb-nest.html
• By sensepost : https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory/
• By bloggingforlogging : https://www.bloggingforlogging.com/2018/03/12/introducing-psexec-for-python/
• By neil-fox : https://neil-fox.github.io/Impacket-usage-&-detection/
Cheat sheet
• By shentoushi : https://book.shentoushi.top/Intranet_Penetration/impacket.html
• By haax : https://cheatsheet.haax.fr/windows-systems/exploitation/impacket/
Extensions
• Psexecsvc : https://github.com/sensepost/susinternals
Notes
impacket-psexec
- Psexec creates a remote service: it uploads a randomly-named executable to the hidden Windows ADMIN$ share (C:\Windows), registers a service for that binary via MSRPC against the Service Control Manager (the svcctl interface), and then talks to the running service over a named pipe.
- Psexec requires credentials for a user with local administrator privileges, since both writing to the ADMIN$ share and creating a service require admin rights.
- Once you successfully authenticate, it drops you into an NT AUTHORITY\SYSTEM shell, because the shell is served by the service itself.
- Since Psexec is a commonly used tool and is easy to detect (a freshly written executable in ADMIN$ followed by a new service pointing at it), it will often get caught by antivirus.
- Sysinternals PsExec with explicit -u/-p credentials sidesteps the double-hop problem because the credentials are passed with the command and PSEXESVC performs an interactive logon (Type 2) on the target. impacket-psexec authenticates over SMB instead, which shows up on the target as a network logon (Type 3); the shell is still SYSTEM because it runs inside the service.
impacket-dcomexec
- Dcomexec executes a semi-interactive shell with DCOM.
- Dcomexec.py uses the Distributed Component Object Model (DCOM) to execute commands. → https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/4a893f3d-bd29-48cd-9f43-d9777a4415b0
- Dcomexec instantiates a DCOM object that is reachable over the network with admin credentials and exposes a method that runs a command. dcomexec.py supports three such objects (selected with -object): ShellWindows (the default), ShellBrowserWindow and MMC20. The MMC20.Application object runs arbitrary commands through its Document.ActiveView.ExecuteShellCommand method; the two Shell* objects use Document.Application.ShellExecute. Command output is redirected to a file on ADMIN$ and read back over SMB, as wmiexec does.
impacket-smbexec
- Smbexec does not give you an interactive shell.
- smbexec creates a batch file for each command that you run, then creates a service (default name BTOBTO) whose binary path is a cmd.exe one-liner that writes the batch file and runs it; no executable is uploaded.
- The batch file redirects STDOUT and STDERR to a temporary file on a readable SMB share (by default C$ on the target; with -mode SERVER, a share hosted on your attacking host instead), and smbexec then pulls the contents of that file into your smbexec “shell”.
- This generates a lot of Windows event logs, since a service is created and deleted for every command you run, but it still tends to be detected less frequently than psexec.
- Executable path : %TEMP%\execute.bat, which is C:\Windows\Temp\execute.bat for the SYSTEM service
- Result path : \\127.0.0.1\C$\__output, i.e. C:\__output
impacket-wmiexec
- Wmiexec doesn’t give you an interactive shell, but it tends to fly lower under the radar since it doesn’t generate lots of windows event logs about services being created.
- Wmiexec runs commands as the authenticated local administrator, rather than NT AUTHORITY\SYSTEM .
- Wmiexec uses the Windows Management Instrumentation and DCOM to create a windows process to run commands.
- Like some of the above methods, it writes the output to a temporary file on an SMB share (ADMIN$ by default, so C:\Windows\__<timestamp>), then retrieves the output over SMB and deletes the file.
impacket-atexec
- atexec doesn’t give you a shell at all. Rather, it allows you to execute one command or one-liner as NT AUTHORITY\SYSTEM and sends the output back to you.
- Atexec connects to the target host over MSRPC and uses the Task Scheduler service (ITaskSchedulerService, over the atsvc named pipe) to register a task with a random name.
- The task uses cmd.exe to run the command and redirects STDOUT and STDERR to a temporary .tmp file under %windir%\Temp, which is reachable over SMB as ADMIN$\Temp.
- Atexec runs the task, then deletes it. Finally, it connects to the ADMIN$ share over SMB, retrieves the output file, and deletes it.
- Tasks dir : C:\Windows\System32\Tasks (the registered task's XML lives here for as long as the task exists)
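As an added example, not code from Impacket or from any of the write-ups linked above, the script below turns the on-host artifacts described in the psexec, smbexec, wmiexec, dcomexec and atexec notes into hunting rules and runs them over constructed sample events. It assumes events have already been flattened to a few named fields (EventID, ServiceName, ImagePath, ParentProcessName, CommandLine, TaskName, TaskContent); real EVTX/XML records need parsing into that shape first. Every sample value, including the random service, binary, task and file names, is made up, and the 4-8 letter length used to spot psexec's dropped binary is a heuristic, not something the tool guarantees.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample events (not real logs), flattened to the fields a SIEM
# would expose. EventIDs used: 7045 = service installed (System log),
# 4688 = process creation with command-line auditing (Security),
# 4698 = scheduled task created (Security). All names and values are made up.
SAMPLE_EVENTS: List[Event] = [
    # psexec.py: short random-letter service name, random-letter binary in ADMIN$
    {"EventID": 7045, "ServiceName": "bRQm",
     "ImagePath": r"%SystemRoot%\kYHdvRoT.exe"},
    # smbexec.py: default service name, a cmd.exe one-liner as the "binary"
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > "
                  r"%TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # wmiexec.py: cmd spawned by the WMI provider host, output to ADMIN$\__<timestamp>
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    # dcomexec.py with MMC20: same output file pattern, but the parent is mmc.exe
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000001.34 2>&1"},
    # atexec.py: random task name, cmd.exe redirecting into %windir%\Temp\<random>.tmp
    {"EventID": 4698, "TaskName": r"\TqLkXnWd",
     "TaskContent": r"<Command>cmd.exe</Command><Arguments>/C whoami &gt; "
                    r"%windir%\Temp\ZrPcMvQa.tmp 2&gt;&amp;1</Arguments>"},
    # Benign controls that must not fire
    {"EventID": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c whoami"},
]

# psexec.py drops <random letters>.exe directly under ADMIN$ (%SystemRoot%).
# The 4-8 letter range is a heuristic: an all-alpha binary at the root of
# C:\Windows is rare enough to be worth a look, but the tool can be told
# to use other names.
PSEXEC_IMAGE = re.compile(r"^(?:%systemroot%|c:\\windows)\\[a-z]{4,8}\.exe$", re.I)
# wmiexec.py and dcomexec.py redirect output to \\127.0.0.1\ADMIN$\__<unix time>.
LOOPBACK_ADMIN_OUTPUT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__[\d.]+\s+2>&1", re.I)
# atexec.py redirects into %windir%\Temp\<random>.tmp (fetched as ADMIN$\Temp).
ATEXEC_OUTPUT = re.compile(r"%windir%\\Temp\\[a-z]+\.tmp", re.I)
# MMC20 runs the command under mmc.exe; ShellWindows/ShellBrowserWindow under explorer.exe.
DCOM_PARENTS = ("mmc.exe", "explorer.exe")


def classify(evt: Event) -> List[str]:
    """Return the impacket tool(s) whose artifacts this single event matches."""
    tags: List[str] = []
    eid = evt.get("EventID")
    if eid == 7045:
        image = str(evt.get("ImagePath", ""))
        if PSEXEC_IMAGE.match(image):
            tags.append("psexec")
        low = image.lower()
        if "execute.bat" in low and "__output" in low:
            tags.append("smbexec")
    elif eid == 4688:
        parent = str(evt.get("ParentProcessName", "")).lower().rsplit("\\", 1)[-1]
        cmdline = str(evt.get("CommandLine", ""))
        # The redirect alone is the strong signal; the parent tells the tools apart.
        if LOOPBACK_ADMIN_OUTPUT.search(cmdline):
            if parent == "wmiprvse.exe":
                tags.append("wmiexec")
            elif parent in DCOM_PARENTS:
                tags.append("dcomexec")
    elif eid == 4698:
        content = str(evt.get("TaskContent", ""))
        if "<Command>cmd.exe</Command>" in content and ATEXEC_OUTPUT.search(content):
            tags.append("atexec")
    return tags


def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """Run classify() over a batch; returns (event index, tool) pairs in order."""
    return [(i, tag) for i, evt in enumerate(events) for tag in classify(evt)]


if __name__ == "__main__":
    for idx, tool in hunt(SAMPLE_EVENTS):
        evt = SAMPLE_EVENTS[idx]
        print(f"event #{idx} (EventID {evt['EventID']}): looks like impacket {tool}")
```

The rules key on what the tools write, not on how they authenticate, so they also fire when the operator comes in with Kerberos or a pass-the-hash logon. They are still brittle by design: psexec.py and smbexec.py let the operator override the service and binary names, and anything that rewrites the output redirect (a forked wmiexec, for instance) slips past the loopback ADMIN$ pattern, so treat these as a starting point and pair them with the 4624 Type 3 logon and 5145 share-access events the same sessions produce.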