Psexec.py is a clone of the Sysinternals psexec executable, but works slightly differently from the original. The tool creates a remote service by uploading a randomly-named executable to the ADMIN$ share on the target host. It then registers the service via RPC and the Windows Service Control Manager. Once established, communication happens over a named pipe, providing an interactive remote shell as SYSTEM on the victim host.
Wmiexec.py utilizes a semi-interactive shell where commands are executed through Windows Management Instrumentation. It does not drop any files or executables on the target host and generates fewer logs than other modules. After connecting, it runs as the local admin user we connected with (this can be less obvious to someone hunting for an intrusion than seeing SYSTEM executing many commands). This is a more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems. We will use the same account as with psexec.py to access the host.
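The psexec.py behaviour described above leaves a distinctive footprint that wmiexec.py does not: a service-installed event (System log Event ID 7045) whose binary sits directly in the ADMIN$ root (%SystemRoot%) under a random-looking name, running as LocalSystem. The triage logic below is an added example for defenders, not part of the original notes or of Impacket; the event records and the field names (EventID, ServiceName, ImagePath, AccountName) are constructed to resemble what a SIEM would export.

```python
"""Flag Event ID 7045 (service installed) records that match the psexec.py pattern:
a freshly dropped executable in the ADMIN$ share root (%SystemRoot%) registered as a
LocalSystem service under a random-looking name. All sample records are constructed."""
import re

# Constructed sample records in the shape a SIEM might export (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "VendorAgentSvc",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "hTKbWqLp",
     "ImagePath": r"%SystemRoot%\sZqBgXnW.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "mysql",
     "ImagePath": r"C:\mysql\bin\mysqld.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "AccountName": ""},
]

# An .exe placed straight into the ADMIN$ root, i.e. %SystemRoot% (assumed C:\Windows).
ADMIN_SHARE_ROOT = re.compile(r"^(?:%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)

def case_flip_ratio(name):
    """Fraction of adjacent letter pairs that switch case; random mixed-case strings
    flip often, while human-chosen CamelCase or lowercase names rarely do."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return flips / (len(letters) - 1)

def psexec_like_reasons(event):
    """Return the list of indicators the event matches (empty list = not suspicious)."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    path = event.get("ImagePath", "").strip('"')
    if ADMIN_SHARE_ROOT.match(path):
        reasons.append("service binary sits directly in the ADMIN$ (%SystemRoot%) root")
    name = event.get("ServiceName", "")
    if name.isalpha() and case_flip_ratio(name) >= 0.5:
        reasons.append("service name is random-looking mixed-case letters")
    if reasons and event.get("AccountName") == "LocalSystem":
        reasons.append("runs as LocalSystem")
    return reasons

def triage(events):
    """Map each suspicious ServiceName to the indicators it triggered."""
    return {e["ServiceName"]: r for e in events if (r := psexec_like_reasons(e))}

if __name__ == "__main__":
    for svc, why in triage(SAMPLE_EVENTS).items():
        print(f"[!] {svc}: " + "; ".join(why))
```

Because wmiexec.py drops no binary and registers no service, this rule does not see it; correlating WMI process creations (parent WmiPrvSE.exe) is the complementary check for that module.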
smbserver.py - local SMB server
Set up SMB server - Kali
/opt/tools/impacket/examples/smbserver.py -smb2support -username $USER -password $PASS public .
# /opt/tools/impacket/examples/smbserver.py -smb2support -username 'thm' -password 'Passw0rd!' public .
# /opt/tools/impacket/examples/smbserver.py -smb2support -username 'htb-student' -password 'Academy_student_AD!' public .