Overview
impacket-smbexec executes commands on a remote host by creating a temporary Windows service for each command. Unlike psexec, it does not upload any binary to the target. Each command is executed via cmd.exe /Q /c, with output redirected to a file on a writable share. The service is created and deleted per command.
Authentication Methods
| Method | Flag | Example |
|---|---|---|
| Password | (default) | domain/user:password@target |
| NTLM hash | -hashes | -hashes :NT_HASH |
| Kerberos | -k -no-pass | -k -no-pass -dc-ip DC_IP |
| AES key | -aesKey | -aesKey AES256_KEY |
Basic Usage — Interactive Shell
Execute Specific Command
How It Works
- Authenticates to the target via SMB (port 445).
- Connects to the Service Control Manager (SCM) via RPC.
- For each command, creates a new service with a random name.
- The service `binPath` runs `%COMSPEC% /Q /c` to drop a temporary batch file (under `%SYSTEMROOT%`) that executes `<command>` and redirects output to `\\%COMPUTERNAME%\<share>\__output 2>&1`, then deletes it. It does not use `127.0.0.1` or place the command directly in `binPath`.
- Starts the service, which executes the command and writes output to the share.
- Reads the output file over SMB.
- Deletes the output file and the service immediately after.
OPSEC Considerations
| Indicator | Detail |
|---|---|
| Service creation | One per command — created and deleted each time |
| Binary on disk | None — no executable uploaded |
| Temp files | Output written to C$ share (short-lived) |
| Event logs | Service install/delete (7045, 7009) per command |
| Detection | Rapid service create/delete pattern is very distinctive |
| Noise level | High — service churn is easily detected by SIEM rules |
- System Event ID 7045 (new service installed) for every command
- System Event ID 7009 (service timeout) after each execution
- Security Event ID 4624 (network logon type 3)
- Security Event ID 4697 (service installation)
- Temp output files briefly written to `C$`
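The indicators above can be checked mechanically. The following is an added example, not part of this page or of impacket, that runs a simple heuristic over constructed Windows System-log records: it flags 7045 service installs whose ImagePath has the binPath shape described under How It Works, and flags hosts with rapid service-install churn. The record field names, the `__output` filename, the service names and the thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample System-log records (not real telemetry): two 7045 installs on
# WS01 with the smbexec-style binPath, a 7009 timeout, and a benign install on WS02.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "WS01", "event_id": 7045, "service": "ZqWgXTdy",
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\%COMPUTERNAME%\C$\__output 2^>&1 > %SYSTEMROOT%\AbCdEfGh.bat & %COMSPEC% /Q /c %SYSTEMROOT%\AbCdEfGh.bat & del %SYSTEMROOT%\AbCdEfGh.bat"},
    {"time": "2024-05-01T10:00:03", "host": "WS01", "event_id": 7009, "service": "ZqWgXTdy", "image_path": ""},
    {"time": "2024-05-01T10:00:20", "host": "WS01", "event_id": 7045, "service": "pLmNoQrS",
     "image_path": r"%COMSPEC% /Q /c echo ipconfig ^> \\%COMPUTERNAME%\C$\__output 2^>&1 > %SYSTEMROOT%\XyZwVuTs.bat & %COMSPEC% /Q /c %SYSTEMROOT%\XyZwVuTs.bat & del %SYSTEMROOT%\XyZwVuTs.bat"},
    {"time": "2024-05-01T11:30:00", "host": "WS02", "event_id": 7045, "service": "Sysmon64",
     "image_path": r"C:\Windows\Sysmon64.exe"},
]

# Three fragments that together characterise the binPath described in How It Works:
# cmd.exe /Q /c, a batch file under %SYSTEMROOT%, and output redirected to an
# admin share through the local-machine UNC path.
BINPATH_MARKERS = (
    re.compile(r"%COMSPEC%\s+/Q\s+/c", re.IGNORECASE),
    re.compile(r"%SYSTEMROOT%\\\w+\.bat", re.IGNORECASE),
    re.compile(r"\\\\%COMPUTERNAME%\\\w+\$\\__", re.IGNORECASE),
)

def is_smbexec_binpath(image_path):
    """True when every marker is present in a 7045 ImagePath."""
    return all(m.search(image_path) for m in BINPATH_MARKERS)

def detect(events, window_seconds=60, churn_threshold=2):
    """Return alert tuples: one per 7045 whose ImagePath matches, plus one per host
    that reaches churn_threshold service installs inside window_seconds."""
    alerts, installs = [], defaultdict(list)
    for ev in events:
        if ev["event_id"] != 7045:
            continue
        installs[ev["host"]].append(datetime.fromisoformat(ev["time"]))
        if is_smbexec_binpath(ev["image_path"]):
            alerts.append(("smbexec_binpath", ev["host"], ev["service"]))
    window = timedelta(seconds=window_seconds)
    for host, times in installs.items():
        times.sort()
        # Sliding window: any churn_threshold consecutive installs within the window.
        for i in range(len(times) - churn_threshold + 1):
            if times[i + churn_threshold - 1] - times[i] <= window:
                alerts.append(("service_churn", host, len(times)))
                break
    return alerts
```

The binPath match is the higher-confidence signal; the churn rule alone will also fire on legitimate software rollouts, so tune the window and threshold to the environment.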
Pass-the-Hash
Kerberos Authentication
Requires a valid ccache file or keytab.
Specify Share for Output
By default, output goes to `C$`. Use a different share:
When to Use: smbexec vs psexec vs wmiexec
| Feature | psexec | smbexec | wmiexec |
|---|---|---|---|
| Protocol | SMB (445) | SMB (445) | DCOM/WMI (135 + high ports) |
| Binary upload | Yes (RemComSvc) | No | No |
| Service creation | One persistent | One per command | None |
| Shell context | SYSTEM | SYSTEM | Authenticated user |
| OPSEC noise | High | High | Medium |
| Ports required | 445 | 445 | 135 + 445 + dynamic |
| AV/EDR detection | Very likely | Moderate | Lower |
| Output method | Named pipes | File on share | File on share |
| Interactive | Full | Semi | Semi |
- psexec — Need a full interactive SYSTEM shell and stealth is not a concern.
- smbexec — Target blocks DCOM/WMI but allows SMB, and you cannot upload binaries (AV blocking writes to ADMIN$).
- wmiexec — Stealth matters. No service creation, no binary on disk. Best default choice when all ports are available.
Common Errors and Fixes
| Error | Cause | Fix |
|---|---|---|
| STATUS_ACCESS_DENIED | User lacks local admin or SCM access | Verify local admin membership |
| rpc_s_access_denied | Cannot reach Service Control Manager | Check SMB access and admin rights |
| ERROR_SERVICE_REQUEST_TIMEOUT | Command took too long | Service times out — command still runs but output may be lost |
| Connection refused | SMB port 445 blocked | Check firewall |
| KDC_ERR_PREAUTH_FAILED | Wrong password or expired ticket | Verify creds, regenerate ccache |
| SessionError: STATUS_LOGON_FAILURE | Incorrect credentials | Double-check password/hash |
| Empty output | Share not writable or output file deleted by AV | Try -share ADMIN$ or different share |