SMBExec

Administrator rights on the target machine are mandatory.

SMBExec is part of the Impacket collection. It executes commands on a remote system without dropping a service binary onto the target, which makes it stealthier than psexec. It works as follows:

  • By default, it creates a service named "BTOBTO". The name can be changed in smbexec.py under the variable SERVICE_NAME=..., or passed as a command line parameter to smbexec.py.

  • For each command given, smbexec transfers the command from the attacker's machine to the target machine over SMB in the form of a batch file, %TEMP%/execute.bat.

  • A new service named "BTOBTO" is created; its command line writes the command to execute into the batch script, with stdout and stderr redirected to a temp file. The service then runs the .bat script and deletes it.

  • The Python script then retrieves the output file over SMB and displays its content in our "pseudo-shell".

For each command we type in this shell, a new service is created, and the process is repeated. Hence, there is no need to drop a binary onto the victim machine's disk.

The service is launched with the highest possible privileges, i.e. as the local SYSTEM account (NT AUTHORITY\SYSTEM), which is why this "pseudo-shell" runs as SYSTEM.
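The mechanism above leaves a clear trace on the target: every command produces a "service installed" record (System log, Event ID 7045) whose service file name is not a real binary but a cmd.exe one-liner that writes and runs a .bat file under %TEMP%. The following is an added detection example, not code from the page or from Impacket; the ServiceInstallEvent record layout is an assumption standing in for whatever your log pipeline emits, and the sample records are constructed, not real telemetry. It flags both the default "BTOBTO" name and, more usefully, the image-path pattern that survives a renamed service.

```python
"""Flag Windows 'service installed' events (System log, Event ID 7045)
that match the smbexec footprint: a service whose image path is a cmd.exe
one-liner that writes and runs a batch file from %TEMP% with output
redirection. Sample records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Default service name from the page; operators can change it, so the
# image-path checks below matter more than the name check.
DEFAULT_SERVICE_NAME = "BTOBTO"

# A .bat file launched from %TEMP% (either path separator).
BATCH_IN_TEMP = re.compile(r"%TEMP%[\\/]\S*\.bat", re.IGNORECASE)
# cmd.exe (or %COMSPEC%) invoked with /c or /q switches.
CMD_ONELINER = re.compile(r"(cmd\.exe|%COMSPEC%).*(/c|/q)", re.IGNORECASE)
# Any stdout/stderr redirection inside the image path.
REDIRECT = re.compile(r"\d?>>?|2>&1")


@dataclass
class ServiceInstallEvent:
    """Assumed flattened shape of a System log record (hypothetical layout)."""
    event_id: int
    service_name: str
    image_path: str   # "Service File Name" field of Event ID 7045
    account: str      # "Service Account" field of Event ID 7045


def classify(ev):
    """Return the reasons an event looks like smbexec; an empty list means benign."""
    reasons = []
    if ev.event_id != 7045:          # only service-installation events matter
        return reasons
    if ev.service_name.upper() == DEFAULT_SERVICE_NAME:
        reasons.append("default smbexec service name")
    if BATCH_IN_TEMP.search(ev.image_path):
        reasons.append("image path runs a .bat from %TEMP%")
    if CMD_ONELINER.search(ev.image_path) and REDIRECT.search(ev.image_path):
        reasons.append("image path is a cmd.exe one-liner with output redirection")
    return reasons


def suspicious(events):
    """Return (service_name, reasons) for every event that triggers at least one check."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.service_name, reasons))
    return hits


# Constructed sample records: default name, renamed service, a benign
# installer, and a non-7045 event that happens to carry the default name.
SMBEXEC_STYLE_PATH = (r"%COMSPEC% /Q /c echo whoami ^> %TEMP%\__output 2^>^&1 "
                      r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat "
                      r"& del %TEMP%\execute.bat")
SAMPLE_EVENTS = [
    ServiceInstallEvent(7045, "BTOBTO", SMBEXEC_STYLE_PATH, "LocalSystem"),
    ServiceInstallEvent(7045, "UpdateSvc", SMBEXEC_STYLE_PATH, "LocalSystem"),
    ServiceInstallEvent(7045, "MyBackupAgent",
                        r"C:\Program Files\Backup\agent.exe --service", "LocalSystem"),
    ServiceInstallEvent(7036, "BTOBTO", "", "LocalSystem"),
]

if __name__ == "__main__":
    for name, reasons in suspicious(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

Because each command smbexec runs installs a fresh service, a burst of 7045 events with this shape from one host in a short window is itself a strong signal; renaming the service does not remove the batch-file and redirection pattern, which is why the rules are ordered that way.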

python3 smbexec.py <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
