# SMBExec

{% hint style="warning" %}
Administrator rights on the target machine are mandatory.
{% endhint %}

SMBExec is part of the Impacket collection. It executes commands on a remote system as follows:

* It does not upload a service binary to the target, which makes it stealthier than psexec.
* By default it creates a service named "BTOBTO". The name can be changed in smbexec.py under the variable `SERVICE_NAME=...`, or passed as a command line parameter to smbexec.py.
* For each command given, smbexec transfers the command from the attacker's machine to the target over SMB in the form of a batch file at `%TEMP%\execute.bat`.
* The new "BTOBTO" service copies the command to execute into that batch script, redirecting stdout and stderr to a temp file. It then runs the .bat script and deletes it.
* The Python script then retrieves the output file over SMB and displays its contents in our "pseudo-shell".

For each command we type in this shell, a new service is created and the process repeats. Hence there is no need to drop a binary onto the victim machine's disk.

The service runs with the highest possible privileges, as *NT\System*, which is why this "pseudo-shell" is opened as *NT\System*.

```bash
python3 smbexec.py <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
```
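From the defender's side, the behaviour described above (a freshly installed service whose image path is cmd running a batch file in %TEMP%, with the default name BTOBTO) is what a detection rule keys on. The following is an added example, not part of the original page or of Impacket: it scans simplified Windows System-log "service installed" records (Event ID 7045) for those traits. The sample records are constructed for this example and the exact shape of the ImagePath is an assumption, not a quote of smbexec's real command line.

```python
import re

# Constructed sample records (not real log data): simplified Event ID 7045
# ("A service was installed in the system") entries with the fields the rules use.
# The ImagePath strings are assumed shapes for illustration, not smbexec's real ones.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo dir ^> %TEMP%\out.txt 2^>^&1 > %TEMP%\execute.bat"
                  r" & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # Renamed service (SERVICE_NAME changed): the name rule misses it, the path rules still fire.
    {"EventID": 7045, "ServiceName": "WinUpdSvc",
     "ImagePath": r"%COMSPEC% /Q /c %TEMP%\execute.bat"},
    # Benign service install: a normal executable path, no batch file.
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # Not an install event at all (7036 is a start/stop state change), so it is ignored.
    {"EventID": 7036, "ServiceName": "BTOBTO", "ImagePath": ""},
]

DEFAULT_SERVICE_NAME = "BTOBTO"
# A .bat file located directly under %TEMP%, as smbexec's execute.bat is.
TEMP_BAT = re.compile(r"%TEMP%\\[^\s&]+\.bat", re.IGNORECASE)


def classify_service_install(event):
    """Return the reasons a 7045 record looks like smbexec, or [] if nothing matched."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if name.upper() == DEFAULT_SERVICE_NAME:
        reasons.append("default smbexec service name")
    if "execute.bat" in path.lower():
        reasons.append("smbexec batch file name")
    if "%COMSPEC%" in path.upper() and TEMP_BAT.search(path):
        reasons.append("cmd launching a batch file from %TEMP%")
    return reasons


def scan(events):
    """Return (service name, reasons) for every record that triggered at least one rule."""
    hits = []
    for event in events:
        reasons = classify_service_install(event)
        if reasons:
            hits.append((event["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(f"suspicious service install '{name}': {', '.join(reasons)}")
```

The path-based rules matter more than the name rule, since the page notes the service name is trivially changed while the batch-file-in-%TEMP% mechanism is how the tool works.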

## References

{% embed url="https://book.hacktricks.xyz/windows-hardening/ntlm/smbexec" %}
