SMBExec
Last updated
Administrator rights on the target machine are mandatory.
SMBExec is part of the Impacket collection. It executes commands on a remote system without downloading a service binary to the target, which makes it stealthier than psexec.
By default, it creates a service named "BTOBTO". The name can be changed in smbexec.py under the variable SERVICE_NAME=..., or entered as a command line parameter to smbexec.py.
For each given command, smbexec transfers the command from the attacker's machine to the target machine via SMB in the form of a batch file at %TEMP%\execute.bat.
A new service named "BTOBTO" is created; its command line copies the command to execute into the batch script and redirects stdout and stderr to a temp file. It then executes the .bat script and deletes it.
The Python script then extracts the output file via SMB and displays its content in our "pseudo-shell".
For each command we type in this shell, a new service is created, and the process is repeated. Hence, there is no need to drop a binary onto the victim machine's disk.
The service is launched with the highest possible privileges, including NT\System privileges, which is why this "pseudo-shell" is opened as NT\System.
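The mechanics above (a service whose command line writes a batch file into %TEMP%, redirects output to a file fetched back over SMB, then deletes the script) are exactly what a defender can look for in Windows System log Event ID 7045 ("A service was installed in the system"). The following is an added example and not Impacket's own code: it scans constructed 7045 records (plain dicts, since real events would come from a SIEM or Get-WinEvent) and scores each on those traits rather than on the service name, because BTOBTO is only Impacket's default and is trivially changed with the parameter the page mentions. The sample ImagePath strings are constructed to mirror the page's description.

```python
"""
Detection helper for smbexec-style service installs (added example, not part
of Impacket). Input records are constructed inline to stand in for Windows
System log Event ID 7045 entries; the fields used are ServiceName, ImagePath
and RecordId.
"""
import re
from dataclasses import dataclass, field

# Impacket's default service name per the page; operator-changeable, so only a
# weak, secondary indicator that never contributes to the score.
DEFAULT_SERVICE_NAME = "BTOBTO"

# (label, case-insensitive regex applied to the service ImagePath). Each one
# maps to a trait the page describes; the score is the number that match.
INDICATORS = [
    ("batch file dropped in %TEMP%", r"%TEMP%\\execute\.bat"),
    ("stdout/stderr redirected to a file", r"2\^?>\^?&1"),
    ("output written to an admin share (UNC path)", r"\\\\[^\\\s]+\\[a-z]\$\\"),
    ("batch file deleted after execution", r"\bdel\s+%TEMP%\\"),
]

# Constructed 7045 records. 101 and 103 imitate an smbexec service install;
# 103 uses a renamed service to show why the name alone is not enough.
SAMPLE_7045 = [
    {"RecordId": 101, "ServiceName": "BTOBTO", "AccountName": "LocalSystem",
     "ImagePath": r'%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 '
                  r'> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    {"RecordId": 102, "ServiceName": "Spooler", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"RecordId": 103, "ServiceName": "WinUpdateHelper", "AccountName": "LocalSystem",
     "ImagePath": r'%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 '
                  r'> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
]


@dataclass
class Finding:
    record_id: int
    service_name: str
    matched: list = field(default_factory=list)  # labels of matched indicators
    score: int = 0                               # count of ImagePath indicators

    @property
    def suspicious(self) -> bool:
        # Two independent traits of the page's execution chain is the threshold;
        # a lone %TEMP% batch file is common enough in legitimate installers.
        return self.score >= 2


def analyze(record: dict) -> Finding:
    """Score one 7045 record against the smbexec traits."""
    image = record.get("ImagePath", "")
    finding = Finding(record["RecordId"], record.get("ServiceName", ""))
    for label, pattern in INDICATORS:
        if re.search(pattern, image, re.IGNORECASE):
            finding.matched.append(label)
    finding.score = len(finding.matched)
    if finding.service_name.upper() == DEFAULT_SERVICE_NAME:
        finding.matched.append("default Impacket service name")  # informational only
    return finding


def scan(records) -> list:
    """Return the findings that cross the suspicion threshold, in input order."""
    return [f for f in map(analyze, records) if f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_7045):
        print(f"record {f.record_id}: service '{f.service_name}' score={f.score}")
        for label in f.matched:
            print(f"    - {label}")
```

Record 103 is flagged with the same score as 101 even though its service name was changed, which is the point: the command-line shape of the install, not the BTOBTO default, is the durable indicator. The 7045 event is written on the target, so this only helps if service-install events are forwarded to central collection; correlating the event with an SMB session to the admin share from the same source over the same window tightens the match further.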