Administrator rights on the target machine are mandatory.

SMBExec is part of the Impacket collection. It executes commands on a remote system by:

  • Not downloading service binaries to the target (stealthier than psexec).

  • By default, it creates a service named "BTOBTO". The name can be changed in under the variable SERVICE_NAME=..., or entered as a command line parameter to

  • For each given command, smbexec transfers the commands from the attacker's machine to the target machine via SMB in the form of a batch file in %TEMP%/execute.bat.

  • A new service named "BTOBO" is created, copying the command to execute into a batch script, and redirecting the output to stdout and stderror to a Temp file. It then executes the .bat script and deletes it.

  • The Python script then extracts the output file via SMB and displays its content in our "pseudo-shell".

For each command we type in this shell, a new service is created, and the process is repeated. Hence, there is no need to drop a binary onto the victim machine's disk.

The service is launched with the highest possible privileges, including NT\System privileges, which is why this "pseudo-shell" is opened as NT\System.



Last updated