SANS Penetration Testing

Psexec Python Rocks!

[Editor's Note: Last week, we posted an article about the many faces of psexec functionality from Sysinternals, Metasploit, and the Nmap Scripting Engine, with some tips for using it, along with a Penetration Tester's Pledge. Continuing in that vein, Mark Baggett describes another way to do psexec, and to do it very flexibly: via Python. With it, penetration testers and ethical hackers can incorporate psexec functionality into their own code, giving huge new avenues of increased flexibility and automation. Sweet! -Ed.]

By Mark Baggett

Python rocks! PSEXEC rocks! So, what could be better than psexec written in Python? The script is one of many examples of super useful penetration testing scripts that are distributed with the IMPACKET Python module available from Core Labs. Kudos and many thanks to Core Security for their lab tools and the great features of IMPACKET.

After downloading and installing IMPACKET, running the Python version of psexec is pretty intuitive. You provide the script with credentials along with a target, and it does exactly what you would expect it to do. The following image illustrates how you would run cmd.exe on a target with a username of demoadmin and a password of demopass.

Now, you may be saying to yourself, "SO WHAT? I can do that with the psexec tool from Microsoft Sysinternals." You're right. But this is a Python script! That means if I want to use all of that psexec awesomeness in my own programs, all I need to do is import it into my own script, or into the Python shell. Then, I can build features on top of it, and make something even more powerful.

In the next image, you can see that it only requires three lines of code to make use of the psexec feature from within your own script. In the first line, we "import psexec", making all the functionality in the original script available in the shell. In the second line, we create an object called "psobject" of type "PSEXEC". When we create the object, we initialize it with a command (cmd.exe), the path to that program on the remote machine (c:\windows\system32\), the port and protocol (445/SMB), and the login credentials. Because a backslash starts an escape sequence in a Python string literal, each backslash in the path has to be doubled, so (c:\windows\system32\) is written as (c:\\windows\\system32\\). Now, to execute the code, all we have to do is provide psobject with a target IP address. In the third line, we pass the target IP address to psobject's run method.

Running that same command against multiple hosts is just a matter of passing different IP addresses to the run method, so finding targets in a range where these are valid credentials is a trivial process. A simple "for" loop can go through all the targets in a given IP range as follows (psobject is the PSEXEC object created above):

    # Walk every host in 10.10.11.0/24 and hand each address to the run method
    for lastoctet in range(1, 256):
        ip = "10.10.11.%s" % (str(lastoctet))
        psobject.run(ip)

You can also try a list of usernames and passwords on all those same target hosts like this:

Okay, but who uses passwords anymore? More often than not, I'm passing the hash to access a target. That is not a problem here! Instead of setting the "password" parameter, we set the "hashes" parameter, and log in with a hash. Nice!

That is the power of Python, my friends! With an import and a few lines of your own code, you can do some really lethal stuff. You don't have to be a coding expert to create some really great tools by tying together features of already existing, really powerful libraries and modules.

Follow me on twitter : @MarkBaggett
-Mark Baggett


Posted April 29, 2013 at 2:07 PM | Permalink | Reply


Hi and thanks for this excerpt!
First of all I faced a nice little issue with root (cf:
=> Need to export PYTHONPATH=/home/src/impacket ...
Then trying to launch:
# python -path c:\\\\windows\\\\system32\\\\ -hashes ABCEDF1234:ABCDEF1234 cmd.exe Administrator@
Impacket v0.9.9 - Copyright 2002-2012 Core Security Technologies
Trying protocol 445/SMB...
[Errno -2] Name or service not known

Posted April 30, 2013 at 3:35 PM | Permalink | Reply


Send me an email to bethus at and I'll help you out figuring out your problem.

Posted May 30, 2013 at 2:06 PM | Permalink | Reply


Does it work for Linux machines?

Posted June 30, 2013 at 5:44 PM | Permalink | Reply


I also receive
Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies
Trying protocol 445/SMB...
[Errno -2] Name or service not known
Did you guys ever resolve this?
P.S. I am able to access the box via 445/SMB with several other tools.

Posted March 2, 2015 at 9:47 PM | Permalink | Reply


I just checked this out, and it looks great. However, it is still in Python 2.
I changed the print statements to use the function call, and a few of the try/excepts needed to use the "as" statement; however, there are a few other errors like "might be referenced before assignment",
"cannot find letters in",
"unresolved reference kerberosLogin",
and errors like that have me worried about using this in any sort of prod environment.
Beto, do you have a new Python 3 version of this script?

Posted March 26, 2015 at 5:17 AM | Permalink | Reply


Based on the current trunk, the constructor for the PSEXEC class appears to have changed since this example was created. For those that were getting errors, this updated code *should* now work:
import psexec
psobject = psexec.PSEXEC('cmd.exe',
