Ubuntu Documentation
Client Access — Browsing SMB shares
The samba package is a meta-package intended for file and printer sharing servers. Clients do not need it (you are acting as a client if you only need to access files on another computer). For example, installing samba is not necessary if you only need your Ubuntu system to do any of the following:
Access shared folders, drives and printers on a Windows computer (that is, act as a client of Windows servers). For this you only need the cifs-utils package (called smbfs on releases before 12.10). See MountWindowsSharesPermanently for more information.
Have your Windows computer use (via the network) a printer attached to a Linux computer. CUPS can be configured to make the printer available on the network.
Share directories between two Linux computers. Use NFS, or set up an SSH server on one computer and access it from the others with an scp or sftp client, or via Places -> Connect to Server, choosing «SSH» as the service type.
Ubuntu Clients
Ubuntu and Gnome make it easy to access files on a Windows network share. Open the Places Menu, then click on Network. You will see a Windows network icon. Double-click to open it. The next window shows all the domains/workgroups found on your network. Inside each domain/workgroup you will see all the computers on the domain/workgroup with sharing enabled. Double-click on a computer icon to access its shares and files.
If you want to be able to share folders with nautilus (the file browser), install the nautilus-share package (installed by default in Ubuntu 9.10 Desktop edition):
Alternate: From the menu at the top select «Location» -> «Connect to a server». In the «Service type» pull down select «Windows share». Enter the server ip address in the «Server:» box and the share name in the «Share:» box. Click «Connect» and then «Connect» again on the second dialog box
Alternate 12.04: Double clicking on ‘Windows network’ did not work for me. So I went to ‘Go’ menu in the nautilus file browser and clicked ‘Location’. I got an address bar at the top of the window. I entered «smb://192.168.2.148» (substitute the IP address of your Samba server) — I was presented with user/password window — After typing in user/passwd I was able to see the samba shares on the server and browse the files/folders.
Note: The default installation of Samba does not synchronize passwords. You may have to run «smbpasswd» for each user that needs to have access to his Ubuntu home directory from Microsoft Windows.
Windows Clients (XP,Server,Vista, Win7)
Microsoft Windows clients connect and browse through their corresponding network interface.
Example: XP clients can open Windows Network Neighborhood or My Network Places to browse available SMB shares.
Samba Client — Manual Configuration
This section covers how to manually configure and connect to an SMB file server from an Ubuntu client. smbclient is a command line tool that works much like an ftp client, while the cifs filesystem (formerly smbfs) lets you mount an SMB share. Once mounted, an SMB share behaves much like a local disk: you can browse it with your file browser (nautilus, konqueror, thunar or any other).
Connecting to a Samba File Server from the command line
Connecting from the command line is similar to an ftp connection.
List public SMB shares with
Connect to a SMB share with
Enter your user password when prompted.
You can also supply the password on the command line with
but the password then appears in your shell history and in the process list, where any local user can read it with ps (less secure). Prefer the interactive prompt or a credentials file.
Once connected you will get a prompt that looks like this :
Type «help» , without quotes, at the prompt for a list of available commands.
Connecting using CIFS
CIFS is the kernel filesystem that replaced the old smbfs; its userspace mount helper (mount.cifs) used to ship in the smbfs package, which is why the terminology is a little confusing.
As above, install the package by any method: on Ubuntu 12.10 and later it is called cifs-utils, on earlier releases smbfs.
Allow non-root users to mount SMB shares
By default only root may mount SMB shares from the command line. To allow non-root users to mount SMB shares you could set the setuid bit on the mount helper, but configuring sudo is preferable: a setuid helper can be run by every local user with arbitrary options, whereas sudo lets you limit who may mount and which command they may run. Configure sudo with visudo
You may either allow the group «users» to mount SMB shares, or add a group, samba, and add users you wish to allow to mount SMB shares to the samba group.
Change «user» to the username you wish to add to the samba group.
In the «group» section add your group you wish to allow to mount SMB shares
Change «%samba» to «%users» if you wish to allow members of the users group to mount SMB shares.
The following will mount the myshare folder on myserver to ~/mnt (a directory in your home directory):
Note : «samba_user» = the user name on the samba server (may be different from your log-in name on the client).
The «noexec» option prevents executable scripts running from the SMB share.
You will be asked for BOTH your sudo and then your samba_user password.
Automagically mount SMB shares
In order to have a share mounted automatically every time you reboot, you need to do the following:
With any editor, create a file containing your Windows/Samba user account details:
KDE users must use kdesu rather than gksu and instead of Gedit they can use Kwrite as editor.
It should contain two lines, as follows:
Note : «samba_user» = the user name on the samba server (may be different from your log-in name on the client). «samba_user_password» is the password you assigned to the samba_user on the samba server.
Save the file and exit gedit.
Change the permissions on the file so that only root can read it (the file holds a plaintext password):
Now create a directory where you want to mount your share (e.g. /media/samba_share):
Now, using any editor, add a line to /etc/fstab for your SMB share:
The share will mount automatically when you boot. The «noexec» option prevents executable scripts running from the SMB share.
To mount the share now, without rebooting,
You can unmount the share with :
If you wish to increase security at the expense of convenience, use this line in /etc/fstab
The «noexec» option prevents executable scripts running from the SMB share.
Edit /etc/samba/user, remove the password (leave just the samba user).
Now the share will NOT automatically mount when you boot and you will be asked for your samba password.
Mount the share with :
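The two procedures above (the sudo rule for non-root mounting and the credentials file plus /etc/fstab entry) are easy to get subtly wrong: a credentials file created before its chmod is briefly world-readable, and a mount without noexec/nosuid lets a file planted on the server run locally. The following is an added example, not code from the Ubuntu wiki; it creates the credentials file with mode 0600 from the start, checks its permissions, and builds the fstab and sudoers lines. The server name myserver, share myshare, credentials path /etc/samba/user and mount point /media/samba_share are the guide's values; the uid/gid, the vers=3.0 dialect pin and the samba group name are my assumptions.

```python
"""Added example for the Samba client guide (not the wiki's own code).

Creates a mount.cifs credentials file safely, verifies its permissions,
and builds the /etc/fstab and sudoers lines described in the guide.
Assumed values: uid/gid 1000, SMB dialect 3.0, sudo group 'samba'.
"""
import os
import stat


def write_credentials(path, username, password=None, domain=None):
    """Create the credentials file with mode 0600 from the moment it exists.

    O_CREAT|O_EXCL with an explicit 0o600 mode avoids the window in which the
    file exists with the umask default (often 0644) before a later chmod.
    password=None gives the 'prompt at mount time' variant from the guide.
    """
    lines = [f"username={username}"]
    if password is not None:
        lines.append(f"password={password}")
    if domain:
        lines.append(f"domain={domain}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


def credentials_file_is_safe(path):
    """True only for a regular file with no group or other permission bits."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def fstab_line(server, share, mountpoint, credentials, uid, gid,
               automount=True, smb_version="3.0"):
    """Build the /etc/fstab entry for the share.

    noexec,nosuid,nodev: nothing on the share can be executed, gain privileges
      or act as a device node, so a file planted on the server is inert here.
    _netdev: the mount depends on the network and is unmounted before the
      network goes down at shutdown (the cause of the guide's shutdown error).
    vers=: pin the SMB dialect rather than let the kernel negotiate downwards.
    noauto: mount on demand only (the 'security at the expense of convenience'
      variant in the guide).
    """
    opts = [f"credentials={credentials}", f"uid={uid}", f"gid={gid}",
            "iocharset=utf8", f"vers={smb_version}",
            "noexec", "nosuid", "nodev", "_netdev"]
    if not automount:
        opts.append("noauto")
    return f"//{server}/{share} {mountpoint} cifs {','.join(opts)} 0 0"


def sudoers_line(group="samba"):
    """sudoers entry for the non-root mount section.

    Members of `group` may run only the CIFS helper and umount as root.
    Granting /bin/mount itself is root-equivalent (bind mounts over any path),
    so it is deliberately left out.  Check the result with `visudo -c -f FILE`
    before installing it under /etc/sudoers.d/.
    """
    return f"%{group} ALL=(root) /sbin/mount.cifs, /bin/umount"


if __name__ == "__main__":
    print(fstab_line("myserver", "myshare", "/media/samba_share",
                     "/etc/samba/user", uid=1000, gid=1000))
    print(sudoers_line())
```

Even restricted to mount.cifs, the sudo rule still lets a group member choose the mount point and options, so it remains a privilege grant for trusted users only; for a single fixed share, the fstab entry with the user option is narrower.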
CIFS may cause an error at shutdown if the network is brought down before the share is unmounted; adding the «_netdev» option to the fstab entry marks the mount as network-dependent so it is unmounted first.
Connecting using SMBFS (deprecated)
Note : This method still works, but as outlined under the «CIFS» section above is «deprecated» (no longer maintained and pending removal from the kernel).
Mounting a share on the local filesystem allows you to work around programs that do not yet use GnomeVFS to browse remote shares transparently. To mount a SMB share, first install smbfs:
To allow non root accounts to mount shares, change the permissions on the smbmnt program thus:
Note : This may be a security risk as after setting the SUID bit anyone can mount a SMB share. I advise you configure sudo, as above.
The working line in /etc/sudoers is as follows (see CIFS section above):
This allows any user in the samba group to mount SMB shares (you will need to create a samba group and add users).
The following will mount the myshare folder on myserver to ~/mnt (a directory in your home directory):
In order to have a share mounted automatically every time you reboot, you need to do the following:
Open a shell as root
Create a file containing your Windows/Samba user account details:
It should contain two lines, as follows:
Change the permissions on the file for security:
Now create a directory where you want to mount your share (e.g. /mnt/data):
Now edit the file system table (/etc/fstab) and add a line as follows:
where ‘bob’ is the non-root user you log into Ubuntu with, ‘server’ is the name or address of the Windows machine and ‘share’ is the name of the share.
To mount the share now, just use the following command as root. It will mount automatically on subsequent reboots.
to be continued.
Ubuntu Client
On the Ubuntu client, using the menu at the top, go to «Places» -> «Network». You will see an icon «Windows network» and should be able to browse to your shared folder. You will be asked for a password; leave it blank and click the «Connect» button (no password is needed for a share configured for guest access).
If you would like to mount your SMB share using your (server) hostname rather than the IP Address, edit /etc/hosts and add your samba server (syntax IP Address hostname).
Where «hostname» = the name of your samba server.
Windows Client
On Windows open «My Computer» and navigate to «My Network Places». Navigate to your Ubuntu server and your share will be available without a password.
Alternate: From the menu at the top select «Tools» -> «Map Network Drive». Select an available letter for your SMB share (the default is Z:). In the «Folder:» box enter \\samba_server_ipaddress\share. Tick the option «Reconnect at login» if you want the share to be mounted automatically when you boot Windows. Click the «Finish» button. A dialog box will appear; enter your samba user name and password and click «OK».
If you would like to mount your SMB share using your (server) hostname rather than the IP Address, edit C:\WINDOWS\system32\drivers\etc\hosts and add your samba server (syntax IP Address hostname).
Where «hostname» = the name of your samba server.
Samba/SambaClientGuide (last edited by user milamipha 2014-01-07 20:02:19)
The material on this wiki is available under a free license, see Copyright / License for details
Accessing Windows Systems Remotely From Linux
This page collects methods for connecting to a remote Windows system from Linux, with examples of how to execute commands on Windows machines remotely using a number of different tools.
It covers over 30 different methods for obtaining a remote shell, executing commands remotely or connecting to a remote desktop, using a variety of freely available tools and utilities.
Introduction
There are many different tools that can be used to access remote Windows machine from Linux and execute commands on it. Here’s a list of existing tools covered in this article which can be used for this task.
Tools for remote command or remote shell access:
- Impacket
- CrackMapExec
- PTH Toolkit
- Keimpx
- Metasploit
- Redsnarf
- Winexe
- SMBMap
Tools for remote graphical display:
- Rdesktop
- FreeRDP (xfreerdp)
- TightVNC (xtightvncviewer)
- TigerVNC (xtigervncviewer)
All these tools are open-source and freely available for the common Linux distributions (Kali, Ubuntu, Debian, Arch, CentOS, RedHat, Parrot and others) and for UNIX-like platforms such as BSD and Mac OS X.
Most of these tools work by connecting to the SMB port (tcp/445) on the remote Windows machine, but some also use other interfaces such as WMI, MMC, DCOM and NetBIOS, and of course RDP or VNC when connecting to the remote (graphical) desktop.
More details on this are included in the overview table below.
Overview table
The following table summarises all the remote access methods described in this article.
It shows what type of remote execution each method provides and which network ports are used during the connection. Note that the high ports listed next to DCOM and Winmgmt (tcp/49751, tcp/50911, tcp/51754 and so on) are RPC dynamic ports: the client first queries the endpoint mapper on tcp/135 and is then directed to a port in the ephemeral range (49152-65535 on Vista and later), so the exact number differs from host to host and from session to session. Firewall rules and detections should therefore key on tcp/135 plus the dynamic range, not on the numbers shown here.
# | Tool | Method | Access Type | Port(s) used |
---|---|---|---|---|
1 | Impacket | psexec.py | shell | tcp/445 |
2 | Impacket | dcomexec.py | shell | tcp/135 tcp/445 tcp/49751 (DCOM) |
3 | Impacket | smbexec.py | shell | tcp/445 |
4 | Impacket | wmiexec.py | shell | tcp/135 tcp/445 tcp/50911 (Winmgmt) |
5 | Impacket | atexec.py | command | tcp/445 |
6 | CrackMapExec | wmiexec | command | tcp/135 tcp/445 tcp/50911 (Winmgmt) |
7 | CrackMapExec | atexec | command | tcp/445 |
8 | CrackMapExec | smbexec | command | tcp/445 |
9 | CrackMapExec | mmcexec | command | tcp/135 tcp/445 tcp/49751 (DCOM) |
10 | CrackMapExec | winrm | command | tcp/5985 (HTTP) or tcp/5986 (HTTPS) |
11 | PTH Toolkit | pth-winexe | shell | tcp/445 |
12 | PTH Toolkit | pth-wmis | command | tcp/135 tcp/50911 (Winmgmt) |
13 | Keimpx | svcexec | command | tcp/445 |
14 | Keimpx | svcexec SERVER | command | tcp/445 |
15 | Keimpx | svcshell | shell | tcp/445 |
16 | Keimpx | svcshell SERVER | shell | tcp/445 |
17 | Keimpx | atexec | command | tcp/445 |
18 | Keimpx | psexec | shell | tcp/445 |
19 | Keimpx | bindshell | shell | tcp/445 tcp/any |
20 | Metasploit | wmiexec | command | tcp/135 tcp/445 tcp/51754 (Winmgmt) |
21 | Metasploit | dcomexec | command | tcp/135 tcp/445 tcp/55777 (DCOM) |
22 | Metasploit | psexec | command / shell / any | tcp/445 tcp/any |
23 | Redsnarf | SYSTEM shell | shell | tcp/445 |
24 | Redsnarf | Admin shell | shell | tcp/445 |
25 | Redsnarf | WMI shell | shell | tcp/135 tcp/445 tcp/50911 (Winmgmt) |
26 | Redsnarf | XCOMMAND | command | tcp/135 tcp/445 tcp/50911 (Winmgmt) |
27 | Winexe | — | command / shell | tcp/445 |
28 | Winexe | SYSTEM | command / shell | tcp/445 |
29 | Winexe | RUNAS | command / shell | tcp/445 |
30 | SMBMap | — | command | tcp/445 |
31 | Rdesktop | rdesktop | graphical desktop (RDP) | tcp/3389 |
32 | FreeRDP | xfreerdp | graphical desktop (RDP) | tcp/3389 |
33 | TightVNC | xtightvncviewer | graphical desktop (VNC) | tcp/5900 |
34 | TigerVNC | xtigervncviewer | graphical desktop (VNC) | tcp/5900 |
Command line remote access methods
This section contains all the command line remote access methods which can be used to execute commands remotely on a Windows machine from Linux, including spawning an interactive shell (cmd.exe or powershell.exe).
IMPORTANT: All of the methods below require credentials of an account with administrative privileges on the target (a member of its local Administrators group), because they rely on the ADMIN$ and C$ administrative shares, the service control manager, the task scheduler or WMI. Be aware that for local accounts other than the built-in Administrator, UAC remote restrictions strip the administrative token from network logons by default (unless LocalAccountTokenFilterPolicy is set to 1), so such accounts are refused even with the correct password; domain accounts in the local Administrators group are not affected.
Now let’s get to the actual methods and techniques.
Impacket
Impacket is a Python library for working with various Windows network protocols. It is used by many different pentesting tools and it contains number of methods for executing commands on remote Windows machines.
Here’s how we can use Impacket to execute commands on a remote Windows system:
1. Impacket psexec.py
This will spawn an interactive remote shell via Psexec method:
2. Impacket dcomexec.py
This will spawn a semi-interactive remote shell using DCOM:
3. Impacket smbexec.py
This will spawn a semi-interactive remote shell via native Windows SMB functionality:
4. Impacket wmiexec.py
This will spawn a semi-interactive remote shell using WMI:
5. Impacket atexec.py
This will execute a command remotely via Atsvc:
Note: Impacket also supports pass-the-hash authentication, so an NT hash can be used instead of a password. Its -hashes option takes the pair in LMHASH:NTHASH form; when no LM hash is known (modern Windows does not store one) the LM half is the empty-password constant aad3b435b51404eeaad3b435b51404ee. Here's an example with psexec.py:
Detailed information about these methods with even more examples and screenshots can be found here:
CrackMapExec
CrackMapExec is a swiss army knife of pentesting. It has many useful features and it integrates with a number of other offensive security projects such as Mimikatz, Empire, PowerSploit or Metasploit.
It also contains number of methods for executing commands on remote Windows machines.
Here’s how to use CrackMapExec for executing commands on remote systems:
6. CrackMapExec wmiexec
This will execute a command (CMD / PowerShell) remotely using WMI:
7. CrackMapExec atexec
This will execute a command (CMD / PowerShell) remotely via Atsvc:
8. CrackMapExec smbexec
This will execute a command (CMD / PowerShell) remotely using native SMB:
9. CrackMapExec mmcexec
This will execute a command (CMD / PowerShell) remotely via MMC:
10. CrackMapExec winrm
This will execute a command (CMD / PowerShell) remotely using PSRemoting:
Note: Although CrackMapExec only runs a single command on the remote system, we can still use it to obtain an interactive shell by running a PowerShell reverse shell one-liner that connects back to a listener.
CrackMapExec also supports passing the NTLM hash instead of a password (pass-the-hash). Here’s an example with wmiexec:
More details about CrackMapExec with examples and screenshots can be found here:
PTH Toolkit
PTH Toolkit is a collection of utilities made by the pioneers of the pass-the-hash technique. It contains a number of useful tools for connecting to remote Windows machines with some of them also designed for executing commands on remote Windows systems.
Here’s how to use all PTH Toolkit remote access features:
11. PTH Toolkit: pth-winexe
This will spawn an interactive remote shell using Psexec-like method:
Note that with the --system option, pth-winexe can also automatically escalate to the nt authority\system account.
12. PTH Toolkit: pth-wmis
This will execute a command remotely using WMI:
Note that this particular method doesn’t return the output from the command. If we want the output, we have to fetch it using the complementary pth-smbget utility.
Note: PTH Toolkit of course also supports to supply NTLM hash instead of a password (pass-the-hash). Here’s an example with pth-winexe:
More details about PTH Toolkit with examples and screenshots can be found here:
Keimpx
Keimpx is a tool from the NCC Group labs developed for pentesting of Windows environments. It has many interesting features such as working with network shares or registry hives, dumping hashes and extracting NTDS files remotely, and of course number of methods for executing commands on Windows systems remotely.
Here’s how to use Keimpx to execute commands remotely.
First we have to launch Keimpx with a target list to connect to. Here we are connecting to a single machine:
Now there will be an interactive menu where we can choose what we want to do.
Here is a list of all supported methods available in the menu for executing commands or spawning shells:
13. Keimpx: svcexec
This executes a command on the remote system using a Windows service. Type in the menu:
14. Keimpx: svcexec SERVER
The svcexec SERVER method also executes a command, but it is designed for more restricted systems which do not have any writable network share:
15. Keimpx: svcshell
This will spawn a semi-interactive shell on the remote system using a Windows service:
16. Keimpx: svcshell SERVER
The svcshell also supports the SERVER mode which can spawn a remote shell on more restricted systems without any writable network share:
17. Keimpx: atexec
This executes a command on the remote system via Atsvc:
18. Keimpx: psexec
This method can execute any command on the remote system, including interactive commands such as cmd.exe or powershell.exe:
19. Keimpx: bindshell
This method spawns a bindshell on the target Windows machine on a selected tcp port:
Keimpx will then automatically connect to it and give us remote shell.
Note: Keimpx also of course supports passing NTLM hashes instead of passwords to authenticate (pass-the-hash). Here’s how to connect using a hash:
More details about Keimpx with examples and screenshots can be found here:
Metasploit
Metasploit Framework probably needs no introduction. It is one of the most comprehensive penetration testing platforms with over 4,280 various modules and exploits. Naturally, some of those modules are designed for executing commands on remote Windows systems.
Here’s how to use it for remote execution.
First we have to launch the msfconsole from the command line and then we can use any of the following techniques:
20. Metasploit: wmiexec
The wmiexec module uses WMI for executing commands on the remote system. Here’s an example:
21. Metasploit: dcomexec
The dcomexec module can execute a command on the remote system using various DCOM objects such as:
- MMC20
- ShellWindows
- ShellBrowserWindow
These objects can be selected by setting the OBJECT option ( set OBJECT .. ) in the msfconsole.
Here’s an example of executing a command on the remote system using dcomexec method:
22. Metasploit: psexec
The Metasploit psexec module can execute any payload (e.g. a reverse shell) using the following 4 methods:
- PowerShell
- Native upload
- MOF upload
- Command
These methods can be selected via the target option ( set target 1-4 ) in the msfconsole.
Here’s an example of getting a reverse shell using the Native upload method:
Note: Metasploit of course supports passing NTLM hashes to authenticate instead of passwords (pass-the-hash). To use, simply set the SMBPass option like this:
More details about Metasploit RCE capabilities with examples and screenshots can be found here:
RedSnarf
RedSnarf is a another pentesting and red teaming utility from the NCC Group labs. It offers some quite unique features for pentesting of Windows systems including number of methods for executing commands remotely.
Here’s how to use it.
First we have to launch RedSnarf with a target to connect to. For example:
Now there will be an interactive menu where we can choose what we want to do.
There are the following 4 supported methods of executing a command or a shell on the target Windows system:
23. RedSnarf: SYSTEM shell
Pressing ‘s’ in the menu will spawn an interactive shell with SYSTEM privileges (nt authority\system) on the remote system using a method similar to Psexec.
24. RedSnarf: Admin shell
Pressing ‘n’ in the menu will spawn an interactive shell running in the context of the provided administrative username (without escalating to SYSTEM).
25. RedSnarf: WMI shell
Pressing ‘w’ in the menu will spawn a semi-interactive shell via WMI.
26. RedSnarf: XCOMMAND
We can also simply execute a supplied command on the remote system by running RedSnarf like this:
Note: RedSnarf naturally also supports passing NTLM hashes to authenticate instead of passwords (pass-the-hash). Here’s how to connect using a hash:
More details about RedSnarf with examples and screenshots can be found here:
Winexe
Winexe is a small Linux utility designed for executing commands remotely on Windows systems over SMB protocol. It doesn’t do many other things, but it works very well and it has built-in Runas feature which can come quite handy sometimes.
Here are all the methods for accessing remote Windows systems with Winexe:
27. Winexe
By default, Winexe runs a command remotely which can also be an interactive commands such as cmd.exe or powershell.exe for obtaining shell:
28. Winexe: SYSTEM
This will execute the supplied commands with SYSTEM privileges (nt authority\system) on the remote system:
29. Winexe: RUNAS
Winexe can also execute commands under a specified Windows account on the remote system by doing automatic logon (Runas):
The built-in Runas feature can be especially useful in situations when we want to execute something under a specific user profile.
Note: Winexe has no native pass-the-hash support, but installing the passing-the-hash package makes it possible: the package ships a patched SMB library with pass-the-hash support and wraps Winexe with it via LD_PRELOAD.
Here’s how to pass hash to Winexe instead of a password:
More details about Winexe can be found here:
SMBMap
SMBMap is primarily a SMB/CIFS share drive enumerator, however it can also execute commands on a remote Windows system.
30. SMBMap
Execute a command on the remote system via native SMB:
Note: SMBMap also natively supports pass-the-hash authentication. Here's how to pass a hash to SMBMap:
We can also obtain a remote interactive shell with SMBMap, just as with CrackMapExec, by executing a PowerShell reverse shell one-liner.
More details about SMBMap with examples can be found here:
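Most of the shell methods in this section (Impacket psexec.py and smbexec.py, the CrackMapExec, Keimpx and RedSnarf wrappers around them, Winexe and pth-winexe) work by creating a Windows service through the service control manager, which the target records in its System log as event 7045 ("A service was installed in the system"). That record is the natural place to check whether any of these tools has been run against a host. The following is an added detection-side example, not code from the article or from any of the tools: it runs three heuristics of my own over service-install records constructed to resemble what psexec.py (random 4-letter service name, random 8-letter binary dropped on ADMIN$) and smbexec.py (a service whose image is a cmd.exe command line redirecting output into C$) leave behind, next to two benign installs. The service names, image paths and the field layout are constructed; the heuristics are signals, not proof.

```python
"""Added detection example for the service-based methods above.

Not from the InfosecMatter article.  SAMPLE_7045 is constructed to resemble
System log event 7045 records; the heuristics are the author's assumptions.
"""
import re

SAMPLE_7045 = [
    # psexec.py-style: 4 random letters, 8-letter binary uploaded to ADMIN$ (%systemroot%)
    {"ServiceName": "fLkQ",
     "ImagePath": r"%systemroot%\AbCdEfGh.exe",
     "AccountName": "LocalSystem"},
    # smbexec.py-style: the service "binary" is a cmd.exe command line writing into C$
    {"ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > "
                  r"%TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
     "AccountName": "LocalSystem"},
    # benign installs for comparison
    {"ServiceName": "VBoxService",
     "ImagePath": r"C:\Windows\System32\VBoxService.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe",
     "AccountName": "LocalSystem"},
]

# A service whose image is an interpreter invocation rather than an executable.
_SHELL_AS_SERVICE = re.compile(r"(?:^|\\|\s)(?:cmd\.exe|%COMSPEC%)\s+(?:/\S+\s+)*/c\b", re.I)
# A UNC reference to an administrative share (\\host\C$\... or \\host\ADMIN$\...).
_ADMIN_SHARE_UNC = re.compile(r"\\\\[^\\\s]+\\(?:ADMIN\$|[A-Z]\$)\\", re.I)
# Random-looking 4-letter name paired with a random 8-letter binary under %systemroot%.
_RANDOM_SVC_NAME = re.compile(r"^[A-Za-z]{4}$")
_RANDOM_IMAGE = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.I)


def classify_service_install(record):
    """Return the reasons a 7045 record looks like remote-exec tooling (empty if none)."""
    name = record.get("ServiceName", "")
    image = record.get("ImagePath", "")
    reasons = []
    if _SHELL_AS_SERVICE.search(image):
        reasons.append("service image is a cmd.exe command line (smbexec-style)")
    if _ADMIN_SHARE_UNC.search(image):
        reasons.append("service image references an administrative share over UNC")
    if _RANDOM_SVC_NAME.match(name) and _RANDOM_IMAGE.match(image):
        reasons.append("random 4-letter service name with random 8-letter binary "
                       "under %systemroot% (psexec.py-style)")
    return reasons


def suspicious_service_installs(records):
    """Return [(ServiceName, reasons)] for every record that triggers a heuristic."""
    hits = []
    for rec in records:
        reasons = classify_service_install(rec)
        if reasons:
            hits.append((rec.get("ServiceName", ""), reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in suspicious_service_installs(SAMPLE_7045):
        print(name, "->", "; ".join(reasons))
```

The WMI and DCOM methods (wmiexec, dcomexec, mmcexec, pth-wmis) and the task scheduler method (atexec) install no service, so event 7045 never fires for them; they need other telemetry, such as process creation under WmiPrvSE.exe or scheduled-task creation events.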
Graphical remote access methods
This section contains methods of connecting to remote Windows systems from Linux via graphical user interfaces such as RDP or VNC.
Rdesktop
Rdesktop is a popular open-source RDP client supporting most Windows operating systems, officially up to Windows Server 2012 RDS. It has many useful features including network drive support, multimedia and USB redirection, bidirectional clipboard and more. Currently this project is looking for a new maintainer.
31. Rdesktop
Here’s how to open RDP session to a remote Windows computer using rdesktop:
Here are some useful rdesktop options:
Option | Meaning |
---|---|
-f | Full-screen mode |
-g 1200x800 | Set desktop resolution |
-r disk:datadir=/home/kali/upload | Connect local /home/kali/upload directory to the remote Windows desktop as the “datadir” network share |
-r clipboard:PRIMARYCLIPBOARD | Enable clipboard support |
-r sound:local | Enable sound redirection to hear sound from the remote Windows desktop |
-P | Bitmap caching (for slow connections) |
FreeRDP
FreeRDP is another very popular RDP client also for Linux (xfreerdp) and it has also many interesting features such as network drive support, multimedia and USB redirection, bidirectional clipboard and also many other things.
32. FreeRDP: xfreerdp
Here’s how to open RDP session to a remote Windows computer using xfreerdp:
Here are some useful xfreerdp options:
Option | Meaning |
---|---|
/f | Full-screen mode |
/w:1200 /h:800 | Set desktop resolution |
/drive:datadir,/home/kali/upload | Connect local /home/kali/upload directory to the remote Windows desktop as the “datadir” network share |
+drives | Connect the whole local Linux filesystem to the remote Windows desktop as network shares |
+clipboard | Enable clipboard support |
/sec:rdp | Force legacy RDP security (no TLS or NLA); useful against old hosts, but the session is then exposed to man-in-the-middle downgrade, so use it only when the target cannot do better |
Note: FreeRDP also supports passing NTLM hashes instead of passwords (pass-the-hash); here's how to use it:
This only works when the target runs in Restricted Admin mode, which Microsoft introduced for Windows 8.1 and Windows Server 2012 R2 (and later backported); on other targets the hash-based RDP logon is rejected.
TightVNC
TightVNC is a light-weight VNC software with client for Linux (xtightvncviewer) which provides fast and reliable way of connecting to all kinds of VNC servers, not just the ones running on Windows.
33. TightVNC: xtightvncviewer
Here’s how to open VNC connection to a remote Windows computer using xtightvncviewer:
We will be prompted for authentication if there is any required.
Here are some useful xtightvncviewer options:
Option | Meaning |
---|---|
-shared | Do not disconnect existing users that are already connected (default) |
-noshared | Disconnect any existing users that are already connected |
-fullscreen | Full-screen mode |
-compresslevel N | Set compression level (0 fastest, 9 best) |
-quality N | Set JPEG quality (0 low, 9 high) |
TigerVNC
TigerVNC is another popular VNC software with Linux client (xtigervncviewer) with many useful features. For example it supports clipboard, advanced authentication methods, TLS encryption and other things.
Here's how to use it.
34. TigerVNC: xtigervncviewer
Here’s how to open VNC connection to a remote Windows computer with xtigervncviewer:
We will be prompted for authentication if there is any required.
Here are some useful xtigervncviewer options:
Option | Meaning |
---|---|
-Shared | Do not disconnect existing users that are already connected (default) |
-Shared=0 | Disconnect any existing users that are already connected |
-FullScreen | Full-screen mode |
-DesktopSize=1200x800 | Set desktop resolution |
-CompressLevel=N | Set compression level (0 fastest, 9 best) |
-QualityLevel=N | Set JPEG quality (0 low, 9 high) |