command_execution
Execute PowerShell commands on compromised systems using NTLM or password authentication for Active Directory penetration testing.
Instructions
execute powershell commands if we have pwned the user, possible to use ntlm or password for authentication
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| ips | Yes | | |
| username | Yes | | |
| password | Yes | | |
| command | Yes | | |
| ntlm | No | | |
| kerberos | No | | |
Implementation Reference
- src/pentestmcp/server.py:289-298 (handler): The handler function for the `command_execution` tool. It runs `netexec smb` with the `-x` flag to execute the supplied PowerShell command on the target IPs, choosing the authentication method from the boolean flags: `-H` for an NTLM hash, `-p` together with `-k` for Kerberos, or `-p` alone for a plaintext password. The `@mcp.tool` decorator registers the tool with MCP.

```python
from typing import List

@mcp.tool(
    name="command_execution",
    description="execute powershell commands if we have pwned the user, possible to use ntlm or password for authentication",
)
def command_execution(ips: List[str], username: str, password: str, command: str,
                      ntlm: bool = False, kerberos: bool = False):
    # NTLM: the 'password' parameter carries the hash, handed to netexec via -H
    if ntlm:
        return run_command(["netexec", "smb"] + ips + ["-u", username, "-H", password, "-x", command])
    # Kerberos: -k switches netexec to Kerberos authentication
    elif kerberos:
        return run_command(["netexec", "smb"] + ips + ["-u", username, "-p", password, "-k", "-x", command])
    # Default: plaintext password via -p
    else:
        return run_command(["netexec", "smb"] + ips + ["-u", username, "-p", password, "-x", command])
```
- src/pentestmcp/server.py:28-86 (helper): Helper function used by `command_execution` (and other tools) to run subprocesses with a timeout, logging, and error handling. Every result is a dict with a `success` flag; failures add an `error` message.

```python
import logging
import subprocess
from typing import Dict, List, Union

logger = logging.getLogger(__name__)

def run_command(command: List[str], timeout: int = 150,
                communicate: bool = False) -> Dict[str, Union[str, int, bool]]:
    try:
        logger.info(f"communicate :{communicate}")
        # Note: this logs the complete argument vector, so a password or NTLM hash
        # passed to netexec via -p/-H is written to the log as well.
        logger.info(f"Running command: {' '.join(command)}")
        if communicate:
            # Use Popen for interactive communication; answers a y/n prompt with "y".
            # A non-zero exit on this path is still reported as success=True.
            process = subprocess.Popen(
                command,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                stdin=subprocess.PIPE,
                text=True,
            )
            stdout, stderr = process.communicate(input="y\n", timeout=timeout)
            returncode = process.returncode
        else:
            # Use run for non-interactive commands; check=True raises on non-zero exit
            result = subprocess.run(
                command,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                text=True,
                check=True,
                timeout=timeout,
            )
            stdout = result.stdout
            stderr = result.stderr
            returncode = result.returncode
        logger.info(f"Command completed with return code {returncode}")
        return {
            "success": True,
            "stdout": stdout,
            "stderr": stderr,
            "returncode": returncode,
        }
    except subprocess.CalledProcessError as e:
        logger.error(f"Command failed with return code {e.returncode}: {e.stderr}")
        return {
            "success": False,
            "stdout": e.stdout,
            "stderr": e.stderr,
            "returncode": e.returncode,
            "error": f"Command failed with return code {e.returncode}",
        }
    except subprocess.TimeoutExpired as e:
        logger.error(f"Command timed out after {timeout} seconds")
        return {
            "success": False,
            "error": f"Command timed out after {timeout} seconds",
        }
    except Exception as e:
        logger.error(f"Error running command: {str(e)}")
        return {
            "success": False,
            "error": str(e),
        }
```
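The `run_command` helper logs the full argument vector, so the password or NTLM hash that the handler places after `-p` or `-H` ends up in the log. An added example, not code from the pentestmcp project: a redaction step that masks the argument following those flags before logging, wrapped in a runner with the same result shape (the flag set and the sample argv are assumptions modelled on the netexec calls above).

```python
import logging
import shlex
import subprocess
import sys
from typing import Dict, List, Union

logger = logging.getLogger(__name__)

# Flags whose following argument is a credential in the netexec invocations
# above: -p carries the password, -H the NTLM hash. Assumed set, not taken
# from the pentestmcp project itself.
SECRET_FLAGS = {"-p", "-H"}


def redact_argv(argv: List[str]) -> List[str]:
    """Return a copy of argv with the value after each secret flag masked."""
    redacted: List[str] = []
    mask_next = False
    for arg in argv:
        if mask_next:
            redacted.append("<redacted>")
            mask_next = False
        else:
            redacted.append(arg)
            mask_next = arg in SECRET_FLAGS
    return redacted


def run_command_redacted(command: List[str], timeout: int = 150) -> Dict[str, Union[str, int, bool]]:
    """Same result shape as run_command above, but the log line never carries credentials."""
    logger.info("Running command: %s", shlex.join(redact_argv(command)))
    try:
        result = subprocess.run(command, capture_output=True, text=True, check=True, timeout=timeout)
        return {"success": True, "stdout": result.stdout, "stderr": result.stderr, "returncode": result.returncode}
    except subprocess.CalledProcessError as e:
        return {"success": False, "stdout": e.stdout, "stderr": e.stderr, "returncode": e.returncode,
                "error": f"Command failed with return code {e.returncode}"}
    except subprocess.TimeoutExpired:
        return {"success": False, "error": f"Command timed out after {timeout} seconds"}


def demo() -> Dict[str, object]:
    """Exercise the wrapper offline with harmless local commands."""
    # Constructed argv in the shape the handler builds; IP and hash are placeholders.
    argv = ["netexec", "smb", "10.0.0.5", "-u", "alice", "-H", "ffffffffffffffffffffffffffffffff", "-x", "hostname"]
    return {
        "redacted": redact_argv(argv),
        "ok": run_command_redacted([sys.executable, "-c", "print('ok')"]),
        "failed": run_command_redacted([sys.executable, "-c", "import sys; sys.exit(3)"]),
    }
```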