🔵PsMapExec
Get it on GitHub: https://github.com/The-Viper-One/PsMapExec
Usage Parameters
General Parameters
Parameter | Value | Description |
---|---|---|
-Command | whoami | Runs the specified command on the remote system |
-CurrentUser | N/A | Instructs PsMapExec to run in current user context. This is the default when no other credentials are specified |
-Domain | [Domain] | Specifies what domain to run against. Otherwise the current user domain is used |
-DomainController | [DC] | Specifies what Domain controller to authenticate against |
-Force | N/A | Used to force PsMapExec to run when domain or enterprise admin credentials are used |
-Flush | N/A | Flushes stored LDAP variables. Mostly only needed if working in a long-term shell in a large environment where new computers and users may be added to the domain over time. |
-LocalFileServer | [IP] | Pulls scripts from the specified local file server address |
-Module | [Module] | Specifies the module to be used for command execution |
-NoBanner | N/A | Suppresses the script banner |
-NoParse | N/A | Suppresses parsing of some module outputs |
-Rainbow | N/A | Queries an online rainbow table for hashes dumped with the modules "Sam, LogonPasswords and NTDS". |
-SuccessOnly | N/A | Shows only successful results |
-Timeout | [int] | Sets the port scan timeout (ms) against the specified method. |
-Threads | [int] | Sets the number of concurrent execution jobs to run (Default: 30) |
Authentication Parameters
Parameter | Value | Description |
---|---|---|
-Hash | [RC4] or [AES256] | Hash value. Must be supplied with -Username |
-LocalAuth | N/A | Used to specify when local account authentication should be used |
-Password | [Password] | Password value. Must be supplied with -Username |
-Ticket | [Ticket] or [Path to ticket] | B64 encoded Kerberos ticket to use for authentication. -Username is not required |
Command execution Parameters
Parameter | Value | Description |
---|---|---|
-Command | [Command] | Runs the specified command on the remote system |
-Module | [Module] | Specifies the module to be used for command execution |
-ShowOutput | N/A | Displays output for executed modules. Commands will still be shown |
Spraying Parameters
Parameter | Value | Description |
---|---|---|
-AccountAsPassword | N/A | Sprays SAM Account name values as passwords |
-EmptyPassword | N/A | Sprays "blank" passwords |
-SprayHash | [RC4] or [AES256] | Hash value to be used for hash spraying |
-SprayPassword | [Password] | Password value to be used for password spraying |
Most of these parameters have additional documentation that goes into more detail about each (available in the left-hand sidebar of this page).
Generally, you can mix and match various parameters across different methods and modules.
Dependencies
PsMapExec has some dependencies that need to be pulled from outside the script itself in order to function.
Primarily these are:
Kirby (PowerShell based Kerberos ticket dump)
Invoke-Pandemonium (Slightly modified Mimikatz)
The long-term plan is for PsMapExec to require no external dependencies. However, this requires the script to be massively reduced and AV bypasses to be considered.
Currently, they are pulled from a separate GitHub repository: https://github.com/The-Viper-One/PME-Scripts
If you are working within an environment that has no external access, or where GitHub is blocked by a firewall, you will need to clone the scripts in the repository onto the system that PsMapExec is running from. PsMapExec does not currently host an HTTP server for these, so you will need to use something like HFS: https://www.rejetto.com/hfs/?f=dl
PsMapExec supports pointing to a locally or alternatively hosted server for the script dependencies.
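For defenders, the parameter names and the dependency source above are usable detection strings in PowerShell script-block, command-line and proxy logs. The sketch below is an added example, not part of PsMapExec or its documentation; it relies on PowerShell treating parameter names as case-insensitive and accepting unambiguous prefixes, so it resolves abbreviations instead of matching full names only. The sample log lines, the `Invoke-Renamed` name, the tag names and the minimum prefix length are assumptions, and the prefix resolution knows only the parameters listed on this page.

```python
import re

# Parameter names copied from the tables on this page, lower-cased.
SPRAY = {"accountaspassword", "emptypassword", "sprayhash", "spraypassword"}
KNOWN = SPRAY | {
    "command", "currentuser", "domain", "domaincontroller", "force", "flush",
    "localfileserver", "module", "nobanner", "noparse", "rainbow",
    "successonly", "timeout", "threads", "hash", "localauth", "password",
    "ticket", "showoutput", "username"}
# Strings from this page naming the tool or its dependency source.
MARKERS = {"tool-name": ("psmapexec",),
           "dependency": ("the-viper-one/pme-scripts", "invoke-pandemonium")}
# A dash that starts a token; skips the dashes inside Verb-Noun names and URLs.
PARAM = re.compile(r"(?<![\w-])-([A-Za-z]+)")


def resolve(token, min_prefix=4):
    """Map a typed parameter (any case, possibly abbreviated) to its full name."""
    t = token.lower()
    if t in KNOWN:
        return t
    if len(t) < min_prefix:  # tuning choice: very short prefixes are too noisy
        return None
    hits = [p for p in KNOWN if p.startswith(t)]
    return hits[0] if len(hits) == 1 else None  # None when ambiguous or unknown


def classify(line):
    """Return the set of findings for one logged command line or script block."""
    low = line.lower()
    tags = {tag for tag, subs in MARKERS.items() if any(s in low for s in subs)}
    params = {resolve(tok) for tok in PARAM.findall(line)} - {None}
    if params & SPRAY:
        tags.add("spraying")
    if "localfileserver" in params:
        tags.add("local-dependency-server")
    return tags


# Constructed log text (not captured from a real system). Only the parameter
# names and the repository path come from the page; the rest is assumed.
SAMPLES = [
    "PsMapExec -Domain corp.example -SprayPassword <redacted>",
    "Invoke-Renamed -sprayp <redacted> -successonly",
    "Invoke-Renamed -LocalF 10.0.0.5 -nob",
    "proxy GET https://github.com/The-Viper-One/PME-Scripts 200",
    "Get-ChildItem -Force -Path C:\\Temp",
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLES, 1):
        print(n, sorted(classify(line)) or "-")
```

Matching on the parameter set rather than the script name keeps the rule useful when the script or function has been renamed, as in the second and third sample lines.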