Methods
PsMapExec currently supports the following methods:
Inject
IPMI
Kerberoast
MSSQL (New addition, not yet feature complete)
SMB
SessionHunter
RDP
VNC
WinRM
WMI
Command Execution Methods
The following methods support command execution and running modules on target systems:
MSSQL (Need SYSADMIN on Instance)
SMB
SessionHunter (WMI)
WinRM
WMI
Authentication Types
When -Command and -Module are omitted, PsMapExec will simply check the provided or current user credentials against the specified target systems for administrative access over the specified method.
Command Execution
All currently supported command execution methods support the -Command parameter. The command parameter can be appended to the above Authentication Types to execute given commands as a specified or current user.
Module Execution
All currently supported command execution methods support the -Module parameter. The module parameter can be appended to the Authentication Types to execute given modules as a specified or current user.
For supported modules and syntax visit the link below
GenRelayList / SMB Signing
The GenRelayList method checks targets SMB signing requirements.
IPMI
The IPMI method attempts to retrieve IPMI hashes from vulnerable servers
Kerberoast
Performs kerberoasting against the current or specified domain.
SessionHunter
The SessionHunter method filters targets by those which are likely to have administrative or privileged users credentials in memory and for which we have administrative access to. This is the ideal way of filtering down to a small number of system for which to extract credentials from to escalate privileges further.
Spray
PsMapExec supports password and hash spraying as well as some additional parameters for spraying accounts as passwords and empty password values.
VNC
The VNC method is used to simply check if a VNC server has "NoAuth" set which means we can connect to the remote system without providing a username or password.
Last updated
Was this helpful?