eKeys
Last updated
Last updated
Executes Mimikatz's sekurlsa::ekeys on each target system to retrieve Kerberos encryption keys.
For each system output is stored in $pwd\PME\eKeys\
Supported Methods
MSSQL
SMB
SessionHunter (WMI)
WMI
WinRM
| Parameter | Value | Description |
|---|---|---|
-NoParse | N/A | If specified, PsMapexec will not automatically parse output from all targets systems and identify accounts that belong to privileged groups. |
-ShowOutput | N/A | Displays each targets output to the console |
-SuccessOnly | N/A | Display only successful results |
If -NoParse is not specified,, PsMapExec will parse the results from each system and present the results in a digestable and readable format. The notes field will highlight in yellow any interesting information about each result.
The table below shows the possible values for the notes field.
| Value | Description |
|---|---|
AdminCount=1 | The parsed account has an AdminCount value of 1. This means the account may hold some sort of privileged access within the domain. |
rc4_hmac_nt=Empty Password | The rc4 value is equal to that of an empty password. |
Cleartext Password | Cleartext password was parsed from the results. This is only highlited on user accounts and omitted for computer accounts. |
Domain Admin Enterprise Admin Server Operator Account Operator | The account is a member of a high value group. |
f
