eKeys
Executes Mimikatz's sekurlsa::ekeys on each target system to retrieve Kerberos encryption keys.
For each system output is stored in $pwd\PME\eKeys\
Supported Methods
MSSQL
SMB
SessionHunter
WMI
WinRM
Optional Parameters
-NoParse
N/A
If specified, PsMapExec will not automatically parse output from all targets systems and identify accounts that belong to privileged groups.
-ShowOutput
N/A
Displays each targets output to the console
-SuccessOnly
N/A
Display only successful results
Usage
Parsing
PsMapExec will parse the results from each system and present the results in a digestable and readable format. The notes field will highlight in yellow any interesting information about each result.
The table below shows the possible values for the notes field.
AdminCount=1
The parsed account has an AdminCount value of 1. This means the account may hold some sort of privileged access within the domain.
rc4_hmac_nt=Empty Password
The rc4 value is equal to that of an empty password.
Cleartext Password
Cleartext password was parsed from the results. This is only highlited on user accounts and omitted for computer accounts.
Domain Admin Enterprise Admin Server Operator Account Operator
The account is a member of a high value group.
Example Output
Last updated
Was this helpful?