KerbDump

Runs Kirby to dump Kerberos tickets on the remote system. Kirby is based on PowerShellKerberos by Michael Zhmaylo (MzHmO): https://github.com/MzHmO/PowershellKerberos

Output for each system is stored in $pwd\PME\Tickets\KerbDump\

Supported Methods

  • MSSQL

  • SMB

  • SessionHunter (WMI)

  • WMI

  • WinRM

Optional Parameters

| Parameter | Value | Description |
|---|---|---|
| -NoParse | N/A | If specified, PsMapExec will not automatically parse output from all target systems and identify accounts that belong to privileged groups. |
| -ShowOutput | N/A | Displays each target's output to the console |
| -SuccessOnly | N/A | Display only successful results |

Usage

# Standard execution
PsMapExec -Username [User] -Password [Pass] -targets [All] -Module KerbDump -Method [Method] -ShowOutput

Parsing

If -NoParse is not specified, PsMapExec will parse the results from each system and present them in a digestible and readable format. The notes field will highlight in yellow any interesting information about each result.

For tickets identified as a TGT, the Impersonate field also shows a ready-made PsMapExec command that can be run directly afterwards to impersonate that account.

The table below shows the possible values for the notes field.

| Value | Description |
|---|---|
| TGT | Represents a TGT ticket |
| AdminCount=1 | Identifies an account that may hold privileged permissions within the domain |
| Domain Admin, Enterprise Admin, Server Operator, Account Operator | The account is a member of one of these privileged groups |
