LogonPasswords

Executes Mimikatz's sekurlsa::logonpasswords on the target system.

Output for each system is stored in $pwd\PME\LogonPasswords\

Supported Methods

• MSSQL

• SMB

• SessionHunter (WMI)

• WMI

• WinRM

Optional Parameters

Parameter	Value	Description
-NoParse	N/A	If specified, PsMapexec will not automatically parse output from all targets systems and identify accounts that belong to privileged groups.
-Rainbow	N/A	When provided, collected hashes will be compared against an online database https://ntlm.pw
-ShowOutput	N/A	Displays each targets output to the console
-SuccessOnly	N/A	Display only successful results

Usage

# Standard execution
PsMapExec -Username [User] -Password [Pass] -targets [All] -Module LogonPasswords -Method [Method] -ShowOutput

Parsing

If -NoParse is not specified, , PsMapExec will parse the results from each system and present the results in a digestable and readable format. The notes field will highlight in yellow any interesting information about each result.

The table below shows the possible values for the notes field.

Value	Description
AdminCount=1	The parsed account has an AdminCount value of 1. This means the account may hold some sort of privileged access within the domain.
NTLM=Empty Password	The NTLM value is equal to that of an empty password.
Cleartext Password	Cleartext password was parsed from the results. This is only highlited on user accounts and omitted for computer accounts.
Domain Admin Enterprise Admin Server Operator Account Operator	The account is a member of a high value group.

At the end of parsing all unique NTLM hashes will be shown in the console window. A Hashcat ready file will also be populated for collected NTLM hashes in:

$pwd\PME\LogonPasswords\.AllUniqueNTLM.txt