LogonPasswords
Executes Mimikatz's sekurlsa::logonpasswords on the target system.
Output for each system is stored in $pwd\PME\LogonPasswords\
Supported Methods
MSSQL
SMB
SessionHunter (WMI)
WMI
WinRM
Optional Parameters
| Parameter | Value | Description |
|---|---|---|
-NoParse | N/A | If specified, PsMapexec will not automatically parse output from all targets systems and identify accounts that belong to privileged groups. |
-Rainbow | N/A | When provided, collected hashes will be compared against an online database https://ntlm.pw |
-ShowOutput | N/A | Displays each targets output to the console |
-SuccessOnly | N/A | Display only successful results |
Usage
Parsing
If -NoParse is not specified, , PsMapExec will parse the results from each system and present the results in a digestable and readable format. The notes field will highlight in yellow any interesting information about each result.
The table below shows the possible values for the notes field.
| Value | Description |
|---|---|
AdminCount=1 | The parsed account has an AdminCount value of 1. This means the account may hold some sort of privileged access within the domain. |
NTLM=Empty Password | The NTLM value is equal to that of an empty password. |
Cleartext Password | Cleartext password was parsed from the results. This is only highlited on user accounts and omitted for computer accounts. |
Domain Admin Enterprise Admin Server Operator Account Operator | The account is a member of a high value group. |
At the end of parsing all unique NTLM hashes will be shown in the console window. A Hashcat ready file will also be populated for collected NTLM hashes in:
$pwd\PME\LogonPasswords\.AllUniqueNTLM.txt
Last updated
