NTLM

Does not currently working against Windows Server 2008 / Windows 7 / Windows Server 2012

This module builds upon the module. Whereby, execution on a remote host will force each user logon session to authenticate to a locally hosted web sever and obtain the users NTLMv1 or NTLMv2 hash.

This modules code is based on a fork of .

If you wish to relay hashes or capture them with Inveigh or Responder, instead use the module.

For example, assuming the below output. We can see the remote host currently has the users standarduser and srv2019-admin within existing logon sessions. PsMapExec will attempt to obtain each users NTLMv1 or NTLMv2 hash.

C:\Users\SRV2019-Admin>quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 standarduser                              1  Disc            7  04/08/2024 17:14
 srv2019-admin         console             2  Active      none   04/08/2024 17:18

Output for NTLM is stored $PWD\PME\NTLM\

Supported Methods

SMB
SessionHunter
WMI
WinRM

Optional Parameters

Parameter

Value

Description

-ShowOutput

N/A

Displays each targets output to the console

-SuccessOnly

N/A

Display only successful results

Usage

# SMB execution with password authentication, targeting workstations
PsMapExec SMB -Module SessionExec -Targets "Workstations" -Username [User] -Password [Pass] -Command "whoami /all"

# WinRM execution with hash authentication, targeting servers
PsMapExec WinRM -Module SessionExec -Targets "Servers" -Username [User] -Hash [Hash] -Command "whoami /all"

# WMI execution with Kerberos ticket authentication (Username not required)
PsMapExec WMI -Module SessionExec -Targets "All" -Ticket [doI..]

Last updated 5 days ago

Was this helpful?