SAM
Dumps SAM credentials for each target system using a heavily modified version of Invoke-NTLMExtract.ps1.
For each system output is stored in $pwd\PME\PME\SAM\
Supported Methods
MSSQL
SMB
SessionHunter (WMI)
WMI
WinRM
Optional Parameters
-NoParse
N/A
Will ommit parsing output from each system and checks for which SAM hashes are valid on multiple systems.
-Rainbow
N/A
When provided, collected SAM hashes will be compared against an online database https://ntlm.pw
-ShowOutput
N/A
Displays each targets output to the console
-SuccessOnly
N/A
Display only successful results
Usage
Parsing
If -NoParse
is not specified, PsMapExec will parse the results from each system and present the results in a digestable and readable format. PsMapExec will display which systems are reusing SAM hashes and then display all collected hashes in a Hashcat friendly format.
The output appends the system name from which the hash has been pulled from to the name for easy identification. Even in this format, it is still a Hashcat friendly format.
Last updated