SAM

Dumps SAM credentials for each target system using a heavily modified version of Invoke-NTLMExtract.ps1.

For each system, output is stored in $pwd\PME\PME\SAM\

Supported Methods

  • MSSQL

  • SMB

  • SessionHunter (WMI)

  • WMI

  • WinRM

Optional Parameters

| Parameter | Value | Description |
|---|---|---|
| -NoParse | N/A | Skips parsing the output from each system and the check for which SAM hashes are valid on multiple systems. |
| -Rainbow | N/A | When provided, collected SAM hashes are compared against the online database at https://ntlm.pw |
| -ShowOutput | N/A | Displays each target's output in the console. |
| -SuccessOnly | N/A | Displays only successful results. |

Usage

# Standard execution
PsMapExec -Username [User] -Password [Pass] -targets [All] -Module SAM -Method [Method] -ShowOutput

Parsing

If -NoParse is not specified, PsMapExec parses the results from each system and presents them in a digestible, readable format. It first displays which systems are reusing SAM hashes, then displays all collected hashes in a Hashcat-friendly format.

The output appends the name of the system each hash was pulled from to the name for easy identification. Even with the system name appended, the output remains Hashcat-friendly.
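The reuse check described above can be reproduced independently, for example to confirm after remediation that local accounts no longer share a password across machines. This is an added example, not PsMapExec's own code: it assumes pwdump-style lines (`name:RID:LM:NT:::`), and the function name `Get-SamHashReuse`, the sample systems, the hash values and the `@` separator are constructed for illustration.

```powershell
# Constructed sample input: pwdump-style lines (name:RID:LM:NT:::) per system.
# System names, accounts and hash values are made up for this example.
$SampleDump = @{
    'WS01'  = @(
        'Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::'
        'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'
    )
    'WS02'  = @(
        'Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789ABCDEF0123456789ABCDEF:::'
        'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'
    )
    'SRV01' = @(
        'Administrator:500:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::'
        'svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::'
        'malformed line that should be skipped'
    )
}

function Get-SamHashReuse {
    param(
        [Parameter(Mandatory)][hashtable]$DumpBySystem,
        # NT hash of the empty password: identical on every blank account, so not reported
        [string]$EmptyNT = '31d6cfe0d16ae931b73c59d7e0c089c0'
    )
    $pattern = '^(?<user>[^:]+):(?<rid>\d+):(?<lm>[0-9a-f]{32}):(?<nt>[0-9a-f]{32}):::$'
    $records = foreach ($system in $DumpBySystem.Keys) {
        foreach ($line in $DumpBySystem[$system]) {
            if ($line.Trim() -match $pattern) {   # -match is case-insensitive by default
                [pscustomobject]@{
                    System = $system
                    User   = $Matches['user']
                    NT     = $Matches['nt'].ToLowerInvariant()   # normalise before grouping
                }
            }
        }
    }
    # Keep only hashes that appear on more than one distinct system
    $records | Where-Object { $_.NT -ne $EmptyNT } | Group-Object NT |
        Where-Object { @($_.Group.System | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                NT       = $_.Name
                Systems  = @($_.Group.System | Sort-Object -Unique) -join ', '
                # Assumption: '@' joins account and system name in this example only
                Accounts = @($_.Group | ForEach-Object { '{0}@{1}' -f $_.User, $_.System }) -join ', '
            }
        }
}

Get-SamHashReuse -DumpBySystem $SampleDump | Format-List
```

Hashes are lower-cased before grouping so the same value in different case still matches, and the empty-password hash is excluded because it would otherwise link every system with a blank Guest account.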
