PsMapExec: assess and compromise an Active Directory environment
PsMapExec
A PowerShell tool heavily inspired by the popular tool CrackMapExec / NetExec. PsMapExec aims to bring the function and feel of these tools to PowerShell with its own arsenal of improvements.
PsMapExec is used as a post-exploitation tool to assess and compromise an Active Directory environment.
What methods does it support
Currently supported methods (Protocols)
| Method | Description |
|---|---|
| IPMI | Dump IPMI hashes |
| Kerberoast | Kerberoast accounts |
| MSSQL | Check access, run commands |
| RDP | Check access |
| SMB | Check access, run commands |
| GenRelayList | Check SMB signing status |
| Spray | Spray passwords and hashes |
| SessionHunter | Check access, run commands |
| VNC | Check no auth access |
| WinRM | Check access, run commands |
| WMI | Check access, run commands |
Supported Modules
| Module | Description |
|---|---|
| Amnesiac | Executes Amnesiac C2 payloads |
| ConsoleHistory | Dumps PowerShell console history |
| Files | Lists files in common directories for each user |
| FileZilla | Dumps Filezilla credentials |
| KerbDump | Dumps Kerberos tickets |
| eKeys | Dumps encryption keys from memory (Mimikatz) |
| LogonPasswords | Dumps logon passwords from memory (Mimikatz) |
| LSA | Dumps LSA (Mimikatz) |
| NTDS | Executes DCsync on the remote system |
| Notepad | Dumps notepad backup files |
| NTLM | Grabs a NTLM hash for each user logon session |
| SAM | Dumps SAM hashes |
| SCCM | Dumps local NAA credentials and task sequences |
| SessionExec | Executes commands under each user logon session |
| SessionRelay | Relay NTLM hashes under each user logon session |
| TGTDeleg | Grab a fresh TGT under each user logon session |
| VNC | Dumps VNC credentials |
| Wi-Fi | Dumps Wi-Fi credentials |
| WinSCP | Dumps WinSCP credentials |
