03 ‐ Credential Material Usage
PsMapExec supports impersonation through a variety of credential types, enabling flexible and targeted operations. When executing a command, PsMapExec first checks for supplied credentials. If credentials are present, it attempts to obtain a Kerberos Ticket Granting Ticket (TGT), typically using Rubeus, and executes actions against the specified targets under that user's context. If no credentials are provided, it defaults to using the current user session.
If no credential material is provided, PsMapExec will execute commands using the current user’s context.
# Executes 'whoami' on all targets using the current user's session
PsMapExec WMI -Targets All -Command 'whoami'
A base64-encoded Kerberos ticket can be passed using the -Ticket parameter, either directly or by referencing a file.
Note: You do not need to specify a username, as the ticket already contains this information.
PsMapExec WMI -Targets All -Ticket "doIhsj..."
PsMapExec WinRM -Targets All -Ticket "C:\ticket.txt"
You can authenticate using a username and supported hash format. PsMapExec currently supports:
- RC4 / NT
- NTLM
- AES256 HMAC
PsMapExec WMI -Targets All -Command "net user" -Username [User] -Hash [Hash]
Traditional username and password combinations are also supported.
Note: If the password includes special characters like $, wrap it in single quotes.
PsMapExec WinRM -Targets All -Username [User] -Password '[Password]'
The -LocalAuth switch enables local account authentication and is supported with the following methods:
- WMI
- RDP
- MSSQL (SQL Server Authentication)
Only username and password combinations are supported for local authentication.
# WMI Local Auth
PsMapExec WMI -Targets All -LocalAuth -Username [User] -Password [Password]
# MSSQL Local Auth
PsMapExec MSSQL -Targets All -LocalAuth -Username [User] -Password [Password]
# RDP Local Auth
PsMapExec RDP -Targets All -LocalAuth -Username [User] -Password [Password]
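
For defenders, an added example (not part of PsMapExec or its documentation): a TGT requested from an RC4 / NT hash, as described above, is recorded on a domain controller that audits the Kerberos Authentication Service as Security event 4768 with TicketEncryptionType 0x17, which stands out where AES is the norm. The event XML is constructed sample data, and `rc4_tgt_requests` and `known_rc4_accounts` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_HMAC = 0x17  # Kerberos etype 23; 0x11 / 0x12 are AES128 / AES256

def _event(user, etype, ip, event_id=4768):
    """Build a constructed record in the Windows event XML layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TicketEncryptionType">{etype}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample data, not taken from a real domain controller.
SAMPLE_EVENTS = [
    _event("alice", "0x12", "::ffff:10.0.0.21"),        # AES256 TGT: expected
    _event("svc_backup", "0x17", "::ffff:10.0.0.57"),   # RC4 TGT: flag
    _event("bob", "0xFFFFFFFF", "::ffff:10.0.0.33"),    # failed request, no ticket
    _event("carol", "0x17", "::ffff:10.0.0.90", 4769),  # service ticket, not a TGT
]

def rc4_tgt_requests(xml_events, known_rc4_accounts=()):
    """Return (user, source_ip) for each TGT (event 4768) issued with RC4-HMAC.

    known_rc4_accounts: accounts documented as still needing RC4 (assumption:
    the estate keeps such a list); they are not reported.
    """
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4768":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        try:
            etype = int(data.get("TicketEncryptionType", ""), 16)
        except ValueError:
            continue  # field missing or malformed
        user = data.get("TargetUserName", "")
        if etype != RC4_HMAC or user in known_rc4_accounts:
            continue
        ip = data.get("IpAddress", "")
        if ip.startswith("::ffff:"):  # IPv4-mapped form used in these events
            ip = ip[len("::ffff:"):]
        hits.append((user, ip))
    return hits

if __name__ == "__main__":
    for user, ip in rc4_tgt_requests(SAMPLE_EVENTS):
        print(f"RC4 TGT request: user={user} source={ip}")
```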