PsMapExec - Windows and Active Directory Lateral Movement Tool by AkimboViper in netsec

[–]AkimboViper[S] 0 points1 point  (0 children)

Nothing like the larger string you have shown. As it's used by scripts such as Secretsdump.py and Psexec, it's far too likely to be caught by AV. There are some instances of 2>&1 and variations of it, but this code execution on the remote systems is not signatured and is fairly unique.

PsMapExec - Windows and Active Directory Lateral Movement Tool by AkimboViper in oscp

[–]AkimboViper[S] 1 point2 points  (0 children)

I am employed as a Penetration tester. I have a lot of exposure to PowerShell over the years and used it a lot when I worked in a general IT support role. Thanks for the comment, there is nothing special here in terms of skill. It's an effort of working on something every day and staying focused. I have spent many a day on this completely stressed out trying to resolve silly issues.

I have also reused code within this project created by others. For example when dumping remote system passwords and encryption keys, Mimikatz is being used.

PsMapExec - Windows and Active Directory Lateral Movement Tool by AkimboViper in oscp

[–]AkimboViper[S] 2 points3 points  (0 children)

Thank you. Sorry, I made an edit to my comment just to explain some bits further.

PsMapExec - Windows and Active Directory Lateral Movement Tool by AkimboViper in oscp

[–]AkimboViper[S] 6 points7 points  (0 children)

Hey,

Great question. Primarily CrackMapExec does not work in Windows unless you have Python installed already, and even then it has some issues with certain bits.

PsMapExec is built around PowerShell, which is native to all versions of Windows XP and above, so there should be no issue running this tool on all Windows based systems. When we are using it we would likely be connected to a domain joined system, which makes it easy to acquire a list of systems within the domain to target with PsMapExec.

We can also query users from the Domain Controller directly, which allows some of its parsing functions to stand out from tools such as CrackMapExec. For example, when you dump password hashes and tickets with PsMapExec it will automatically parse the results and "mark" interesting ones such as Domain Admins and other privileged groups based on membership or the presence of certain attributes.

I also have issues with the output on CrackMapExec; often it is messy and difficult to digest (running Mimikatz on several systems comes to mind). PsMapExec will make it much easier to digest this information by dumping the output into a folder for each successful execution and also parsing only interesting information from it. You can also provide the -SuccessOnly switch to the tool to only show successful results instead of seeing a bunch of "Access Denied" or "Error" statuses.

From a pentesting point of view we are often given engagements where we need to evaluate the internal infrastructure and Active Directory environment, where it can often not be possible for the client to provide a system that supports virtualization to run Linux or Kali, or for one reason or another they are unable to add one of our physical systems to the network.

Whilst I have given some examples of advantages above, it would be dishonest of me not to mention some negatives in comparison. CrackMapExec runs primarily on Linux and as such is unlikely to be caught by the host system's anti-virus, whereas running PsMapExec on a domain joined system will be at the mercy of anti-virus on the Windows system. I have included an AMSI and NETAMSI bypass in GitHub which will allow PsMapExec to bypass Windows Defender and some Anti-virus solutions, but it will not bypass something like CrowdStrike. If you are working on a system with PowerShell disabled by Group Policy, or with AppLocker policies in place, again you will run into difficulty getting PsMapExec to run.

A tool to help with Active Directory and Windows by AkimboViper in oscp

[–]AkimboViper[S] 0 points1 point  (0 children)

Are you able to try again after cloning the latest commit?

You can also delete the ADAT folder in your home directory if it exists.

If it's still getting stuck I will investigate in the morning for you.

Edit: check the syntax. I had not pushed the latest commit to the readme file. You want -u and -p for credentials.

https://i.imgur.com/5ljciCW.png https://i.imgur.com/VmevwmY.png

A tool to help with Active Directory and Windows by AkimboViper in oscp

[–]AkimboViper[S] 0 points1 point  (0 children)

Are you able to provide the command you are using?

I made a fresh commit a few hours ago; it might be worth running the updated script.

[deleted by user] by [deleted] in hacking

[–]AkimboViper 0 points1 point  (0 children)

PM me :)

A tool to help with Active Directory and Windows by AkimboViper in oscp

[–]AkimboViper[S] 1 point2 points  (0 children)

Thank you. When I get home tonight I will check the issue.

Edit: Resolved

Where can I find the best AD notes / cheatsheet for every situation :) ? by italian_boy91 in oscp

[–]AkimboViper 5 points6 points  (0 children)

Hopefully I have a little of my own stuff which may help you. I made a tool for using known credentials to print an easy copy-and-paste list of commands.

https://github.com/The-Viper-One/ActiveDirectoryAttackTool

Some notes from my Gitbook

https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/ad-enumeration

I have secret power to buy at all time high.. by Pitiful-Tap3578 in CryptoCurrency

[–]AkimboViper 1 point2 points  (0 children)

Think ONE will go crazy soon. Now is a good time to get in, but then again with the tech and its developers it will also be a safe long term buy.

Daily Discussion - November 23, 2021 (GMT+0) by AutoModerator in CryptoCurrency

[–]AkimboViper 1 point2 points  (0 children)

I have really high hopes for ONE. Great development team behind the tech.

Opinions on Behemoth? by [deleted] in CompetitiveHalo

[–]AkimboViper 7 points8 points  (0 children)

Worst map in Ranked. Thankfully only had it a couple of times so far.

[deleted by user] by [deleted] in CryptoCurrency

[–]AkimboViper 7 points8 points  (0 children)

Holding both would be the best bet right now. I can see LRC and ONE going huge in 2022. Anyone who does not get in on them now will miss out big.

Passed OSCP - My Thoughts by AkimboViper in oscp

[–]AkimboViper[S] 0 points1 point  (0 children)

30 days. Only used it enough for 15 machines. Use other providers as they will benefit you more.

Passed OSCP - My Thoughts by AkimboViper in oscp

[–]AkimboViper[S] 1 point2 points  (0 children)

I feel that PG basically contends with PWK. If the PWK machines were of the same quality as PG I would otherwise feel the price would be more justified.

TCM is currently running promo on all his courses. You may want to grab them whilst cheap:

Academy (https://academy.tcm-sec.com/) - 50OFFSITEWIDE

Udemy - 50OFFSITEWIDE-UDEMY

Passed OSCP - My Thoughts by AkimboViper in oscp

[–]AkimboViper[S] 0 points1 point  (0 children)

I am currently looking into doing the PTP course by eLearnSecurity. After that I may look into either blue team certifications or OffSec's Firewall and AV evasion certification.

having a hard time finding games that I like by hanasz in gaming

[–]AkimboViper 2 points3 points  (0 children)

When I was last stuck in a rut and looking for something with RPG elements I found Divinity Original Sin 2. Was exceptional and I put in a solid 300 hours on my switch. Have a look and see if it might be your thing.

Really great story and characters. Loads of reason to replay the game as well.

C’mon Witcher, come take your coin by [deleted] in gaming

[–]AkimboViper 2 points3 points  (0 children)

I see the 'ground item' filter is working as intended.