Executes Mimikatz's sekurlsa::ekeys on each target system to retrieve Kerberos encryption keys.
For each system output is stored in $pwd\PME\eKeys\
Supported Methods
- MSSQL
- SMB
- SessionHunter (WMI)
- WMI
- WinRM
| Parameter | Value | Description |
|---|---|---|
| -NoParse | N/A | If specified, PsMapexec will not automatically parse output from all targets systems and identify accounts that belong to privileged groups. |
| -ShowOutput | N/A | Displays each targets output to the console |
| -SuccessOnly | N/A | Display only successful results |
{% code overflow="wrap" %}
# Standard execution
PsMapExec -Username [User] -Password [Pass] -targets [All] -Module eKeys -Method [Method] -ShowOutput{% endcode %}
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
If -NoParse is not specified,, PsMapExec will parse the results from each system and present the results in a digestable and readable format. The notes field will highlight in yellow any interesting information about each result.
The table below shows the possible values for the notes field.
| Value | Description |
|---|---|
| AdminCount=1 | The parsed account has an AdminCount value of 1. This means the account may hold some sort of privileged access within the domain. |
| rc4_hmac_nt=Empty Password | The rc4 value is equal to that of an empty password. |
| Cleartext Password | Cleartext password was parsed from the results. This is only highlited on user accounts and omitted for computer accounts. |
| Domain Admin Enterprise Admin Server Operator Account Operator | The account is a member of a high value group. |
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
f