From 14dbf8aca26eaaa807fcfaa21e94047294186485 Mon Sep 17 00:00:00 2001 From: Kevin Robertson Date: Mon, 25 Feb 2019 23:02:51 -0500 Subject: Added SMB Kerberos TGT capture and kirbi output Added SMB Kerberos TGT capture through packet sniffing and kirbi output. To use, credentials are required for an account with unconstrained delegation. This is still in the early stages. I'm not using an ASN.1 library so there is probably lots that can throw off the parsing. --- Inveigh-Relay.ps1 | 38 +++++++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 11 deletions(-) (limited to 'Inveigh-Relay.ps1') diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1 index 0b99c3b..ce5af25 100644 --- a/Inveigh-Relay.ps1 +++ b/Inveigh-Relay.ps1 @@ -6961,18 +6961,24 @@ Get added DNS host records. .PARAMETER ADIDNSFailed Get failed DNS host record adds. -.PARAMETER Learning -Get valid hosts discovered through spoofer learning. - -.PARAMETER Log -Get log entries. - .PARAMETER Cleartext Get captured cleartext credentials. .PARAMETER CleartextUnique Get unique captured cleartext credentials. +.PARAMETER KerberosUsername +Get IP addresses, usernames, and index for captured Kerberos TGTs. + +.PARAMETER KerberosTGT +Get Kerberos TGT kirbi byte array by index. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. + +.PARAMETER Log +Get log entries. + .PARAMETER NTLMv1 Get captured NTLMv1 challenge/response hashes. @@ -7009,6 +7015,8 @@ Get relay session list. [parameter(Mandatory=$false)][Switch]$Console, [parameter(Mandatory=$false)][Switch]$ADIDNS, [parameter(Mandatory=$false)][Switch]$ADIDNSFailed, + [parameter(Mandatory=$false)][Int]$KerberosTGT, + [parameter(Mandatory=$false)][Switch]$KerberosUsername, [parameter(Mandatory=$false)][Switch]$Learning, [parameter(Mandatory=$false)][Switch]$Log, [parameter(Mandatory=$false)][Switch]$NTLMv1, 
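Review bot: `[Int]$KerberosTGT` in the param block cannot tell "not supplied" apart from index 0, because an omitted `[Int]` parameter is 0 and the later hunk at -7093 gates on `if($KerberosTGT)`, which is false for 0. If the index reported by `-KerberosUsername` starts at 0 (not visible in this diff), the first stored entry can never be returned. Testing whether the parameter was bound avoids that: `if($PSBoundParameters.ContainsKey('KerberosTGT'))`. The help text added in the first hunk could also state whether the index is zero-based and that it is the one listed by `-KerberosUsername`. The param block continues outside this hunk.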
@@ -7079,6 +7087,7 @@ Get relay session list. if($ADIDNSFailed) { + $ADIDNS_table_keys_temp = $inveigh.ADIDNS_table.Keys foreach($ADIDNS_host in $ADIDNS_table_keys_temp) @@ -7093,6 +7102,16 @@ Get relay session list. } + if($KerberosTGT) + { + Write-Output $inveigh.kerberos_TGT_list[$KerberosTGT] + } + + if($KerberosUsername) + { + Write-Output $inveigh.kerberos_TGT_username_list + } + if($Log) { Write-Output $inveigh.log @@ -7183,7 +7202,6 @@ Get relay session list. if($Session) { - $sessions_temp = $inveigh.session $i = 0 while($i -lt $inveigh.session_socket_table.Count) @@ -7197,14 +7215,12 @@ Get relay session list. $i++ } - Write-Output $sessions_temp | Format-Table -AutoSize + Write-Output $inveigh.session | Format-Table -AutoSize } if($Enumerate) { - $enumerate_temp = $inveigh.enumerate - Write-Output $enumerate_temp - Remove-Variable enumerate_temp + Write-Output $inveigh.enumerate } } -- cgit v1.2.3
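Review bot: `$inveigh.kerberos_TGT_list[$KerberosTGT]` in the hunk at -7093 is indexed with no range check, so a value at or beyond the list count either returns nothing or throws, depending on the collection type, which is not visible here. A negative value may also index from the end of the list. A guard such as `if($KerberosTGT -ge 0 -and $KerberosTGT -lt $inveigh.kerberos_TGT_list.Count)` with an explicit message in the else branch would make a wrong index obvious to the caller. The enclosing function starts and ends outside the hunk.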
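Review bot: The previous hunk deletes `$sessions_temp = $inveigh.session`, but the body of the `while` loop between that hunk and this one is not shown, so it is worth confirming that no `$sessions_temp[$i]` reference remains there; if one does, it now points at an unset variable. Separately, `Write-Output $inveigh.session | Format-Table -AutoSize` emits formatting objects rather than the session objects, so callers cannot filter or export the result. Returning the data with `Write-Output $inveigh.session`, as the `$Enumerate` branch now does with `$inveigh.enumerate`, would keep the two branches consistent and leave formatting to the caller.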