From 4cedfa1c308a1bc37530725734290d506c0170dd Mon Sep 17 00:00:00 2001
From: Harmj0y
Date: Sun, 24 Apr 2016 10:56:07 -0400
Subject: added Request-SPNTicket to request kerberos tickets for specified SPNs
---
Recon/PowerView.ps1 | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
(limited to 'Recon')
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 4c64e80..dd63509 100644
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -1262,6 +1262,54 @@ filter Get-Proxy {
 }
 
 
+function Request-SPNTicket {
+<#
+ .SYNOPSIS
+
+ Request the kerberos ticket for a specified service principal name (SPN).
+
+ .PARAMETER SPN
+
+ The service principal name to request the ticket for. Required.
+
+ .EXAMPLE
+
+ PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local"
+
+ Request a kerberos service ticket for the specified SPN.
+
+ .EXAMPLE
+
+ PS C:\> "HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Request-SPNTicket
+
+ Request kerberos service tickets for all SPNs passed on the pipeline.
+
+ .EXAMPLE
+
+ PS C:\> Get-NetUser -SPN | Request-SPNTicket
+
+ Request kerberos service tickets for all users with non-null SPNs.
+#>
+
+ [CmdletBinding()]
+ Param (
+ [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('ServicePrincipalName')]
+ [String[]]
+ $SPN
+ )
+
+ begin {
+ Add-Type -AssemblyName System.IdentityModel
+ }
+
+ process {
+ Write-Verbose "Requesting ticket for: $SPN"
+ New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $SPN
+ }
+}
+
+
 function Get-PathAcl {
 <#
 .SYNOPSIS
-- 
cgit v1.2.3
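Review bot: The comment-based help on Request-SPNTicket never says what the function emits or what it leaves behind, even though the `process` block returns the `KerberosRequestorSecurityToken` object straight to the pipeline. I would add an `.OUTPUTS` entry naming `System.IdentityModel.Tokens.KerberosRequestorSecurityToken` and a `.NOTES` line such as `Each call issues a service-ticket request to the domain controller, which is logged there as event 4769 when Kerberos service ticket auditing is enabled.`, so operators and defenders know which audit record corresponds to a call. The second `.EXAMPLE` also pipes bare strings while `$SPN` is declared with `ValueFromPipelineByPropertyName` only, so the help text and the parameter attribute disagree and one of them should be brought in line with the other.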