From 0aaa23cd8656f0b92f2fac3cd8e6be68eed7d809 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Mon, 12 Dec 2016 21:05:08 -0500 Subject: first take at platyPS doc generation --- docs/Recon/Get-DomainSPNTicket.md | 136 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100755 docs/Recon/Get-DomainSPNTicket.md (limited to 'docs/Recon/Get-DomainSPNTicket.md') diff --git a/docs/Recon/Get-DomainSPNTicket.md b/docs/Recon/Get-DomainSPNTicket.md new file mode 100755 index 0000000..70385a4 --- /dev/null +++ b/docs/Recon/Get-DomainSPNTicket.md 
@@ -0,0 +1,136 @@ +# Get-DomainSPNTicket + +## SYNOPSIS +Request the kerberos ticket for a specified service principal name (SPN). + +Author: machosec, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +### RawSPN (Default) +``` +Get-DomainSPNTicket [-SPN] [-OutputFormat ] [-Credential ] +``` + +### User +``` +Get-DomainSPNTicket [-User] [-OutputFormat ] [-Credential ] +``` + +## DESCRIPTION +This function will either take one/more SPN strings, or one/more PowerView.User objects +(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN +using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. +The encrypted +portion of the ticket is then extracted and output in either crackable John or Hashcat +format (deafult of John). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSPNTicket -SPN "HTTP/web.testlab.local" +``` + +Request a kerberos service ticket for the specified SPN. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket +``` + +Request kerberos service tickets for all SPNs passed on the pipeline. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat +``` + +Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format. + +## PARAMETERS + +### -SPN +Specifies the service principal name to request the ticket for. + +```yaml +Type: String[] +Parameter Sets: RawSPN +Aliases: ServicePrincipalName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -User +Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for. 
+ +```yaml +Type: Object[] +Parameter Sets: User +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -OutputFormat +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'John'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Format + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote domain using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more SPN strings on the pipeline with the RawSPN parameter set. + +### PowerView.User + +Accepts one or more PowerView.User objects on the pipeline with the User parameter set. + +## OUTPUTS + +### PowerView.SPNTicket + +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. + +## NOTES + +## RELATED LINKS + -- cgit v1.2.3
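Review bot: In the DESCRIPTION section of the new docs/Recon/Get-DomainSPNTicket.md, "(deafult of John)" should read "default"; because the subject says this file comes from platyPS generation, the spelling is best fixed in the help text the generator reads, so it does not return on the next run. In SYNOPSIS, the Author, License and Required Dependencies lines follow the synopsis sentence directly, while the NOTES and RELATED LINKS headings at the end of the file are empty; moving that metadata under NOTES would keep the synopsis to the single sentence describing the function. The -User parameter block lists "Type: Object[]" although its description says it takes a PowerView.User object, so the documented type gives a reader no hint of what is actually accepted; consider stating the expected type name in the description of that block if the generated type cannot be changed. The file is created with mode 100755, and a Markdown document does not need the executable bit, so 100644 would be the expected mode.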