From 4934f19aae7f860498e11731fc512aa663e1b159 Mon Sep 17 00:00:00 2001 From: Kevin Robertson Date: Wed, 2 May 2018 22:53:15 -0400 Subject: Added credential parameter to machine account tools Added the ability to accept creds for all of the machine account scripts. Also syncing Invoke-DNSUpdate with version that is currently in the Inveigh dev branch. --- Disable-MachineAccount.ps1 | 68 ++- Get-MachineAccountAttribute.ps1 | 70 ++- Get-MachineAccountCreator.ps1 | 92 +-- Invoke-DNSUpdate.ps1 | 1174 +++++++++++++++++++++------------------ New-MachineAccount.ps1 | 54 +- Set-MachineAccountAttribute.ps1 | 67 ++- 6 files changed, 889 insertions(+), 636 deletions(-) diff --git a/Disable-MachineAccount.ps1 b/Disable-MachineAccount.ps1 index ad68cbb..e0ddf9a 100644 --- a/Disable-MachineAccount.ps1 +++ b/Disable-MachineAccount.ps1 @@ -16,11 +16,17 @@ function Disable-MachineAccount Note that this function does not accept credentials. + .PARAMETER Credential + Credentials for account that was used to create the machine account. + .PARAMETER DistinguishedName Distinguished name for the computers OU. .PARAMETER Domain - The targeted domain. + The targeted domain. This parameter is mandatory on a non-domain attached system. + + .PARAMETER DomainController + Domain controller to target. This parameter is mandatory on a non-domain attached system. .PARAMETER MachineAccount The username of the machine account that will be disabled. @@ -37,9 +43,45 @@ function Disable-MachineAccount ( [parameter(Mandatory=$false)][String]$DistinguishedName, [parameter(Mandatory=$false)][String]$Domain, - [parameter(Mandatory=$true)][String]$MachineAccount + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$true)][String]$MachineAccount, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential ) + if(!$DomainController) + { + + try + { + $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() + $DomainController = $current_domain.DomainControllers[0].Name + $Domain = $current_domain.Name + } + catch + { + Write-Output "[-] domain controller not located" + throw + } + + } + + if(!$Domain) + { + + try + { + $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + Write-Output "[-] $error_message" + throw + } + + } + if($MachineAccount.EndsWith('$')) { $machine_account = $MachineAccount.SubString(0,$MachineAccount.Length - 1) @@ -49,19 +91,12 @@ function Disable-MachineAccount $machine_account = $MachineAccount } - if(!$Domain) - { - $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name - } - if(!$DistinguishedName) { - $distinguished_name = "CN=$machine_account,CN=Computers" + $DC_array = $Domain.Split(".") - $DCArray = $Domain.Split(".") - - ForEach($DC in $DCArray) + ForEach($DC in $DC_array) { $distinguished_name += ",DC=$DC" } @@ -72,7 +107,16 @@ function Disable-MachineAccount $distinguished_name = "$DistinguishedName" } - $account = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$distinguished_name" + Write-Verbose "[+] Distinguished Name=$distinguished_name" + + if($Credential) + { + $account = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password) + } + else + { + $account = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$distinguished_name" + } if(!$account.InvokeGet("AccountDisabled")) { diff --git a/Get-MachineAccountAttribute.ps1 b/Get-MachineAccountAttribute.ps1 index fa58cd0..96c10f9 100644 --- a/Get-MachineAccountAttribute.ps1 +++ b/Get-MachineAccountAttribute.ps1 @@ -10,11 +10,18 @@ function Get-MachineAccountAttribute Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause + .PARAMETER Credential + Credentials for LDAP. + .PARAMETER DistinguishedName Distinguished name for the computers OU. .PARAMETER Domain - The targeted domain. + The targeted domain. This parameter is mandatory on a non-domain attached system. Note this parameter + requires a DNS domain name and not a NetBIOS version. + + .PARAMETER DomainController + Domain controller to target. This parameter is mandatory on a non-domain attached system. .PARAMETER MachineAccount The username of the machine account that will be modified. @@ -22,9 +29,6 @@ function Get-MachineAccountAttribute .PARAMETER Attribute The machine account attribute. - .PARAMETER Value - The machine account attribute value. - .EXAMPLE Get-MachineAccountAttribute -MachineAccount payroll -Attribute description @@ -37,10 +41,44 @@ function Get-MachineAccountAttribute ( [parameter(Mandatory=$false)][String]$DistinguishedName, [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$DomainController, [parameter(Mandatory=$true)][String]$MachineAccount, - [parameter(Mandatory=$true)][String]$Attribute + [parameter(Mandatory=$true)][String]$Attribute, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential ) + if(!$DomainController) + { + + try + { + $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers[0].Name + } + catch + { + Write-Output "[-] domain controller not located" + throw + } + + } + + if(!$Domain) + { + + try + { + $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + Write-Output "[-] $error_message" + throw + } + + } + if($MachineAccount.EndsWith('$')) { $machine_account = $MachineAccount.SubString(0,$MachineAccount.Length - 1) @@ -50,19 +88,12 @@ function Get-MachineAccountAttribute $machine_account = $MachineAccount } - if(!$Domain) - { - $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name - } - if(!$DistinguishedName) { - $distinguished_name = "CN=$machine_account,CN=Computers" + $DC_array = $Domain.Split(".") - $DCArray = $Domain.Split(".") - - ForEach($DC in $DCArray) + ForEach($DC in $DC_array) { $distinguished_name += ",DC=$DC" } @@ -73,7 +104,16 @@ function Get-MachineAccountAttribute $distinguished_name = "$DistinguishedName" } - $account = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$distinguished_name" + Write-Verbose "[+] Distinguished Name=$distinguished_name" + + if($Credential) + { + $account = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password) + } + else + { + $account = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name" + } try { diff --git a/Get-MachineAccountCreator.ps1 b/Get-MachineAccountCreator.ps1 index 99f0480..788674c 100644 --- a/Get-MachineAccountCreator.ps1 +++ b/Get-MachineAccountCreator.ps1 @@ -4,7 +4,8 @@ function Get-MachineAccountCreator .SYNOPSIS This function leverages the ms-DS-CreatorSID property on machine accounts to return a list of usernames or SIDs and the associated machine account. The ms-DS-CreatorSID property is only - populated when a machine account is created by an unprivileged user. + populated when a machine account is created by an unprivileged user. Note that SIDs will be returned + over usernames if SID to username lookups fail through System.Security.Principal.SecurityIdentifier. .DESCRIPTION This function can be used to see how close a user is to a ms-DS-MachineAccountQuota before @@ -20,16 +21,17 @@ function Get-MachineAccountCreator Distinguished name for the computers OU. .PARAMETER Domain - The targeted domain. This parameter is mandatory on a non-domain system. + The targeted domain. This parameter is mandatory on a non-domain attached system. Note this parameter + requires a DNS domain name and not a NetBIOS version. .PARAMETER DomainController - Domain controller to target. + Domain controller to target. This parameter is mandatory on a non-domain attached system. .EXAMPLE Get-MachineAccountCreator .EXAMPLE - $user_account_password = ConvertTo-SecureString 'Winter2018!' -AsPlainText -Force + $user_account_password = ConvertTo-SecureString 'Spring2018!' -AsPlainText -Force $user_account_creds = New-Object System.Management.Automation.PSCredential('domain\user',$user_account_password) Get-MachineAccountCreator -Credential $user_account_creds @@ -51,9 +53,7 @@ function Get-MachineAccountCreator try { - $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() - $DomainController = $current_domain.DomainControllers[0].Name - $domain = $current_domain.Name + $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers[0].Name } catch { @@ -68,7 +68,7 @@ function Get-MachineAccountCreator try { - $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name + $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name } catch { @@ -82,9 +82,7 @@ function Get-MachineAccountCreator if(!$DistinguishedName) { - $distinguished_name = "CN=Computers" - $DC_array = $Domain.Split(".") ForEach($DC in $DC_array) @@ -98,45 +96,59 @@ function Get-MachineAccountCreator $distinguished_name = "$DistinguishedName" } - if($Credential) - { - $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password) - } - else - { - $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$distinguished_name" - } - - $machine_account_searcher = New-Object DirectoryServices.DirectorySearcher - $machine_account_searcher.SearchRoot = $directory_entry - $machine_accounts = $machine_account_searcher.FindAll() | where-object {$_.properties.objectcategory -match "CN=computer"} - $creator_object_list = @() - - ForEach($account in $machine_accounts) + Write-Verbose "[+] Distinguished Name=$distinguished_name" + + try { - $creator_SID_object = $account.properties."ms-ds-creatorsid" - if($creator_SID_object) + if($Credential) { - $creator_SID = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID_object[0],0)).Value - $creator_object = New-Object PSObject + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password) + } + else + { + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name" + } + + $machine_account_searcher = New-Object DirectoryServices.DirectorySearcher + $machine_account_searcher.SearchRoot = $directory_entry + $machine_accounts = $machine_account_searcher.FindAll() | where-object {$_.properties.objectcategory -match "CN=computer"} + $creator_object_list = @() + + ForEach($account in $machine_accounts) + { + $creator_SID_object = $account.properties."ms-ds-creatorsid" - try - { - $creator_username = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID)).Translate([System.Security.Principal.NTAccount]).value - Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_username - } - catch + if($creator_SID_object) { - Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_SID + $creator_SID = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID_object[0],0)).Value + $creator_object = New-Object PSObject + + try + { + $creator_username = (New-Object System.Security.Principal.SecurityIdentifier($creator_SID)).Translate([System.Security.Principal.NTAccount]).value + Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_username + } + catch + { + Add-Member -InputObject $creator_object -MemberType NoteProperty -Name Creator $creator_SID + } + + Add-Member -InputObject $creator_object -MemberType NoteProperty -Name "Machine Account" $account.properties.samaccountname[0] + $creator_object_list += $creator_object + $creator_SID_object = $null } - - Add-Member -InputObject $creator_object -MemberType NoteProperty -Name "Machine Account" $account.properties.samaccountname[0] - $creator_object_list += $creator_object - $creator_SID_object = $null + } } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + Write-Output "[-] $error_message" + throw + } Write-Output $creator_object_list | Sort-Object -property @{Expression = {$_.Creator}; Ascending = $false}, "Machine Account" | Format-Table -AutoSize } \ No newline at end of file diff --git a/Invoke-DNSUpdate.ps1 b/Invoke-DNSUpdate.ps1 index f68184f..3f3ced3 100644 --- a/Invoke-DNSUpdate.ps1 +++ b/Invoke-DNSUpdate.ps1 @@ -2,30 +2,37 @@ function Invoke-DNSUpdate { <# .SYNOPSIS - This function allows DNS records to be added/deleted if secure dynamic updates are enabled on a domain - controller. Authentication is performed through Kerberos GSS-TSIG. + This function performs secure and nonsecure DNS dynamic updates against an AD domain controller. Authentication + for secure updates is performed through Kerberos GSS-TSIG. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .DESCRIPTION - This function can be used to add/delete dynamic DNS records if the default setting of enabled secure dynamic - updates is configured on a domain controller. A, AAAA, CNAME, MX, PTR, SRV, and TXT records are currently - supported. Invoke-DNSUpdate is modeled after BIND`s nsupdate tool when using the '-g' or 'gsstsig' options. - - An account/session with permission to perform secure dynamic updates is required. By default, authenticated - users have the 'Create all child objects' permission on the Active Directory-integrated zone. Most records - that do not currently exist in an AD zone can be added/deleted. Limitations for authenticated users can - include things like being prevented from adding SRV records that interfere with the AD Kerberos records. Older - existing dynamic records can sometimes be hijacked. Note that wpad and isatap are on a block list by default - starting with Server 2008. - - This function supports only GSS-TSIG through Kerberos AES256-CTS-HMAC-SHA1-96 using two separate methods. By - default, the function will have Windows perform all Kerberos steps up until the AP-REQ is sent to DNS on the - DC. This method will work with either the current session context or with specified credentials. The second - method performs Kerberos authentication using just PowerShell code over a TCPClient connection. This method + This function can be used to add/delete dynamic DNS records through secure or nonsecure dynamic updates against an + AD domain controller. A, AAAA, CNAME, MX, PTR, SRV, and TXT records are currently supported. Invoke-DNSUpdate is modeled + after BIND`s nsupdate tool when using the '-g' or 'gsstsig' options for secure updates or no authentication for + nonsecure updates. + + By default, Active Directory-integrated zones have secure dynamic updates enabled with authenticated users having + 'Create all child objects' permission. Records that do not exist in an AD zone can be added/deleted with a standard + user account. Existing records created by default or created by other users impose limitations. For example, creating + records that apply to the root of the zone or creating additional SRV records for kerberos/ldap will likely be blocked + due to existing records. Note however that older existing dynamic records can sometimes be hijacked. Subdomain folders + can also be created. + + With secure dynamic updates, this function supports only GSS-TSIG through Kerberos AES256-CTS-HMAC-SHA1-96 using + two separate methods. By default, the function will have Windows perform all Kerberos steps up until the AP-REQ + is sent to DNS on the DC. This method will work with either the current session context or with specified credentials. + The second method performs Kerberos authentication using just PowerShell code over a TCPClient connection. This method will accept a password or AES256 hash and will not place any tickets in the client side cache. + In the event that a zone is configured for nonsecure dynamic updates, you should have full control over the zone. + + Note that wpad and isatap are on a block list by default starting with Server 2008. Although the records can be added + with both secure and nonsecure dynamic updates, AD DNS will not answer requests for wpad and isatap if they are listed + on the block list. + .PARAMETER DomainController Domain controller to target in FQDN format. @@ -43,6 +50,11 @@ function Invoke-DNSUpdate AES256 password hash for user with DNS secure dynamic update access. Note that this will use Kerberos authentication built on top of TCPClient. + .PARAMETER Security + Default = Secure: (Auto/Nonsecure/Secure) Dynamic update security type. Auto will attempt to use nonsecure. If + nonsecure fails, secure will be used. This is the standard dynamic update behavior. Secure is the default + because it generates less traffic. + .PARAMETER DNSName DNS record name. @@ -87,7 +99,7 @@ function Invoke-DNSUpdate Add CNAME Record .EXAMPLE - Invoke-DNSUpdate -DNSType MX -DNSName www.test.local -DNSData 192.168.100.125 -DNSPreference 10 + Invoke-DNSUpdate -DNSType MX -DNSName test.local -DNSData 192.168.100.125 -DNSPreference 10 Add MX Record .EXAMPLE @@ -132,6 +144,7 @@ function Invoke-DNSUpdate [parameter(Mandatory=$false)][Int]$DNSPriority, [parameter(Mandatory=$false)][Int]$DNSWeight, [parameter(Mandatory=$false)][Int]$DNSPort, + [parameter(Mandatory=$false)][ValidateSet("Auto","Nonsecure","Secure")][String]$Security = "Secure", [parameter(Mandatory=$true)][ValidateSet("A","AAAA","CNAME","MX","PTR","SRV","TXT")][String]$DNSType, [parameter(Mandatory=$true)][String]$DNSName, [parameter(Mandatory=$false)][ValidateScript({$_.Length -le 255})][String]$DNSData, @@ -172,7 +185,7 @@ function Invoke-DNSUpdate 'SRV' { - if(!$DNSPriority -or !$DNSWeight -or !$DNSPort -and $DNSData) + if(!$DNSPriority -and !$DNSWeight -and !$DNSPort -and $DNSData) { Write-Output "[-] DNSType SRV requires DNSPriority, DNSWeight, and DNSPort" throw @@ -217,14 +230,14 @@ function Invoke-DNSUpdate if(!$Realm) { - $realm = $domain + $Realm = $domain } if($TCPClientAuth -or $Hash) { $kerberos_tcpclient = $true - $realm = $realm.ToUpper() + $Realm = $Realm.ToUpper() if($username -like "*\*") { @@ -238,11 +251,11 @@ function Invoke-DNSUpdate if($Username.EndsWith("$")) { - $salt = $realm + "host" + $Username.SubString(0,$Username.Length - 1) + "." + $realm.ToLower() + $salt = $Realm + "host" + $Username.SubString(0,$Username.Length - 1) + "." + $Realm.ToLower() } else { - $salt = $realm + $Username + $salt = $Realm + $Username } Write-Verbose "[+] Salt $salt" @@ -258,9 +271,9 @@ function Invoke-DNSUpdate function ConvertFrom-PacketOrderedDictionary { - param($ordered_dictionary) + param($OrderedDictionary) - ForEach($field in $ordered_dictionary.Values) + ForEach($field in $OrderedDictionary.Values) { $byte_array += $field } @@ -349,7 +362,7 @@ function Invoke-DNSUpdate function New-PacketKerberosASREQ() { - param([Byte[]]$username,[Byte[]]$realm,[Byte[]]$namestring,[Byte[]]$nonce,[Byte[]]$pac,[Byte[]]$pac_signature) + param([Byte[]]$Username,[Byte[]]$Realm,[Byte[]]$NameString,[Byte[]]$Nonce,[Byte[]]$PAC,[Byte[]]$PACSignature) $timestamp = Get-Date $till = $timestamp.AddYears(20) @@ -358,26 +371,26 @@ function Invoke-DNSUpdate [Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp) [Byte[]]$till = [System.Text.Encoding]::UTF8.GetBytes($till) - if($pac) + if($PAC) { $pac_extra_length = 78 } - [Byte[]]$namestring1_length = Get-ASN1LengthArray $namestring.Count - [Byte[]]$namestring_length = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + 6) - [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + 7) - [Byte[]]$sname_length = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 13) - [Byte[]]$sname_length2 = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 14) - [Byte[]]$realm_length = Get-ASN1LengthArray $realm.Count - [Byte[]]$realm_length2 = Get-ASN1LengthArray ($realm.Count + $realm_length.Count + 1) - [Byte[]]$cname_length = Get-ASN1LengthArray $username.Count - [Byte[]]$cname_length2 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + 1) - [Byte[]]$cname_length3 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + 2) - [Byte[]]$cname_length4 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8) - [Byte[]]$cname_length5 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9) - $grouped_length = $address_length.Count + $address_length2.Count + $address_length3.Count + $address_length4.Count + $address_length5.Count + $namestring.Count + - $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $realm.Count + $realm_length.Count + - $realm_length2.Count + $username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + [Byte[]]$namestring1_length = Get-ASN1LengthArray $NameString.Count + [Byte[]]$namestring_length = Get-ASN1LengthArray ($NameString.Count + $namestring1_length.Count + 6) + [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($NameString.Count + $namestring1_length.Count + $namestring_length.Count + 7) + [Byte[]]$sname_length = Get-ASN1LengthArray ($NameString.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 13) + [Byte[]]$sname_length2 = Get-ASN1LengthArray ($NameString.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 14) + [Byte[]]$realm_length = Get-ASN1LengthArray $Realm.Count + [Byte[]]$realm_length2 = Get-ASN1LengthArray ($Realm.Count + $realm_length.Count + 1) + [Byte[]]$cname_length = Get-ASN1LengthArray $Username.Count + [Byte[]]$cname_length2 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + 1) + [Byte[]]$cname_length3 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + 2) + [Byte[]]$cname_length4 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8) + [Byte[]]$cname_length5 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9) + $grouped_length = $address_length.Count + $address_length2.Count + $address_length3.Count + $address_length4.Count + $address_length5.Count + $NameString.Count + + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $Realm.Count + $realm_length.Count + + $realm_length2.Count + $Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count [Byte[]]$reqbody_length = Get-ASN1LengthArrayLong ($grouped_length + 86) [Byte[]]$reqbody_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + 87) [Byte[]]$message_length = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $pac_extra_length + 114) @@ -385,95 +398,95 @@ function Invoke-DNSUpdate [Byte[]]$asreq_length = [System.BitConverter]::GetBytes($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $message_length2.Count + $pac_extra_length + 116)[3..0] - $packet_KerberosASREQ = New-Object System.Collections.Specialized.OrderedDictionary - $packet_KerberosASREQ.Add("KerberosASREQ_Length",$asreq_length) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_Encoding",[Byte[]](0x6a) + $message_length2 + [Byte[]](0x30) + $message_length) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PVNO",[Byte[]](0x05)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_MSGType_Encoding",[Byte[]](0xa2,0x03,0x02,0x01)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_MSGType",[Byte[]](0x0a)) + $KerberosASREQ = New-Object System.Collections.Specialized.OrderedDictionary + $KerberosASREQ.Add("Length",$asreq_length) + $KerberosASREQ.Add("Message_Encoding",[Byte[]](0x6a) + $message_length2 + [Byte[]](0x30) + $message_length) + $KerberosASREQ.Add("Message_PVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) + $KerberosASREQ.Add("Message_PVNO",[Byte[]](0x05)) + $KerberosASREQ.Add("Message_MSGType_Encoding",[Byte[]](0xa2,0x03,0x02,0x01)) + $KerberosASREQ.Add("Message_MSGType",[Byte[]](0x0a)) - if($pac) + if($PAC) { - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData_Encoding",[Byte[]](0xa3,0x5c,0x30,0x5a,0x30,0x4c,0xa1,0x03,0x02,0x01,0x02)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Type_Encoding",[Byte[]](0xa2,0x45,0x04,0x43,0x30,0x41,0xa0,0x03,0x02,0x01)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Type",[Byte[]](0x12)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Value_Encoding",[Byte[]](0xa2,0x3a,0x04,0x38)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Value",$pac) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Signature",$pac_signature) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Type_Encoding",[Byte[]](0x30,0x0a,0xa1,0x04,0x02,0x02)) + $KerberosASREQ.Add("Message_PAData_Encoding",[Byte[]](0xa3,0x5c,0x30,0x5a,0x30,0x4c,0xa1,0x03,0x02,0x01,0x02)) + $KerberosASREQ.Add("Message_PAData0_Type_Encoding",[Byte[]](0xa2,0x45,0x04,0x43,0x30,0x41,0xa0,0x03,0x02,0x01)) + $KerberosASREQ.Add("Message_PAData0_Type",[Byte[]](0x12)) + $KerberosASREQ.Add("Message_PAData0_Value_Encoding",[Byte[]](0xa2,0x3a,0x04,0x38)) + $KerberosASREQ.Add("Message_PAData0_Value",$PAC) + $KerberosASREQ.Add("Message_PAData0_Signature",$PACSignature) + $KerberosASREQ.Add("Message_PAData1_Type_Encoding",[Byte[]](0x30,0x0a,0xa1,0x04,0x02,0x02)) } else { - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData_Encoding",[Byte[]](0xa3,0x0e,0x30,0x0c,0x30,0x0a)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Type_Encoding",[Byte[]](0xa1,0x04,0x02,0x02)) + $KerberosASREQ.Add("Message_PAData_Encoding",[Byte[]](0xa3,0x0e,0x30,0x0c,0x30,0x0a)) + $KerberosASREQ.Add("Message_PAData1_Type_Encoding",[Byte[]](0xa1,0x04,0x02,0x02)) } - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Type",[Byte[]](0x00,0x95)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Value_Encoding",[Byte[]](0xa2,0x02,0x04)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Value",[Byte[]](0x00)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Encoding",[Byte[]](0xa4) + $reqbody_length2 + [Byte[]](0x30) + $reqbody_length) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_KDCOptions_Encoding",[Byte[]](0xa0,0x07,0x03,0x05)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_KDCOptions_Padding",[Byte[]](0x00)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_KDCOptions",[Byte[]](0x50,0x00,0x00,0x00)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_Encoding",[Byte[]](0xa1) + $cname_length5 + [Byte[]](0x30) + $cname_length4) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_NameType",[Byte[]](0x01)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_NameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + $cname_length2 + [Byte[]](0x1b) + $cname_length) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_NameString",$username) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Realm_Encoding",[Byte[]](0xa2) + $realm_length2 + [Byte[]](0x1b) + $realm_length) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Realm",$realm) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_Encoding",[Byte[]](0xa3) + $sname_length2 + [Byte[]](0x30) + $sname_length) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameType",[Byte[]](0x01)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString_Encoding",[Byte[]](0xa1) + $namestring_length2 + [Byte[]](0x30) + $namestring_length) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString0_Encoding",[Byte[]](0x1b,0x03)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString0",[Byte[]](0x44,0x4e,0x53)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) #50 - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString1",$namestring) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Till_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Till",$till) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Nonce_Encoding",[Byte[]](0xa7,0x06,0x02,0x04)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Nonce",$nonce) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_EType_Encoding",[Byte[]](0xa8,0x15,0x30,0x13)) - $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_EType",[Byte[]](0x02,0x01,0x12,0x02,0x01,0x11,0x02,0x01,0x17,0x02,0x01,0x18,0x02,0x02,0xff,0x79,0x02,0x01,0x03)) - - return $packet_KerberosASREQ + $KerberosASREQ.Add("Message_PAData1_Type",[Byte[]](0x00,0x95)) + $KerberosASREQ.Add("Message_PAData1_Value_Encoding",[Byte[]](0xa2,0x02,0x04)) + $KerberosASREQ.Add("Message_PAData1_Value",[Byte[]](0x00)) + $KerberosASREQ.Add("Message_REQBody_Encoding",[Byte[]](0xa4) + $reqbody_length2 + [Byte[]](0x30) + $reqbody_length) + $KerberosASREQ.Add("Message_REQBody_KDCOptions_Encoding",[Byte[]](0xa0,0x07,0x03,0x05)) + $KerberosASREQ.Add("Message_REQBody_KDCOptions_Padding",[Byte[]](0x00)) + $KerberosASREQ.Add("Message_REQBody_KDCOptions",[Byte[]](0x50,0x00,0x00,0x00)) + $KerberosASREQ.Add("Message_REQBody_CName_Encoding",[Byte[]](0xa1) + $cname_length5 + [Byte[]](0x30) + $cname_length4) + $KerberosASREQ.Add("Message_REQBody_CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosASREQ.Add("Message_REQBody_CName_NameType",[Byte[]](0x01)) + $KerberosASREQ.Add("Message_REQBody_CName_NameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + $cname_length2 + [Byte[]](0x1b) + $cname_length) + $KerberosASREQ.Add("Message_REQBody_CName_NameString",$Username) + $KerberosASREQ.Add("Message_REQBody_Realm_Encoding",[Byte[]](0xa2) + $realm_length2 + [Byte[]](0x1b) + $realm_length) + $KerberosASREQ.Add("Message_REQBody_Realm",$Realm) + $KerberosASREQ.Add("Message_REQBody_SName_Encoding",[Byte[]](0xa3) + $sname_length2 + [Byte[]](0x30) + $sname_length) + $KerberosASREQ.Add("Message_REQBody_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosASREQ.Add("Message_REQBody_SName_NameType",[Byte[]](0x01)) + $KerberosASREQ.Add("Message_REQBody_SName_NameString_Encoding",[Byte[]](0xa1) + $namestring_length2 + [Byte[]](0x30) + $namestring_length) + $KerberosASREQ.Add("Message_REQBody_SName_NameString0_Encoding",[Byte[]](0x1b,0x03)) + $KerberosASREQ.Add("Message_REQBody_SName_NameString0",[Byte[]](0x44,0x4e,0x53)) + $KerberosASREQ.Add("Message_REQBody_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) #50 + $KerberosASREQ.Add("Message_REQBody_SName_NameString1",$NameString) + $KerberosASREQ.Add("Message_REQBody_Till_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f)) + $KerberosASREQ.Add("Message_REQBody_Till",$till) + $KerberosASREQ.Add("Message_REQBody_Nonce_Encoding",[Byte[]](0xa7,0x06,0x02,0x04)) + $KerberosASREQ.Add("Message_REQBody_Nonce",$Nonce) + $KerberosASREQ.Add("Message_REQBody_EType_Encoding",[Byte[]](0xa8,0x15,0x30,0x13)) + $KerberosASREQ.Add("Message_REQBody_EType",[Byte[]](0x02,0x01,0x12,0x02,0x01,0x11,0x02,0x01,0x17,0x02,0x01,0x18,0x02,0x02,0xff,0x79,0x02,0x01,0x03)) + + return $KerberosASREQ } function New-PacketKerberosAPREQ() { - param([Byte[]]$realm,[Byte[]]$spn,[Byte[]]$kvno,[Byte[]]$ticket,[Byte[]]$authenticator,[Byte[]]$authenticator_signature) - - $authenticator += $authenticator_signature - $parameter_length = $realm.Count + $spn.Count + $ticket.Count + $authenticator.Count - [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong $authenticator.Count - [Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + 1) - [Byte[]]$authenticator_length3 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + 7) - [Byte[]]$authenticator_length4 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + $authenticator_length3.Count + 8) + param([Byte[]]$Realm,[Byte[]]$SPN,[Byte[]]$KVNO,[Byte[]]$Ticket,[Byte[]]$Authenticator,[Byte[]]$AuthenticatorSignature) + + $Authenticator += $AuthenticatorSignature + $parameter_length = $Realm.Count + $SPN.Count + $ticket.Count + $Authenticator.Count + [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong $Authenticator.Count + [Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($Authenticator.Count + $authenticator_length.Count + 1) + [Byte[]]$Authenticator_length3 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + 7) + [Byte[]]$authenticator_length4 = Get-ASN1LengthArrayLong ($Authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + $authenticator_length3.Count + 8) [Byte[]]$ticket_length = Get-ASN1LengthArrayLong $ticket.Count [Byte[]]$ticket_length2 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + 1) [Byte[]]$ticket_length3 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + 12) [Byte[]]$ticket_length4 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + 13) - [Byte[]]$namestring1_length = Get-ASN1LengthArray $spn.Count - [Byte[]]$namestring_length = Get-ASN1LengthArray ($spn.Count + $namestring_length.Count + 4) - [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + 5) - [Byte[]]$sname_length = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 4) - [Byte[]]$sname_length2 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 5) - [Byte[]]$sname_length3 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + 11) - [Byte[]]$sname_length4 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + + [Byte[]]$namestring1_length = Get-ASN1LengthArray $SPN.Count + [Byte[]]$namestring_length = Get-ASN1LengthArray ($SPN.Count + $namestring_length.Count + 4) + [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + 5) + [Byte[]]$sname_length = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 4) + [Byte[]]$sname_length2 = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 5) + [Byte[]]$sname_length3 = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + 11) + [Byte[]]$sname_length4 = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + 12) - [Byte[]]$realm_length = Get-ASN1LengthArray $realm.Count - [Byte[]]$realm_length2 = Get-ASN1LengthArray ($realm.Count + $realm_length.Count + 1) + [Byte[]]$realm_length = Get-ASN1LengthArray $Realm.Count + [Byte[]]$realm_length2 = Get-ASN1LengthArray ($Realm.Count + $realm_length.Count + 1) [Byte[]]$ticket_length5 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + - $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + - $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + 34) + $SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + + $sname_length3.Count + $sname_length4.Count + $Realm.Count + $realm_length.Count + $realm_length2.Count + 34) [Byte[]]$ticket_length6 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + - $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + - $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + 35) + $SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + + $sname_length3.Count + $sname_length4.Count + $Realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + 35) [Byte[]]$ticket_length7 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + - $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + - $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + 36) + $SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + + $sname_length3.Count + $sname_length4.Count + $Realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + 36) [Byte[]]$apreq_length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count + 73) @@ -486,45 +499,45 @@ function Invoke-DNSUpdate $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count + $apreq_length.Count + $apreq_length2.Count + 88) - $packet_KerberosAPREQ = New-Object System.Collections.Specialized.OrderedDictionary - $packet_KerberosAPREQ.Add("KerberosAPREQ_Length",([Byte[]](0x60) + $length)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_MechToken_ThisMech",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_MechToken_TokenID",[Byte[]](0x01,0x00)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_APReq_Encoding",[Byte[]](0x6e) + $apreq_length2 + [Byte[]](0x30) + $apreq_length) - $packet_KerberosAPREQ.Add("KerberosAPREQ_PVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_PVNO",[Byte[]]0x05) - $packet_KerberosAPREQ.Add("KerberosAPREQ_MSGType_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_MSGType",[Byte[]](0x0e)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Padding_Encoding",[Byte[]](0xa2,0x07,0x03,0x05)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Padding",[Byte[]](0x00)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_APOptions",[Byte[]](0x20,0x00,0x00,0x00)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_Encoding",[Byte[]](0xa3) + $ticket_length7 + [Byte[]](0x61) + $ticket_length6 + [Byte[]](0x30) + $ticket_length5) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_TKTVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_TKTVNO",[Byte[]](0x05)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_Realm_Encoding",[Byte[]](0xa1) + $realm_length2 + [Byte[]](0x1b) + $realm_length) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_Realm",$realm) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_Encoding",[Byte[]](0xa2) + $sname_length4 + [Byte[]](0x30) + $sname_length3) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameType",[Byte[]](0x01)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString_Encoding",[Byte[]](0xa1) + $sname_length2 + [Byte[]](0x30) + $sname_length) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString0_Encoding",[Byte[]](0x1b,0x03)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString0",[Byte[]](0x44,0x4e,0x53)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString1",$spn) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_Encoding",[Byte[]](0xa3) + $ticket_length4 + [Byte[]](0x30) + $ticket_length3) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_EType",[Byte[]](0x12)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_KVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_KVNO",$kvno) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_Cipher_Encoding",[Byte[]](0xa2) + $ticket_length2 + [Byte[]](0x04) + $ticket_length) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_Cipher",$ticket) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_Encoding",[Byte[]](0xa4) + $authenticator_length4 + [Byte[]](0x30) + $authenticator_length3) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_EType",[Byte[]](0x12)) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_Cipher_Encoding",[Byte[]](0xa2) + $authenticator_length2 + [Byte[]](0x04) + $authenticator_length) - $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_Cipher",$authenticator) - - return $packet_KerberosAPREQ + $KerberosAPREQ = New-Object System.Collections.Specialized.OrderedDictionary + $KerberosAPREQ.Add("Length",([Byte[]](0x60) + $length)) + $KerberosAPREQ.Add("MechToken_ThisMech",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)) + $KerberosAPREQ.Add("MechToken_TokenID",[Byte[]](0x01,0x00)) + $KerberosAPREQ.Add("APReq_Encoding",[Byte[]](0x6e) + $apreq_length2 + [Byte[]](0x30) + $apreq_length) + $KerberosAPREQ.Add("PVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosAPREQ.Add("PVNO",[Byte[]]0x05) + $KerberosAPREQ.Add("MSGType_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) + $KerberosAPREQ.Add("MSGType",[Byte[]](0x0e)) + $KerberosAPREQ.Add("Padding_Encoding",[Byte[]](0xa2,0x07,0x03,0x05)) + $KerberosAPREQ.Add("Padding",[Byte[]](0x00)) + $KerberosAPREQ.Add("APOptions",[Byte[]](0x20,0x00,0x00,0x00)) + $KerberosAPREQ.Add("Ticket_Encoding",[Byte[]](0xa3) + $ticket_length7 + [Byte[]](0x61) + $ticket_length6 + [Byte[]](0x30) + $ticket_length5) + $KerberosAPREQ.Add("Ticket_TKTVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosAPREQ.Add("Ticket_TKTVNO",[Byte[]](0x05)) + $KerberosAPREQ.Add("Ticket_Realm_Encoding",[Byte[]](0xa1) + $realm_length2 + [Byte[]](0x1b) + $realm_length) + $KerberosAPREQ.Add("Ticket_Realm",$Realm) + $KerberosAPREQ.Add("Ticket_SName_Encoding",[Byte[]](0xa2) + $sname_length4 + [Byte[]](0x30) + $sname_length3) + $KerberosAPREQ.Add("Ticket_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosAPREQ.Add("Ticket_SName_NameType",[Byte[]](0x01)) + $KerberosAPREQ.Add("Ticket_SName_NameString_Encoding",[Byte[]](0xa1) + $sname_length2 + [Byte[]](0x30) + $sname_length) + $KerberosAPREQ.Add("Ticket_SName_NameString0_Encoding",[Byte[]](0x1b,0x03)) + $KerberosAPREQ.Add("Ticket_SName_NameString0",[Byte[]](0x44,0x4e,0x53)) + $KerberosAPREQ.Add("Ticket_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) + $KerberosAPREQ.Add("Ticket_SName_NameString1",$SPN) + $KerberosAPREQ.Add("Ticket_EncPart_Encoding",[Byte[]](0xa3) + $ticket_length4 + [Byte[]](0x30) + $ticket_length3) + $KerberosAPREQ.Add("Ticket_EncPart_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosAPREQ.Add("Ticket_EncPart_EType",[Byte[]](0x12)) + $KerberosAPREQ.Add("Ticket_EncPart_KVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) + $KerberosAPREQ.Add("Ticket_EncPart_KVNO",$KVNO) + $KerberosAPREQ.Add("Ticket_EncPart_Cipher_Encoding",[Byte[]](0xa2) + $ticket_length2 + [Byte[]](0x04) + $ticket_length) + $KerberosAPREQ.Add("Ticket_EncPart_Cipher",$ticket) + $KerberosAPREQ.Add("Authenticator_Encoding",[Byte[]](0xa4) + $authenticator_length4 + [Byte[]](0x30) + $authenticator_length3) + $KerberosAPREQ.Add("Authenticator_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosAPREQ.Add("Authenticator_EType",[Byte[]](0x12)) + $KerberosAPREQ.Add("Authenticator_Cipher_Encoding",[Byte[]](0xa2) + $authenticator_length2 + [Byte[]](0x04) + $authenticator_length) + $KerberosAPREQ.Add("Authenticator_Cipher",$Authenticator) + + return $KerberosAPREQ } function Unprotect-KerberosASREP @@ -558,30 +571,30 @@ function Invoke-DNSUpdate [String]$confounder = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) [Byte[]]$confounder = $confounder.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} - [Byte[]]$PAC_Timestamp = $confounder + + [Byte[]]$PAC_timestamp = $confounder + 0x30,0x1a,0xa0,0x11,0x18,0x0f + $timestamp + 0xa1,0x05,0x02,0x03,0x01,0x70,0x16 - return $PAC_Timestamp + return $PAC_timestamp } function New-KerberosAuthenticator { - param([Byte[]]$realm,[Byte[]]$username,[Byte[]]$subkey,[Byte[]]$sequence_number) - - $parameter_length = $realm.Count + $username.Count + $subkey.Count - [Byte[]]$subkey_length = Get-ASN1LengthArray $subkey.Count - [Byte[]]$subkey_length2 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + 1) - [Byte[]]$subkey_length3 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + $subkey_length2.Count + 7) - [Byte[]]$subkey_length4 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + 8) - [Byte[]]$cname_length = Get-ASN1LengthArray $username.Count - [Byte[]]$cname_length2 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + 1) - [Byte[]]$cname_length3 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + 2) - [Byte[]]$cname_length4 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8) - [Byte[]]$cname_length5 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9) - [Byte[]]$crealm_length = Get-ASN1LengthArray $realm.Count - [Byte[]]$crealm_length2 = Get-ASN1LengthArray ($realm.Count + $crealm_length.Count + 1) + param([Byte[]]$Realm,[Byte[]]$Username,[Byte[]]$SubKey,[Byte[]]$SequenceNumber) + + $parameter_length = $Realm.Count + $Username.Count + $SubKey.Count + [Byte[]]$subkey_length = Get-ASN1LengthArray $SubKey.Count + [Byte[]]$subkey_length2 = Get-ASN1LengthArray ($SubKey.Count + $subkey_length.Count + 1) + [Byte[]]$subkey_length3 = Get-ASN1LengthArray ($SubKey.Count + $subkey_length.Count + $subkey_length2.Count + 7) + [Byte[]]$subkey_length4 = Get-ASN1LengthArray ($SubKey.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + 8) + [Byte[]]$cname_length = Get-ASN1LengthArray $Username.Count + [Byte[]]$cname_length2 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + 1) + [Byte[]]$cname_length3 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + 2) + [Byte[]]$cname_length4 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8) + [Byte[]]$cname_length5 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9) + [Byte[]]$crealm_length = Get-ASN1LengthArray $Realm.Count + [Byte[]]$crealm_length2 = Get-ASN1LengthArray ($Realm.Count + $crealm_length.Count + 1) [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong ($parameter_length + 99 + $crealm_length.Count + $crealm_length2.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count) @@ -589,37 +602,37 @@ function Invoke-DNSUpdate $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count + $authenticator_length.Count) - $packet_KerberosAuthenticator = New-Object System.Collections.Specialized.OrderedDictionary - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_Encoding",[Byte[]](0x62) + $authenticator_length2 + [Byte[]](0x30) + $authenticator_length) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_AuthenticatorVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_AuthenticatorVNO",[Byte[]](0x05)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CRealm_Encoding",[Byte[]](0xa1) + $crealm_length2 + [Byte[]](0x1b) + $crealm_length) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CRealm",$realm) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_Encoding",[Byte[]](0xa2) + $cname_length5 + [Byte[]](0x30) + $cname_length4) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_NameType",[Byte[]](0x01)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_CNameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + + $KerberosAuthenticator = New-Object System.Collections.Specialized.OrderedDictionary + $KerberosAuthenticator.Add("Encoding",[Byte[]](0x62) + $authenticator_length2 + [Byte[]](0x30) + $authenticator_length) + $KerberosAuthenticator.Add("AuthenticatorVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosAuthenticator.Add("AuthenticatorVNO",[Byte[]](0x05)) + $KerberosAuthenticator.Add("CRealm_Encoding",[Byte[]](0xa1) + $crealm_length2 + [Byte[]](0x1b) + $crealm_length) + $KerberosAuthenticator.Add("CRealm",$Realm) + $KerberosAuthenticator.Add("CName_Encoding",[Byte[]](0xa2) + $cname_length5 + [Byte[]](0x30) + $cname_length4) + $KerberosAuthenticator.Add("CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosAuthenticator.Add("CName_NameType",[Byte[]](0x01)) + $KerberosAuthenticator.Add("CName_CNameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + $cname_length2 + [Byte[]](0x1b) + $cname_length) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_CNameString",$username) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Encoding",[Byte[]](0xa3,0x25,0x30,0x23,0xa0,0x05,0x02,0x03)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CKSumType",[Byte[]](0x00,0x80,0x03)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Length_Encoding",[Byte[]](0xa1,0x1a,0x04,0x18)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Length",[Byte[]](0x10,0x00,0x00,0x00)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Bnd",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Flags",[Byte[]](0x36,0x01,0x00,0x00)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CUSec_Encoding",[Byte[]](0xa4,0x05,0x02,0x03)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CUSec",(Get-KerberosMicrosecond)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CTime_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CTime",(Get-KerberosTimestampUTC)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_Encoding",[Byte[]](0xa6) + $subkey_length4 + [Byte[]](0x30) + $subkey_length3) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_KeyType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_KeyType",[Byte[]](0x12)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_KeyValue_Encoding",[Byte[]](0xa1) + $subkey_length2 + [Byte[]](0x04) + $subkey_length) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_KeyValue",$subkey) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_SEQNumber_Encoding",[Byte[]](0xa7,0x06,0x02,0x04)) - $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_SEQNumber",$sequence_number) - - return $packet_KerberosAuthenticator + $KerberosAuthenticator.Add("CName_CNameString",$Username) + $KerberosAuthenticator.Add("CKSum_Encoding",[Byte[]](0xa3,0x25,0x30,0x23,0xa0,0x05,0x02,0x03)) + $KerberosAuthenticator.Add("CKSum_CKSumType",[Byte[]](0x00,0x80,0x03)) + $KerberosAuthenticator.Add("CKSum_Length_Encoding",[Byte[]](0xa1,0x1a,0x04,0x18)) + $KerberosAuthenticator.Add("CKSum_Length",[Byte[]](0x10,0x00,0x00,0x00)) + $KerberosAuthenticator.Add("CKSum_Bnd",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) + $KerberosAuthenticator.Add("CKSum_Flags",[Byte[]](0x36,0x01,0x00,0x00)) + $KerberosAuthenticator.Add("CKSum_CUSec_Encoding",[Byte[]](0xa4,0x05,0x02,0x03)) + $KerberosAuthenticator.Add("CKSum_CUSec",(Get-KerberosMicrosecond)) + $KerberosAuthenticator.Add("CKSum_CTime_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f)) + $KerberosAuthenticator.Add("CKSum_CTime",(Get-KerberosTimestampUTC)) + $KerberosAuthenticator.Add("CKSum_Subkey_Encoding",[Byte[]](0xa6) + $subkey_length4 + [Byte[]](0x30) + $subkey_length3) + $KerberosAuthenticator.Add("CKSum_Subkey_KeyType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) + $KerberosAuthenticator.Add("CKSum_Subkey_KeyType",[Byte[]](0x12)) + $KerberosAuthenticator.Add("CKSum_Subkey_KeyValue_Encoding",[Byte[]](0xa1) + $subkey_length2 + [Byte[]](0x04) + $subkey_length) + $KerberosAuthenticator.Add("CKSum_Subkey_KeyValue",$SubKey) + $KerberosAuthenticator.Add("CKSum_SEQNumber_Encoding",[Byte[]](0xa7,0x06,0x02,0x04)) + $KerberosAuthenticator.Add("CKSum_SEQNumber",$SequenceNumber) + + return $KerberosAuthenticator } function Get-KerberosTimestampUTC @@ -690,9 +703,9 @@ function Invoke-DNSUpdate function Get-ASN1LengthArray { - param([Int]$length) + param([Int]$Length) - [Byte[]]$asn1 = [System.BitConverter]::GetBytes($length) + [Byte[]]$asn1 = [System.BitConverter]::GetBytes($Length) if($asn1[1] -eq 0) { @@ -708,9 +721,9 @@ function Invoke-DNSUpdate function Get-ASN1LengthArrayLong { - param([Int]$length) + param([Int]$Length) - [Byte[]]$asn1 = [System.BitConverter]::GetBytes($length) + [Byte[]]$asn1 = [System.BitConverter]::GetBytes($Length) if($asn1[1] -eq 0) { @@ -728,9 +741,9 @@ function Invoke-DNSUpdate function New-RandomByteArray { - param([Int]$length,[Int]$minimum=1,[Int]$maximum=255) + param([Int]$Length,[Int]$Minimum=1,[Int]$Maximum=255) - [String]$random = [String](1..$length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $minimum -Maximum $maximum)}) + [String]$random = [String](1..$Length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $Minimum -Maximum $Maximum)}) [Byte[]]$random = $random.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} return $random @@ -738,9 +751,9 @@ function Invoke-DNSUpdate function New-DNSNameArray { - param([String]$name) + param([String]$Name) - $character_array = $name.ToCharArray() + $character_array = $Name.ToCharArray() [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'} if($index_array.Count -gt 0) @@ -752,84 +765,109 @@ function Invoke-DNSUpdate { $name_end = $index - $name_start [Byte[]]$name_array += $name_end - [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start,$name_end)) + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start,$name_end)) $name_start = $index + 1 } - [Byte[]]$name_array += ($name.Length - $name_start) - [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start)) + [Byte[]]$name_array += ($Name.Length - $name_start) + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start)) } else { - [Byte[]]$name_array = $name.Length - [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start)) + [Byte[]]$name_array = $Name.Length + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start)) } return $name_array } - function New-PacketDNSQueryTKEY + function New-PacketDNSQuery { - param([Byte[]]$tkey_name,[Byte[]]$apreq) + param([Byte[]]$Name,[byte[]]$Type,[Byte[]]$APReq) - [Byte[]]$transaction_id = New-RandomByteArray 2 - $mechtoken_length = Get-ASN1LengthArrayLong ($apreq.Count) - $mechtoken_length2 = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + 1) - $innercontexttoken_length = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + 17) # 31 - $innercontexttoken_length2 = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + - $innercontexttoken_length.Count + 18) - $spnego_length = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + - $innercontexttoken_length.Count + $innercontexttoken_length2.Count + 27) - $grouped_length = $apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + $innercontexttoken_length.Count + - $innercontexttoken_length2.Count + $spnego_length.Count + 25 - $key_size = [System.BitConverter]::GetBytes($grouped_length + 3)[1,0] - $rd_length = [System.BitConverter]::GetBytes($grouped_length + $key_size.Count + 27)[1,0] - [Byte[]]$length = [System.BitConverter]::GetBytes($grouped_length + $tkey_name.Count + 57)[1,0] - $inception = [int64](([datetime]::UtcNow)-(get-date "1/1/1970")).TotalSeconds - $inception = [System.BitConverter]::GetBytes($inception) - $inception = $inception[3..0] - - $packet_DNSQueryTKEY = New-Object System.Collections.Specialized.OrderedDictionary - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Length",$length) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_TransactionID",$transaction_ID) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Flags",[Byte[]](0x00,0x00)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Questions",[Byte[]](0x00,0x01)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_AnswerRRs",[Byte[]](0x00,0x00)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_AuthorityRRs",[Byte[]](0x00,0x00)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_AdditionalRRs",[Byte[]](0x00,0x01)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_Name",$tkey_name) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_Type",[Byte[]](0x00,0xf9)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_Class",[Byte[]](0x00,0xff)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_Name",[Byte[]](0xc0,0x0c)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_Type",[Byte[]](0x00,0xf9)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_Class",[Byte[]](0x00,0xff)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RDLength",$rd_length) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Algorithm",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Inception",$inception) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Expiration",$inception) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Mode",[Byte[]](0x00,0x03)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Error",[Byte[]](0x00,0x00)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_KeySize",$key_size) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_Encoding",[Byte[]](0x60) + $spnego_length) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_ThisMech",[Byte[]](0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_Encoding",[Byte[]](0xa0) + $innercontexttoken_length2 + [Byte[]](0x30) + - $innercontexttoken_length) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechTypes_Encoding",[Byte[]](0xa0,0x0d,0x30,0x0b)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechType0",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Encoding",[Byte[]](0xa2) + $mechtoken_length2 + [Byte[]](0x04) + - $mechtoken_length) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Token",$apreq) - $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_OtherSize",[Byte[]](0x00,0x00)) - - return $packet_DNSQueryTKEY + [Byte[]]$transaction_ID = New-RandomByteArray 2 + + if($APReq) + { + $mechtoken_length = Get-ASN1LengthArrayLong ($APReq.Count) + $mechtoken_length2 = Get-ASN1LengthArrayLong ($APReq.Count + $mechtoken_length.Count + 1) + $innercontexttoken_length = Get-ASN1LengthArrayLong ($APReq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + 17) # 31 + $innercontexttoken_length2 = Get-ASN1LengthArrayLong ($APReq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + + $innercontexttoken_length.Count + 18) + $spnego_length = Get-ASN1LengthArrayLong ($APReq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + + $innercontexttoken_length.Count + $innercontexttoken_length2.Count + 27) + $grouped_length = $APReq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + $innercontexttoken_length.Count + + $innercontexttoken_length2.Count + $spnego_length.Count + 25 + $key_size = [System.BitConverter]::GetBytes($grouped_length + 3)[1,0] + $RD_length = [System.BitConverter]::GetBytes($grouped_length + $key_size.Count + 27)[1,0] + $inception = [int64](([datetime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds + $inception = [System.BitConverter]::GetBytes($inception) + $inception = $inception[3..0] + } + + if($APReq) + { + [Byte[]]$length = [System.BitConverter]::GetBytes($grouped_length + $Name.Count + 57)[1,0] + } + else + { + [Byte[]]$length = [System.BitConverter]::GetBytes($Name.Count + 16)[1,0] + } + + $DNSQuery = New-Object System.Collections.Specialized.OrderedDictionary + $DNSQuery.Add("Length",$length) + $DNSQuery.Add("TransactionID",$transaction_ID) + $DNSQuery.Add("Flags",[Byte[]](0x00,0x00)) + $DNSQuery.Add("Questions",[Byte[]](0x00,0x01)) + $DNSQuery.Add("AnswerRRs",[Byte[]](0x00,0x00)) + $DNSQuery.Add("AuthorityRRs",[Byte[]](0x00,0x00)) + + if($apreq) + { + $DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x01)) + } + else + { + $DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x00)) + } + + $DNSQuery.Add("Queries_Name",$Name) + $DNSQuery.Add("Queries_Type",$Type) + $DNSQuery.Add("Queries_Class",[Byte[]](0x00,0xff)) + + if($apreq) + { + $DNSQuery.Add("Queries_AdditionalRecords_Name",[Byte[]](0xc0,0x0c)) + $DNSQuery.Add("Queries_AdditionalRecords_Type",[Byte[]](0x00,0xf9)) + $DNSQuery.Add("Queries_AdditionalRecords_Class",[Byte[]](0x00,0xff)) + $DNSQuery.Add("Queries_AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00)) + $DNSQuery.Add("Queries_AdditionalRecords_RDLength",$RD_length) + $DNSQuery.Add("Queries_AdditionalRecords_RData_Algorithm",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00)) + $DNSQuery.Add("Queries_AdditionalRecords_RData_Inception",$inception) + $DNSQuery.Add("Queries_AdditionalRecords_RData_Expiration",$inception) + $DNSQuery.Add("Queries_AdditionalRecords_RData_Mode",[Byte[]](0x00,0x03)) + $DNSQuery.Add("Queries_AdditionalRecords_RData_Error",[Byte[]](0x00,0x00)) + $DNSQuery.Add("Queries_AdditionalRecords_RData_KeySize",$key_size) + $DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_Encoding",[Byte[]](0x60) + $spnego_length) + $DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_ThisMech",[Byte[]](0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02)) + $DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_Encoding",[Byte[]](0xa0) + $innercontexttoken_length2 + [Byte[]](0x30) + + $innercontexttoken_length) + $DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechTypes_Encoding",[Byte[]](0xa0,0x0d,0x30,0x0b)) + $DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechType0",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)) + $DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Encoding",[Byte[]](0xa2) + $mechtoken_length2 + [Byte[]](0x04) + + $mechtoken_length) + $DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Token",$APReq) + $DNSQuery.Add("Queries_AdditionalRecords_RData_OtherSize",[Byte[]](0x00,0x00)) + } + + return $DNSQuery } - function New-PacketDNSUpdateTSIG + function New-PacketDNSUpdate { - param([Byte[]]$transaction_ID,[String]$zone,[String]$name,[String]$type,[Int]$TTL,[Int]$preference,[Int]$priority,[Int]$weight,[Int]$port,[String]$data,[Byte[]]$time_signed,[Byte[]]$tkey_name,[Byte[]]$MAC) + param([Byte[]]$TransactionID,[String]$Zone,[String]$Name,[String]$Type,[Int]$TTL,[Int]$Preference,[Int]$Priority,[Int]$Weight,[Int]$Port,[String]$Data,[Byte[]]$TimeSigned,[Byte[]]$TKeyname,[Byte[]]$MAC) - if($data) + if($Data) { $add = $true [Byte[]]$class = 0x00,0x01 @@ -840,20 +878,20 @@ function Invoke-DNSUpdate $TTL = 0 } - switch ($type) + switch ($Type) { 'A' { [Byte[]]$type = 0x00,0x01 - if($data -and [Bool]($data -as [System.Net.IPAddress])) + if($Data -and [Bool]($Data -as [System.Net.IPAddress])) { - [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$data)).GetAddressBytes() + [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$Data)).GetAddressBytes() } - elseif($data) + elseif($Data) { - [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data) + [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($Data) } } @@ -862,13 +900,13 @@ function Invoke-DNSUpdate { [Byte[]]$type = 0x00,0x1c - if($data -and [Bool]($data -as [System.Net.IPAddress])) + if($Data -and [Bool]($Data -as [System.Net.IPAddress])) { - [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$data)).GetAddressBytes() + [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$Data)).GetAddressBytes() } - elseif($data) + elseif($Data) { - [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data) + [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($Data) } } @@ -877,13 +915,13 @@ function Invoke-DNSUpdate { [Byte[]]$type = 0x00,0x05 - if($data -and [Bool]($data -as [System.Net.IPAddress])) + if($Data -and [Bool]($Data -as [System.Net.IPAddress])) { - [Byte[]]$data = (New-DNSNameArray $data) + 0x00 + [Byte[]]$data = (New-DNSNameArray $Data) + 0x00 } - elseif($data) + elseif($Data) { - [Byte[]]$data = (New-DNSNameArray ($data -replace ('.' + $zone),'')) + 0xc0,0x0c + [Byte[]]$data = (New-DNSNameArray ($Data -replace ('.' + $Zone),'')) + 0xc0,0x0c } } @@ -893,19 +931,19 @@ function Invoke-DNSUpdate $MX = $true [Byte[]]$type = 0x00,0x0f - if($data) + if($Data) { $extra_length = 2 - [Byte[]]$preference = [System.Bitconverter]::GetBytes($preference)[1,0] + [Byte[]]$preference = [System.Bitconverter]::GetBytes($Preference)[1,0] } - if($data -and [Bool]($data -as [System.Net.IPAddress])) + if($Data -and [Bool]($Data -as [System.Net.IPAddress])) { - [Byte[]]$data = (New-DNSNameArray $data) + 0x00 + [Byte[]]$data = (New-DNSNameArray $Data) + 0x00 } - elseif($data) + elseif($Data) { - [Byte[]]$data = (New-DNSNameArray ($data -replace ('.' + $zone),'')) + 0xc0,0x0c + [Byte[]]$data = (New-DNSNameArray ($Data -replace ('.' + $Zone),'')) + 0xc0,0x0c } } @@ -914,9 +952,9 @@ function Invoke-DNSUpdate { [Byte[]]$type = 0x00,0x0c - if($data) + if($Data) { - [Byte[]]$data = (New-DNSNameArray $data) + 0x00 + [Byte[]]$data = (New-DNSNameArray $Data) + 0x00 } } @@ -926,13 +964,13 @@ function Invoke-DNSUpdate $SRV = $true [Byte[]]$type = 0x00,0x21 - if($data) + if($Data) { - [Byte[]]$priority = [System.Bitconverter]::GetBytes($priority)[1,0] - [Byte[]]$weight = [System.Bitconverter]::GetBytes($weight)[1,0] - [Byte[]]$port = [System.Bitconverter]::GetBytes($port)[1,0] + [Byte[]]$priority = [System.Bitconverter]::GetBytes($Priority)[1,0] + [Byte[]]$weight = [System.Bitconverter]::GetBytes($Weight)[1,0] + [Byte[]]$port = [System.Bitconverter]::GetBytes($Port)[1,0] $extra_length = 6 - [Byte[]]$data = (New-DNSNameArray $data) + 0x00 + [Byte[]]$data = (New-DNSNameArray $Data) + 0x00 } } @@ -941,394 +979,452 @@ function Invoke-DNSUpdate { $TXT = $true [Byte[]]$type = 0x00,0x10 - [Byte[]]$TXT_length = [System.BitConverter]::GetBytes($data.Length)[0] + [Byte[]]$TXT_length = [System.BitConverter]::GetBytes($Data.Length)[0] - if($data) + if($Data) { $extra_length = 1 - [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data) + [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($Data) } } } - if($MX) + if($Name -eq $Zone) { [Byte[]]$name = 0xc0,0x0c } else { - [Byte[]]$name = (New-DNSNameArray ($name -replace ('.' + $zone),'')) + 0xc0,0x0c + [Byte[]]$name = (New-DNSNameArray ($Name -replace ('.' + $Zone),'')) + 0xc0,0x0c } - [Byte[]]$zone = (New-DNSNameArray $zone) + 0x00 + [Byte[]]$Zone = (New-DNSNameArray $Zone) + 0x00 [Byte[]]$TTL = [System.Bitconverter]::GetBytes($TTL)[3..0] [Byte[]]$data_length = [System.BitConverter]::GetBytes($data.Length + $extra_length)[1,0] - [Byte[]]$length = [System.BitConverter]::GetBytes($zone.Count + $name.Count + $data.Length + $tkey_name.Count + $MAC.Count + 62 + $extra_length)[1,0] - - $packet_DNSUpdateTSIG = New-Object System.Collections.Specialized.OrderedDictionary if($MAC) { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Length",$length) + [Byte[]]$length = [System.BitConverter]::GetBytes($Zone.Count + $name.Count + $data.Length + $TKeyname.Count + $MAC.Count + 62 + $extra_length)[1,0] + } + elseif(!$TKeyname) + { + [Byte[]]$length = [System.BitConverter]::GetBytes($Zone.Count + $name.Count + $data.Length + 26 + $extra_length)[1,0] + } + + $DNSUpdate = New-Object System.Collections.Specialized.OrderedDictionary + + if(!$TKeyname -or $MAC) + { + $DNSUpdate.Add("Length",$length) } - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_TransactionID",$transaction_ID) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Flags",[Byte[]](0x28,0x00)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Zones",[Byte[]](0x00,0x01)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Prerequisites",[Byte[]](0x00,0x00)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates",[Byte[]](0x00,0x01)) + $DNSUpdate.Add("TransactionID",$TransactionID) + $DNSUpdate.Add("Flags",[Byte[]](0x28,0x00)) + $DNSUpdate.Add("Zones",[Byte[]](0x00,0x01)) + $DNSUpdate.Add("Prerequisites",[Byte[]](0x00,0x00)) + $DNSUpdate.Add("Updates",[Byte[]](0x00,0x01)) if($MAC) { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRRs",[Byte[]](0x00,0x01)) + $DNSUpdate.Add("AdditionalRRs",[Byte[]](0x00,0x01)) } else { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditiionalRRs",[Byte[]](0x00,0x00)) + $DNSUpdate.Add("AdditiionalRRs",[Byte[]](0x00,0x00)) } - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Zone_Name",$zone) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Zone_Type",[Byte[]](0x00,0x06)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Zone_Class",[Byte[]](0x00,0x01)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Name",$name) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Type",$type) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Class",$class) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_TTL",$TTL) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_DataLength",$data_length) + $DNSUpdate.Add("Zone_Name",$Zone) + $DNSUpdate.Add("Zone_Type",[Byte[]](0x00,0x06)) + $DNSUpdate.Add("Zone_Class",[Byte[]](0x00,0x01)) + $DNSUpdate.Add("Updates_Name",$name) + $DNSUpdate.Add("Updates_Type",$type) + $DNSUpdate.Add("Updates_Class",$class) + $DNSUpdate.Add("Updates_TTL",$TTL) + $DNSUpdate.Add("Updates_DataLength",$data_length) if($MX) { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_TXTLength",$preference) + $DNSUpdate.Add("Updates_TXTLength",$preference) } if($TXT -and $add) { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_TXTLength",$TXT_length) + $DNSUpdate.Add("Updates_TXTLength",$TXT_length) } if($SRV -and $add) { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Priority",$priority) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Weight",$weight) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Port",$port) + $DNSUpdate.Add("Updates_Priority",$priority) + $DNSUpdate.Add("Updates_Weight",$weight) + $DNSUpdate.Add("Updates_Port",$port) } if($add) { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Address",$data) + $DNSUpdate.Add("Updates_Address",$data) } - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Name",$tkey_name) - - if($MAC) + if($TKeyname) { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Type",[Byte[]](0x00,0xfa)) - } + $DNSUpdate.Add("AdditionalRecords_Name",$TKeyname) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Class",[Byte[]](0x00,0xff)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00)) + if($MAC) + { + $DNSUpdate.Add("AdditionalRecords_Type",[Byte[]](0x00,0xfa)) + } - if($MAC) - { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_DataLength",[Byte[]](0x00,0x36)) - } + $DNSUpdate.Add("AdditionalRecords_Class",[Byte[]](0x00,0xff)) + $DNSUpdate.Add("AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_AlgorithmName",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_TimeSigned",$time_signed) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Fudge",[Byte[]](0x01,0x2c)) + if($MAC) + { + $DNSUpdate.Add("AdditionalRecords_DataLength",[Byte[]](0x00,0x36)) + } - if($MAC) - { - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_MACSize",[Byte[]](0x00,0x1c)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_MAC",$MAC) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_OriginalID",$transaction_ID) - } + $DNSUpdate.Add("AdditionalRecords_AlgorithmName",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00)) + $DNSUpdate.Add("AdditionalRecords_TimeSigned",$TimeSigned) + $DNSUpdate.Add("AdditionalRecords_Fudge",[Byte[]](0x01,0x2c)) + + if($MAC) + { + $DNSUpdate.Add("AdditionalRecords_MACSize",[Byte[]](0x00,0x1c)) + $DNSUpdate.Add("AdditionalRecords_MAC",$MAC) + $DNSUpdate.Add("AdditionalRecords_OriginalID",$TransactionID) + } - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Error",[Byte[]](0x00,0x00)) - $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_OtherLength",[Byte[]](0x00,0x00)) + $DNSUpdate.Add("AdditionalRecords_Error",[Byte[]](0x00,0x00)) + $DNSUpdate.Add("AdditionalRecords_OtherLength",[Byte[]](0x00,0x00)) + } - return $packet_DNSUpdateTSIG + return $DNSUpdate } function New-PacketDNSUpdateMAC { - param([Byte[]]$flags,[Byte[]]$sequence_number,[Byte[]]$checksum) + param([Byte[]]$Flags,[Byte[]]$SequenceNumber,[Byte[]]$Checksum) + + $DNSUpdateMAC = New-Object System.Collections.Specialized.OrderedDictionary + $DNSUpdateMAC.Add("DNSUpdateMAC_TokenID",[Byte[]](0x04,0x04)) + $DNSUpdateMAC.Add("DNSUpdateMAC_Flags",$Flags) + $DNSUpdateMAC.Add("DNSUpdateMAC_Filler",[Byte[]](0xff,0xff,0xff,0xff,0xff)) + $DNSUpdateMAC.Add("DNSUpdateMAC_SequenceNumber",[Byte[]](0x00,0x00,0x00,0x00) + $SequenceNumber) + + if($Checksum) + { + $DNSUpdateMAC.Add("DNSUpdateMAC_Checksum",$Checksum) + } + + return $DNSUpdateMAC + } + + function Get-DNSUpdateResponseStatus + { + param([Byte[]]$DNSClientReceive) - $packet_DNSUpdateMAC = New-Object System.Collections.Specialized.OrderedDictionary - $packet_DNSUpdateMAC.Add("DNSUpdateMAC_TokenID",[Byte[]](0x04,0x04)) - $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Flags",$flags) - $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Filler",[Byte[]](0xff,0xff,0xff,0xff,0xff)) - $packet_DNSUpdateMAC.Add("DNSUpdateMAC_SequenceNumber",[Byte[]](0x00,0x00,0x00,0x00) + $sequence_number) + $DNS_response_flags = [System.BitConverter]::ToString($DNSClientReceive[4..5]) + $DNS_response_flags = $DNS_response_flags -replace "-","" - if($checksum) + switch ($DNS_response_flags) { - $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Checksum",$checksum) + 'A800' {$DNS_update_response_status = "[+] DNS update successful"} + 'A801' {$DNS_update_response_status = ("[-] format error 0x" + $DNS_response_flags)} + 'A802' {$DNS_update_response_status = ("[-] failed to complete 0x" + $DNS_response_flags)} + 'A804' {$DNS_update_response_status = ("[-] not implemented 0x" + $DNS_response_flags)} + 'A805' {$DNS_update_response_status = ("[-] update refused 0x" + $DNS_response_flags)} + Default {$DNS_update_response_status = ("[-] DNS update was not successful 0x" + $DNS_response_flags)} } - return $packet_DNSUpdateMAC + return $DNS_update_response_status } - $tkey = "6" + ((0..9) | Get-Random -Count 2) + "-ms-7.1-" + ((0..9) | Get-Random -Count 4) + "." + ((0..9) | Get-Random -Count 8) + - "-" + ((0..9) | Get-Random -Count 4) + "-11e7-" + ((0..9) | Get-Random -Count 4) + "-000c296694e0" - $tkey = $tkey -replace " ","" - Write-Verbose "[+] TKEY name $tkey" - [Byte[]]$tkey_name = [System.Text.Encoding]::UTF8.GetBytes($tkey) - $tkey_name = [Byte[]]0x08 + $tkey_name + 0x00 - $tkey_name[9] = 0x06 - $tkey_name[16] = 0x24 + $DNS_client = New-Object System.Net.Sockets.TCPClient + $DNS_client.Client.ReceiveTimeout = 3000 - if($kerberos_tcpclient) + if($Security -ne 'Secure') { - $kerberos_client = New-Object System.Net.Sockets.TCPClient - $kerberos_client.Client.ReceiveTimeout = 3000 - $domain_controller = [System.Text.Encoding]::UTF8.GetBytes($DomainController) - $kerberos_username = [System.Text.Encoding]::UTF8.GetBytes($Username) - $kerberos_realm = [System.Text.Encoding]::UTF8.GetBytes($Realm) try { - $kerberos_client.Connect($DomainController,"88") + $DNS_client.Connect($DomainController,"53") } catch { - Write-Output "$DomainController did not respond on TCP port 88" + Write-Output "$DomainController did not respond on TCP port 53" + } + + if($DNS_client.Connected) + { + $DNS_client_stream = $DNS_client.GetStream() + $DNS_client_receive = New-Object System.Byte[] 2048 + [Byte[]]$transaction_id = New-RandomByteArray 2 + $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData + [Byte[]]$DNSUpdate = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate + $DNS_client_send = $DNSUpdate + $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null + $DNS_client_stream.Flush() + $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null + $DNS_update_response_status = Get-DNSUpdateResponseStatus $DNS_client_receive + Write-Output $DNS_update_response_status + $DNS_client.Close() + $DNS_client_stream.Close() } } - if(!$kerberos_tcpclient -or $kerberos_client.Connected) + if($Security -eq 'Secure' -or ($Security -eq 'Auto' -and $DNS_update_response_status -like '*0xA805')) { + $tkey = "6" + ((0..9) | Get-Random -Count 2) + "-ms-7.1-" + ((0..9) | Get-Random -Count 4) + "." + ((0..9) | Get-Random -Count 8) + + "-" + ((0..9) | Get-Random -Count 4) + "-11e7-" + ((0..9) | Get-Random -Count 4) + "-000c296694e0" + $tkey = $tkey -replace " ","" + Write-Verbose "[+] TKEY name $tkey" + [Byte[]]$tkey_name = [System.Text.Encoding]::UTF8.GetBytes($tkey) + $tkey_name = [Byte[]]0x08 + $tkey_name + 0x00 + $tkey_name[9] = 0x06 + $tkey_name[16] = 0x24 if($kerberos_tcpclient) { + $kerberos_client = New-Object System.Net.Sockets.TCPClient + $kerberos_client.Client.ReceiveTimeout = 3000 + $domain_controller = [System.Text.Encoding]::UTF8.GetBytes($DomainController) + $kerberos_username = [System.Text.Encoding]::UTF8.GetBytes($Username) + $kerberos_realm = [System.Text.Encoding]::UTF8.GetBytes($Realm) - if($Hash) + try { - $base_key = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-" - $base_key = $base_key.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $kerberos_client.Connect($DomainController,"88") } - else + catch { - $base_key = Get-KerberosAES256BaseKey $salt $password + Write-Output "$DomainController did not respond on TCP port 88" } - $ke_key = Get-KerberosAES256UsageKey encrypt 1 $base_key - $ki_key = Get-KerberosAES256UsageKey integrity 1 $base_key - $nonce = New-RandomByteArray 4 - $kerberos_client_stream = $kerberos_client.GetStream() - $kerberos_client_receive = New-Object System.Byte[] 2048 - $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce - $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ - $kerberos_client_send = $AS_REQ - $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null - $kerberos_client_stream.Flush() - $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null - [Byte[]]$PAC_Timestamp = New-KerberosPACTimestamp $ke_key - [Byte[]]$PAC_ENC_Timestamp = Protect-KerberosAES256CTS $ke_key $PAC_Timestamp - [Byte[]]$PAC_Timestamp_Signature = Get-KerberosHMACSHA1 $ki_key $PAC_Timestamp - $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce $PAC_ENC_Timestamp $PAC_Timestamp_Signature - $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ - $kerberos_client_send = $AS_REQ - $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null - $kerberos_client_stream.Flush() - $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null - $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive) - $asrep_payload = $asrep_payload -replace "-","" - $kerberos_client.Close() - $kerberos_client_stream.Close() } - else + + if(!$kerberos_tcpclient -or $kerberos_client.Connected) { - - try - { - $Null = [System.Reflection.Assembly]::LoadWithPartialName("System.IdentityModel") + if($kerberos_tcpclient) + { - if($username) + if($Hash) { - $creds = New-Object System.Management.Automation.PSCredential ($username,$Password) - $network_creds = $creds.GetNetworkCredential() - $network_creds.Domain = $domain - $token = New-Object System.IdentityModel.Selectors.KerberosSecurityTokenProvider ("DNS/$DomainController",[System.Security.Principal.TokenImpersonationLevel]::Impersonation,$network_creds) - $ticket = $token.GetToken([System.TimeSpan]::FromMinutes(1)) + $base_key = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-" + $base_key = $base_key.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } else { - $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ("DNS/$DomainController") + $base_key = Get-KerberosAES256BaseKey $salt $password } - $asrep_key = $ticket.SecurityKey.GetSymmetricKey() - $kerberos_client_receive = $Ticket.GetRequest() + $ke_key = Get-KerberosAES256UsageKey encrypt 1 $base_key + $ki_key = Get-KerberosAES256UsageKey integrity 1 $base_key + $nonce = New-RandomByteArray 4 + $kerberos_client_stream = $kerberos_client.GetStream() + $kerberos_client_receive = New-Object System.Byte[] 2048 + $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce + $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ + $kerberos_client_send = $AS_REQ + $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null + $kerberos_client_stream.Flush() + $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null + [Byte[]]$PAC_Timestamp = New-KerberosPACTimestamp $ke_key + [Byte[]]$PAC_ENC_Timestamp = Protect-KerberosAES256CTS $ke_key $PAC_Timestamp + [Byte[]]$PAC_Timestamp_Signature = Get-KerberosHMACSHA1 $ki_key $PAC_Timestamp + $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce $PAC_ENC_Timestamp $PAC_Timestamp_Signature + $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ + $kerberos_client_send = $AS_REQ + $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null + $kerberos_client_stream.Flush() + $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive) $asrep_payload = $asrep_payload -replace "-","" - } - catch - { - $auth_success = $false - } - - } - - if($asrep_key -or ($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302010B*')) - { - Write-Verbose "[+] Kerberos preauthentication successful" - $auth_success = $true - } - elseif($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302011E*') - { - Write-Output ("[-] Kerberos preauthentication error 0x" + $asrep_payload.Substring(96,2)) - $auth_success = $false - } - else - { - Write-Output "[-] Kerberos authentication failure" - $auth_success = $false - } - - if($auth_success) - { - $ticket_index = $asrep_payload.IndexOf("A003020112A1030201") - $ticket_kvno = $kerberos_client_receive[($ticket_index / 2 + 9)] - - if($asrep_payload.Substring($ticket_index + 22,2) -eq '82') - { - $ticket_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($ticket_index / 2 + 13)..($ticket_index / 2 + 12)],0)) - 4 + $kerberos_client.Close() + $kerberos_client_stream.Close() } else { - $ticket_length = $kerberos_client_receive[($ticket_index / 2 + 12)] - 3 - } + + try + { - $ticket = $Kerberos_client_receive[($ticket_index / 2 + 18)..($ticket_index/2 + 17 + $ticket_length)] + $Null = [System.Reflection.Assembly]::LoadWithPartialName("System.IdentityModel") - if($kerberos_tcpclient) - { - $cipher_index = $asrep_payload.Substring($ticket_index + 1).IndexOf("A003020112A1030201") + $ticket_index + 1 + if($username) + { + $creds = New-Object System.Management.Automation.PSCredential ($username,$Password) + $network_creds = $creds.GetNetworkCredential() + $network_creds.Domain = $domain + $token = New-Object System.IdentityModel.Selectors.KerberosSecurityTokenProvider ("DNS/$DomainController",[System.Security.Principal.TokenImpersonationLevel]::Impersonation,$network_creds) + $ticket = $token.GetToken([System.TimeSpan]::FromMinutes(1)) + } + else + { + $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ("DNS/$DomainController") + } - if($asrep_payload.Substring($cipher_index + 22,2) -eq '82') - { - $cipher_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($cipher_index / 2 + 13)..($cipher_index / 2 + 12)],0)) - 4 + $asrep_key = $ticket.SecurityKey.GetSymmetricKey() + $kerberos_client_receive = $Ticket.GetRequest() + $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive) + $asrep_payload = $asrep_payload -replace "-","" } - else + catch { - $cipher_length = $kerberos_client_receive[($cipher_length / 2 + 12)] - 3 + $auth_success = $false } - $cipher = $kerberos_client_receive[($cipher_index / 2 + 18)..($cipher_index / 2 + 17 + $cipher_length)] - $ke_key = Get-KerberosAES256UsageKey encrypt 3 $base_key - $asrep_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)] - $kerberos_session_key = $asrep_cleartext[37..68] - $ke_key = Get-KerberosAES256UsageKey encrypt 11 $kerberos_session_key - $ki_key = Get-KerberosAES256UsageKey integrity 11 $kerberos_session_key - [Byte[]]$subkey = New-RandomByteArray 32 - [Byte[]]$sequence_number = New-RandomByteArray 4 - $packet_authenticator = New-KerberosAuthenticator $kerberos_realm $kerberos_username $subkey $sequence_number - [Byte[]]$authenticator = ConvertFrom-PacketOrderedDictionary $packet_authenticator - $authenticator = (New-RandomByteArray 16) + $authenticator - $authenticator_encrypted = Protect-KerberosAES256CTS $ke_key $authenticator - $authenticator_signature = Get-KerberosHMACSHA1 $ki_key $authenticator - $packet_apreq = New-PacketKerberosAPREQ $kerberos_realm $domain_controller $ticket_kvno $ticket $authenticator_encrypted $authenticator_signature - [Byte[]]$apreq = ConvertFrom-PacketOrderedDictionary $packet_apreq - [Byte[]]$mac_flags = 0x04 } - else + + if($asrep_key -or ($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302010B*')) { - [Byte[]]$apreq = $kerberos_client_receive - [Byte[]]$mac_flags = 0x00 + Write-Verbose "[+] Kerberos preauthentication successful" + $auth_success = $true } - - $packet_DNSQueryTKEY = New-PacketDNSQueryTKEY $tkey_name $apreq - $DNSQueryTKEY = ConvertFrom-PacketOrderedDictionary $packet_DNSQueryTKEY - $DNS_client = New-Object System.Net.Sockets.TCPClient - $DNS_client.Client.ReceiveTimeout = 3000 - - try + elseif($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302011E*') { - $DNS_client.Connect($DomainController,"53") + Write-Output ("[-] Kerberos preauthentication error 0x" + $asrep_payload.Substring(96,2)) + $auth_success = $false } - catch + else { - Write-Output "$DomainController did not respond on TCP port 53" + Write-Output "[-] Kerberos authentication failure" + $auth_success = $false } - if($DNS_client.Connected) + if($auth_success) { - $DNS_client_stream = $DNS_client.GetStream() - $DNS_client_receive = New-Object System.Byte[] 2048 - $DNS_client_send = $DNSQueryTKEY - $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null - $DNS_client_stream.Flush() - $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null - $tkey_payload = [System.BitConverter]::ToString($DNS_client_receive) - $tkey_payload = $tkey_payload -replace "-","" + $ticket_index = $asrep_payload.IndexOf("A003020112A1030201") + $ticket_kvno = $kerberos_client_receive[($ticket_index / 2 + 9)] - if($tkey_payload.Substring(8,4) -eq '8000') + if($asrep_payload.Substring($ticket_index + 22,2) -eq '82') { - Write-Verbose "[+] Kerberos TKEY query successful" - $TKEY_success = $true + $ticket_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($ticket_index / 2 + 13)..($ticket_index / 2 + 12)],0)) - 4 } else { - Write-Output ("[-] Kerberos TKEY query error 0x" + $tkey_payload.Substring(8,4)) - $TKEY_success = $false + $ticket_length = $kerberos_client_receive[($ticket_index / 2 + 12)] - 3 } - if($TKEY_success) + $ticket = $Kerberos_client_receive[($ticket_index / 2 + 18)..($ticket_index/2 + 17 + $ticket_length)] + + if($kerberos_tcpclient) { + $cipher_index = $asrep_payload.Substring($ticket_index + 1).IndexOf("A003020112A1030201") + $ticket_index + 1 - if($kerberos_tcpclient) + if($asrep_payload.Substring($cipher_index + 22,2) -eq '82') { - $cipher_index = $tkey_payload.IndexOf("A003020112A2") - $cipher_length = $DNS_client_receive[($cipher_index / 2 + 8)] - $cipher = $DNS_client_receive[($cipher_index / 2 + 9)..($cipher_index / 2 + 8 + $cipher_length)] - $ke_key = Get-KerberosAES256UsageKey encrypt 12 $kerberos_session_key - $tkey_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)] - $acceptor_subkey = $tkey_cleartext[59..90] + $cipher_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($cipher_index / 2 + 13)..($cipher_index / 2 + 12)],0)) - 4 } else { - $sequence_index = $tkey_payload.IndexOf("FFFFFFFFFF00000000") - $sequence_number = $DNS_client_receive[($sequence_index / 2 + 9)..($sequence_index / 2 + 12)] - $acceptor_subkey = $asrep_key + $cipher_length = $kerberos_client_receive[($cipher_length / 2 + 12)] - 3 } - $kc_key = Get-KerberosAES256UsageKey checksum 25 $acceptor_subkey - $time_signed = [Int](([DateTime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds - $time_signed = [System.BitConverter]::GetBytes($time_signed) - $time_signed = 0x00,0x00 + $time_signed[3..0] - [Byte[]]$transaction_id = New-RandomByteArray 2 - $packet_DNSUpdateTSIG = New-PacketDNSUpdateTSIG $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name - [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateTSIG - $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number - [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC - $DNSUpdateTSIG += $DNSUpdateMAC - $checksum = Get-KerberosHMACSHA1 $kc_key $DNSUpdateTSIG - $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number $checksum - [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC - $packet_DNSUpdateTSIG = New-PacketDNSUpdateTSIG $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name $DNSUpdateMAC - [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateTSIG - $DNS_client_send = $DNSUpdateTSIG + $cipher = $kerberos_client_receive[($cipher_index / 2 + 18)..($cipher_index / 2 + 17 + $cipher_length)] + $ke_key = Get-KerberosAES256UsageKey encrypt 3 $base_key + $asrep_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)] + $kerberos_session_key = $asrep_cleartext[37..68] + $ke_key = Get-KerberosAES256UsageKey encrypt 11 $kerberos_session_key + $ki_key = Get-KerberosAES256UsageKey integrity 11 $kerberos_session_key + [Byte[]]$subkey = New-RandomByteArray 32 + [Byte[]]$sequence_number = New-RandomByteArray 4 + $packet_authenticator = New-KerberosAuthenticator $kerberos_realm $kerberos_username $subkey $sequence_number + [Byte[]]$authenticator = ConvertFrom-PacketOrderedDictionary $packet_authenticator + $authenticator = (New-RandomByteArray 16) + $authenticator + $authenticator_encrypted = Protect-KerberosAES256CTS $ke_key $authenticator + $authenticator_signature = Get-KerberosHMACSHA1 $ki_key $authenticator + $packet_apreq = New-PacketKerberosAPREQ $kerberos_realm $domain_controller $ticket_kvno $ticket $authenticator_encrypted $authenticator_signature + [Byte[]]$apreq = ConvertFrom-PacketOrderedDictionary $packet_apreq + [Byte[]]$mac_flags = 0x04 + } + else + { + [Byte[]]$apreq = $kerberos_client_receive + [Byte[]]$mac_flags = 0x00 + } + + $packet_DNSQuery = New-PacketDNSQuery $tkey_name 0x00,0xf9 $apreq + $DNSQueryTKEY = ConvertFrom-PacketOrderedDictionary $packet_DNSQuery + $DNS_client = New-Object System.Net.Sockets.TCPClient + $DNS_client.Client.ReceiveTimeout = 3000 + + try + { + $DNS_client.Connect($DomainController,"53") + } + catch + { + Write-Output "$DomainController did not respond on TCP port 53" + } + + if($DNS_client.Connected) + { + $DNS_client_stream = $DNS_client.GetStream() + $DNS_client_receive = New-Object System.Byte[] 2048 + $DNS_client_send = $DNSQueryTKEY $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null $DNS_client_stream.Flush() $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null - $DNS_response_flags = [System.BitConverter]::ToString($DNS_client_receive[4..5]) - $DNS_response_flags = $DNS_response_flags -replace "-","" + $tkey_payload = [System.BitConverter]::ToString($DNS_client_receive) + $tkey_payload = $tkey_payload -replace "-","" + + if($tkey_payload.Substring(8,4) -eq '8000') + { + Write-Verbose "[+] Kerberos TKEY query successful" + $TKEY_success = $true + } + else + { + Write-Output ("[-] Kerberos TKEY query error 0x" + $tkey_payload.Substring(8,4)) + $TKEY_success = $false + } - switch ($DNS_response_flags) + if($TKEY_success) { - 'A800' {Write-Output "[+] DNS update successful"} - 'A801' {Write-Output ("[-] format error 0x" + $DNS_response_flags)} - 'A802' {Write-Output ("[-] failed to complete 0x" + $DNS_response_flags)} - 'A804' {Write-Output ("[-] not implemented 0x" + $DNS_response_flags)} - 'A805' {Write-Output ("[-] update refused 0x" + $DNS_response_flags)} - Default {Write-Output ("[-] DNS update was not successful 0x" + $DNS_response_flags)} + + if($kerberos_tcpclient) + { + $cipher_index = $tkey_payload.IndexOf("A003020112A2") + $cipher_length = $DNS_client_receive[($cipher_index / 2 + 8)] + $cipher = $DNS_client_receive[($cipher_index / 2 + 9)..($cipher_index / 2 + 8 + $cipher_length)] + $ke_key = Get-KerberosAES256UsageKey encrypt 12 $kerberos_session_key + $tkey_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)] + $acceptor_subkey = $tkey_cleartext[59..90] + } + else + { + $sequence_index = $tkey_payload.IndexOf("FFFFFFFFFF00000000") + $sequence_number = $DNS_client_receive[($sequence_index / 2 + 9)..($sequence_index / 2 + 12)] + $acceptor_subkey = $asrep_key + } + + $kc_key = Get-KerberosAES256UsageKey checksum 25 $acceptor_subkey + $time_signed = [Int](([DateTime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds + $time_signed = [System.BitConverter]::GetBytes($time_signed) + $time_signed = 0x00,0x00 + $time_signed[3..0] + [Byte[]]$transaction_id = New-RandomByteArray 2 + $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name + [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate + $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number + [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC + $DNSUpdateTSIG += $DNSUpdateMAC + $checksum = Get-KerberosHMACSHA1 $kc_key $DNSUpdateTSIG + $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number $checksum + [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC + $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name $DNSUpdateMAC + [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate + $DNS_client_send = $DNSUpdateTSIG + $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null + $DNS_client_stream.Flush() + $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null + $DNS_update_response_status = Get-DNSUpdateResponseStatus $DNS_client_receive + Write-Output $DNS_update_response_status + $DNS_client.Close() + $DNS_client_stream.Close() } - $DNS_client.Close() - $DNS_client_stream.Close() } } diff --git a/New-MachineAccount.ps1 b/New-MachineAccount.ps1 index ba86524..e7a8131 100644 --- a/New-MachineAccount.ps1 +++ b/New-MachineAccount.ps1 @@ -15,16 +15,18 @@ function New-MachineAccount Directory. This function does not modify the domain attachment and machine account associated with the host system. - Note that you will not be able to remove the account without elevating privilege. + Note that you will not be able to remove the account without elevating privilege. You can however disable the + account as long as you maintain access to the account used to create the machine account. .PARAMETER Credential Credentials for adding the machine account. Note that machine accounts can also add machine accounts. .PARAMETER Domain - The targeted domain. + The targeted domain. This parameter is mandatory on a non-domain attached system. Note this parameter + requires a DNS domain name and not a NetBIOS version. .PARAMETER DomainController - Domain controller to target in FQDN format. + Domain controller to target. This parameter is mandatory on a non-domain attached system. .PARAMETER DistinguishedName Distinguished name for the computers OU. @@ -45,10 +47,10 @@ function New-MachineAccount Add a machine account with creds from another user. .EXAMPLE - $machine_account_password = ConvertTo-SecureString 'Summer2017!' -AsPlainText -Force - $user_account_password = ConvertTo-SecureString 'Spring2017!' -AsPlainText -Force + $machine_account_password = ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force + $user_account_password = ConvertTo-SecureString 'Spring2018!' -AsPlainText -Force $user_account_creds = New-Object System.Management.Automation.PSCredential('domain\user',$user_account_password) - New-MachineAccount -MachineName iamapc -Password $machine_account_password -Credential $user_account_creds + New-MachineAccount -MachineAccount iamapc -Password $machine_account_password -Credential $user_account_creds Add a machine account with creds from another user and also avoid the machine account password prompt. .LINK @@ -76,14 +78,12 @@ function New-MachineAccount $password_BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password) $password_cleartext = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($password_BSTR) - if(!$DomainController) + if(!$DomainController) { try { - $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() - $DomainController = $current_domain.DomainControllers[0].Name - $domain = $current_domain.Name + $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers[0].Name } catch { @@ -95,10 +95,22 @@ function New-MachineAccount if(!$Domain) { - $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name + + try + { + $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + Write-Output "[-] $error_message" + throw + } + } - $domain = $domain.ToLower() + $Domain = $Domain.ToLower() $machine_account = $MachineAccount if($MachineAccount.EndsWith('$')) @@ -115,12 +127,10 @@ function New-MachineAccount if(!$DistinguishedName) { - $distinguished_name = "CN=$machine_account,CN=Computers" + $DC_array = $Domain.Split(".") - $DCArray = $Domain.Split(".") - - ForEach($DC in $DCArray) + ForEach($DC in $DC_array) { $distinguished_name += ",DC=$DC" } @@ -131,7 +141,7 @@ function New-MachineAccount $distinguished_name = "$DistinguishedName" } - Write-Verbose $distinguished_name + Write-Verbose "[+] Distinguished Name=$distinguished_name" $password_cleartext = [System.Text.Encoding]::Unicode.GetBytes('"' + $password_cleartext + '"') $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController,389) @@ -165,7 +175,15 @@ function New-MachineAccount } catch { - Write-Output "[-] something went wrong" + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + Write-Output "[-] $error_message" + + if($error_message -eq 'Exception calling "SendRequest" with "1" argument(s): "The server cannot handle directory requests."') + { + Write-Output "[!] User may have reached ms-DS-MachineAccountQuota limit" + } + } } \ No newline at end of file diff --git a/Set-MachineAccountAttribute.ps1 b/Set-MachineAccountAttribute.ps1 index 1e5ba74..610cc6f 100644 --- a/Set-MachineAccountAttribute.ps1 +++ b/Set-MachineAccountAttribute.ps1 @@ -27,11 +27,18 @@ function Set-MachineAccountAttribute Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause + .PARAMETER Credential + Credentials for account that was used to create the machine account. + .PARAMETER DistinguishedName Distinguished name for the computers OU. .PARAMETER Domain - The targeted domain. + The targeted domain. This parameter is mandatory on a non-domain attached system. Note this parameter + requires a DNS domain name and not a NetBIOS version. + + .PARAMETER DomainController + Domain controller to target. This parameter is mandatory on a non-domain attached system. .PARAMETER MachineAccount The username of the machine account that will be modified. @@ -54,11 +61,45 @@ function Set-MachineAccountAttribute ( [parameter(Mandatory=$false)][String]$DistinguishedName, [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$DomainController, [parameter(Mandatory=$true)][String]$MachineAccount, [parameter(Mandatory=$true)][String]$Attribute, - [parameter(Mandatory=$true)]$Value + [parameter(Mandatory=$true)]$Value, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential ) + if(!$DomainController) + { + + try + { + $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers[0].Name + } + catch + { + Write-Output "[-] domain controller not located" + throw + } + + } + + if(!$Domain) + { + + try + { + $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + Write-Output "[-] $error_message" + throw + } + + } + if($MachineAccount.EndsWith('$')) { $machine_account = $MachineAccount.SubString(0,$MachineAccount.Length - 1) @@ -68,19 +109,12 @@ function Set-MachineAccountAttribute $machine_account = $MachineAccount } - if(!$Domain) - { - $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name - } - if(!$DistinguishedName) { - $distinguished_name = "CN=$machine_account,CN=Computers" + $DC_array = $Domain.Split(".") - $DCArray = $Domain.Split(".") - - ForEach($DC in $DCArray) + ForEach($DC in $DC_array) { $distinguished_name += ",DC=$DC" } @@ -91,7 +125,16 @@ function Set-MachineAccountAttribute $distinguished_name = "$DistinguishedName" } - $account = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$distinguished_name" + Write-Verbose "[+] Distinguished Name=$distinguished_name" + + if($Credential) + { + $account = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$credential.GetNetworkCredential().Password) + } + else + { + $account = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name" + } try { -- cgit v1.2.3