function Invoke-DNSUpdate { <# .SYNOPSIS This function allows DNS records to be added/deleted if secure dynamic updates are enabled on a domain controller. Authentication is performed through Kerberos GSS-TSIG. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .DESCRIPTION This function can be used to add/delete dynamic DNS records if the default setting of enabled secure dynamic updates is configured on a domain controller. A, AAAA, CNAME, MX, PTR, SRV, and TXT records are currently supported. Invoke-DNSUpdate is modeled after BIND`s nsupdate tool when using the '-g' or 'gsstsig' options. An account/session with permission to perform secure dynamic updates is required. By default, authenticated users have the 'Create all child objects' permission on the Active Directory-integrated zone. Most records that do not currently exist in an AD zone can be added/deleted. Limitations for authenticated users can include things like being prevented from adding SRV records that interfere with the AD Kerberos records. Older existing dynamic records can sometimes be hijacked also. Note that wpad and isatap are on a block list by default starting with Server 2008. This function supports only GSS-TSIG through Kerberos AES256-CTS-HMAC-SHA1-96 using two separate methods. By default, the function will have Windows perform all Kerberos steps up until the AP-REQ is sent to DNS on the DC. This method will work with either the current session context or with specified credentials. The second method performs Kerberos authentication using just PowerShell code over a TCPClient connection. This method will accept a password or AES256 hash and will also not place any tickets in the client side cache. .PARAMETER DomainController Domain controller to target in FQDN format. .PARAMETER Realm Kerberos realm. .PARAMETER Username Username of user with DNS secure dynamic update access. If using a machine account, the trailing '$' must be included. .PARAMETER Password Password of user with DNS secure dynamic update access. The password must be in the form of a secure string. .PARAMETER Hash AES256 password hash for user with DNS secure dynamic update access. Note that this will use Kerberos authentication built on top of TCPClient. .PARAMETER DNSName DNS record name. .PARAMETER DNSData DNS records data. For most record types this will be the destination hostname or IP address. For TXT records this can be used for data. If deleting a record, leave off this parameter. .PARAMETER DNSType DNS record type. .PARAMETER DNSTTL DNS record TTL. .PARAMETER DNSPreference DNS MX record priority .PARAMETER DNSPriority DNS SRV record priority. .PARAMETER DNSWeight DNS SRV record weight. .PARAMETER DNSPort DNS SRV record port. .PARAMETER DNSZone DNS zone. .PARAMETER TCPClientAuth Switch to force usage of the TCPClient based Kerberos authentication. .EXAMPLE Invoke-DNSUpdate -DNSType A -DNSName www.test.local -DNSData 192.168.100.125 -DNSTTL 84600 Add A Record .EXAMPLE Invoke-DNSUpdate -DNSType AAAA -DNSName www.test.local -DNSData 2001:0db8:85a3:0000:0000:8a2e:0370:7334 Add AAAA Record .EXAMPLE Invoke-DNSUpdate -DNSType CNAME -DNSName www.test.local -DNSData system.test.local Add CNAME Record .EXAMPLE Invoke-DNSUpdate -DNSType MX -DNSName www.test.local -DNSData 192.168.100.125 -DNSPreference 10 Add MX Record .EXAMPLE Invoke-DNSUpdate -DNSType PTR -DNSName 125.100.168.192.in-addr.arpa -DNSData www.test.local -DNSZone 100.168.192.in-addr.arpa Add PTR Record - there is a good chance this will be denied if there is an existing record for an IP .EXAMPLE Invoke-DNSUpdate -DNSType SRV -DNSName _autodiscover._tcp.lab.local -DNSData system.test.local -DNSPriority 100 -DNSWeight 80 -DNSPort 443 Add SRV Record .EXAMPLE Invoke-DNSUpdate -DNSType TXT -DNSName host.test.local -DNSData "some text" Add TXT Record .EXAMPLE Invoke-DNSUpdate -DNSType TXT -DNSName host.test.local Delete TXT record - all deletes follow the same format, just specify DNSType and DNSName .EXAMPLE Invoke-DNSUpdate -DNSType A -DNSName www.test.local -Username testuser Add A record using another account .EXAMPLE Invoke-DNSUpdate -DNSType A -DNSName www.test.local -Username testuser -Hash 0C27E0A5B0D69640B40DDED4A28EB3BB0D157659EBED2816A41A8228E98D111B Add A record using another account and an AES256 hash .LINK https://github.com/Kevin-Robertson/Powermad #> [CmdletBinding()] param ( [parameter(Mandatory=$false)][String]$DomainController, [parameter(Mandatory=$false)][String]$Realm, [parameter(Mandatory=$false)][String]$Username, [parameter(Mandatory=$false)][System.Security.SecureString]$Password, [parameter(Mandatory=$false)][ValidateScript({$_.Length -eq 64})][String]$Hash, [parameter(Mandatory=$false)][String]$DNSZone, [parameter(Mandatory=$false)][Int]$DNSTTL = 600, [parameter(Mandatory=$false)][Int]$DNSPreference, [parameter(Mandatory=$false)][Int]$DNSPriority, [parameter(Mandatory=$false)][Int]$DNSWeight, [parameter(Mandatory=$false)][Int]$DNSPort, [parameter(Mandatory=$true)][ValidateSet("A","AAAA","CNAME","MX","PTR","SRV","TXT")][String]$DNSType, [parameter(Mandatory=$true)][String]$DNSName, [parameter(Mandatory=$false)][ValidateScript({$_.Length -le 255})][String]$DNSData, [parameter(Mandatory=$false)][Switch]$TCPClientAuth ) if($TCPClientAuth -and !$Username) { Write-Output "[-] TCPClientAuth requires a username" throw } switch ($DNSType) { 'MX' { if(!$DNSPreference) { Write-Output "[-] MX records require a DNSPreference" throw } } 'PTR' { if(!$DNSZone) { Write-Output "[-] PTR records require a DNSZone" throw } } 'SRV' { if(!$DNSPriority -or !$DNSWeight -or !$DNSPort -and $DNSData) { Write-Output "[-] DNSType SRV requires DNSPriority, DNSWeight, and DNSPort" throw } if($DNSName -notlike '*._tcp.*' -and $DNSName -notlike '*._udp.*') { Write-Output "[-] DNSName doesn't contain a protocol" throw } } } if($Username -and !$Hash) { $password = Read-Host -Prompt "Enter password" -AsSecureString } if(!$DomainController) { try { $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() $DomainController = $current_domain.DomainControllers[0].Name $domain = $current_domain.Name } catch { Write-Output "[-] Domain controller not located" throw } } if(!$Realm) { if($domain) { $realm = $domain } else { $realm_index = $DomainController.IndexOf(".") $domain = $DomainController.Substring($realm_index + 1) $realm = $domain } } if($TCPClientAuth -or $Hash) { $kerberos_tcpclient = $true $realm = $realm.ToUpper() if($username -like "*\*") { $username = $username.SubString(($username.IndexOf("\") + 1),($username.Length - ($username.IndexOf("\") + 1))) } if($username -like "*@*") { $username = $username.SubString(0,($username.IndexOf("@"))) } if($Username.EndsWith("$")) { $salt = $realm + "host" + $Username.SubString(0,$Username.Length - 1) + "." + $realm.ToLower() } else { $salt = $realm + $Username } Write-Verbose "[+] Salt $salt" } if(!$DNSZone) { $DNSZone_index = $DomainController.IndexOf(".") $DNSZone = $DomainController.Substring($DNSZone_index + 1) } $DNSZone = $DNSZone.ToLower() function ConvertFrom-PacketOrderedDictionary { param($ordered_dictionary) ForEach($field in $ordered_dictionary.Values) { $byte_array += $field } return $byte_array } function Get-KerberosAES256UsageKey { param([String]$key_type,[Int]$usage_number,[Byte[]]$base_key) $padding = 0x00 * 16 if($key_type -eq 'checksum') { switch($usage_number) { 25 {[Byte[]]$usage_constant = 0x5d,0xfb,0x7d,0xbf,0x53,0x68,0xce,0x69,0x98,0x4b,0xa5,0xd2,0xe6,0x43,0x34,0xba + $padding} } } elseif($key_type -eq 'encrypt') { switch($usage_number) { 1 {[Byte[]]$usage_constant = 0xae,0x2c,0x16,0x0b,0x04,0xad,0x50,0x06,0xab,0x55,0xaa,0xd5,0x6a,0x80,0x35,0x5a + $padding} 3 {[Byte[]]$usage_constant = 0xbe,0x34,0x9a,0x4d,0x24,0xbe,0x50,0x0e,0xaf,0x57,0xab,0xd5,0xea,0x80,0x75,0x7a + $padding} 4 {[Byte[]]$usage_constant = 0xc5,0xb7,0xdc,0x6e,0x34,0xc7,0x51,0x12,0xb1,0x58,0xac,0x56,0x2a,0x80,0x95,0x8a + $padding} 7 {[Byte[]]$usage_constant = 0xde,0x44,0xa2,0xd1,0x64,0xe0,0x51,0x1e,0xb7,0x5b,0xad,0xd6,0xea,0x80,0xf5,0xba + $padding} 11 {[Byte[]]$usage_constant = 0xfe,0x54,0xaa,0x55,0xa5,0x02,0x52,0x2f,0xbf,0x5f,0xaf,0xd7,0xea,0x81,0x75,0xfa + $padding} 12 {[Byte[]]$usage_constant = 0x05,0xd7,0xec,0x76,0xb5,0x0b,0x53,0x33,0xc1,0x60,0xb0,0x58,0x2a,0x81,0x96,0x0b + $padding} } } elseif($key_type -eq 'integrity') { switch($usage_number) { 1 {[Byte[]]$usage_constant = 0x5b,0x58,0x2c,0x16,0x0a,0x5a,0xa8,0x05,0x56,0xab,0x55,0xaa,0xd5,0x40,0x2a,0xb5 + $padding} 4 {[Byte[]]$usage_constant = 0x72,0xe3,0xf2,0x79,0x3a,0x74,0xa9,0x11,0x5c,0xae,0x57,0x2b,0x95,0x40,0x8a,0xe5 + $padding} 7 {[Byte[]]$usage_constant = 0x8b,0x70,0xb8,0xdc,0x6a,0x8d,0xa9,0x1d,0x62,0xb1,0x58,0xac,0x55,0x40,0xeb,0x15 + $padding} 11 {[Byte[]]$usage_constant = 0xab,0x80,0xc0,0x60,0xaa,0xaf,0xaa,0x2e,0x6a,0xb5,0x5a,0xad,0x55,0x41,0x6b,0x55 + $padding} } } $AES = New-Object "System.Security.Cryptography.AesManaged" $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 $AES.KeySize = 256 $AES.Key = $base_key $AES_encryptor = $AES.CreateEncryptor() $usage_key = $AES_encryptor.TransformFinalBlock($usage_constant,0,$usage_constant.Length) return $usage_key } # TCPClient Kerberos start - this section can be removed if not using a hash or -TCPClientAuth function Get-KerberosAES256BaseKey { param([String]$salt,[System.Security.SecureString]$password) $password_BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password) $password_cleartext = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($password_BSTR) [Byte[]]$salt = [System.Text.Encoding]::UTF8.GetBytes($salt) [Byte[]]$password_cleartext = [System.Text.Encoding]::UTF8.GetBytes($password_cleartext) $constant = 0x6B,0x65,0x72,0x62,0x65,0x72,0x6F,0x73,0x7B,0x9B,0x5B,0x2B,0x93,0x13,0x2B,0x93,0x5C,0x9B,0xDC,0xDA,0xD9,0x5C,0x98,0x99,0xC4,0xCA,0xE4,0xDE,0xE6,0xD6,0xCA,0xE4 $PBKDF2 = New-Object Security.Cryptography.Rfc2898DeriveBytes($password_cleartext,$salt,4096) Remove-Variable password_cleartext $PBKDF2_key = $PBKDF2.GetBytes(32) $AES = New-Object "System.Security.Cryptography.AesManaged" $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC $AES.Padding = [System.Security.Cryptography.PaddingMode]::None $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 $AES.KeySize = 256 $AES.Key = $PBKDF2_key $AES_encryptor = $AES.CreateEncryptor() $base_key_part_1 = $AES_encryptor.TransformFinalBlock($constant,0,$constant.Length) $base_key_part_2 = $AES_encryptor.TransformFinalBlock($base_key_part_1,0,$base_key_part_1.Length) $base_key = $base_key_part_1[0..15] + $base_key_part_2[0..15] return $base_key } function New-PacketKerberosASREQ() { param([Byte[]]$username,[Byte[]]$realm,[Byte[]]$namestring,[Byte[]]$nonce,[Byte[]]$pac,[Byte[]]$pac_signature) $timestamp = Get-Date $till = $timestamp.AddYears(20) $timestamp = ("{0:u}" -f $timestamp) -replace "-","" -replace " ","" -replace ":","" $till = ("{0:u}" -f $till) -replace "-","" -replace " ","" -replace ":","" [Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp) [Byte[]]$till = [System.Text.Encoding]::UTF8.GetBytes($till) if($pac) { $pac_extra_length = 78 } [Byte[]]$namestring1_length = Get-ASN1LengthArray $namestring.Count [Byte[]]$namestring_length = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + 6) [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + 7) [Byte[]]$sname_length = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 13) [Byte[]]$sname_length2 = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 14) [Byte[]]$realm_length = Get-ASN1LengthArray $realm.Count [Byte[]]$realm_length2 = Get-ASN1LengthArray ($realm.Count + $realm_length.Count + 1) [Byte[]]$cname_length = Get-ASN1LengthArray $username.Count [Byte[]]$cname_length2 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + 1) [Byte[]]$cname_length3 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + 2) [Byte[]]$cname_length4 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8) [Byte[]]$cname_length5 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9) $grouped_length = $address_length.Count + $address_length2.Count + $address_length3.Count + $address_length4.Count + $address_length5.Count + $namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count [Byte[]]$reqbody_length = Get-ASN1LengthArrayLong ($grouped_length + 86) [Byte[]]$reqbody_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + 87) [Byte[]]$message_length = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $pac_extra_length + 114) [Byte[]]$message_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $pac_extra_length + 115) [Byte[]]$asreq_length = [System.BitConverter]::GetBytes($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $message_length2.Count + $pac_extra_length + 116)[3..0] $packet_KerberosASREQ = New-Object System.Collections.Specialized.OrderedDictionary $packet_KerberosASREQ.Add("KerberosASREQ_Length",$asreq_length) $packet_KerberosASREQ.Add("KerberosASREQ_Message_Encoding",[Byte[]](0x6a) + $message_length2 + [Byte[]](0x30) + $message_length) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PVNO",[Byte[]](0x05)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_MSGType_Encoding",[Byte[]](0xa2,0x03,0x02,0x01)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_MSGType",[Byte[]](0x0a)) if($pac) { $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData_Encoding",[Byte[]](0xa3,0x5c,0x30,0x5a,0x30,0x4c,0xa1,0x03,0x02,0x01,0x02)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Type_Encoding",[Byte[]](0xa2,0x45,0x04,0x43,0x30,0x41,0xa0,0x03,0x02,0x01)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Type",[Byte[]](0x12)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Value_Encoding",[Byte[]](0xa2,0x3a,0x04,0x38)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Value",$pac) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData0_Signature",$pac_signature) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Type_Encoding",[Byte[]](0x30,0x0a,0xa1,0x04,0x02,0x02)) } else { $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData_Encoding",[Byte[]](0xa3,0x0e,0x30,0x0c,0x30,0x0a)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Type_Encoding",[Byte[]](0xa1,0x04,0x02,0x02)) } $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Type",[Byte[]](0x00,0x95)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Value_Encoding",[Byte[]](0xa2,0x02,0x04)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_PAData1_Value",[Byte[]](0x00)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Encoding",[Byte[]](0xa4) + $reqbody_length2 + [Byte[]](0x30) + $reqbody_length) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_KDCOptions_Encoding",[Byte[]](0xa0,0x07,0x03,0x05)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_KDCOptions_Padding",[Byte[]](0x00)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_KDCOptions",[Byte[]](0x50,0x00,0x00,0x00)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_Encoding",[Byte[]](0xa1) + $cname_length5 + [Byte[]](0x30) + $cname_length4) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_NameType",[Byte[]](0x01)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_NameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + $cname_length2 + [Byte[]](0x1b) + $cname_length) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_CName_NameString",$username) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Realm_Encoding",[Byte[]](0xa2) + $realm_length2 + [Byte[]](0x1b) + $realm_length) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Realm",$realm) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_Encoding",[Byte[]](0xa3) + $sname_length2 + [Byte[]](0x30) + $sname_length) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameType",[Byte[]](0x01)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString_Encoding",[Byte[]](0xa1) + $namestring_length2 + [Byte[]](0x30) + $namestring_length) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString0_Encoding",[Byte[]](0x1b,0x03)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString0",[Byte[]](0x44,0x4e,0x53)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) #50 $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_SName_NameString1",$namestring) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Till_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Till",$till) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Nonce_Encoding",[Byte[]](0xa7,0x06,0x02,0x04)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_Nonce",$nonce) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_EType_Encoding",[Byte[]](0xa8,0x15,0x30,0x13)) $packet_KerberosASREQ.Add("KerberosASREQ_Message_REQBody_EType",[Byte[]](0x02,0x01,0x12,0x02,0x01,0x11,0x02,0x01,0x17,0x02,0x01,0x18,0x02,0x02,0xff,0x79,0x02,0x01,0x03)) return $packet_KerberosASREQ } function New-PacketKerberosAPREQ() { param([Byte[]]$realm,[Byte[]]$spn,[Byte[]]$kvno,[Byte[]]$ticket,[Byte[]]$authenticator,[Byte[]]$authenticator_signature) $authenticator += $authenticator_signature $parameter_length = $realm.Count + $spn.Count + $ticket.Count + $authenticator.Count [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong $authenticator.Count [Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + 1) [Byte[]]$authenticator_length3 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + 7) [Byte[]]$authenticator_length4 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + $authenticator_length3.Count + 8) [Byte[]]$ticket_length = Get-ASN1LengthArrayLong $ticket.Count [Byte[]]$ticket_length2 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + 1) [Byte[]]$ticket_length3 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + 12) [Byte[]]$ticket_length4 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + 13) [Byte[]]$namestring1_length = Get-ASN1LengthArray $spn.Count [Byte[]]$namestring_length = Get-ASN1LengthArray ($spn.Count + $namestring_length.Count + 4) [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + 5) [Byte[]]$sname_length = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 4) [Byte[]]$sname_length2 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 5) [Byte[]]$sname_length3 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + 11) [Byte[]]$sname_length4 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + 12) [Byte[]]$realm_length = Get-ASN1LengthArray $realm.Count [Byte[]]$realm_length2 = Get-ASN1LengthArray ($realm.Count + $realm_length.Count + 1) [Byte[]]$ticket_length5 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + 34) [Byte[]]$ticket_length6 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + 35) [Byte[]]$ticket_length7 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + 36) [Byte[]]$apreq_length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count + 73) [Byte[]]$apreq_length2 = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count + $apreq_length.Count + 74) [Byte[]]$length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count + $apreq_length.Count + $apreq_length2.Count + 88) $packet_KerberosAPREQ = New-Object System.Collections.Specialized.OrderedDictionary $packet_KerberosAPREQ.Add("KerberosAPREQ_Length",([Byte[]](0x60) + $length)) $packet_KerberosAPREQ.Add("KerberosAPREQ_MechToken_ThisMech",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)) $packet_KerberosAPREQ.Add("KerberosAPREQ_MechToken_TokenID",[Byte[]](0x01,0x00)) $packet_KerberosAPREQ.Add("KerberosAPREQ_APReq_Encoding",[Byte[]](0x6e) + $apreq_length2 + [Byte[]](0x30) + $apreq_length) $packet_KerberosAPREQ.Add("KerberosAPREQ_PVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosAPREQ.Add("KerberosAPREQ_PVNO",[Byte[]]0x05) $packet_KerberosAPREQ.Add("KerberosAPREQ_MSGType_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) $packet_KerberosAPREQ.Add("KerberosAPREQ_MSGType",[Byte[]](0x0e)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Padding_Encoding",[Byte[]](0xa2,0x07,0x03,0x05)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Padding",[Byte[]](0x00)) $packet_KerberosAPREQ.Add("KerberosAPREQ_APOptions",[Byte[]](0x20,0x00,0x00,0x00)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_Encoding",[Byte[]](0xa3) + $ticket_length7 + [Byte[]](0x61) + $ticket_length6 + [Byte[]](0x30) + $ticket_length5) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_TKTVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_TKTVNO",[Byte[]](0x05)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_Realm_Encoding",[Byte[]](0xa1) + $realm_length2 + [Byte[]](0x1b) + $realm_length) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_Realm",$realm) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_Encoding",[Byte[]](0xa2) + $sname_length4 + [Byte[]](0x30) + $sname_length3) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameType",[Byte[]](0x01)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString_Encoding",[Byte[]](0xa1) + $sname_length2 + [Byte[]](0x30) + $sname_length) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString0_Encoding",[Byte[]](0x1b,0x03)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString0",[Byte[]](0x44,0x4e,0x53)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_SName_NameString1",$spn) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_Encoding",[Byte[]](0xa3) + $ticket_length4 + [Byte[]](0x30) + $ticket_length3) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_EType",[Byte[]](0x12)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_KVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_KVNO",$kvno) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_Cipher_Encoding",[Byte[]](0xa2) + $ticket_length2 + [Byte[]](0x04) + $ticket_length) $packet_KerberosAPREQ.Add("KerberosAPREQ_Ticket_EncPart_Cipher",$ticket) $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_Encoding",[Byte[]](0xa4) + $authenticator_length4 + [Byte[]](0x30) + $authenticator_length3) $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_EType",[Byte[]](0x12)) $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_Cipher_Encoding",[Byte[]](0xa2) + $authenticator_length2 + [Byte[]](0x04) + $authenticator_length) $packet_KerberosAPREQ.Add("KerberosAPREQ_Authenticator_Cipher",$authenticator) return $packet_KerberosAPREQ } function Unprotect-KerberosASREP { param([Byte[]]$ke_key,[Byte[]]$encrypted_data) $final_block_length = [Math]::Truncate($encrypted_data.Count % 16) [Byte[]]$final_block = $encrypted_data[($encrypted_data.Count - $final_block_length)..$encrypted_data.Count] [Byte[]]$penultimate_block = $encrypted_data[($encrypted_data.Count - $final_block_length - 16)..($encrypted_data.Count - $final_block_length - 1)] $AES = New-Object "System.Security.Cryptography.AesManaged" $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 $AES.KeySize = 256 $AES.Key = $ke_key $AES_decryptor = $AES.CreateDecryptor() $penultimate_block_cleartext = $AES_decryptor.TransformFinalBlock($penultimate_block,0,$penultimate_block.Length) [Byte[]]$final_block_padding = $penultimate_block_cleartext[$final_block_length..$penultimate_block_cleartext.Count] $final_block += $final_block_padding [Byte[]]$cts_encrypted_data = $encrypted_data[0..($encrypted_data.Count - $final_block_length - 17)] + $final_block + $penultimate_block [Byte[]]$cleartext = $AES_decryptor.TransformFinalBlock($cts_encrypted_data,0,$cts_encrypted_data.Length) return $cleartext } function New-KerberosPACTimestamp { param([Byte[]]$ke_key) [Byte[]]$timestamp = Get-KerberosTimestampUTC [String]$confounder = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) [Byte[]]$confounder = $confounder.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} [Byte[]]$PAC_Timestamp = $confounder + 0x30,0x1a,0xa0,0x11,0x18,0x0f + $timestamp + 0xa1,0x05,0x02,0x03,0x01,0x70,0x16 return $PAC_Timestamp } function New-KerberosAuthenticator { param([Byte[]]$realm,[Byte[]]$username,[Byte[]]$subkey,[Byte[]]$sequence_number) $parameter_length = $realm.Count + $username.Count + $subkey.Count [Byte[]]$subkey_length = Get-ASN1LengthArray $subkey.Count [Byte[]]$subkey_length2 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + 1) [Byte[]]$subkey_length3 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + $subkey_length2.Count + 7) [Byte[]]$subkey_length4 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + 8) [Byte[]]$cname_length = Get-ASN1LengthArray $username.Count [Byte[]]$cname_length2 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + 1) [Byte[]]$cname_length3 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + 2) [Byte[]]$cname_length4 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8) [Byte[]]$cname_length5 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9) [Byte[]]$crealm_length = Get-ASN1LengthArray $realm.Count [Byte[]]$crealm_length2 = Get-ASN1LengthArray ($realm.Count + $crealm_length.Count + 1) [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong ($parameter_length + 99 + $crealm_length.Count + $crealm_length2.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count) [Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($parameter_length + 100 + $crealm_length.Count + $crealm_length2.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count + $authenticator_length.Count) $packet_KerberosAuthenticator = New-Object System.Collections.Specialized.OrderedDictionary $packet_KerberosAuthenticator.Add("KerberosAuthenticator_Encoding",[Byte[]](0x62) + $authenticator_length2 + [Byte[]](0x30) + $authenticator_length) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_AuthenticatorVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_AuthenticatorVNO",[Byte[]](0x05)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CRealm_Encoding",[Byte[]](0xa1) + $crealm_length2 + [Byte[]](0x1b) + $crealm_length) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CRealm",$realm) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_Encoding",[Byte[]](0xa2) + $cname_length5 + [Byte[]](0x30) + $cname_length4) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_NameType",[Byte[]](0x01)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_CNameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + $cname_length2 + [Byte[]](0x1b) + $cname_length) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CName_CNameString",$username) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Encoding",[Byte[]](0xa3,0x25,0x30,0x23,0xa0,0x05,0x02,0x03)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CKSumType",[Byte[]](0x00,0x80,0x03)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Length_Encoding",[Byte[]](0xa1,0x1a,0x04,0x18)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Length",[Byte[]](0x10,0x00,0x00,0x00)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Bnd",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Flags",[Byte[]](0x36,0x01,0x00,0x00)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CUSec_Encoding",[Byte[]](0xa4,0x05,0x02,0x03)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CUSec",(Get-KerberosMicrosecond)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CTime_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_CTime",(Get-KerberosTimestampUTC)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_Encoding",[Byte[]](0xa6) + $subkey_length4 + [Byte[]](0x30) + $subkey_length3) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_KeyType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_KeyType",[Byte[]](0x12)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_KeyValue_Encoding",[Byte[]](0xa1) + $subkey_length2 + [Byte[]](0x04) + $subkey_length) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_Subkey_KeyValue",$subkey) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_SEQNumber_Encoding",[Byte[]](0xa7,0x06,0x02,0x04)) $packet_KerberosAuthenticator.Add("KerberosAuthenticator_CKSum_SEQNumber",$sequence_number) return $packet_KerberosAuthenticator } function Get-KerberosTimestampUTC { [DateTime]$timestamp = (Get-Date).ToUniversalTime() [String]$timestamp = ("{0:u}" -f $timestamp) -replace "-","" -replace " ","" -replace ":","" [Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp) return $timestamp } function Get-KerberosMicrosecond { [Int]$microseconds = Get-Date -Format ffffff [Byte[]]$microseconds = [System.Bitconverter]::GetBytes($microseconds)[0..2] return $microseconds } function Protect-KerberosAES256CTS { param([Byte[]]$ke_key,[Byte[]]$data) $AES = New-Object "System.Security.Cryptography.AesManaged" $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros $IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 $AES.IV = $IV $AES.KeySize = 256 $AES.Key = $ke_key $AES_encryptor = $AES.CreateEncryptor() $data_encrypted = $AES_encryptor.TransformFinalBlock($data,0,$data.Length) $block_count = [Math]::Ceiling($data_encrypted.Count / 16) if($block_count -gt 2) { $data_encrypted = $data_encrypted[0..($data_encrypted.Count - 33)] + $data_encrypted[($data_encrypted.Count - 16)..$data_encrypted.Count] + $data_encrypted[($data_encrypted.Count - 32)..($data_encrypted.Count - 17)] } elseif($blocks -eq 2) { $data_encrypted = $data_encrypted[16..31] + $data_encrypted[0..15] } $final_block_length = [Math]::Truncate($data.Count % 16) if($final_block_length -ne 0) { $remove_count = 16 - $final_block_length $data_encrypted = $data_encrypted[0..($data_encrypted.Count - $remove_count - 1)] } return $data_encrypted } # TCPClient Kerberos end function Get-KerberosHMACSHA1 { param([Byte[]]$key,[Byte[]]$data) $HMAC_SHA1 = New-Object System.Security.Cryptography.HMACSHA1 $HMAC_SHA1.key = $key $hash = $HMAC_SHA1.ComputeHash($data) $hash = $hash[0..11] return $hash } function Get-ASN1LengthArray { param([Int]$length) [Byte[]]$asn1 = [System.BitConverter]::GetBytes($length) if($asn1[1] -eq 0) { $asn1 = $asn1[0] } else { $asn1 = $asn1[1,0] } return $asn1 } function Get-ASN1LengthArrayLong { param([Int]$length) [Byte[]]$asn1 = [System.BitConverter]::GetBytes($length) if($asn1[1] -eq 0) { $asn1 = $asn1[0] $asn1 = [Byte[]]0x81 + $asn1 } else { $asn1 = $asn1[1,0] $asn1 = [Byte[]]0x82 + $asn1 } return $asn1 } function New-RandomByteArray { param([Int]$length,[Int]$minimum=1,[Int]$maximum=255) [String]$random = [String](1..$length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $minimum -Maximum $maximum)}) [Byte[]]$random = $random.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} return $random } function New-DNSNameArray { param([String]$name) $character_array = $name.ToCharArray() [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'} if($index_array.Count -gt 0) { $name_start = 0 ForEach ($index in $index_array) { $name_end = $index - $name_start [Byte[]]$name_array += $name_end [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start,$name_end)) $name_start = $index + 1 } [Byte[]]$name_array += ($name.Length - $name_start) [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start)) } else { [Byte[]]$name_array = $name.Length [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start)) } return $name_array } function New-PacketDNSQueryTKEY { param([Byte[]]$tkey_name,[Byte[]]$apreq) [Byte[]]$transaction_id = New-RandomByteArray 2 $mechtoken_length = Get-ASN1LengthArrayLong ($apreq.Count) $mechtoken_length2 = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + 1) $innercontexttoken_length = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + 17) # 31 $innercontexttoken_length2 = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + $innercontexttoken_length.Count + 18) $spnego_length = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + $innercontexttoken_length.Count + $innercontexttoken_length2.Count + 27) $grouped_length = $apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + $innercontexttoken_length.Count + $innercontexttoken_length2.Count + $spnego_length.Count + 25 $key_size = [System.BitConverter]::GetBytes($grouped_length + 3)[1,0] $rd_length = [System.BitConverter]::GetBytes($grouped_length + $key_size.Count + 27)[1,0] [Byte[]]$length = [System.BitConverter]::GetBytes($grouped_length + $tkey_name.Count + 57)[1,0] $inception = [int64](([datetime]::UtcNow)-(get-date "1/1/1970")).TotalSeconds $inception = [System.BitConverter]::GetBytes($inception) $inception = $inception[3..0] $packet_DNSQueryTKEY = New-Object System.Collections.Specialized.OrderedDictionary $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Length",$length) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_TransactionID",$transaction_ID) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Flags",[Byte[]](0x00,0x00)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Questions",[Byte[]](0x00,0x01)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_AnswerRRs",[Byte[]](0x00,0x00)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_AuthorityRRs",[Byte[]](0x00,0x00)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_AdditionalRRs",[Byte[]](0x00,0x01)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_Name",$tkey_name) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_Type",[Byte[]](0x00,0xf9)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_Class",[Byte[]](0x00,0xff)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_Name",[Byte[]](0xc0,0x0c)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_Type",[Byte[]](0x00,0xf9)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_Class",[Byte[]](0x00,0xff)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RDLength",$rd_length) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Algorithm",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Inception",$inception) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Expiration",$inception) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Mode",[Byte[]](0x00,0x03)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_Error",[Byte[]](0x00,0x00)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_KeySize",$key_size) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_Encoding",[Byte[]](0x60) + $spnego_length) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_ThisMech",[Byte[]](0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_Encoding",[Byte[]](0xa0) + $innercontexttoken_length2 + [Byte[]](0x30) + $innercontexttoken_length) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechTypes_Encoding",[Byte[]](0xa0,0x0d,0x30,0x0b)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechType0",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Encoding",[Byte[]](0xa2) + $mechtoken_length2 + [Byte[]](0x04) + $mechtoken_length) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Token",$apreq) $packet_DNSQueryTKEY.Add("DNSQueryTKEY_Queries_AdditionalRecords_RData_OtherSize",[Byte[]](0x00,0x00)) return $packet_DNSQueryTKEY } function New-PacketDNSUpdateTSIG { param([Byte[]]$transaction_ID,[String]$zone,[String]$name,[String]$type,[Int]$TTL,[Int]$preference,[Int]$priority,[Int]$weight,[Int]$port,[String]$data,[Byte[]]$time_signed,[Byte[]]$tkey_name,[Byte[]]$MAC) if($data) { $add = $true [Byte[]]$class = 0x00,0x01 } else { [Byte[]]$class = 0x00,0xff $TTL = 0 } switch ($type) { 'A' { [Byte[]]$type = 0x00,0x01 if($data -and [Bool]($data -as [System.Net.IPAddress])) { [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$data)).GetAddressBytes() } elseif($data) { [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data) } } 'AAAA' { [Byte[]]$type = 0x00,0x1c if($data -and [Bool]($data -as [System.Net.IPAddress])) { [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$data)).GetAddressBytes() } elseif($data) { [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data) } } 'CNAME' { [Byte[]]$type = 0x00,0x05 if($data -and [Bool]($data -as [System.Net.IPAddress])) { [Byte[]]$data = (New-DNSNameArray $data) + 0x00 } elseif($data) { [Byte[]]$data = (New-DNSNameArray ($data -replace ('.' + $zone),'')) + 0xc0,0x0c } } 'MX' { $MX = $true [Byte[]]$type = 0x00,0x0f if($data) { $extra_length = 2 [Byte[]]$preference = [System.Bitconverter]::GetBytes($preference)[1,0] } if($data -and [Bool]($data -as [System.Net.IPAddress])) { [Byte[]]$data = (New-DNSNameArray $data) + 0x00 } elseif($data) { [Byte[]]$data = (New-DNSNameArray ($data -replace ('.' + $zone),'')) + 0xc0,0x0c } } 'PTR' { [Byte[]]$type = 0x00,0x0c if($data) { [Byte[]]$data = (New-DNSNameArray $data) + 0x00 } } 'SRV' { $SRV = $true [Byte[]]$type = 0x00,0x21 if($data) { [Byte[]]$priority = [System.Bitconverter]::GetBytes($priority)[1,0] [Byte[]]$weight = [System.Bitconverter]::GetBytes($weight)[1,0] [Byte[]]$port = [System.Bitconverter]::GetBytes($port)[1,0] $extra_length = 6 [Byte[]]$data = (New-DNSNameArray $data) + 0x00 } } 'TXT' { $TXT = $true [Byte[]]$type = 0x00,0x10 [Byte[]]$TXT_length = [System.BitConverter]::GetBytes($data.Length)[0] if($data) { $extra_length = 1 [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data) } } } if($MX) { [Byte[]]$name = 0xc0,0x0c } else { [Byte[]]$name = (New-DNSNameArray ($name -replace ('.' + $zone),'')) + 0xc0,0x0c } [Byte[]]$zone = (New-DNSNameArray $zone) + 0x00 [Byte[]]$TTL = [System.Bitconverter]::GetBytes($TTL)[3..0] [Byte[]]$data_length = [System.BitConverter]::GetBytes($data.Length + $extra_length)[1,0] [Byte[]]$length = [System.BitConverter]::GetBytes($zone.Count + $name.Count + $data.Length + $tkey_name.Count + $MAC.Count + 62 + $extra_length)[1,0] $packet_DNSUpdateTSIG = New-Object System.Collections.Specialized.OrderedDictionary if($MAC) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Length",$length) } $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_TransactionID",$transaction_ID) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Flags",[Byte[]](0x28,0x00)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Zones",[Byte[]](0x00,0x01)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Prerequisites",[Byte[]](0x00,0x00)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates",[Byte[]](0x00,0x01)) if($MAC) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRRs",[Byte[]](0x00,0x01)) } else { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditiionalRRs",[Byte[]](0x00,0x00)) } $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Zone_Name",$zone) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Zone_Type",[Byte[]](0x00,0x06)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Zone_Class",[Byte[]](0x00,0x01)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Name",$name) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Type",$type) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Class",$class) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_TTL",$TTL) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_DataLength",$data_length) if($MX) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_TXTLength",$preference) } if($TXT -and $add) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_TXTLength",$TXT_length) } if($SRV -and $add) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Priority",$priority) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Weight",$weight) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Port",$port) } if($add) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_Updates_Address",$data) } $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Name",$tkey_name) if($MAC) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Type",[Byte[]](0x00,0xfa)) } $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Class",[Byte[]](0x00,0xff)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00)) if($MAC) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_DataLength",[Byte[]](0x00,0x36)) } $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_AlgorithmName",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_TimeSigned",$time_signed) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Fudge",[Byte[]](0x01,0x2c)) if($MAC) { $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_MACSize",[Byte[]](0x00,0x1c)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_MAC",$MAC) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_OriginalID",$transaction_ID) } $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_Error",[Byte[]](0x00,0x00)) $packet_DNSUpdateTSIG.Add("DNSUpdateTSIG_AdditionalRecords_OtherLength",[Byte[]](0x00,0x00)) return $packet_DNSUpdateTSIG } function New-PacketDNSUpdateMAC { param([Byte[]]$flags,[Byte[]]$sequence_number,[Byte[]]$checksum) $packet_DNSUpdateMAC = New-Object System.Collections.Specialized.OrderedDictionary $packet_DNSUpdateMAC.Add("DNSUpdateMAC_TokenID",[Byte[]](0x04,0x04)) $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Flags",$flags) $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Filler",[Byte[]](0xff,0xff,0xff,0xff,0xff)) $packet_DNSUpdateMAC.Add("DNSUpdateMAC_SequenceNumber",[Byte[]](0x00,0x00,0x00,0x00) + $sequence_number) if($checksum) { $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Checksum",$checksum) } return $packet_DNSUpdateMAC } $tkey = "6" + ((0..9) | Get-Random -Count 2) + "-ms-7.1-" + ((0..9) | Get-Random -Count 4) + "." + ((0..9) | Get-Random -Count 8) + "-" + ((0..9) | Get-Random -Count 4) + "-11e7-" + ((0..9) | Get-Random -Count 4) + "-000c296694e0" $tkey = $tkey -replace " ","" Write-Verbose "[+] TKEY name $tkey" [Byte[]]$tkey_name = [System.Text.Encoding]::UTF8.GetBytes($tkey) $tkey_name = [Byte[]]0x08 + $tkey_name + 0x00 $tkey_name[9] = 0x06 $tkey_name[16] = 0x24 if($kerberos_tcpclient) { $kerberos_client = New-Object System.Net.Sockets.TCPClient $kerberos_client.Client.ReceiveTimeout = 3000 $domain_controller = [System.Text.Encoding]::UTF8.GetBytes($DomainController) $kerberos_username = [System.Text.Encoding]::UTF8.GetBytes($Username) $kerberos_realm = [System.Text.Encoding]::UTF8.GetBytes($Realm) try { $kerberos_client.Connect($DomainController,"88") } catch { Write-Output "$DomainController did not respond on TCP port 88" } } if(!$kerberos_tcpclient -or $kerberos_client.Connected) { if($kerberos_tcpclient) { if($Hash) { $base_key = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-" $base_key = $base_key.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } else { $base_key = Get-KerberosAES256BaseKey $salt $password } $ke_key = Get-KerberosAES256UsageKey encrypt 1 $base_key $ki_key = Get-KerberosAES256UsageKey integrity 1 $base_key $nonce = New-RandomByteArray 4 $kerberos_client_stream = $kerberos_client.GetStream() $kerberos_client_receive = New-Object System.Byte[] 2048 $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ $kerberos_client_send = $AS_REQ $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null $kerberos_client_stream.Flush() $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null [Byte[]]$PAC_Timestamp = New-KerberosPACTimestamp $ke_key [Byte[]]$PAC_ENC_Timestamp = Protect-KerberosAES256CTS $ke_key $PAC_Timestamp [Byte[]]$PAC_Timestamp_Signature = Get-KerberosHMACSHA1 $ki_key $PAC_Timestamp $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce $PAC_ENC_Timestamp $PAC_Timestamp_Signature $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ $kerberos_client_send = $AS_REQ $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null $kerberos_client_stream.Flush() $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive) $asrep_payload = $asrep_payload -replace "-","" $kerberos_client.Close() $kerberos_client_stream.Close() } else { try { $Null = [System.Reflection.Assembly]::LoadWithPartialName("System.IdentityModel") if($username) { $creds = New-Object System.Management.Automation.PSCredential ($username,$Password) $network_creds = $creds.GetNetworkCredential() $network_creds.Domain = $domain $token = New-Object System.IdentityModel.Selectors.KerberosSecurityTokenProvider ("DNS/$DomainController",[System.Security.Principal.TokenImpersonationLevel]::Impersonation,$network_creds) $ticket = $token.GetToken([System.TimeSpan]::FromMinutes(1)) } else { $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ("DNS/$DomainController") } $asrep_key = $ticket.SecurityKey.GetSymmetricKey() $kerberos_client_receive = $Ticket.GetRequest() $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive) $asrep_payload = $asrep_payload -replace "-","" } catch { $auth_success = $false } } if($asrep_key -or ($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302010B*')) { Write-Verbose "[+] Kerberos preauthentication successful" $auth_success = $true } elseif($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302011E*') { Write-Output "[-] Kerberos preauthentication error, check credentials" $auth_success = $false } else { Write-Output "[-] Kerberos authentication failure" $auth_success = $false } if($auth_success) { $ticket_index = $asrep_payload.IndexOf("A003020112A1030201") $ticket_kvno = $kerberos_client_receive[($ticket_index / 2 + 9)] if($asrep_payload.Substring($ticket_index + 22,2) -eq '82') { $ticket_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($ticket_index / 2 + 13)..($ticket_index / 2 + 12)],0)) - 4 } else { $ticket_length = $kerberos_client_receive[($ticket_index / 2 + 12)] - 3 } $ticket = $Kerberos_client_receive[($ticket_index / 2 + 18)..($ticket_index/2 + 17 + $ticket_length)] if($kerberos_tcpclient) { $cipher_index = $asrep_payload.Substring($ticket_index + 1).IndexOf("A003020112A1030201") + $ticket_index + 1 if($asrep_payload.Substring($cipher_index + 22,2) -eq '82') { $cipher_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($cipher_index / 2 + 13)..($cipher_index / 2 + 12)],0)) - 4 } else { $cipher_length = $kerberos_client_receive[($cipher_length / 2 + 12)] - 3 } $cipher = $kerberos_client_receive[($cipher_index / 2 + 18)..($cipher_index / 2 + 17 + $cipher_length)] $ke_key = Get-KerberosAES256UsageKey encrypt 3 $base_key $asrep_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)] $kerberos_session_key = $asrep_cleartext[37..68] $ke_key = Get-KerberosAES256UsageKey encrypt 11 $kerberos_session_key $ki_key = Get-KerberosAES256UsageKey integrity 11 $kerberos_session_key [Byte[]]$subkey = New-RandomByteArray 32 [Byte[]]$sequence_number = New-RandomByteArray 4 $packet_authenticator = New-KerberosAuthenticator $kerberos_realm $kerberos_username $subkey $sequence_number [Byte[]]$authenticator = ConvertFrom-PacketOrderedDictionary $packet_authenticator $authenticator = (New-RandomByteArray 16) + $authenticator $authenticator_encrypted = Protect-KerberosAES256CTS $ke_key $authenticator $authenticator_signature = Get-KerberosHMACSHA1 $ki_key $authenticator $packet_apreq = New-PacketKerberosAPREQ $kerberos_realm $domain_controller $ticket_kvno $ticket $authenticator_encrypted $authenticator_signature [Byte[]]$apreq = ConvertFrom-PacketOrderedDictionary $packet_apreq [Byte[]]$mac_flags = 0x04 } else { [Byte[]]$apreq = $kerberos_client_receive [Byte[]]$mac_flags = 0x00 } $packet_DNSQueryTKEY = New-PacketDNSQueryTKEY $tkey_name $apreq $DNSQueryTKEY = ConvertFrom-PacketOrderedDictionary $packet_DNSQueryTKEY $DNS_client = New-Object System.Net.Sockets.TCPClient $DNS_client.Client.ReceiveTimeout = 3000 try { $DNS_client.Connect($DomainController,"53") } catch { Write-Output "$DomainController did not respond on TCP port 53" } if($DNS_client.Connected) { $DNS_client_stream = $DNS_client.GetStream() $DNS_client_receive = New-Object System.Byte[] 2048 $DNS_client_send = $DNSQueryTKEY $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null $DNS_client_stream.Flush() $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null $tkey_payload = [System.BitConverter]::ToString($DNS_client_receive) $tkey_payload = $tkey_payload -replace "-","" if($tkey_payload.Substring(8,4) -eq '8000') { Write-Verbose "[+] Kerberos TKEY query successful" $TKEY_success = $true } else { Write-Output ("[-] Kerberos TKEY query error 0x" + $tkey_payload.Substring(8,4)) $TKEY_success = $false } if($TKEY_success) { if($kerberos_tcpclient) { $cipher_index = $tkey_payload.IndexOf("A003020112A2") $cipher_length = $DNS_client_receive[($cipher_index / 2 + 8)] $cipher = $DNS_client_receive[($cipher_index / 2 + 9)..($cipher_index / 2 + 8 + $cipher_length)] $ke_key = Get-KerberosAES256UsageKey encrypt 12 $kerberos_session_key $tkey_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)] $acceptor_subkey = $tkey_cleartext[59..90] } else { $sequence_index = $tkey_payload.IndexOf("FFFFFFFFFF00000000") $sequence_number = $DNS_client_receive[($sequence_index / 2 + 9)..($sequence_index / 2 + 12)] $acceptor_subkey = $asrep_key } $kc_key = Get-KerberosAES256UsageKey checksum 25 $acceptor_subkey $time_signed = [Int](([DateTime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds $time_signed = [System.BitConverter]::GetBytes($time_signed) $time_signed = 0x00,0x00 + $time_signed[3..0] [Byte[]]$transaction_id = New-RandomByteArray 2 $packet_DNSUpdateTSIG = New-PacketDNSUpdateTSIG $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateTSIG $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC $DNSUpdateTSIG += $DNSUpdateMAC $checksum = Get-KerberosHMACSHA1 $kc_key $DNSUpdateTSIG $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number $checksum [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC $packet_DNSUpdateTSIG = New-PacketDNSUpdateTSIG $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name $DNSUpdateMAC [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateTSIG $DNS_client_send = $DNSUpdateTSIG $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null $DNS_client_stream.Flush() $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null $DNS_response_flags = [System.BitConverter]::ToString($DNS_client_receive[4..5]) $DNS_response_flags = $DNS_response_flags -replace "-","" switch ($DNS_response_flags) { 'A800' {Write-Output "[+] DNS update successful"} 'A801' {Write-Output ("[-] format error 0x" + $DNS_response_flags)} 'A802' {Write-Output ("[-] failed to complete 0x" + $DNS_response_flags)} 'A804' {Write-Output ("[-] not implemented 0x" + $DNS_response_flags)} 'A805' {Write-Output ("[-] update refused 0x" + $DNS_response_flags)} Default {Write-Output ("[-] DNS update was not successful 0x" + $DNS_response_flags)} } $DNS_client.Close() $DNS_client_stream.Close() } } } } }