function Invoke-DNSUpdate
{
<#
.SYNOPSIS
This function performs secure and nonsecure DNS dynamic updates against an AD domain controller. Authentication
for secure updates is performed through Kerberos GSS-TSIG.
Author: Kevin Robertson (@kevin_robertson)
License: BSD 3-Clause
.DESCRIPTION
This function can be used to add/delete dynamic DNS records through secure or nonsecure dynamic updates against an
AD domain controller. A, AAAA, CNAME, MX, PTR, SRV, and TXT records are currently supported. Invoke-DNSUpdate is modeled
after BIND`s nsupdate tool when using the '-g' or 'gsstsig' options for secure updates or no authentication for
nonsecure updates.
By default, Active Directory-integrated zones have secure dynamic updates enabled with authenticated users having
'Create all child objects' permission. Records that do not exist in an AD zone can be added/deleted with a standard
user account. Existing records created by default or created by other users impose limitations. For example, creating
records that apply to the root of the zone or creating additional SRV records for kerberos/ldap will likely be blocked
due to existing records. Note however that older existing dynamic records can sometimes be hijacked. Subdomain folders
can also be created.
With secure dynamic updates, this function supports only GSS-TSIG through Kerberos AES256-CTS-HMAC-SHA1-96 using
two separate methods. By default, the function will have Windows perform all Kerberos steps up until the AP-REQ
is sent to DNS on the DC. This method will work with either the current session context or with specified credentials.
The second method performs Kerberos authentication using just PowerShell code over a TCPClient connection. This method
will accept a password or AES256 hash and will not place any tickets in the client side cache.
In the event that a zone is configured for nonsecure dynamic updates, you should have full control over the zone.
Note that wpad and isatap are on a block list by default starting with Server 2008. Although the records can be added
with both secure and nonsecure dynamic updates, AD DNS will not answer requests for wpad and isatap if they are listed
on the block list.
.PARAMETER Credential
PSCredential object that will be used to to perform dynamic update.
.PARAMETER DomainController
Domain controller to target in FQDN format.
.PARAMETER Realm
Kerberos realm.
.PARAMETER Username
Username of user with DNS secure dynamic update access. If using a machine account, the trailing '$' must be
included if one is shown in the SAMAccountName attribute. Note, this is an alternative to using Credential and
is mainly included as part of pass the hash functionality.
.PARAMETER Password
Password of user with DNS secure dynamic update access. The password must be in the form of a secure string.
Note, this is an alternative to using Credential and is mainly included as part of pass the hash
functionality.
.PARAMETER Hash
AES256 password hash for user with DNS secure dynamic update access. Note that this will use Kerberos
authentication built on top of TCPClient. Note, this is an alternative to using Credential and is mainly
included as part of pass the hash functionality.
.PARAMETER Security
Default = Secure: (Auto/Nonsecure/Secure) Dynamic update security type. Auto will attempt to use nonsecure. If
nonsecure fails, secure will be used. This is the standard dynamic update behavior. Secure is the default
because it generates less traffic with default setups.
.PARAMETER DNSName
DNS record name.
.PARAMETER DNSData
DNS records data. For most record types this will be the destination hostname or IP address. For TXT records
this can be used for data. If deleting a record, do not set this parameter.
.PARAMETER DNSPort
DNS SRV record port.
.PARAMETER DNSPreference
DNS MX record preference.
.PARAMETER DNSPriority
DNS SRV record priority.
.PARAMETER DNSTTL
Default = 600: DNS record TTL.
.PARAMETER DNSType
Default = A: DNS record type. This function supports A, AAAA, CNAME, MX, PTR, SRV, and TXT.
.PARAMETER DNSWeight
DNS SRV record weight.
.PARAMETER DNSZone
DNS zone.
.PARAMETER RecordCheck
Check for an existing matching record before attempting to add or delete.
.PARAMETER TCPClientAuth
Switch to force usage of the TCPClient based Kerberos authentication. Note, usernames are case sensitive with
this switch.
.EXAMPLE
Invoke-DNSUpdate -DNSName www -DNSData 192.168.100.125
Add A Record
.EXAMPLE
Invoke-DNSUpdate -DNSType AAAA -DNSName www.test.local -DNSData 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Add AAAA Record
.EXAMPLE
Invoke-DNSUpdate -DNSType CNAME -DNSName www.test.local -DNSData system.test.local
Add CNAME Record
.EXAMPLE
Invoke-DNSUpdate -DNSType MX -DNSName test.local -DNSData 192.168.100.125 -DNSPreference 10
Add MX Record
.EXAMPLE
Invoke-DNSUpdate -DNSType PTR -DNSName 125.100.168.192.in-addr.arpa -DNSData www.test.local -DNSZone 100.168.192.in-addr.arpa
Add PTR Record - there is a good chance this will be denied if there is an existing record for an IP
.EXAMPLE
Invoke-DNSUpdate -DNSType SRV -DNSName _autodiscover._tcp.lab.local -DNSData system.test.local -DNSPriority 100 -DNSWeight 80 -DNSPort 443
Add SRV Record
.EXAMPLE
Invoke-DNSUpdate -DNSType TXT -DNSName host.test.local -DNSData "some text"
Add TXT Record
.EXAMPLE
Invoke-DNSUpdate -DNSType TXT -DNSName host.test.local
Delete TXT record - all deletes follow the same format, just specify DNSType and DNSName
.EXAMPLE
Invoke-DNSUpdate -DNSType A -DNSName www.test.local -Username testuser
Add A record using another account
.EXAMPLE
Invoke-DNSUpdate -DNSType A -DNSName www.test.local -Username testuser -Hash 0C27E0A5B0D69640B40DDED4A28EB3BB0D157659EBED2816A41A8228E98D111B
Add A record using another account and an AES256 hash
.LINK
https://github.com/Kevin-Robertson/Powermad
#>
[CmdletBinding()]
param
(
[parameter(Mandatory=$false)][String]$DomainController,
[parameter(Mandatory=$false)][String]$Realm,
[parameter(Mandatory=$false)][String]$Username,
[parameter(Mandatory=$false)][System.Security.SecureString]$Password,
[parameter(Mandatory=$false)][ValidateScript({$_.Length -eq 64})][String]$Hash,
[parameter(Mandatory=$false)][String]$Zone,
[parameter(Mandatory=$false)][Int]$DNSTTL = 600,
[parameter(Mandatory=$false)][Int]$DNSPreference,
[parameter(Mandatory=$false)][Int]$DNSPriority,
[parameter(Mandatory=$false)][Int]$DNSWeight,
[parameter(Mandatory=$false)][Int]$DNSPort,
[parameter(Mandatory=$false)][ValidateSet("Auto","Nonsecure","Secure")][String]$Security = "Secure",
[parameter(Mandatory=$false)][ValidateSet("A","AAAA","CNAME","MX","PTR","SRV","TXT")][String]$DNSType = "A",
[parameter(Mandatory=$true)][String]$DNSName,
[parameter(Mandatory=$false)][ValidateScript({$_.Length -le 255})][String]$DNSData,
[parameter(Mandatory=$false)][Switch]$RecordCheck,
[parameter(Mandatory=$false)][Switch]$TCPClientAuth,
[parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
if($invalid_parameter)
{
Write-Output "[-] $($invalid_parameter) is not a valid parameter"
throw
}
if($TCPClientAuth -and (!$Credential -and !$Username))
{
Write-Output "[-] TCPClientAuth requires a username or PSCredential"
throw
}
switch ($DNSType)
{
'MX'
{
if(!$DNSPreference)
{
Write-Output "[-] MX records require a DNSPreference"
throw
}
}
'PTR'
{
if(!$Zone)
{
Write-Output "[-] PTR records require a DNSZone"
throw
}
}
'SRV'
{
if(!$DNSPriority -and !$DNSWeight -and !$DNSPort -and $DNSData)
{
Write-Output "[-] DNSType SRV requires DNSPriority, DNSWeight, and DNSPort"
throw
}
if($DNSName -notlike '*._tcp.*' -and $DNSName -notlike '*._udp.*')
{
Write-Output "[-] DNSName doesn't contain a protocol"
throw
}
}
}
if($Security -ne 'Nonsecure' -and $Username -and !$Hash)
{
$password = Read-Host -Prompt "Enter password" -AsSecureString
}
if(!$DistinguishedName -and (!$DomainController -or !$Domain -or !$Realm -or !$Zone))
{
try
{
$current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
}
catch
{
Write-Output "[-] $($_.Exception.Message)"
throw
}
}
if(!$DomainController)
{
$DomainController = $current_domain.PdcRoleOwner.Name
Write-Verbose "[+] Domain Controller = $DomainController"
}
if(!$Domain)
{
$Domain = $current_domain.Name
Write-Verbose "[+] Domain = $Domain"
}
if(!$Realm)
{
$Realm = $current_domain.Name
Write-Verbose "[+] Kerberos Realm = $Realm"
}
if(!$Zone)
{
$Zone = $current_domain.Name
Write-Verbose "[+] DNS Zone = $Zone"
}
$Zone = $Zone.ToLower()
if($TCPClientAuth -or $Hash -or ($TCPClientAuth -and $Credential))
{
$kerberos_tcpclient = $true
$Realm = $Realm.ToUpper()
if($Credential)
{
$Username = $Credential.Username
$Password = $Credential.Password
}
if($username -like "*\*")
{
$username = $username.SubString(($username.IndexOf("\") + 1),($username.Length - ($username.IndexOf("\") + 1)))
}
if($username -like "*@*")
{
$username = $username.SubString(0,($username.IndexOf("@")))
}
if($Username.EndsWith("$"))
{
$salt = $Realm + "host" + $Username.SubString(0,$Username.Length - 1) + "." + $Realm.ToLower()
}
else
{
$salt = $Realm + $Username
}
Write-Verbose "[+] Salt $salt"
}
function ConvertFrom-PacketOrderedDictionary($OrderedDictionary)
{
ForEach($field in $OrderedDictionary.Values)
{
$byte_array += $field
}
return [Byte[]]$byte_array
}
function Get-KerberosAES256UsageKey
{
param([String]$key_type,[Int]$usage_number,[Byte[]]$base_key)
$padding = 0x00 * 16
if($key_type -eq 'checksum')
{
switch($usage_number)
{
25 {[Byte[]]$usage_constant = 0x5d,0xfb,0x7d,0xbf,0x53,0x68,0xce,0x69,0x98,0x4b,0xa5,0xd2,0xe6,0x43,0x34,0xba + $padding}
}
}
elseif($key_type -eq 'encrypt')
{
switch($usage_number)
{
1 {[Byte[]]$usage_constant = 0xae,0x2c,0x16,0x0b,0x04,0xad,0x50,0x06,0xab,0x55,0xaa,0xd5,0x6a,0x80,0x35,0x5a + $padding}
3 {[Byte[]]$usage_constant = 0xbe,0x34,0x9a,0x4d,0x24,0xbe,0x50,0x0e,0xaf,0x57,0xab,0xd5,0xea,0x80,0x75,0x7a + $padding}
4 {[Byte[]]$usage_constant = 0xc5,0xb7,0xdc,0x6e,0x34,0xc7,0x51,0x12,0xb1,0x58,0xac,0x56,0x2a,0x80,0x95,0x8a + $padding}
7 {[Byte[]]$usage_constant = 0xde,0x44,0xa2,0xd1,0x64,0xe0,0x51,0x1e,0xb7,0x5b,0xad,0xd6,0xea,0x80,0xf5,0xba + $padding}
11 {[Byte[]]$usage_constant = 0xfe,0x54,0xaa,0x55,0xa5,0x02,0x52,0x2f,0xbf,0x5f,0xaf,0xd7,0xea,0x81,0x75,0xfa + $padding}
12 {[Byte[]]$usage_constant = 0x05,0xd7,0xec,0x76,0xb5,0x0b,0x53,0x33,0xc1,0x60,0xb0,0x58,0x2a,0x81,0x96,0x0b + $padding}
}
}
elseif($key_type -eq 'integrity')
{
switch($usage_number)
{
1 {[Byte[]]$usage_constant = 0x5b,0x58,0x2c,0x16,0x0a,0x5a,0xa8,0x05,0x56,0xab,0x55,0xaa,0xd5,0x40,0x2a,0xb5 + $padding}
4 {[Byte[]]$usage_constant = 0x72,0xe3,0xf2,0x79,0x3a,0x74,0xa9,0x11,0x5c,0xae,0x57,0x2b,0x95,0x40,0x8a,0xe5 + $padding}
7 {[Byte[]]$usage_constant = 0x8b,0x70,0xb8,0xdc,0x6a,0x8d,0xa9,0x1d,0x62,0xb1,0x58,0xac,0x55,0x40,0xeb,0x15 + $padding}
11 {[Byte[]]$usage_constant = 0xab,0x80,0xc0,0x60,0xaa,0xaf,0xaa,0x2e,0x6a,0xb5,0x5a,0xad,0x55,0x41,0x6b,0x55 + $padding}
}
}
$AES = New-Object "System.Security.Cryptography.AesManaged"
$AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$AES.KeySize = 256
$AES.Key = $base_key
$AES_encryptor = $AES.CreateEncryptor()
$usage_key = $AES_encryptor.TransformFinalBlock($usage_constant,0,$usage_constant.Length)
return $usage_key
}
# TCPClient Kerberos start - this section can be removed if not using a hash or -TCPClientAuth
function Get-KerberosAES256BaseKey
{
param([String]$salt,[System.Security.SecureString]$password)
$password_BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$password_cleartext = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($password_BSTR)
[Byte[]]$salt = [System.Text.Encoding]::UTF8.GetBytes($salt)
[Byte[]]$password_cleartext = [System.Text.Encoding]::UTF8.GetBytes($password_cleartext)
$constant = 0x6B,0x65,0x72,0x62,0x65,0x72,0x6F,0x73,0x7B,0x9B,0x5B,0x2B,0x93,0x13,0x2B,0x93,0x5C,0x9B,0xDC,0xDA,0xD9,0x5C,0x98,0x99,0xC4,0xCA,0xE4,0xDE,0xE6,0xD6,0xCA,0xE4
$PBKDF2 = New-Object Security.Cryptography.Rfc2898DeriveBytes($password_cleartext,$salt,4096)
Remove-Variable password_cleartext
$PBKDF2_key = $PBKDF2.GetBytes(32)
$AES = New-Object "System.Security.Cryptography.AesManaged"
$AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AES.Padding = [System.Security.Cryptography.PaddingMode]::None
$AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$AES.KeySize = 256
$AES.Key = $PBKDF2_key
$AES_encryptor = $AES.CreateEncryptor()
$base_key_part_1 = $AES_encryptor.TransformFinalBlock($constant,0,$constant.Length)
$base_key_part_2 = $AES_encryptor.TransformFinalBlock($base_key_part_1,0,$base_key_part_1.Length)
$base_key = $base_key_part_1[0..15] + $base_key_part_2[0..15]
return $base_key
}
function New-PacketKerberosASREQ()
{
param([Byte[]]$Username,[Byte[]]$Realm,[Byte[]]$NameString,[Byte[]]$Nonce,[Byte[]]$PAC,[Byte[]]$PACSignature)
$timestamp = Get-Date
$till = $timestamp.AddYears(20)
$timestamp = ("{0:u}" -f $timestamp) -replace "-","" -replace " ","" -replace ":",""
$till = ("{0:u}" -f $till) -replace "-","" -replace " ","" -replace ":",""
[Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp)
[Byte[]]$till = [System.Text.Encoding]::UTF8.GetBytes($till)
if($PAC)
{
$pac_extra_length = 78
}
[Byte[]]$namestring1_length = Get-ASN1LengthArray $NameString.Count
[Byte[]]$namestring_length = Get-ASN1LengthArray ($NameString.Count + $namestring1_length.Count + 6)
[Byte[]]$namestring_length2 = Get-ASN1LengthArray ($NameString.Count + $namestring1_length.Count + $namestring_length.Count + 7)
[Byte[]]$sname_length = Get-ASN1LengthArray ($NameString.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 13)
[Byte[]]$sname_length2 = Get-ASN1LengthArray ($NameString.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 14)
[Byte[]]$realm_length = Get-ASN1LengthArray $Realm.Count
[Byte[]]$realm_length2 = Get-ASN1LengthArray ($Realm.Count + $realm_length.Count + 1)
[Byte[]]$cname_length = Get-ASN1LengthArray $Username.Count
[Byte[]]$cname_length2 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + 1)
[Byte[]]$cname_length3 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + 2)
[Byte[]]$cname_length4 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8)
[Byte[]]$cname_length5 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9)
$grouped_length = $address_length.Count + $address_length2.Count + $address_length3.Count + $address_length4.Count + $address_length5.Count + $NameString.Count +
$namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $Realm.Count + $realm_length.Count +
$realm_length2.Count + $Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count
[Byte[]]$reqbody_length = Get-ASN1LengthArrayLong ($grouped_length + 86)
[Byte[]]$reqbody_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + 87)
[Byte[]]$message_length = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $pac_extra_length + 114)
[Byte[]]$message_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $pac_extra_length + 115)
[Byte[]]$asreq_length = [System.BitConverter]::GetBytes($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $message_length2.Count +
$pac_extra_length + 116)[3..0]
$KerberosASREQ = New-Object System.Collections.Specialized.OrderedDictionary
$KerberosASREQ.Add("Length",$asreq_length)
$KerberosASREQ.Add("Message_Encoding",[Byte[]](0x6a) + $message_length2 + [Byte[]](0x30) + $message_length)
$KerberosASREQ.Add("Message_PVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
$KerberosASREQ.Add("Message_PVNO",[Byte[]](0x05))
$KerberosASREQ.Add("Message_MSGType_Encoding",[Byte[]](0xa2,0x03,0x02,0x01))
$KerberosASREQ.Add("Message_MSGType",[Byte[]](0x0a))
if($PAC)
{
$KerberosASREQ.Add("Message_PAData_Encoding",[Byte[]](0xa3,0x5c,0x30,0x5a,0x30,0x4c,0xa1,0x03,0x02,0x01,0x02))
$KerberosASREQ.Add("Message_PAData0_Type_Encoding",[Byte[]](0xa2,0x45,0x04,0x43,0x30,0x41,0xa0,0x03,0x02,0x01))
$KerberosASREQ.Add("Message_PAData0_Type",[Byte[]](0x12))
$KerberosASREQ.Add("Message_PAData0_Value_Encoding",[Byte[]](0xa2,0x3a,0x04,0x38))
$KerberosASREQ.Add("Message_PAData0_Value",$PAC)
$KerberosASREQ.Add("Message_PAData0_Signature",$PACSignature)
$KerberosASREQ.Add("Message_PAData1_Type_Encoding",[Byte[]](0x30,0x0a,0xa1,0x04,0x02,0x02))
}
else
{
$KerberosASREQ.Add("Message_PAData_Encoding",[Byte[]](0xa3,0x0e,0x30,0x0c,0x30,0x0a))
$KerberosASREQ.Add("Message_PAData1_Type_Encoding",[Byte[]](0xa1,0x04,0x02,0x02))
}
$KerberosASREQ.Add("Message_PAData1_Type",[Byte[]](0x00,0x95))
$KerberosASREQ.Add("Message_PAData1_Value_Encoding",[Byte[]](0xa2,0x02,0x04))
$KerberosASREQ.Add("Message_PAData1_Value",[Byte[]](0x00))
$KerberosASREQ.Add("Message_REQBody_Encoding",[Byte[]](0xa4) + $reqbody_length2 + [Byte[]](0x30) + $reqbody_length)
$KerberosASREQ.Add("Message_REQBody_KDCOptions_Encoding",[Byte[]](0xa0,0x07,0x03,0x05))
$KerberosASREQ.Add("Message_REQBody_KDCOptions_Padding",[Byte[]](0x00))
$KerberosASREQ.Add("Message_REQBody_KDCOptions",[Byte[]](0x50,0x00,0x00,0x00))
$KerberosASREQ.Add("Message_REQBody_CName_Encoding",[Byte[]](0xa1) + $cname_length5 + [Byte[]](0x30) + $cname_length4)
$KerberosASREQ.Add("Message_REQBody_CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosASREQ.Add("Message_REQBody_CName_NameType",[Byte[]](0x01))
$KerberosASREQ.Add("Message_REQBody_CName_NameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + $cname_length2 + [Byte[]](0x1b) + $cname_length)
$KerberosASREQ.Add("Message_REQBody_CName_NameString",$Username)
$KerberosASREQ.Add("Message_REQBody_Realm_Encoding",[Byte[]](0xa2) + $realm_length2 + [Byte[]](0x1b) + $realm_length)
$KerberosASREQ.Add("Message_REQBody_Realm",$Realm)
$KerberosASREQ.Add("Message_REQBody_SName_Encoding",[Byte[]](0xa3) + $sname_length2 + [Byte[]](0x30) + $sname_length)
$KerberosASREQ.Add("Message_REQBody_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosASREQ.Add("Message_REQBody_SName_NameType",[Byte[]](0x01))
$KerberosASREQ.Add("Message_REQBody_SName_NameString_Encoding",[Byte[]](0xa1) + $namestring_length2 + [Byte[]](0x30) + $namestring_length)
$KerberosASREQ.Add("Message_REQBody_SName_NameString0_Encoding",[Byte[]](0x1b,0x03))
$KerberosASREQ.Add("Message_REQBody_SName_NameString0",[Byte[]](0x44,0x4e,0x53))
$KerberosASREQ.Add("Message_REQBody_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) #50
$KerberosASREQ.Add("Message_REQBody_SName_NameString1",$NameString)
$KerberosASREQ.Add("Message_REQBody_Till_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f))
$KerberosASREQ.Add("Message_REQBody_Till",$till)
$KerberosASREQ.Add("Message_REQBody_Nonce_Encoding",[Byte[]](0xa7,0x06,0x02,0x04))
$KerberosASREQ.Add("Message_REQBody_Nonce",$Nonce)
$KerberosASREQ.Add("Message_REQBody_EType_Encoding",[Byte[]](0xa8,0x15,0x30,0x13))
$KerberosASREQ.Add("Message_REQBody_EType",[Byte[]](0x02,0x01,0x12,0x02,0x01,0x11,0x02,0x01,0x17,0x02,0x01,0x18,0x02,0x02,0xff,0x79,0x02,0x01,0x03))
return $KerberosASREQ
}
function New-PacketKerberosAPREQ()
{
param([Byte[]]$Realm,[Byte[]]$SPN,[Byte[]]$KVNO,[Byte[]]$Ticket,[Byte[]]$Authenticator,[Byte[]]$AuthenticatorSignature)
$Authenticator += $AuthenticatorSignature
$parameter_length = $Realm.Count + $SPN.Count + $ticket.Count + $Authenticator.Count
[Byte[]]$authenticator_length = Get-ASN1LengthArrayLong $Authenticator.Count
[Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($Authenticator.Count + $authenticator_length.Count + 1)
[Byte[]]$Authenticator_length3 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + 7)
[Byte[]]$authenticator_length4 = Get-ASN1LengthArrayLong ($Authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + $authenticator_length3.Count + 8)
[Byte[]]$ticket_length = Get-ASN1LengthArrayLong $ticket.Count
[Byte[]]$ticket_length2 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + 1)
[Byte[]]$ticket_length3 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + 12)
[Byte[]]$ticket_length4 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + 13)
[Byte[]]$namestring1_length = Get-ASN1LengthArray $SPN.Count
[Byte[]]$namestring_length = Get-ASN1LengthArray ($SPN.Count + $namestring_length.Count + 4)
[Byte[]]$namestring_length2 = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + 5)
[Byte[]]$sname_length = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 4)
[Byte[]]$sname_length2 = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 5)
[Byte[]]$sname_length3 = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + 11)
[Byte[]]$sname_length4 = Get-ASN1LengthArray ($SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
$sname_length3.Count + 12)
[Byte[]]$realm_length = Get-ASN1LengthArray $Realm.Count
[Byte[]]$realm_length2 = Get-ASN1LengthArray ($Realm.Count + $realm_length.Count + 1)
[Byte[]]$ticket_length5 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
$SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
$sname_length3.Count + $sname_length4.Count + $Realm.Count + $realm_length.Count + $realm_length2.Count + 34)
[Byte[]]$ticket_length6 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
$SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
$sname_length3.Count + $sname_length4.Count + $Realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + 35)
[Byte[]]$ticket_length7 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
$SPN.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
$sname_length3.Count + $sname_length4.Count + $Realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + 36)
[Byte[]]$apreq_length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
$ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
$sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count + 73)
[Byte[]]$apreq_length2 = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
$ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
$sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count +
$apreq_length.Count + 74)
[Byte[]]$length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
$ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
$sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count +
$apreq_length.Count + $apreq_length2.Count + 88)
$KerberosAPREQ = New-Object System.Collections.Specialized.OrderedDictionary
$KerberosAPREQ.Add("Length",([Byte[]](0x60) + $length))
$KerberosAPREQ.Add("MechToken_ThisMech",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02))
$KerberosAPREQ.Add("MechToken_TokenID",[Byte[]](0x01,0x00))
$KerberosAPREQ.Add("APReq_Encoding",[Byte[]](0x6e) + $apreq_length2 + [Byte[]](0x30) + $apreq_length)
$KerberosAPREQ.Add("PVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosAPREQ.Add("PVNO",[Byte[]]0x05)
$KerberosAPREQ.Add("MSGType_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
$KerberosAPREQ.Add("MSGType",[Byte[]](0x0e))
$KerberosAPREQ.Add("Padding_Encoding",[Byte[]](0xa2,0x07,0x03,0x05))
$KerberosAPREQ.Add("Padding",[Byte[]](0x00))
$KerberosAPREQ.Add("APOptions",[Byte[]](0x20,0x00,0x00,0x00))
$KerberosAPREQ.Add("Ticket_Encoding",[Byte[]](0xa3) + $ticket_length7 + [Byte[]](0x61) + $ticket_length6 + [Byte[]](0x30) + $ticket_length5)
$KerberosAPREQ.Add("Ticket_TKTVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosAPREQ.Add("Ticket_TKTVNO",[Byte[]](0x05))
$KerberosAPREQ.Add("Ticket_Realm_Encoding",[Byte[]](0xa1) + $realm_length2 + [Byte[]](0x1b) + $realm_length)
$KerberosAPREQ.Add("Ticket_Realm",$Realm)
$KerberosAPREQ.Add("Ticket_SName_Encoding",[Byte[]](0xa2) + $sname_length4 + [Byte[]](0x30) + $sname_length3)
$KerberosAPREQ.Add("Ticket_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosAPREQ.Add("Ticket_SName_NameType",[Byte[]](0x01))
$KerberosAPREQ.Add("Ticket_SName_NameString_Encoding",[Byte[]](0xa1) + $sname_length2 + [Byte[]](0x30) + $sname_length)
$KerberosAPREQ.Add("Ticket_SName_NameString0_Encoding",[Byte[]](0x1b,0x03))
$KerberosAPREQ.Add("Ticket_SName_NameString0",[Byte[]](0x44,0x4e,0x53))
$KerberosAPREQ.Add("Ticket_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length)
$KerberosAPREQ.Add("Ticket_SName_NameString1",$SPN)
$KerberosAPREQ.Add("Ticket_EncPart_Encoding",[Byte[]](0xa3) + $ticket_length4 + [Byte[]](0x30) + $ticket_length3)
$KerberosAPREQ.Add("Ticket_EncPart_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosAPREQ.Add("Ticket_EncPart_EType",[Byte[]](0x12))
$KerberosAPREQ.Add("Ticket_EncPart_KVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
$KerberosAPREQ.Add("Ticket_EncPart_KVNO",$KVNO)
$KerberosAPREQ.Add("Ticket_EncPart_Cipher_Encoding",[Byte[]](0xa2) + $ticket_length2 + [Byte[]](0x04) + $ticket_length)
$KerberosAPREQ.Add("Ticket_EncPart_Cipher",$ticket)
$KerberosAPREQ.Add("Authenticator_Encoding",[Byte[]](0xa4) + $authenticator_length4 + [Byte[]](0x30) + $authenticator_length3)
$KerberosAPREQ.Add("Authenticator_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosAPREQ.Add("Authenticator_EType",[Byte[]](0x12))
$KerberosAPREQ.Add("Authenticator_Cipher_Encoding",[Byte[]](0xa2) + $authenticator_length2 + [Byte[]](0x04) + $authenticator_length)
$KerberosAPREQ.Add("Authenticator_Cipher",$Authenticator)
return $KerberosAPREQ
}
function Unprotect-KerberosASREP
{
param([Byte[]]$ke_key,[Byte[]]$encrypted_data)
$final_block_length = [Math]::Truncate($encrypted_data.Count % 16)
[Byte[]]$final_block = $encrypted_data[($encrypted_data.Count - $final_block_length)..$encrypted_data.Count]
[Byte[]]$penultimate_block = $encrypted_data[($encrypted_data.Count - $final_block_length - 16)..($encrypted_data.Count - $final_block_length - 1)]
$AES = New-Object "System.Security.Cryptography.AesManaged"
$AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$AES.KeySize = 256
$AES.Key = $ke_key
$AES_decryptor = $AES.CreateDecryptor()
$penultimate_block_cleartext = $AES_decryptor.TransformFinalBlock($penultimate_block,0,$penultimate_block.Length)
[Byte[]]$final_block_padding = $penultimate_block_cleartext[$final_block_length..$penultimate_block_cleartext.Count]
$final_block += $final_block_padding
[Byte[]]$cts_encrypted_data = $encrypted_data[0..($encrypted_data.Count - $final_block_length - 17)] + $final_block + $penultimate_block
[Byte[]]$cleartext = $AES_decryptor.TransformFinalBlock($cts_encrypted_data,0,$cts_encrypted_data.Length)
return $cleartext
}
function New-KerberosPACTimestamp
{
param([Byte[]]$ke_key)
[Byte[]]$timestamp = Get-KerberosTimestampUTC
[String]$confounder = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
[Byte[]]$confounder = $confounder.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
[Byte[]]$PAC_timestamp = $confounder +
0x30,0x1a,0xa0,0x11,0x18,0x0f +
$timestamp +
0xa1,0x05,0x02,0x03,0x01,0x70,0x16
return $PAC_timestamp
}
function New-KerberosAuthenticator
{
param([Byte[]]$Realm,[Byte[]]$Username,[Byte[]]$SubKey,[Byte[]]$SequenceNumber)
$parameter_length = $Realm.Count + $Username.Count + $SubKey.Count
[Byte[]]$subkey_length = Get-ASN1LengthArray $SubKey.Count
[Byte[]]$subkey_length2 = Get-ASN1LengthArray ($SubKey.Count + $subkey_length.Count + 1)
[Byte[]]$subkey_length3 = Get-ASN1LengthArray ($SubKey.Count + $subkey_length.Count + $subkey_length2.Count + 7)
[Byte[]]$subkey_length4 = Get-ASN1LengthArray ($SubKey.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + 8)
[Byte[]]$cname_length = Get-ASN1LengthArray $Username.Count
[Byte[]]$cname_length2 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + 1)
[Byte[]]$cname_length3 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + 2)
[Byte[]]$cname_length4 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8)
[Byte[]]$cname_length5 = Get-ASN1LengthArray ($Username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9)
[Byte[]]$crealm_length = Get-ASN1LengthArray $Realm.Count
[Byte[]]$crealm_length2 = Get-ASN1LengthArray ($Realm.Count + $crealm_length.Count + 1)
[Byte[]]$authenticator_length = Get-ASN1LengthArrayLong ($parameter_length + 99 + $crealm_length.Count + $crealm_length2.Count +
$cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count +
$subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count)
[Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($parameter_length + 100 + $crealm_length.Count + $crealm_length2.Count +
$cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count +
$subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count + $authenticator_length.Count)
$KerberosAuthenticator = New-Object System.Collections.Specialized.OrderedDictionary
$KerberosAuthenticator.Add("Encoding",[Byte[]](0x62) + $authenticator_length2 + [Byte[]](0x30) + $authenticator_length)
$KerberosAuthenticator.Add("AuthenticatorVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosAuthenticator.Add("AuthenticatorVNO",[Byte[]](0x05))
$KerberosAuthenticator.Add("CRealm_Encoding",[Byte[]](0xa1) + $crealm_length2 + [Byte[]](0x1b) + $crealm_length)
$KerberosAuthenticator.Add("CRealm",$Realm)
$KerberosAuthenticator.Add("CName_Encoding",[Byte[]](0xa2) + $cname_length5 + [Byte[]](0x30) + $cname_length4)
$KerberosAuthenticator.Add("CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosAuthenticator.Add("CName_NameType",[Byte[]](0x01))
$KerberosAuthenticator.Add("CName_CNameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) +
$cname_length2 + [Byte[]](0x1b) + $cname_length)
$KerberosAuthenticator.Add("CName_CNameString",$Username)
$KerberosAuthenticator.Add("CKSum_Encoding",[Byte[]](0xa3,0x25,0x30,0x23,0xa0,0x05,0x02,0x03))
$KerberosAuthenticator.Add("CKSum_CKSumType",[Byte[]](0x00,0x80,0x03))
$KerberosAuthenticator.Add("CKSum_Length_Encoding",[Byte[]](0xa1,0x1a,0x04,0x18))
$KerberosAuthenticator.Add("CKSum_Length",[Byte[]](0x10,0x00,0x00,0x00))
$KerberosAuthenticator.Add("CKSum_Bnd",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
$KerberosAuthenticator.Add("CKSum_Flags",[Byte[]](0x36,0x01,0x00,0x00))
$KerberosAuthenticator.Add("CKSum_CUSec_Encoding",[Byte[]](0xa4,0x05,0x02,0x03))
$KerberosAuthenticator.Add("CKSum_CUSec",(Get-KerberosMicrosecond))
$KerberosAuthenticator.Add("CKSum_CTime_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f))
$KerberosAuthenticator.Add("CKSum_CTime",(Get-KerberosTimestampUTC))
$KerberosAuthenticator.Add("CKSum_Subkey_Encoding",[Byte[]](0xa6) + $subkey_length4 + [Byte[]](0x30) + $subkey_length3)
$KerberosAuthenticator.Add("CKSum_Subkey_KeyType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
$KerberosAuthenticator.Add("CKSum_Subkey_KeyType",[Byte[]](0x12))
$KerberosAuthenticator.Add("CKSum_Subkey_KeyValue_Encoding",[Byte[]](0xa1) + $subkey_length2 + [Byte[]](0x04) + $subkey_length)
$KerberosAuthenticator.Add("CKSum_Subkey_KeyValue",$SubKey)
$KerberosAuthenticator.Add("CKSum_SEQNumber_Encoding",[Byte[]](0xa7,0x06,0x02,0x04))
$KerberosAuthenticator.Add("CKSum_SEQNumber",$SequenceNumber)
return $KerberosAuthenticator
}
function Get-KerberosTimestampUTC
{
[DateTime]$timestamp = (Get-Date).ToUniversalTime()
[String]$timestamp = ("{0:u}" -f $timestamp) -replace "-","" -replace " ","" -replace ":",""
[Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp)
return $timestamp
}
function Get-KerberosMicrosecond
{
[Int]$microseconds = Get-Date -Format ffffff
[Byte[]]$microseconds = [System.Bitconverter]::GetBytes($microseconds)[0..2]
return $microseconds
}
function Protect-KerberosAES256CTS
{
param([Byte[]]$ke_key,[Byte[]]$data)
$AES = New-Object "System.Security.Cryptography.AesManaged"
$AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
$AES.IV = $IV
$AES.KeySize = 256
$AES.Key = $ke_key
$AES_encryptor = $AES.CreateEncryptor()
$data_encrypted = $AES_encryptor.TransformFinalBlock($data,0,$data.Length)
$block_count = [Math]::Ceiling($data_encrypted.Count / 16)
if($block_count -gt 2)
{
$data_encrypted = $data_encrypted[0..($data_encrypted.Count - 33)] + $data_encrypted[($data_encrypted.Count - 16)..$data_encrypted.Count] +
$data_encrypted[($data_encrypted.Count - 32)..($data_encrypted.Count - 17)]
}
elseif($blocks -eq 2)
{
$data_encrypted = $data_encrypted[16..31] + $data_encrypted[0..15]
}
$final_block_length = [Math]::Truncate($data.Count % 16)
if($final_block_length -ne 0)
{
$remove_count = 16 - $final_block_length
$data_encrypted = $data_encrypted[0..($data_encrypted.Count - $remove_count - 1)]
}
return $data_encrypted
}
# TCPClient Kerberos end
function Get-KerberosHMACSHA1
{
param([Byte[]]$key,[Byte[]]$data)
$HMAC_SHA1 = New-Object System.Security.Cryptography.HMACSHA1
$HMAC_SHA1.key = $key
$hash = $HMAC_SHA1.ComputeHash($data)
$hash = $hash[0..11]
return $hash
}
function Get-ASN1LengthArray
{
param([Int]$Length)
[Byte[]]$asn1 = [System.BitConverter]::GetBytes($Length)
if($asn1[1] -eq 0)
{
$asn1 = $asn1[0]
}
else
{
$asn1 = $asn1[1,0]
}
return $asn1
}
function Get-ASN1LengthArrayLong
{
param([Int]$Length)
[Byte[]]$asn1 = [System.BitConverter]::GetBytes($Length)
if($asn1[1] -eq 0)
{
$asn1 = $asn1[0]
$asn1 = [Byte[]]0x81 + $asn1
}
else
{
$asn1 = $asn1[1,0]
$asn1 = [Byte[]]0x82 + $asn1
}
return $asn1
}
function New-RandomByteArray
{
param([Int]$Length,[Int]$Minimum=1,[Int]$Maximum=255)
[String]$random = [String](1..$Length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $Minimum -Maximum $Maximum)})
[Byte[]]$random = $random.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
return $random
}
function New-DNSNameArray
{
param([String]$Name)
$character_array = $Name.ToCharArray()
[Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'}
if($index_array.Count -gt 0)
{
$name_start = 0
ForEach ($index in $index_array)
{
$name_end = $index - $name_start
[Byte[]]$name_array += $name_end
[Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start,$name_end))
$name_start = $index + 1
}
[Byte[]]$name_array += ($Name.Length - $name_start)
[Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start))
}
else
{
[Byte[]]$name_array = $Name.Length
[Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start))
}
return $name_array
}
function New-PacketDNSQuery
{
param([String]$Name,[String]$Type)
switch ($Type)
{
'A'
{[Byte[]]$type = 0x00,0x01}
'AAAA'
{[Byte[]]$type = 0x00,0x1c}
'CNAME'
{[Byte[]]$type = 0x00,0x05}
'MX'
{[Byte[]]$type = 0x00,0x0f}
'PTR'
{[Byte[]]$type = 0x00,0x0c}
'SRV'
{[Byte[]]$type = 0x00,0x21}
'TXT'
{[Byte[]]$type = 0x00,0x10}
}
[Byte[]]$name = (New-DNSNameArray $Name) + 0x00
[Byte[]]$length = [System.BitConverter]::GetBytes($Name.Count + 16)[1,0]
[Byte[]]$transaction_ID = New-RandomByteArray 2
$DNSQuery = New-Object System.Collections.Specialized.OrderedDictionary
$DNSQuery.Add("Length",$length)
$DNSQuery.Add("TransactionID",$transaction_ID)
$DNSQuery.Add("Flags",[Byte[]](0x01,0x00))
$DNSQuery.Add("Questions",[Byte[]](0x00,0x01))
$DNSQuery.Add("AnswerRRs",[Byte[]](0x00,0x00))
$DNSQuery.Add("AuthorityRRs",[Byte[]](0x00,0x00))
$DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x00))
$DNSQuery.Add("Queries_Name",$name)
$DNSQuery.Add("Queries_Type",$type)
$DNSQuery.Add("Queries_Class",[Byte[]](0x00,0x01))
return $DNSQuery
}
function New-PacketDNSQueryTKEY
{
param([Byte[]]$Name,[byte[]]$Type,[Byte[]]$APReq)
[Byte[]]$transaction_ID = New-RandomByteArray 2
if($APReq)
{
$mechtoken_length = Get-ASN1LengthArrayLong ($APReq.Count)
$mechtoken_length2 = Get-ASN1LengthArrayLong ($APReq.Count + $mechtoken_length.Count + 1)
$innercontexttoken_length = Get-ASN1LengthArrayLong ($APReq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + 17) # 31
$innercontexttoken_length2 = Get-ASN1LengthArrayLong ($APReq.Count + $mechtoken_length.Count + $mechtoken_length2.Count +
$innercontexttoken_length.Count + 18)
$spnego_length = Get-ASN1LengthArrayLong ($APReq.Count + $mechtoken_length.Count + $mechtoken_length2.Count +
$innercontexttoken_length.Count + $innercontexttoken_length2.Count + 27)
$grouped_length = $APReq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + $innercontexttoken_length.Count +
$innercontexttoken_length2.Count + $spnego_length.Count + 25
$key_size = [System.BitConverter]::GetBytes($grouped_length + 3)[1,0]
$RD_length = [System.BitConverter]::GetBytes($grouped_length + $key_size.Count + 27)[1,0]
$inception = [int64](([datetime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds
$inception = [System.BitConverter]::GetBytes($inception)
$inception = $inception[3..0]
}
if($APReq)
{
[Byte[]]$length = [System.BitConverter]::GetBytes($grouped_length + $Name.Count + 57)[1,0]
}
else
{
[Byte[]]$length = [System.BitConverter]::GetBytes($Name.Count + 16)[1,0]
}
$DNSQueryTKEY = New-Object System.Collections.Specialized.OrderedDictionary
$DNSQueryTKEY.Add("Length",$length)
$DNSQueryTKEY.Add("TransactionID",$transaction_ID)
$DNSQueryTKEY.Add("Flags",[Byte[]](0x00,0x00))
$DNSQueryTKEY.Add("Questions",[Byte[]](0x00,0x01))
$DNSQueryTKEY.Add("AnswerRRs",[Byte[]](0x00,0x00))
$DNSQueryTKEY.Add("AuthorityRRs",[Byte[]](0x00,0x00))
if($apreq)
{
$DNSQueryTKEY.Add("AdditionalRRs",[Byte[]](0x00,0x01))
}
else
{
$DNSQueryTKEY.Add("AdditionalRRs",[Byte[]](0x00,0x00))
}
$DNSQueryTKEY.Add("Queries_Name",$Name)
$DNSQueryTKEY.Add("Queries_Type",$Type)
$DNSQueryTKEY.Add("Queries_Class",[Byte[]](0x00,0xff))
if($apreq)
{
$DNSQueryTKEY.Add("Queries_AdditionalRecords_Name",[Byte[]](0xc0,0x0c))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_Type",[Byte[]](0x00,0xf9))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_Class",[Byte[]](0x00,0xff))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RDLength",$RD_length)
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_Algorithm",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_Inception",$inception)
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_Expiration",$inception)
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_Mode",[Byte[]](0x00,0x03))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_Error",[Byte[]](0x00,0x00))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_KeySize",$key_size)
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_SPNego_Encoding",[Byte[]](0x60) + $spnego_length)
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_SPNego_ThisMech",[Byte[]](0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_Encoding",[Byte[]](0xa0) + $innercontexttoken_length2 + [Byte[]](0x30) +
$innercontexttoken_length)
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechTypes_Encoding",[Byte[]](0xa0,0x0d,0x30,0x0b))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechType0",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02))
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Encoding",[Byte[]](0xa2) + $mechtoken_length2 + [Byte[]](0x04) +
$mechtoken_length)
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Token",$APReq)
$DNSQueryTKEY.Add("Queries_AdditionalRecords_RData_OtherSize",[Byte[]](0x00,0x00))
}
return $DNSQueryTKEY
}
function New-PacketDNSUpdate
{
param([Byte[]]$TransactionID,[String]$Zone,[String]$Name,[String]$Type,[Int]$TTL,[Int]$Preference,[Int]$Priority,[Int]$Weight,[Int]$Port,[String]$Data,[Byte[]]$TimeSigned,[Byte[]]$TKeyname,[Byte[]]$MAC)
if($Data)
{
$add = $true
[Byte[]]$class = 0x00,0x01
}
else
{
[Byte[]]$class = 0x00,0xff
$TTL = 0
}
switch ($Type)
{
'A'
{
[Byte[]]$type = 0x00,0x01
if($Data -and [Bool]($Data -as [System.Net.IPAddress]))
{
[Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$Data)).GetAddressBytes()
}
elseif($Data)
{
[Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($Data)
}
}
'AAAA'
{
[Byte[]]$type = 0x00,0x1c
if($Data -and [Bool]($Data -as [System.Net.IPAddress]))
{
[Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$Data)).GetAddressBytes()
}
elseif($Data)
{
[Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($Data)
}
}
'CNAME'
{
[Byte[]]$type = 0x00,0x05
if($Data -and [Bool]($Data -as [System.Net.IPAddress]))
{
[Byte[]]$data = (New-DNSNameArray $Data) + 0x00
}
elseif($Data)
{
[Byte[]]$data = (New-DNSNameArray ($Data -replace ('.' + $Zone),'')) + 0xc0,0x0c
}
}
'MX'
{
$MX = $true
[Byte[]]$type = 0x00,0x0f
if($Data)
{
$extra_length = 2
[Byte[]]$preference = [System.Bitconverter]::GetBytes($Preference)[1,0]
}
if($Data -and [Bool]($Data -as [System.Net.IPAddress]))
{
[Byte[]]$data = (New-DNSNameArray $Data) + 0x00
}
elseif($Data)
{
[Byte[]]$data = (New-DNSNameArray ($Data -replace ('.' + $Zone),'')) + 0xc0,0x0c
}
}
'PTR'
{
[Byte[]]$type = 0x00,0x0c
if($Data)
{
[Byte[]]$data = (New-DNSNameArray $Data) + 0x00
}
}
'SRV'
{
$SRV = $true
[Byte[]]$type = 0x00,0x21
if($Data)
{
[Byte[]]$priority = [System.Bitconverter]::GetBytes($Priority)[1,0]
[Byte[]]$weight = [System.Bitconverter]::GetBytes($Weight)[1,0]
[Byte[]]$port = [System.Bitconverter]::GetBytes($Port)[1,0]
$extra_length = 6
[Byte[]]$data = (New-DNSNameArray $Data) + 0x00
}
}
'TXT'
{
$TXT = $true
[Byte[]]$type = 0x00,0x10
[Byte[]]$TXT_length = [System.BitConverter]::GetBytes($Data.Length)[0]
if($Data)
{
$extra_length = 1
[Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($Data)
}
}
}
if($Name -eq $Zone)
{
[Byte[]]$name = 0xc0,0x0c
}
else
{
[Byte[]]$name = (New-DNSNameArray ($Name -replace ('.' + $Zone),'')) + 0xc0,0x0c
}
[Byte[]]$Zone = (New-DNSNameArray $Zone) + 0x00
[Byte[]]$TTL = [System.Bitconverter]::GetBytes($TTL)[3..0]
[Byte[]]$data_length = [System.BitConverter]::GetBytes($data.Length + $extra_length)[1,0]
if($MAC)
{
[Byte[]]$length = [System.BitConverter]::GetBytes($Zone.Count + $name.Count + $data.Length + $TKeyname.Count + $MAC.Count + 62 + $extra_length)[1,0]
}
elseif(!$TKeyname)
{
[Byte[]]$length = [System.BitConverter]::GetBytes($Zone.Count + $name.Count + $data.Length + 26 + $extra_length)[1,0]
}
$DNSUpdate = New-Object System.Collections.Specialized.OrderedDictionary
if(!$TKeyname -or $MAC)
{
$DNSUpdate.Add("Length",$length)
}
$DNSUpdate.Add("TransactionID",$TransactionID)
$DNSUpdate.Add("Flags",[Byte[]](0x28,0x00))
$DNSUpdate.Add("Zones",[Byte[]](0x00,0x01))
$DNSUpdate.Add("Prerequisites",[Byte[]](0x00,0x00))
$DNSUpdate.Add("Updates",[Byte[]](0x00,0x01))
if($MAC)
{
$DNSUpdate.Add("AdditionalRRs",[Byte[]](0x00,0x01))
}
else
{
$DNSUpdate.Add("AdditiionalRRs",[Byte[]](0x00,0x00))
}
$DNSUpdate.Add("Zone_Name",$Zone)
$DNSUpdate.Add("Zone_Type",[Byte[]](0x00,0x06))
$DNSUpdate.Add("Zone_Class",[Byte[]](0x00,0x01))
$DNSUpdate.Add("Updates_Name",$name)
$DNSUpdate.Add("Updates_Type",$type)
$DNSUpdate.Add("Updates_Class",$class)
$DNSUpdate.Add("Updates_TTL",$TTL)
$DNSUpdate.Add("Updates_DataLength",$data_length)
if($MX)
{
$DNSUpdate.Add("Updates_TXTLength",$preference)
}
if($TXT -and $add)
{
$DNSUpdate.Add("Updates_TXTLength",$TXT_length)
}
if($SRV -and $add)
{
$DNSUpdate.Add("Updates_Priority",$priority)
$DNSUpdate.Add("Updates_Weight",$weight)
$DNSUpdate.Add("Updates_Port",$port)
}
if($add)
{
$DNSUpdate.Add("Updates_Address",$data)
}
if($TKeyname)
{
$DNSUpdate.Add("AdditionalRecords_Name",$TKeyname)
if($MAC)
{
$DNSUpdate.Add("AdditionalRecords_Type",[Byte[]](0x00,0xfa))
}
$DNSUpdate.Add("AdditionalRecords_Class",[Byte[]](0x00,0xff))
$DNSUpdate.Add("AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00))
if($MAC)
{
$DNSUpdate.Add("AdditionalRecords_DataLength",[Byte[]](0x00,0x36))
}
$DNSUpdate.Add("AdditionalRecords_AlgorithmName",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00))
$DNSUpdate.Add("AdditionalRecords_TimeSigned",$TimeSigned)
$DNSUpdate.Add("AdditionalRecords_Fudge",[Byte[]](0x01,0x2c))
if($MAC)
{
$DNSUpdate.Add("AdditionalRecords_MACSize",[Byte[]](0x00,0x1c))
$DNSUpdate.Add("AdditionalRecords_MAC",$MAC)
$DNSUpdate.Add("AdditionalRecords_OriginalID",$TransactionID)
}
$DNSUpdate.Add("AdditionalRecords_Error",[Byte[]](0x00,0x00))
$DNSUpdate.Add("AdditionalRecords_OtherLength",[Byte[]](0x00,0x00))
}
return $DNSUpdate
}
function New-PacketDNSUpdateMAC
{
param([Byte[]]$Flags,[Byte[]]$SequenceNumber,[Byte[]]$Checksum)
$DNSUpdateMAC = New-Object System.Collections.Specialized.OrderedDictionary
$DNSUpdateMAC.Add("DNSUpdateMAC_TokenID",[Byte[]](0x04,0x04))
$DNSUpdateMAC.Add("DNSUpdateMAC_Flags",$Flags)
$DNSUpdateMAC.Add("DNSUpdateMAC_Filler",[Byte[]](0xff,0xff,0xff,0xff,0xff))
$DNSUpdateMAC.Add("DNSUpdateMAC_SequenceNumber",[Byte[]](0x00,0x00,0x00,0x00) + $SequenceNumber)
if($Checksum)
{
$DNSUpdateMAC.Add("DNSUpdateMAC_Checksum",$Checksum)
}
return $DNSUpdateMAC
}
function Get-DNSUpdateResponseStatus
{
param([Byte[]]$DNSClientReceive)
$DNS_response_flags = [System.BitConverter]::ToString($DNSClientReceive[4..5])
$DNS_response_flags = $DNS_response_flags -replace "-",""
switch ($DNS_response_flags)
{
'A800' {$DNS_update_response_status = "[+] DNS update successful"}
'A801' {$DNS_update_response_status = ("[-] format error 0x" + $DNS_response_flags)}
'A802' {$DNS_update_response_status = ("[-] failed to complete 0x" + $DNS_response_flags)}
'A804' {$DNS_update_response_status = ("[-] not implemented 0x" + $DNS_response_flags)}
'A805' {$DNS_update_response_status = ("[-] update refused 0x" + $DNS_response_flags)}
Default {$DNS_update_response_status = ("[-] DNS update was not successful 0x" + $DNS_response_flags)}
}
return $DNS_update_response_status
}
if($RecordCheck)
{
if($DNSType -ne 'MX' -and $DNSName -notlike '*.*')
{
$query_name = $DNSName + "." + $Zone
}
else
{
$query_name = $DNSName
}
$DNS_client = New-Object System.Net.Sockets.TCPClient
$DNS_client.Client.ReceiveTimeout = 3000
try
{
$DNS_client.Connect($DomainController,"53")
$DNS_client_stream = $DNS_client.GetStream()
$DNS_client_receive = New-Object System.Byte[] 2048
$packet_DNSQuery = New-PacketDNSQuery $query_name $DNSType
[Byte[]]$DNS_client_send = ConvertFrom-PacketOrderedDictionary $packet_DNSQuery
$DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
$DNS_client_stream.Flush()
$DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
$DNS_client.Close()
$DNS_client_stream.Close()
if($DNS_client_receive[9] -ne 0)
{
$DNS_record_exists = $true
Write-Output "[-] $DNSName of record type $DNSType already exists"
}
}
catch
{
Write-Output "[-] $DomainController did not respond on TCP port 53"
}
}
if(!$RecordCheck -or ($RecordCheck -and !$DNS_record_exists))
{
$DNS_client = New-Object System.Net.Sockets.TCPClient
$DNS_client.Client.ReceiveTimeout = 3000
if($Security -ne 'Secure')
{
try
{
$DNS_client.Connect($DomainController,"53")
}
catch
{
Write-Output "$DomainController did not respond on TCP port 53"
}
if($DNS_client.Connected)
{
$DNS_client_stream = $DNS_client.GetStream()
$DNS_client_receive = New-Object System.Byte[] 2048
[Byte[]]$transaction_id = New-RandomByteArray 2
$packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $Zone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData
[Byte[]]$DNSUpdate = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
$DNS_client_send = $DNSUpdate
$DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
$DNS_client_stream.Flush()
$DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
$DNS_update_response_status = Get-DNSUpdateResponseStatus $DNS_client_receive
Write-Output $DNS_update_response_status
$DNS_client.Close()
$DNS_client_stream.Close()
}
}
if($Security -eq 'Secure' -or ($Security -eq 'Auto' -and $DNS_update_response_status -like '*0xA805'))
{
$tkey = "6" + ((0..9) | Get-Random -Count 2) + "-ms-7.1-" + ((0..9) | Get-Random -Count 4) + "." + ((0..9) | Get-Random -Count 8) +
"-" + ((0..9) | Get-Random -Count 4) + "-11e7-" + ((0..9) | Get-Random -Count 4) + "-000c296694e0"
$tkey = $tkey -replace " ",""
Write-Verbose "[+] TKEY name $tkey"
[Byte[]]$tkey_name = [System.Text.Encoding]::UTF8.GetBytes($tkey)
$tkey_name = [Byte[]]0x08 + $tkey_name + 0x00
$tkey_name[9] = 0x06
$tkey_name[16] = 0x24
if($kerberos_tcpclient)
{
$kerberos_client = New-Object System.Net.Sockets.TCPClient
$kerberos_client.Client.ReceiveTimeout = 3000
$domain_controller = [System.Text.Encoding]::UTF8.GetBytes($DomainController)
$kerberos_username = [System.Text.Encoding]::UTF8.GetBytes($Username)
$kerberos_realm = [System.Text.Encoding]::UTF8.GetBytes($Realm)
try
{
$kerberos_client.Connect($DomainController,"88")
}
catch
{
Write-Output "$DomainController did not respond on TCP port 88"
}
}
if(!$kerberos_tcpclient -or $kerberos_client.Connected)
{
if($kerberos_tcpclient)
{
if($Hash)
{
$base_key = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-"
$base_key = $base_key.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
}
else
{
$base_key = Get-KerberosAES256BaseKey $salt $password
}
$ke_key = Get-KerberosAES256UsageKey encrypt 1 $base_key
$ki_key = Get-KerberosAES256UsageKey integrity 1 $base_key
$nonce = New-RandomByteArray 4
$kerberos_client_stream = $kerberos_client.GetStream()
$kerberos_client_receive = New-Object System.Byte[] 2048
$packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce
$AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ
$kerberos_client_send = $AS_REQ
$kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null
$kerberos_client_stream.Flush()
$kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null
[Byte[]]$PAC_Timestamp = New-KerberosPACTimestamp $ke_key
[Byte[]]$PAC_ENC_Timestamp = Protect-KerberosAES256CTS $ke_key $PAC_Timestamp
[Byte[]]$PAC_Timestamp_Signature = Get-KerberosHMACSHA1 $ki_key $PAC_Timestamp
$packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce $PAC_ENC_Timestamp $PAC_Timestamp_Signature
$AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ
$kerberos_client_send = $AS_REQ
$kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null
$kerberos_client_stream.Flush()
$kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null
$asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive)
$asrep_payload = $asrep_payload -replace "-",""
$kerberos_client.Close()
$kerberos_client_stream.Close()
}
else
{
try
{
$Null = [System.Reflection.Assembly]::LoadWithPartialName("System.IdentityModel")
if($username -or $Credential)
{
if(!$Credential)
{
$Credential = New-Object System.Management.Automation.PSCredential ($username,$Password)
}
$network_creds = $Credential.GetNetworkCredential()
$network_creds.Domain = $domain
$token = New-Object System.IdentityModel.Selectors.KerberosSecurityTokenProvider ("DNS/$DomainController",[System.Security.Principal.TokenImpersonationLevel]::Impersonation,$network_creds)
$ticket = $token.GetToken([System.TimeSpan]::FromMinutes(1))
}
else
{
$ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ("DNS/$DomainController")
}
$asrep_key = $ticket.SecurityKey.GetSymmetricKey()
$kerberos_client_receive = $Ticket.GetRequest()
$asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive)
$asrep_payload = $asrep_payload -replace "-",""
}
catch
{
$auth_success = $false
}
}
if($asrep_key -or ($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302010B*'))
{
Write-Verbose "[+] Kerberos preauthentication successful"
$auth_success = $true
}
elseif($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302011E*')
{
Write-Output ("[-] Kerberos preauthentication error 0x" + $asrep_payload.Substring(96,2))
$auth_success = $false
}
else
{
Write-Output "[-] Kerberos authentication failure"
$auth_success = $false
}
if($auth_success)
{
$ticket_index = $asrep_payload.IndexOf("A003020112A1030201")
$ticket_kvno = $kerberos_client_receive[($ticket_index / 2 + 9)]
if($asrep_payload.Substring($ticket_index + 22,2) -eq '82')
{
$ticket_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($ticket_index / 2 + 13)..($ticket_index / 2 + 12)],0)) - 4
}
else
{
$ticket_length = $kerberos_client_receive[($ticket_index / 2 + 12)] - 3
}
$ticket = $Kerberos_client_receive[($ticket_index / 2 + 18)..($ticket_index/2 + 17 + $ticket_length)]
if($kerberos_tcpclient)
{
$cipher_index = $asrep_payload.Substring($ticket_index + 1).IndexOf("A003020112A1030201") + $ticket_index + 1
if($asrep_payload.Substring($cipher_index + 22,2) -eq '82')
{
$cipher_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($cipher_index / 2 + 13)..($cipher_index / 2 + 12)],0)) - 4
}
else
{
$cipher_length = $kerberos_client_receive[($cipher_length / 2 + 12)] - 3
}
$cipher = $kerberos_client_receive[($cipher_index / 2 + 18)..($cipher_index / 2 + 17 + $cipher_length)]
$ke_key = Get-KerberosAES256UsageKey encrypt 3 $base_key
$asrep_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)]
$kerberos_session_key = $asrep_cleartext[37..68]
$ke_key = Get-KerberosAES256UsageKey encrypt 11 $kerberos_session_key
$ki_key = Get-KerberosAES256UsageKey integrity 11 $kerberos_session_key
[Byte[]]$subkey = New-RandomByteArray 32
[Byte[]]$sequence_number = New-RandomByteArray 4
$packet_authenticator = New-KerberosAuthenticator $kerberos_realm $kerberos_username $subkey $sequence_number
[Byte[]]$authenticator = ConvertFrom-PacketOrderedDictionary $packet_authenticator
$authenticator = (New-RandomByteArray 16) + $authenticator
$authenticator_encrypted = Protect-KerberosAES256CTS $ke_key $authenticator
$authenticator_signature = Get-KerberosHMACSHA1 $ki_key $authenticator
$packet_apreq = New-PacketKerberosAPREQ $kerberos_realm $domain_controller $ticket_kvno $ticket $authenticator_encrypted $authenticator_signature
[Byte[]]$apreq = ConvertFrom-PacketOrderedDictionary $packet_apreq
[Byte[]]$mac_flags = 0x04
}
else
{
[Byte[]]$apreq = $kerberos_client_receive
[Byte[]]$mac_flags = 0x00
}
$packet_DNSQuery = New-PacketDNSQueryTKEY $tkey_name 0x00,0xf9 $apreq
$DNSQueryTKEY = ConvertFrom-PacketOrderedDictionary $packet_DNSQuery
$DNS_client = New-Object System.Net.Sockets.TCPClient
$DNS_client.Client.ReceiveTimeout = 3000
try
{
$DNS_client.Connect($DomainController,"53")
}
catch
{
Write-Output "$DomainController did not respond on TCP port 53"
}
if($DNS_client.Connected)
{
$DNS_client_stream = $DNS_client.GetStream()
$DNS_client_receive = New-Object System.Byte[] 2048
$DNS_client_send = $DNSQueryTKEY
$DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
$DNS_client_stream.Flush()
$DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
$tkey_payload = [System.BitConverter]::ToString($DNS_client_receive)
$tkey_payload = $tkey_payload -replace "-",""
if($tkey_payload.Substring(8,4) -eq '8000')
{
Write-Verbose "[+] Kerberos TKEY query successful"
$TKEY_success = $true
}
else
{
Write-Output ("[-] Kerberos TKEY query error 0x" + $tkey_payload.Substring(8,4))
$TKEY_success = $false
}
if($TKEY_success)
{
if($kerberos_tcpclient)
{
$cipher_index = $tkey_payload.IndexOf("A003020112A2")
$cipher_length = $DNS_client_receive[($cipher_index / 2 + 8)]
$cipher = $DNS_client_receive[($cipher_index / 2 + 9)..($cipher_index / 2 + 8 + $cipher_length)]
$ke_key = Get-KerberosAES256UsageKey encrypt 12 $kerberos_session_key
$tkey_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)]
$acceptor_subkey = $tkey_cleartext[59..90]
}
else
{
$sequence_index = $tkey_payload.IndexOf("FFFFFFFFFF00000000")
$sequence_number = $DNS_client_receive[($sequence_index / 2 + 9)..($sequence_index / 2 + 12)]
$acceptor_subkey = $asrep_key
}
$kc_key = Get-KerberosAES256UsageKey checksum 25 $acceptor_subkey
$time_signed = [Int](([DateTime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds
$time_signed = [System.BitConverter]::GetBytes($time_signed)
$time_signed = 0x00,0x00 + $time_signed[3..0]
[Byte[]]$transaction_id = New-RandomByteArray 2
$packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $Zone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name
[Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
$packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number
[Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC
$DNSUpdateTSIG += $DNSUpdateMAC
$checksum = Get-KerberosHMACSHA1 $kc_key $DNSUpdateTSIG
$packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number $checksum
[Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC
$packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $Zone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name $DNSUpdateMAC
[Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
$DNS_client_send = $DNSUpdateTSIG
$DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
$DNS_client_stream.Flush()
$DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
$DNS_update_response_status = Get-DNSUpdateResponseStatus $DNS_client_receive
Write-Output $DNS_update_response_status
$DNS_client.Close()
$DNS_client_stream.Close()
}
}
}
}
}
}
}