Lerch Web Wiki

Random, erratic, no responsibility is taken for the correctness of this information


Hunting down DES in order to securely deploy Kerberos

Hunting down DES in order to securely deploy Kerberos

Get-KerberosEvents.ps1
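<#
.SYNOPSIS
    Finds Kerberos ticket requests (events 4768/4769) that used a DES encryption type.
.DESCRIPTION
    Queries the Security log of the local machine (default), of the domain's replica
    directory servers (-Domain) or of an explicit host list (-Computer) for events
    4768 (TGT request) and 4769 (TGS request) created within the last -Seconds seconds,
    and returns only those whose ticket encryption type is des-cbc-crc, des-cbc-md4 or
    des-cbc-md5. Use it to locate remaining DES consumers before DES is switched off.
.PARAMETER Domain
    Query every server listed in (Get-ADDomain).ReplicaDirectoryServers.
.PARAMETER Computer
    One or more computer names to query over PowerShell remoting.
.PARAMETER Seconds
    Look-back window in seconds (default 60). Must be positive.
.PARAMETER Export
    Append the results to .\DES-Events.csv instead of writing them to the pipeline.
.EXAMPLE
    .\Get-KerberosEvents.ps1 -Domain -Seconds 3600 -Verbose
#>
[cmdletbinding(DefaultParameterSetName='local')]
param(
   [Parameter(ParameterSetName='Domain')][switch]$Domain,
   # Typed as [string[]] so a single name and a list both bind cleanly to -ComputerName.
   [Parameter(ParameterSetName='List')][string[]]$Computer,
   # The window becomes the timediff bound of the XPath filter; zero or negative values
   # would silently match nothing, so they are rejected up front.
   [Parameter(ParameterSetName='local')][Parameter(ParameterSetName='Domain')][Parameter(ParameterSetName='List')]
   [ValidateRange(1, 9223372036854775807)][long]$Seconds=60,
   [Parameter(ParameterSetName='local')][Parameter(ParameterSetName='Domain')][Parameter(ParameterSetName='List')][switch]$Export
)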
 
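$start = Get-Date

# timediff(@SystemTime) in an event-log XPath filter is measured in milliseconds,
# so the look-back window given in seconds is multiplied by 1000.
# Reference values: 3600000 = 1h, 600000 = 10m, 60000 = 1m.
$TimeToCheck = $Seconds * 1000

# 4768 = Kerberos authentication ticket (TGT) requested,
# 4769 = Kerberos service ticket (TGS) requested.
# $TimeToCheck is a number derived from the [long] parameter, so interpolating it
# into the query cannot add predicates to the XPath expression.
$xmlFilter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4768 or EventID=4769) and TimeCreated[timediff(@SystemTime) &lt;= $TimeToCheck]]]</Select>
  </Query>
</QueryList>
"@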
 
# Kerberos encryption type numbers, as carried in the TicketEncryptionType field of
# events 4768/4769, mapped to their names. Keys are written in hex to match the
# hex form shown in the event XML. Types 1-3 are the single-DES types this script
# reports; rc4-hmac (0x17) is likewise deprecated (RFC 8429) but not filtered on here.
$htDigests = [ordered]@{
    0x1  = 'des-cbc-crc'                    # DES, reported
    0x2  = 'des-cbc-md4'                    # DES, reported
    0x3  = 'des-cbc-md5'                    # DES, reported
    0x4  = '[reserved]'
    0x5  = 'des3-cbc-md5'
    0x6  = '[reserved]'
    0x7  = 'des3-cbc-sha1'
    0x9  = 'dsaWithSHA1-CmsOID'
    0xa  = 'md5WithRSAEncryption-CmsOID'
    0xb  = 'sha1WithRSAEncryption-CmsOID'
    0xc  = 'rc2CBC-EnvOID'
    0xd  = 'rsaEncryption-EnvOID'
    0xe  = 'rsaES-OAEP-ENV-OID'
    0xf  = 'des-ede3-cbc-Env-OID'
    0x10 = 'des3-cbc-sha1-kd'
    0x11 = 'aes128-cts-hmac-sha1-96'
    0x12 = 'aes256-cts-hmac-sha1-96'
    0x17 = 'rc4-hmac'
    0x18 = 'rc4-hmac-exp'
    0x41 = 'subkey-keymaterial'
}
 
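# Collector script block. It runs inside a job on the queried host (Start-Job for the
# local machine, Invoke-Command for remote hosts); $using: copies $xmlFilter and
# $htDigests from the calling scope into the job.
# Output: one object per 4768/4769 event whose ticket encryption type is single DES,
# with the properties Request, User, ServiceName, DigestID, DigestName, IpAddress.
$sb = {
    try {
        $CollectedEvents = @(Get-WinEvent -FilterXml $using:xmlFilter -ErrorAction SilentlyContinue)
    }
    catch {
        # Get-WinEvent raises when nothing matches the filter; that is an empty result here.
        $CollectedEvents = @()
    }

    # Rebuild the name table as a plain hashtable keyed by [int]. An [ordered]
    # dictionary indexes by position when given an integer, and a hashtable compares
    # key types strictly, so looking it up with the raw property value (which may
    # arrive as UInt32 -- TODO confirm) is unreliable.
    $digestNames = @{}
    foreach ($entry in ($using:htDigests).GetEnumerator()) {
        $digestNames[[int]$entry.Key] = $entry.Value
    }

    # Single-DES encryption types: des-cbc-crc (1), des-cbc-md4 (2), des-cbc-md5 (3).
    # Add 0x17 (rc4-hmac) here to extend the hunt to RC4.
    $desTypes = @(1, 2, 3)

    foreach ($KerberosEvent in $CollectedEvents) {
        # EventData offsets differ between the two events:
        #   4768: TargetUserName=0, ServiceName=3, TicketEncryptionType=7, IpAddress=9
        #   4769: TargetUserName=0, ServiceName=2, TicketEncryptionType=5, IpAddress=6
        if ($KerberosEvent.Id -eq 4768) {
            $request = 'TGT'; $svcIdx = 3; $encIdx = 7; $ipIdx = 9
        }
        elseif ($KerberosEvent.Id -eq 4769) {
            $request = 'TGS'; $svcIdx = 2; $encIdx = 5; $ipIdx = 6
        }
        else {
            # The XPath filter only selects 4768/4769; anything else is skipped.
            continue
        }

        $props   = $KerberosEvent.Properties
        $encType = $props[$encIdx].Value
        if (-not ([int]$encType -in $desTypes)) { continue }

        [pscustomobject]@{
            Request     = $request
            User        = $props[0].Value
            ServiceName = $props[$svcIdx].Value
            DigestID    = $encType
            DigestName  = $digestNames[[int]$encType]
            # The client address is usually IPv4-mapped ("::ffff:a.b.c.d"); splitting on
            # ':' and taking the 4th piece yields the IPv4 address. A native IPv6 address
            # would come out truncated here -- TODO confirm whether IPv6 clients occur.
            IpAddress   = ($props[$ipIdx].Value -split ':')[3]
        }
    }
}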
 
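Write-Verbose "Using XML Filter`n$xmlFilter"

Write-Verbose $pscmdlet.ParameterSetName

Write-Verbose "Starting jobs"

# Resolve the target list first. 'local' runs the collector as a background job on
# this machine; the other two parameter sets dispatch the same script block over
# PowerShell remoting and therefore share one Invoke-Command call below.
$Computers = @()
switch ($pscmdlet.ParameterSetName)
{
    'local' {
        $job = Start-Job -ScriptBlock $sb
        break
    }
    'Domain' {
        Write-Verbose "Enumerating servers to query"
        # ReplicaDirectoryServers lists the writable DCs; read-only DCs
        # (ReadOnlyReplicaDirectoryServers) are not queried -- TODO confirm that is
        # acceptable for the hunt, since an RODC may log 4768/4769 for accounts it serves.
        $Computers = @((Get-ADDomain).ReplicaDirectoryServers)
        break
    }
    'List' {
        $Computers = @($Computer)
        break
    }
}

if ($pscmdlet.ParameterSetName -ne 'local') {
    # An empty target list would reach Invoke-Command as an empty -ComputerName and
    # fail with an unhelpful error; stop early with a clear message instead.
    if ($Computers.Count -eq 0) {
        throw "No computers to query for parameter set '$($pscmdlet.ParameterSetName)'"
    }
    Write-Verbose "Querying the following servers`n$Computers"
    $job = Invoke-Command -ComputerName $Computers -ScriptBlock $sb -AsJob
}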
 
 
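Write-Verbose "Job $($job.name) startet"
Write-Verbose "Create $(($job.ChildJobs).count) subjobs"
Write-Verbose "Waiting for completion"
# Wait-Job writes the job object to the pipeline; discard it, otherwise it is
# emitted as the first "result" ahead of the event records.
$null = Wait-Job $job

$KerberosEvents = @()

Write-Verbose "Jobs completed, getting data"

try {
    foreach ($subjob in $job.ChildJobs) {
        Write-Verbose "Receiving child job `n$subjob"
        # A host whose remoting session failed (WinRM unreachable, access denied, ...)
        # leaves its child job in the Failed state. Surface that as a warning: a DC
        # that could not be queried is a gap in the hunt, not an empty result.
        if ($subjob.State -eq 'Failed') {
            Write-Warning ("Error collecting events from {0}: {1}" -f $subjob.Location, $subjob.JobStateInfo.Reason)
            continue
        }
        # @() keeps a job with no output from contributing a $null element.
        $CollectedEvents = @(Receive-Job $subjob)
        Write-Verbose "Received $($CollectedEvents.Count) events"
        $KerberosEvents += $CollectedEvents
    }
}
finally {
    # Remove the job even if receiving one of the child jobs throws.
    Write-Verbose "Data received removing job"
    Remove-Job $job
}

If($Export){
    # Appends to DES-Events.csv in the current directory, not the script directory.
    # The file holds account names and client addresses; choose the location accordingly.
    $KerberosEvents | Export-Csv -Path .\DES-Events.csv -Delimiter ";" -Force -Append
}
else {
    $KerberosEvents
}

$end = Get-Date
Write-Verbose ("Check took {0}" -f ($end - $start))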