
Hunting down DES in order to securely deploy Kerberos

Hunting down DES in order to securely deploy Kerberos

Get-KerberosEvents.ps1
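<#
.SYNOPSIS
    Finds Kerberos ticket requests (events 4768 / 4769) that were served with a single-DES
    encryption type, so the accounts and hosts still depending on DES can be fixed before
    DES is switched off on the KDCs.
.DESCRIPTION
    Reads the Security log of the local machine (default), of every writable domain
    controller of the current domain (-Domain), or of an explicit list of computers
    (-Computer) for 4768 (TGT request) and 4769 (service ticket request) events created
    within the last -Seconds seconds. Only requests whose ticket encryption type is
    des-cbc-crc (0x1), des-cbc-md4 (0x2) or des-cbc-md5 (0x3) are returned.
    Remote hosts are queried through WinRM (Invoke-Command -AsJob); the local machine
    through a background job.
.PARAMETER Domain
    Query every server in (Get-ADDomain).ReplicaDirectoryServers. Needs the
    ActiveDirectory module and WinRM access to the domain controllers.
.PARAMETER Computer
    One or more computer names to query via WinRM instead of the local machine.
.PARAMETER Seconds
    Look-back window in seconds (default 60). Must be at least 1.
.PARAMETER Export
    Append the results to .\DES-Events.csv (semicolon-delimited) instead of writing them
    to the pipeline.
.OUTPUTS
    Objects with the properties Request, User, ServiceName, DigestID, DigestName and
    IpAddress, one per DES-encrypted ticket request.
#>
[cmdletbinding(DefaultParameterSetName='local')]
param(
   [Parameter(ParameterSetName='Domain')][switch]$Domain,
   # string[] so both a single name and an array bind; Invoke-Command accepts either.
   [Parameter(ParameterSetName='List')][string[]]$Computer,
   # A zero or negative window would turn the XPath timediff filter into "match nothing".
   [Parameter(ParameterSetName='local')][Parameter(ParameterSetName='Domain')][Parameter(ParameterSetName='List')][ValidateRange(1, [long]::MaxValue)][long]$Seconds=60,
   [Parameter(ParameterSetName='local')][Parameter(ParameterSetName='Domain')][Parameter(ParameterSetName='List')][Switch]$Export
)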
 
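$start = Get-Date

# timediff(@SystemTime) in the event-log XPath dialect is measured in milliseconds, so the
# look-back window is seconds * 1000. The previous multiplier of 10000 made "-Seconds 60"
# look back ten minutes, and the old hard-coded examples were off by the same factor
# (36000000 ms is 10 h, 6000000 ms is 100 min, 600000 ms is 10 min - not 1 h / 10 m / 1 m).
$TimeToCheck = $Seconds * 1000

# 4768 = TGT request (AS-REQ), 4769 = service ticket request (TGS-REQ); both carry the
# ticket encryption type in their EventData. Events older than $TimeToCheck ms are
# excluded by the log service itself, so nothing older crosses WinRM.
$xmlFilter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4768 or EventID=4769) and TimeCreated[timediff(@SystemTime) &lt;= $TimeToCheck]]]</Select>
  </Query>
</QueryList>
"@

# Kerberos encryption-type (etype) numbers as logged in TicketEncryptionType, mapped to
# their registered names. The variable name is historical: these are cipher suites, not
# message digests. The collector only reports 0x1-0x3 (single DES); the other entries are
# here so a row can be labelled if the filter is ever widened (e.g. to rc4-hmac).
$htDigests = [ordered]@{
0x1='des-cbc-crc';
0x2='des-cbc-md4';
0x3='des-cbc-md5';
0x4='[reserved]';
0x5='des3-cbc-md5';
0x6='[reserved]';
0x7='des3-cbc-sha1';
0x9='dsaWithSHA1-CmsOID';
0xa='md5WithRSAEncryption-CmsOID';
0xb='sha1WithRSAEncryption-CmsOID';
0xc='rc2CBC-EnvOID';
0xd='rsaEncryption-EnvOID';
0xe='rsaES-OAEP-ENV-OID';
0xf='des-ede3-cbc-Env-OID';
0x10='des3-cbc-sha1-kd';
0x11='aes128-cts-hmac-sha1-96';
0x12='aes256-cts-hmac-sha1-96';
0x13='aes128-cts-hmac-sha256-128';
0x14='aes256-cts-hmac-sha384-192';
0x17='rc4-hmac';
0x18='rc4-hmac-exp';
0x19='camellia128-cts-cmac';
0x1a='camellia256-cts-cmac';
0x41='subkey-keymaterial'
}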
 
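$sb = {
    # Collector. Runs on every queried host - in a local background job (Start-Job) or on
    # the remote domain controllers (Invoke-Command) - which is why the filter and the
    # etype table come in through $using:. Emits one object per 4768/4769 event whose
    # ticket used a single-DES etype (0x1-0x3); everything else is dropped here so only
    # the findings travel back over WinRM.
    try {
        $CollectedEvents = @(Get-WinEvent -FilterXml $using:xmlFilter -ErrorAction SilentlyContinue)
    }
    catch {
        # Get-WinEvent still throws when the Security log cannot be opened at all (e.g. the
        # job runs without the right to read it); "no events were found" is a non-terminating
        # error already silenced above. Either way this host contributes nothing. Note that
        # an empty result is only meaningful if the Kerberos audit subcategories
        # ("Audit Kerberos Authentication Service" / "Audit Kerberos Service Ticket
        # Operations") are enabled on the host - this block cannot tell the difference.
        $CollectedEvents = @()
    }

    # Normalise both sides of the name lookup to Int64. The table reaches the job through
    # $using: (serialised) and the event property's integer type is not fixed, so a direct
    # .Item()/index lookup can miss (an Int32 key does not equal a UInt32 value) or, on an
    # ordered dictionary, resolve to the positional overload and return the wrong name.
    $etypeNames = @{}
    foreach ($entry in ($using:htDigests).GetEnumerator()) {
        $etypeNames[[int64]$entry.Key] = $entry.Value
    }

    foreach ($KerberosEvent in $CollectedEvents) {
        # EventData positions differ between the two event schemas:
        #   4768: 0 TargetUserName, 3 ServiceName, 7 TicketEncryptionType, 9 IpAddress
        #   4769: 0 TargetUserName, 2 ServiceName, 5 TicketEncryptionType, 6 IpAddress
        $request = $null
        switch ($KerberosEvent.Id) {
            4768 { $request = 'TGT'; $svcIdx = 3; $etypeIdx = 7; $ipIdx = 9 }
            4769 { $request = 'TGS'; $svcIdx = 2; $etypeIdx = 5; $ipIdx = 6 }
        }
        # The XPath filter should make this unreachable; guard anyway rather than index
        # with undefined positions. (A 'continue' inside the switch would only leave the
        # switch, hence the check out here.)
        if (-not $request) { continue }

        $props = $KerberosEvent.Properties
        $etype = $props[$etypeIdx].Value
        # Failed requests are logged with TicketEncryptionType 0xFFFFFFFF, which does not fit
        # an Int32 but does fit Int64, so this cast never throws.
        $etypeNumber = [int64]$etype

        # Only single-DES tickets are findings. 0x5/0x7/0x10 are 3DES and deliberately not
        # included; widen this list when RC4 (0x17/0x18) is the next algorithm to retire.
        if ($etypeNumber -in @(1, 2, 3)) {
            # IPv4 clients are logged as "::ffff:a.b.c.d". Strip the mapped prefix instead of
            # splitting on ':' so a genuine IPv6 client is not cut down to one hextet and a
            # bare IPv4 address (no prefix) is not lost.
            $ip = ([string]$props[$ipIdx].Value) -replace '^::ffff:', ''

            [PSCustomObject]@{
                Request     = $request
                User        = $props[0].Value
                ServiceName = $props[$svcIdx].Value
                DigestID    = $etype
                DigestName  = $etypeNames[$etypeNumber]
                IpAddress   = $ip
            }
        }
    }
}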
 
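Write-Verbose "Using XML Filter`n$xmlFilter"
Write-Verbose "Parameter set: $($PSCmdlet.ParameterSetName)"
Write-Verbose "Starting jobs"

# Every mode ends with one parent job whose child jobs (one per host) carry the results,
# so the collection loop below is the same however the hosts were chosen.
switch ($PSCmdlet.ParameterSetName) {
    'local' {
        $job = Start-Job -ScriptBlock $sb
    }
    'Domain' {
        Write-Verbose "Enumerating servers to query"
        # ReplicaDirectoryServers lists the writable DCs of the *current* domain only.
        # Read-only DCs (ReadOnlyReplicaDirectoryServers) and the other domains of the
        # forest run their own KDCs and are not covered by this mode - use -Computer for them.
        $Computers = (Get-ADDomain).ReplicaDirectoryServers
        Write-Verbose "Querying the following servers`n$Computers"
        $job = Invoke-Command -ComputerName $Computers -ScriptBlock $sb -AsJob
    }
    'List' {
        $Computers = $Computer
        Write-Verbose "Querying the following servers`n$Computers"
        $job = Invoke-Command -ComputerName $Computers -ScriptBlock $sb -AsJob
    }
}

Write-Verbose "Job $($job.Name) started"
Write-Verbose "Created $(($job.ChildJobs).Count) subjobs"
Write-Verbose "Waiting for completion"
# Wait-Job returns the job object. Without the assignment it was the first thing written
# to the pipeline - and, with -Export, the only thing, since the CSV swallowed the events.
# No -Timeout: an unresponsive host keeps the script waiting; add one if this runs unattended.
$null = Wait-Job -Job $job

Write-Verbose "Jobs completed, getting data"
$KerberosEvents = @(
    foreach ($subjob in $job.ChildJobs) {
        Write-Verbose "Receiving child job for $($subjob.Location)"
        $CollectedEvents = @(Receive-Job -Job $subjob -ErrorAction SilentlyContinue -ErrorVariable jobErrors)
        if ($subjob.State -ne 'Completed' -or $jobErrors.Count -gt 0) {
            # Remoting failures (WinRM unreachable, access denied, ...) surface as a failed
            # child job and error records, not as strings in the output stream, so the old
            # "-like '*WinRM cannot complete*'" test on the output never fired. A host that
            # could not be queried is a coverage gap - a DES client authenticating against
            # that DC goes unnoticed - so report it as a warning, not verbose text.
            Write-Warning ("Query of {0} ended in state {1}: {2}" -f $subjob.Location, $subjob.State, ($jobErrors -join '; '))
        }
        Write-Verbose "Received $($CollectedEvents.Count) events"
        $CollectedEvents
    }
)
Write-Verbose "Data received removing job"
Remove-Job -Job $job

if ($Export) {
    if ($KerberosEvents.Count -gt 0) {
        # -NoTypeInformation drops the "#TYPE ..." header so the file is plain CSV;
        # -Append keeps the results of repeated runs in one file.
        $KerberosEvents | Export-Csv -Path .\DES-Events.csv -Delimiter ";" -NoTypeInformation -Force -Append
    }
    else {
        Write-Verbose "No DES events found, nothing exported"
    }
}
else {
    $KerberosEvents
}

$end = Get-Date
Write-Verbose ("Check took {0}" -f ($end - $start))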