powershell:security:huntingdes


powershell:security:huntingdes [2017/02/27 09:43] (current)
marcus created
Line 1: Line 1:
 +====== Hunting down DES in order to securely deploy Kerberos ======
  
 +[[https://​blogs.technet.microsoft.com/​askds/​2010/​10/​19/​hunting-down-des-in-order-to-securely-deploy-kerberos/​|Hunting down DES in order to securely deploy Kerberos ]]
 +
 +<code PowerShell Get-KerberosEvents.ps1>​
 +[cmdletbinding(DefaultParameterSetName='​local'​)]
 +param(
 +   ​[Parameter(ParameterSetName='​Domain'​)][switch]$Domain,​
 +   ​[Parameter(ParameterSetName='​List'​)]$Computer,​
 +   ​[Parameter(ParameterSetName='​local'​)][Parameter(ParameterSetName='​Domain'​)][Parameter(ParameterSetName='​List'​)][long]$Seconds=60,​
 +   ​[Parameter(ParameterSetName='​local'​)][Parameter(ParameterSetName='​Domain'​)][Parameter(ParameterSetName='​List'​)][Switch]$Export ​   ​
 +)
 +
 +$start = Get-Date
 +
 +#​$TimeToCheck = 36000000 # 1h
 +#​$TimeToCheck = 6000000 # 10m
 +#​$TimeToCheck = 600000 # 1m
 +$TimeToCheck = $Seconds * 10000
 +
 +$xmlFilter = @"
 +<​QueryList>​
 +  <Query Id="​0"​ Path="​Security">​
 +    <Select Path="​Security">​*[System[(EventID=4768 or EventID=4769) and TimeCreated[timediff(@SystemTime) &lt;= $TimeToCheck]]]</​Select>​
 +  </​Query>​
 +</​QueryList>​
 +"@
 +
 +$htDigests = [ordered]@{
 +0x1='​des-cbc-crc'; ​
 +0x2='​des-cbc-md4'; ​
 +0x3='​des-cbc-md5'; ​
 +0x4='​[reserved]'; ​
 +0x5='​des3-cbc-md5'; ​
 +0x6='​[reserved]'; ​
 +0x7='​des3-cbc-sha1';​
 +0x9='​dsaWithSHA1-CmsOID'; ​
 +0xa='​md5WithRSAEncryption-CmsOID';​
 +0xb='​sha1WithRSAEncryption-CmsOID';​
 +0xc='​rc2CBC-EnvOID';​
 +0xd='​rsaEncryption-EnvOID';​
 +0xe='​rsaES-OAEP-ENV-OID';​
 +0xf='​des-ede3-cbc-Env-OID'; ​
 +0x10='​des3-cbc-sha1-kd';​
 +0x11='​aes128-cts-hmac-sha1-96';​
 +0x12='​aes256-cts-hmac-sha1-96';​
 +0x17='​rc4-hmac';​
 +0x18='​rc4-hmac-exp';​
 +0x41='​subkey-keymaterial'​
 +}
 +
 +$sb = {
 +    try {
 +        $CollectedEvents = @(Get-WinEvent -FilterXml $using:​xmlfilter -ErrorAction SilentlyContinue)
 +    }
 +    catch {
 +        $CollectedEvents = @()
 +    }
 +    foreach ($KerberosEvent in $CollectedEvents){
 +        $objEvent = New-Object System.Object | Select-Object -Property Request,​User,​ServiceName,​DigestID,​DigestName,​IpAddress
 +        switch ($KerberosEvent.Id)
 +        {
 +            4768 {
 +                $objEvent.request = "​TGT"​
 +                $objEvent.user = $KerberosEvent.Properties[0].Value
 +                $objEvent.ServiceName = $KerberosEvent.Properties[3].Value
 +                $objEvent.DigestID = $KerberosEvent.Properties[7].Value
 +                $objEvent.DigestName = ($using:​htDigests).Item($KerberosEvent.Properties[7].Value)
 +                $objEvent.IpAddress = ($KerberosEvent.Properties[9].Value -split ":"​)[3]
 +            }
 +            4769 {
 +                $objEvent.request = "​TGS"​
 +                $objEvent.user = $KerberosEvent.Properties[0].Value
 +                $objEvent.ServiceName = $KerberosEvent.Properties[2].Value
 +                $objEvent.DigestID = $KerberosEvent.Properties[5].Value
 +                $objEvent.DigestName = ($using:​htDigests).Item($KerberosEvent.Properties[5].Value)
 +                $objEvent.IpAddress = ($KerberosEvent.Properties[6].Value -split ":"​)[3]
 +            }
 +        }
 +        if($objEvent.DigestID -in @(1,2,3)){
 +            $objEvent
 +        }
 +    }
 +}
 +
 +Write-Verbose "Using XML Filter`n$xmlFilter"​
 +
 +Write-Verbose $pscmdlet.ParameterSetName
 +
 +Write-Verbose "​Starting jobs"
 +
 +switch ($pscmdlet.ParameterSetName)
 +{
 +    '​local'​ {
 +        $job = Start-Job -ScriptBlock $sb
 +        break
 +    }
 +    '​Domain'​ {
 +        Write-Verbose "​Enumerating servers to query"
 +        $Computers = (Get-ADDomain).ReplicaDirectoryServers
 +        Write-Verbose "​Querying the following servers`n$Computers"​
 +        Write-Verbose "​Starting jobs"
 +        $job = Invoke-Command -ComputerName $Computers -ScriptBlock $sb -AsJob
 +        break
 +    }
 +    '​List'​ {
 +        $Computers = $Computer
 +        Write-Verbose "​Querying the following servers`n$Computers"​
 +        Write-Verbose "​Starting jobs"
 +        $job = Invoke-Command -ComputerName $Computers -ScriptBlock $sb -AsJob
 +        break
 +    }
 +}
 +
 +
 +Write-Verbose "Job $($job.name) startet"​
 +Write-Verbose "​Create $(($job.ChildJobs).count) subjobs"​
 +#break
 +Write-Verbose "​Waiting for completion"​
 +wait-job $job
 +
 +$KerberosEvents = @()
 +
 +Write-Verbose "Jobs completed, getting data"
 +
 +foreach ($subjob in $job.ChildJobs){
 +    Write-Verbose "​Receiving child job `n$subjob"​
 +    $CollectedEvents = Receive-Job $subjob
 +    if($CollectedEvents -like "​*WinRM cannot complete the operation*"​){
 +        Write-Verbose "Error collecting events"​
 +    }
 +    else{
 +        Write-Verbose "​Received $($CollectedEvents.count) events"​
 +        $KerberosEvents += $CollectedEvents
 +    }
 +}
 +Write-Verbose "Data received removing job"
 +Remove-Job $job
 +
 +If($Export){
 +    $KerberosEvents | Export-Csv -Path .\DES-Events.csv -Delimiter ";"​ -Force -Append
 +}
 +else {
 +    $KerberosEvents
 +}
 +
 +$end = get-date
 +Write-Verbose ("​Check took {0}" -f ($end - $start))
 +
 +</​code>​
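Review bot: The -Seconds window is ten times wider than advertised: timediff(@SystemTime) in the event-log XPath filter is measured in milliseconds, so `$TimeToCheck = $Seconds * 10000` turns the default 60 into a 600,000 ms (10-minute) query, and the commented constants carry the same error (36000000 is 10 h, not 1 h); the line should read `$TimeToCheck = $Seconds * 1000  # timediff() is in milliseconds`. The WinRM check in the collection loop compares the child job's output against an error string, but a failed remote query surfaces on the job's error stream and state rather than in what Receive-Job returns to `$CollectedEvents`, so `if ($subjob.State -eq 'Failed' -or $subjob.Error.Count -gt 0)` is the reliable test and an unreachable DC is otherwise counted silently as "no DES found". Because the script block both swallows Get-WinEvent errors with -ErrorAction SilentlyContinue and returns an empty array from the catch, an empty result is indistinguishable from a DC where "Audit Kerberos Authentication Service" / "Audit Kerberos Service Ticket Operations" success auditing is not enabled; a header comment stating that 4768/4769 auditing must be on for every DC queried, plus a Write-Verbose naming DCs that returned zero events, would stop a clean run being read as proof that DES is gone. The IpAddress extraction `(... -split ":")[3]` assumes the IPv4-mapped `::ffff:a.b.c.d` form and returns a fragment for plain IPv6 clients — presumably acceptable in this environment, but it deserves a comment.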