# POC for authenticating to an RSA web agent login form with PowerShell.
# Fetches the login page, scrapes its hidden form fields, and posts them back with a username and passcode.
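Function Get-AttributeValue {
    <#
    .SYNOPSIS
        Returns the value="..." of a form field whose tag mentions $Token.
    .DESCRIPTION
        Scans $Content for an HTML tag that contains the literal $Token and
        returns the contents of that tag's value="" attribute. Used to pull the
        hidden fields (csrftoken, sessionid, ...) out of the login page so they
        can be echoed back on the credential POST.
    .PARAMETER Content
        HTML text to search, e.g. the .Content of an Invoke-WebRequest result.
        The original read the script-scope $resp.Content instead of this
        parameter, which silently broke any caller passing different content.
    .PARAMETER Token
        Field name to look for. Matched as a literal string (regex-escaped).
    .OUTPUTS
        [string] the attribute value.
    .NOTES
        Throws if the token is not present. The original only wrote a
        non-terminating error and then returned whatever $Matches[1] still held
        from a previous call, so a missing field produced a stale value.
    #>
    [CmdletBinding()]
    Param(
        [string]$Content,
        [string]$Token
    )
    # Stay inside one tag ([^>]*) and capture up to the closing quote only.
    # The original '<.+{0}.+value="(.+)"' was greedy on both sides, so with
    # two inputs on one line the capture swallowed the neighbouring field.
    $pattern = '<[^>]*{0}[^>]*value="([^"]*)"' -f [regex]::Escape($Token)
    if ($Content -notmatch $pattern) {
        throw "Unable to find $Token"
    }
    Write-Verbose "Found token:$($Token) with value:$($Matches[1])"
    return $Matches[1]
}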
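# Login page of the RSA web agent. foo.local is a placeholder and must be
# replaced; keep it https, the passcode is posted in clear inside TLS.
$loginUrl = 'https://foo.local/service/auth/rsa/'

# One GET to collect the hidden form fields and a cookie jar. -SessionVariable
# creates $fooSession, which the later POST must reuse or the sessionid and
# csrftoken scraped here will not match server-side state. -UseBasicParsing
# avoids the Internet Explorer DOM parser on Windows PowerShell 5.1 (it can
# hang on headless hosts) and is a no-op on PowerShell 7. Stop on failure
# rather than feeding a $null response into the field extraction below.
$resp = Invoke-WebRequest -Uri $loginUrl -SessionVariable fooSession -UseBasicParsing -ErrorAction Stop

# Hidden fields the agent expects to be echoed back on the credential POST.
# -Verbose logs each value; csrftoken/sessionid are bearer-like for this
# session, so do not leave verbose output in a shared transcript.
$csrf      = Get-AttributeValue -Content $resp.Content -Token 'csrftoken' -Verbose
$referrer  = Get-AttributeValue -Content $resp.Content -Token 'referrer'  -Verbose
$postData  = Get-AttributeValue -Content $resp.Content -Token 'postdata'  -Verbose
$authnType = Get-AttributeValue -Content $resp.Content -Token 'authntype' -Verbose
$stage     = Get-AttributeValue -Content $resp.Content -Token 'stage'     -Verbose
$sessionid = Get-AttributeValue -Content $resp.Content -Token 'sessionid' -Verbose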
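# Prompt with Get-Credential instead of Read-Host so the passcode is not
# echoed to the console and is held as a SecureString until the form body is
# built. The agent takes the passcode as a plain form field, so it has to be
# decrypted here; from this point $passcode and $body contain the secret and
# must not be logged, transcribed or dumped with Write-Host/Write-Verbose.
$credential = Get-Credential -Message 'RSA username and passcode'
if (-not $credential) {
    throw 'No credentials supplied'
}
$username = $credential.UserName
$passcode = $credential.GetNetworkCredential().Password

# Form fields posted to the web agent, keyed by the field names it expects.
# NOTE(review): the key is 'referer' (one r) while the hidden input scraped
# above is named 'referrer'; this POC does not show which spelling the server
# reads, so confirm against the login form before relying on it.
$body = @{
    username  = $username
    referer   = $referrer
    sessionid = $sessionid
    postdata  = $postData
    authntype = $authntype
    stage     = $stage
    passcode  = $passcode
    csrftoken = $csrf
}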
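# Endpoint the login form posts to (foo.local is a placeholder). The Referer
# and Origin headers are sent because the agent is expected to reject
# cross-site posts of the form.
$agentUrl = 'https://foo.local/bar/IISWebAgentIF.dll'
$headers = @{
    'Referer' = 'https://foo.local/service/auth/rsa/'
    'Origin'  = 'https://foo.local/bar'
}

try {
    # Reuse $fooSession so the cookies issued with the login page accompany
    # the hidden fields scraped from it. Do not add request tracing here:
    # $body carries the passcode.
    $resp1 = Invoke-WebRequest -Uri $agentUrl `
        -WebSession $fooSession `
        -Body $body `
        -Headers $headers `
        -ContentType 'application/x-www-form-urlencoded' `
        -Method POST `
        -UseBasicParsing
} catch {
    # Invoke-WebRequest throws on a non-2xx response. Report the status code
    # (a 403 or redirect usually means a stale csrftoken/session rather than
    # a wrong passcode) and stop here instead of falling through to a second,
    # misleading "Not Authenticated" error raised against a $null $resp1.
    $status = $null
    if ($_.Exception.Response) {
        $status = [int]$_.Exception.Response.StatusCode
    }
    throw "Authentication request failed (HTTP $status): $($_.Exception.Message)"
}

# Success is detected by a marker string in the agent's response page. This is
# fragile and does not recognise the "next tokencode" challenge the agent can
# return; anything other than the success text is treated as a failure.
if ($resp1.Content -match "Authentication Succeeded") {
    Write-Host "Authenticated"
} else {
    Write-Error "Not Authenticated" -ErrorAction Stop
}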