Skip to content

Instantly share code, notes, and snippets.

@dbroeglin
Created April 17, 2016 17:10
Show Gist options
  • Save dbroeglin/5d2beb826cf86e8a9888e90063a4f008 to your computer and use it in GitHub Desktop.
Save dbroeglin/5d2beb826cf86e8a9888e90063a4f008 to your computer and use it in GitHub Desktop.
Extract domain, principal and SPN from Kerberos TGS-REP messages
[CmdletBinding()]
Param (
[Parameter(ValueFromPipeline = $True, Mandatory = $True)]
[String]$PcapFile,
[String]$WireSharkPath = "C:\Program Files\Wireshark"
)
$TempFile = [System.IO.Path]::GetTempFileName()
try {
& "$WireSharkPath\tshark.exe" -r $PcapFile -T pdml 'kerberos.msg_type == 13' > $TempFile
[xml]$x = Get-Content $TempFile
$x.SelectNodes("//packet") | % {
$Domain = $_.SelectSingleNode(".//field[@name='kerberos.realm']").show
$Principal = $_.SelectSingleNode(".//field[@name='kerberos.cname_element']/field/field[@name='kerberos.KerberosString']").show
$SPN = % { $_.SelectNodes(".//field[@name='kerberos.sname_element']") |
% { ($_.SelectNodes("field/field[@name='kerberos.KerberosString']")).show -join "/" }
}
New-Object -Type PSCustomObject -Property @{
Domain = $Domain
Principal = $Principal
SPN = $SPN
}
}
} finally {
Remove-Item -Force $TempFile
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment