@jaredcatkinson
Created September 20, 2017 21:51
Script to test if a Ticket Granting Ticket (TGT) is forged (a Golden Ticket).
# Prints a check as passed ([+]) or failed ([-]) depending on $Result.
function Test-Condition
{
    param
    (
        [Parameter(Mandatory = $true)]
        [bool]
        $Result,

        [Parameter(Mandatory = $true)]
        [string]
        $Message
    )

    if( $Result )
    {
        Write-Success -Message $Message
    }
    else
    {
        Write-Fail -Message $Message
    }
}

# Prints the heading for a group of related checks.
function Write-Context
{
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $Message
    )

    Write-Host " Context: $($Message)" -ForegroundColor Magenta
}

function Write-Success
{
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $Message
    )

    Write-Host " [+] $($Message)" -ForegroundColor Green
}

function Write-Fail
{
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $Message
    )

    Write-Host " [-] $($Message)" -ForegroundColor Red
}

# Checks each TGT object against the values a legitimately issued ticket is
# expected to have, then passes the ticket on down the pipeline.
function Test-Ticket
{
    param
    (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]
        $Ticket
    )

    process
    {
        # PowerShell variable names are case-insensitive, so the loop variable
        # is named $t to avoid reusing the $Ticket parameter.
        foreach($t in $Ticket)
        {
            Write-Host -ForegroundColor Magenta "Describing Ticket Granting Ticket (TGT)"

            Write-Context -Message 'Encryption Type'
            Test-Condition -Result ($t.SessionKeyType -eq 'aes256_cts_hmac_sha1_96') -Message 'should be aes256_cts_hmac_sha1_96'

            # Default Active Directory Kerberos policy: 10 hour ticket lifetime, 7 day renewal.
            Write-Context -Message 'Ticket Validity'
            Test-Condition -Result (($t.EndTime - $t.StartTime).TotalHours -le 10) -Message 'should be valid for 10 hours'
            Test-Condition -Result (($t.RenewUntil - $t.StartTime).TotalDays -le 8) -Message 'should renew for approx. 7 days'

            # The client named in the ticket should be the user who owns the logon session.
            Write-Context -Message 'Ticket Client (User)'
            Test-Condition -Result ($t.ClientName -eq $t.SessionUserName) -Message 'should match the Session User Name'
            if($t.SessionUserPrincipalName -ne '')
            {
                Test-Condition -Result ("$($t.ClientName)@$($t.DomainName)" -eq $t.SessionUserPrincipalName) -Message 'should match the Session User Principal Name'
            }

            # Logon IDs 999 (0x3e7, SYSTEM) and 996 (0x3e4, NETWORK SERVICE) are the
            # machine's own sessions; every other session is expected to use Kerberos.
            Write-Context -Message 'Session Authentication Package'
            if($t.SessionLogonId -eq 999 -or $t.SessionLogonId -eq 996)
            {
                Test-Condition -Result ($t.SessionAuthenticationPackage -eq 'Negotiate') -Message 'should be Negotiate'
            }
            else
            {
                Test-Condition -Result ($t.SessionAuthenticationPackage -eq 'Kerberos') -Message 'should be Kerberos'
            }

            Write-Output $t
        }
    }
}
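
Added example, not part of the gist: Test-Ticket reports each check with Write-Host, so the pass/fail outcome is not available on the pipeline. The sketch below runs the same checks and returns one object per ticket naming the checks that failed, which can then be filtered or exported. Get-TicketAnomaly and both sample tickets are hypothetical and constructed; the second ticket deviates in encryption type, lifetime and client name.

```powershell
# Hypothetical helper (assumption, not from the gist): same checks as Test-Ticket,
# returned as data instead of coloured console text.
function Get-TicketAnomaly
{
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] [psobject] $Ticket)
    process
    {
        # Logon IDs 999 (SYSTEM) and 996 (NETWORK SERVICE) are expected to use Negotiate
        $expectedPackage = if($Ticket.SessionLogonId -in 999, 996) { 'Negotiate' } else { 'Kerberos' }
        $checks = [ordered]@{
            EncryptionType = $Ticket.SessionKeyType -eq 'aes256_cts_hmac_sha1_96'
            Lifetime       = ($Ticket.EndTime - $Ticket.StartTime).TotalHours -le 10
            RenewWindow    = ($Ticket.RenewUntil - $Ticket.StartTime).TotalDays -le 8
            ClientName     = $Ticket.ClientName -eq $Ticket.SessionUserName
            AuthPackage    = $Ticket.SessionAuthenticationPackage -eq $expectedPackage
        }
        # The UPN check only applies when the session reports a UPN
        if($Ticket.SessionUserPrincipalName -ne '')
        {
            $checks.ClientUpn = "$($Ticket.ClientName)@$($Ticket.DomainName)" -eq $Ticket.SessionUserPrincipalName
        }
        $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
        [pscustomobject]@{
            ClientName   = $Ticket.ClientName
            LogonId      = $Ticket.SessionLogonId
            Suspicious   = $failed.Count -gt 0
            FailedChecks = $failed -join ','
        }
    }
}

# Constructed sample tickets (not captured from a real host)
$start = [datetime]'2017-09-20T08:00:00'
$expected = [pscustomobject]@{
    SessionKeyType = 'aes256_cts_hmac_sha1_96'; StartTime = $start
    EndTime = $start.AddHours(10); RenewUntil = $start.AddDays(7)
    ClientName = 'alice'; DomainName = 'corp.example'
    SessionUserName = 'alice'; SessionUserPrincipalName = 'alice@corp.example'
    SessionLogonId = 305419; SessionAuthenticationPackage = 'Kerberos'
}
$deviating = $expected.psobject.Copy()
$deviating.SessionKeyType = 'rc4_hmac'
$deviating.EndTime = $start.AddYears(10)
$deviating.RenewUntil = $start.AddYears(10)
$deviating.ClientName = 'administrator'

$expected, $deviating | Get-TicketAnomaly | Format-Table -AutoSize
```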

t94j0 commented Sep 29, 2017

Awesome! Thanks for sharing

Demo of script given by Jared Atkinson himself: https://youtu.be/VCF8EpQbRTs?t=38m52s
