cfalta · March 21, 2022 20:58
diff --git a/Verify-KeyLink.ps1 b/Verify-KeyLink.ps1
 #Requires –Modules ActiveDirectory
 #Requires –Modules dsinternals

 param([string]$Computername)

 #Binary grep function, stolen from stackoverflow https://stackoverflow.com/questions/62400436/powershell-binary-grep
 Function Find-Bytes([byte[]]$Bytes, [byte[]]$Search, [int]$Start, [Switch]$All) {
    For ($Index = $Start; $Index -le $Bytes.Length - $Search.Length ; $Index++) {
        For ($i = 0; $i -lt $Search.Length -and $Bytes[$Index + $i] -eq $Search[$i]; $i++) {}
        If ($i -ge $Search.Length) { 
            $Index
            If (!$All) { Return }
        } 
    }
 }

 #This script will try to match the content of the msds-KeyCredentialLink attribute with the content of the MachineBoundCertificate registry value on the same host.

 Write-Output "`n[+] Verifying msds-KeyCredentialLink for host $($Computername)"

 $adkey = Get-ADComputer -Identity $Computername -Properties * | select -expand msds-keycredentiallink | get-adkeycredential | select -expand rawkeymaterial

 if($adkey)
 {
    Write-Output "[+] Found a key in Active Directory. Checking network connection with the host."

    if((Test-Connection -ComputerName $Computername -Count 1))
    {
        Write-Output "[+] Network connection OK. Trying to acquire MBC from registry."

        $mbc = Invoke-Command -ComputerName $Computername -ScriptBlock {get-itemproperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters -name machineboundcertificate}| select -expand machineboundcertificate

        if($mbc)
        {
            Write-Output "[+] Found MBC, trying to match."

            $offset = Find-Bytes -Bytes $mbc -Search $adkey
            if($offset)
            {
                Write-Output "[+] Match found: msds-KeyCredentialLink -> MachineBoundCertificate"
                Write-Output "[+] Key extracted from AD is:`n"
                $adkey | format-hex
                Write-Output "`n[+] Key extracted from host is:`n"
                $mbc[$offset..($offset + $adkey.length - 1)] | format-hex
            }

        }
        else
        {
            Write-Warning "[!] Unable to extract machineboundcertificate. Verify it exists in registry --> HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MachineBoundCertificate."
        }
    }
    else
    {
        Write-Warning "[!] Unable to ping $($Computername). Verify network connection."
    }
 }
 else
 {
    Write-Warning "[!] Could not extract the key from Active Directory. Make sure $($Computername) exists and has the msds-KeyCredentialLink attribute set."
 }
	#Requires –Modules ActiveDirectory
	#Requires –Modules dsinternals

	param([string]$Computername)

	#Binary grep function, stolen from stackoverflow https://stackoverflow.com/questions/62400436/powershell-binary-grep
	Function Find-Bytes([byte[]]$Bytes, [byte[]]$Search, [int]$Start, [Switch]$All) {
	For ($Index = $Start; $Index -le $Bytes.Length - $Search.Length ; $Index++) {
	For ($i = 0; $i -lt $Search.Length -and $Bytes[$Index + $i] -eq $Search[$i]; $i++) {}
	If ($i -ge $Search.Length) {
	$Index
	If (!$All) { Return }
	}
	}
	}

	#This script will try to match the content of the msds-KeyCredentialLink attribute with the content of the MachineBoundCertificate registry value on the same host.

	Write-Output "`n[+] Verifying msds-KeyCredentialLink for host $($Computername)"

	$adkey = Get-ADComputer -Identity $Computername -Properties * \| select -expand msds-keycredentiallink \| get-adkeycredential \| select -expand rawkeymaterial

	if($adkey)
	{
	Write-Output "[+] Found a key in Active Directory. Checking network connection with the host."

	if((Test-Connection -ComputerName $Computername -Count 1))
	{
	Write-Output "[+] Network connection OK. Trying to acquire MBC from registry."

	$mbc = Invoke-Command -ComputerName $Computername -ScriptBlock {get-itemproperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters -name machineboundcertificate}\| select -expand machineboundcertificate

	if($mbc)
	{
	Write-Output "[+] Found MBC, trying to match."

	$offset = Find-Bytes -Bytes $mbc -Search $adkey
	if($offset)
	{
	Write-Output "[+] Match found: msds-KeyCredentialLink -> MachineBoundCertificate"
	Write-Output "[+] Key extracted from AD is:`n"
	$adkey \| format-hex
	Write-Output "`n[+] Key extracted from host is:`n"
	$mbc[$offset..($offset + $adkey.length - 1)] \| format-hex
	}

	}
	else
	{
	Write-Warning "[!] Unable to extract machineboundcertificate. Verify it exists in registry --> HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MachineBoundCertificate."
	}
	}
	else
	{
	Write-Warning "[!] Unable to ping $($Computername). Verify network connection."
	}
	}
	else
	{
	Write-Warning "[!] Could not extract the key from Active Directory. Make sure $($Computername) exists and has the msds-KeyCredentialLink attribute set."
	}