GetUserSPNs.py
Enumerate user accounts that carry Service Principal Names (SPNs) and request their service tickets for Kerberoasting
TLDR
Enumerate user accounts with an SPN and request their Kerberos TGS tickets
Use pass-the-hash authentication
Save the output to a file
Request only TGS tickets
Request only TGS tickets using pass-the-hash authentication
SYNOPSIS
GetUserSPNs.py <DOMAIN>/<USERNAME>[:<PASSWORD>] [-options]
GetUserSPNs.py -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> [-options]
GetUserSPNs.py -k -no-pass <DOMAIN>/<USERNAME> [-options]
Distribution packages (for example Kali's impacket-scripts) install the same script as impacket-GetUserSPNs.
PARAMETERS
<DOMAIN>/<USERNAME>[:<PASSWORD>]
Specifies the domain and the account used to authenticate to the domain controller. If the password is omitted and none of -hashes, -aesKey or -k is given, the script prompts for it. The domain part is also the domain that is queried unless -target-domain overrides it.
-h, --help
Shows the help message and exits.
-debug
Turns on debug output for more verbose information.
-ts
Adds a timestamp to every logging line.
-request
Requests a TGS for every account found with an SPN and prints the tickets in John the Ripper/Hashcat format. Without it the script only lists the accounts and their SPNs.
-request-user <USER>
Requests a TGS only for the SPNs registered to the named account; -request is implied.
-usersfile <FILE>
Requests TGS tickets for the accounts listed in the file, one sAMAccountName per line, without first querying LDAP for SPNs.
-outputfile <FILE>
Writes the ticket hashes to the given file in addition to printing them.
-save
Saves every requested ticket to disk as <username>.ccache; -request is implied.
-target-domain <DOMAIN>
Queries and requests tickets from a different domain than the one of the authenticating account, which allows Kerberoasting across a trust.
-hashes <LMHASH>:<NTHASH>
NTLM hashes for pass-the-hash authentication instead of a password. The LM half may be left empty (":NTHASH").
-no-pass
Do not prompt for a password. Use with -k, -hashes or -aesKey.
-k
Uses Kerberos authentication, taking credentials from the ccache file named by the KRB5CCNAME environment variable. If no matching ticket is found there, the credentials given on the command line are used.
-aesKey <HEXKEY>
AES key (128 or 256 bit, hex encoded) used for Kerberos authentication instead of a password (pass-the-key).
-dc-ip <IP_ADDRESS>
IP address of the domain controller. If omitted, the domain part of the target is resolved.
-dc-host <HOSTNAME>
Hostname of the domain controller to use. If omitted, the domain part of the target is used.
DESCRIPTION
GetUserSPNs.py is one of the example scripts shipped with the Impacket toolkit and is widely used in penetration testing and security assessments. It binds to a domain controller over LDAP, searches for user objects that have the servicePrincipalName attribute set (typically service accounts), and prints each account's SPNs, group membership, password-last-set and last-logon times.
With -request (or -request-user) it also performs the Kerberoasting step: for each such account it asks the KDC for a service ticket (TGS) for one of the account's SPNs. Part of that ticket is encrypted with the service account's long-term key, which is derived from the account's password: for RC4-HMAC (etype 23) the key is the account's NT hash, for AES (etypes 17 and 18) it is a PBKDF2 derivation. The script asks for RC4 first, so the KDC returns an RC4 ticket whenever the service account still permits it; accounts restricted to AES return AES tickets, which are far slower to crack. Each ticket is printed as a $krb5tgs$ line that Hashcat or John the Ripper can attack offline.
Because any authenticated domain principal may request a service ticket for any registered SPN, this yields crackable material for a service account without ever touching the service or its host. The script needs valid domain credentials (a password, NTLM hash, AES key or a Kerberos ticket in a ccache) only to authenticate to the domain controller; no special privileges are required.
CAVEATS
Running GetUserSPNs.py produces an LDAP search and, with -request, one TGS-REQ per service account. Every issued ticket is logged on the domain controller as event ID 4769 (Audit Kerberos Service Ticket Operations, enabled by default on domain controllers) with TicketEncryptionType 0x17 when RC4 was granted. A burst of RC4 service-ticket requests for many different service accounts from a single user and source address is the pattern most Kerberoasting detections look for. Any authenticated domain account can run the script; elevated privileges are not needed, which is what makes the technique attractive. Kerberos also requires the client clock to be within the KDC's tolerance (five minutes by default) or requests fail with KRB_AP_ERR_SKEW, and the domain part of the target must resolve unless -dc-ip or -dc-host is given. Cracking only succeeds against weak passwords: long random passwords or group-managed service accounts (gMSA) for every account that carries an SPN, restricting such accounts to AES, and honeypot accounts with SPNs that nobody should legitimately request are the usual defences. Use the tool only with authorisation; it is built for security testing and red-team work, and misuse can have legal consequences.
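The 4769 pattern described above, as an added detection example (this code is not part of Impacket or of the original page): it reads exported 4769 events, keeps successfully issued RC4 (0x17) service tickets for non-machine accounts, and alerts when one requesting user and source address collects tickets for several distinct service accounts within a short window. The log lines are constructed for the example, and the timestamp plus key=value export layout is an assumption about how events were pulled from the SIEM; adapt parse_4769 to whatever your pipeline emits.

```python
"""Flag Kerberoasting in Windows Security event 4769 (service ticket requested).

Added example; not code from GetUserSPNs.py or the Impacket project. The log
lines in SAMPLE_LOG are constructed for this example. The field names follow the
4769 event schema (TargetUserName, ServiceName, TicketEncryptionType, IpAddress,
Status); the "timestamp key=value ..." line layout is an assumed export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17               # etype 23: what GetUserSPNs.py asks for first
WINDOW = timedelta(minutes=5)
THRESHOLD = 3                 # distinct service accounts per requester inside WINDOW

# Constructed sample: jdoe hits four service accounts with RC4 in seconds
# (plus a machine account, krbtgt and one failed request, all ignored);
# asmith does normal AES work; legacy makes a single RC4 request.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:01Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:02Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:02Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_nope TicketEncryptionType=0xffffffff IpAddress=::ffff:10.0.0.55 Status=0x7
2024-05-01T10:00:02Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:03Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_ftp TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:00:04Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.55 Status=0x0
2024-05-01T10:01:10Z EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.21 Status=0x0
2024-05-01T10:01:11Z EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.21 Status=0x0
2024-05-01T10:30:00Z EventID=4769 TargetUserName=legacy@CORP.LOCAL ServiceName=svc_old TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.9 Status=0x0
"""


def parse_4769(line):
    """Parse one exported event line: ISO timestamp first, then key=value fields."""
    stamp, *fields = line.split()
    event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_roast_candidate(event):
    """A successfully issued RC4 service ticket for a user-style service account.

    Machine accounts (trailing '$') and krbtgt are excluded: they are noisy and
    are not what GetUserSPNs.py goes after.
    """
    service = event.get("ServiceName", "")
    return (event.get("EventID") == "4769"
            and event.get("Status") == "0x0"
            and int(event.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def detect_kerberoasting(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (requesting user, source IP) that obtained RC4 tickets
    for at least `threshold` distinct service accounts inside `window`."""
    events = sorted((parse_4769(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    per_requester = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in per_requester.items():
        best, start = None, 0
        for end in range(len(evs)):            # sliding window over time-sorted events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            services = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(services) >= threshold and (best is None or len(services) > len(best["services"])):
                best = {"user": user, "ip": ip, "services": sorted(services),
                        "first": evs[start]["time"], "last": evs[end]["time"]}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_LOG):
        print(f"{alert['user']} from {alert['ip']} obtained RC4 tickets for "
              f"{len(alert['services'])} service accounts: {', '.join(alert['services'])}")
```

Three accounts in five minutes is a starting point, not a tuned value: environments where legacy systems still negotiate RC4 need a baseline or an allowlist, and an attacker can pace requests (or use -request-user for one account at a time) to stay under any count. Pair the count with an alert on any ticket, RC4 or not, for a honeypot account that carries an SPN nobody should legitimately request.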
KERBEROASTING ATTACK EXPLAINED
Kerberoasting is a post-exploitation technique for recovering service account passwords from Active Directory. It rests on two facts: SPNs are registered to accounts (often ordinary user accounts used as service accounts), and any authenticated domain principal can ask the KDC for a service ticket for any registered SPN. The ticket the KDC returns contains a part encrypted with the service account's long-term key, which is derived from its password (the NT hash itself for RC4-HMAC, a PBKDF2 derivation for AES). The attacker never presents the ticket to the service; the encrypted part is taken offline and candidate passwords are tried until one decrypts it, which reveals the plaintext password. GetUserSPNs.py prints each ticket as a $krb5tgs$ line: Hashcat mode 13100 handles RC4 (etype 23), and modes 19600 and 19700 handle AES128 (etype 17) and AES256 (etype 18); John the Ripper's krb5tgs format reads the RC4 lines. Because the password itself is the target, the defence is a password the cracker cannot reach: gMSAs or long random passwords for every account with an SPN, and restricting those accounts to AES so that cheap RC4 tickets are never issued.
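The output format and cracker modes mentioned above, as an added example (this is not Impacket's code): a parser for the $krb5tgs$ lines GetUserSPNs.py prints, which recovers the account, realm and SPN, tells RC4 tickets from AES ones, and groups lines by the Hashcat mode they need, since Hashcat runs a single mode per invocation. The two hash lines are constructed with filler hex and do not come from a real domain; the table line stands in for the non-hash output the script also writes to stdout, which the parser skips.

```python
"""Parse GetUserSPNs.py ticket output and route each hash to the right cracker mode.

Added example; not part of Impacket. SAMPLE_LINES are constructed (the hex is
filler, not real ticket material). The line layouts are the ones GetUserSPNs.py
writes: RC4-HMAC tickets (etype 23) and AES tickets (etypes 17/18) differ in
where the '*' markers sit and in the checksum length (16 versus 12 bytes).
"""
import re
from collections import defaultdict

# Hashcat modes for Kerberos 5 TGS-REP by encryption type
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# etype 23: $krb5tgs$23$*user$REALM$spn*$<16-byte checksum hex>$<edata hex>
RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$")
# etype 17/18: $krb5tgs$18$user$REALM$*spn*$<12-byte checksum hex>$<edata hex>
AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{24})\$(?P<edata>[0-9a-fA-F]+)$")

SAMPLE_LINES = [
    # constructed stdout table header, not a hash: the parser must skip it
    "ServicePrincipalName                Name        MemberOf  PasswordLastSet  LastLogon",
    # constructed RC4 ticket; the script writes the SPN's ':' as '~'
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local~1433*$"
    + "00112233445566778899aabbccddeeff$" + "ab" * 48,
    # constructed AES256 ticket
    "$krb5tgs$18$svc_backup$CORP.LOCAL$*backup/bk01.corp.local*$"
    + "0011223344556677889900aa$" + "cd" * 48,
]


def parse_krb5tgs(line):
    """Return the fields of one $krb5tgs$ line, or None if the line is not one."""
    line = line.strip()
    etype = 23
    m = RC4_RE.match(line)
    if m is None:
        m = AES_RE.match(line)
        if m is None:
            return None
        etype = int(m.group("etype"))
    return {
        "etype": etype,
        "hashcat_mode": HASHCAT_MODE[etype],
        "user": m.group("user"),
        "realm": m.group("realm"),
        "spn": m.group("spn").replace("~", ":"),   # undo the ':' -> '~' substitution
        "checksum": m.group("checksum").lower(),
        "edata_bytes": len(m.group("edata")) // 2,
        "line": line,
    }


def split_by_mode(lines):
    """Group hash lines by Hashcat mode so each group can go into its own run."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_krb5tgs(line)
        if rec is not None:
            buckets[rec["hashcat_mode"]].append(rec["line"])
    return dict(buckets)


if __name__ == "__main__":
    for mode, hashes in sorted(split_by_mode(SAMPLE_LINES).items()):
        print(f"hashcat -m {mode} -a 0 hashes_{mode}.txt wordlist.txt   # {len(hashes)} hash(es)")
        for h in hashes:
            rec = parse_krb5tgs(h)
            print(f"  {rec['user']}@{rec['realm']}  {rec['spn']}  etype={rec['etype']}")
```

Sorting the AES lines into their own bucket is not just a Hashcat convenience: etype 17/18 hashes cost thousands of PBKDF2 iterations per guess, so they are usually run last, with a tighter wordlist, after the RC4 bucket has been exhausted.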
HISTORY
GetUserSPNs.py ships with Impacket, a collection of Python classes for working with network protocols. Impacket was created at Core Security (CoreLabs), was maintained under the SecureAuth name after the two companies merged, and is now maintained by Fortra, which owns Core Security; the repository is at github.com/fortra/impacket. The toolkit has become a de-facto standard in offensive security for interacting with Windows services, including Active Directory and Kerberos, and GetUserSPNs.py has been updated alongside it, for example to output AES-encrypted tickets in a crackable format and to support Kerberoasting across trusts with -target-domain.