LinuxCommandLibrary

impacket-getuserspns

Finds and requests Kerberos service tickets for user accounts with SPNs

TLDR

Find Kerberoastable accounts
$ impacket-GetUserSPNs [domain]/[user]:[password] -dc-ip [dc-ip]

Request service tickets
$ impacket-GetUserSPNs [domain]/[user]:[password] -dc-ip [dc-ip] -request

Output to file for cracking
$ impacket-GetUserSPNs [domain]/[user]:[password] -dc-ip [dc-ip] -request -outputfile [hashes.txt]

Use NTLM hash
$ impacket-GetUserSPNs -hashes :[hash] [domain]/[user] -dc-ip [dc-ip]

SYNOPSIS

impacket-GetUserSPNs [options] target

DESCRIPTION

impacket-GetUserSPNs, part of the Impacket toolkit, finds user accounts that have SPNs (Service Principal Names) and requests Kerberos service tickets for them. It is used for Kerberoasting attacks, where the requested TGS tickets can be cracked offline. For authorized security testing only.

PARAMETERS

-dc-ip ip
Domain controller IP.
-request
Request TGS tickets.
-outputfile file
Save tickets to file.
-hashes lm:nt
Use NTLM hashes.
-k
Use Kerberos authentication.
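
DETECTION EXAMPLE

When Kerberos service ticket auditing is enabled, each ticket requested with -request is recorded on the domain controller as Security event 4769, so one account requesting tickets for many SPN-bearing user accounts in a short burst stands out. The detection logic below is an added example, not part of the original page or of Impacket; the sample events, the 60-second window, the three-service threshold and the RC4 (0x17) filter are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

def _ev(time, user, service, etype, ip):
    """Build one constructed event 4769 record (field names as in the Security log)."""
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample data, not taken from any real environment.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "10.0.0.50"),
    _ev("2024-05-01T10:00:02", "jdoe@CORP.EXAMPLE", "svc_web", "0x17", "10.0.0.50"),
    _ev("2024-05-01T10:00:02", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17", "10.0.0.50"),
    _ev("2024-05-01T10:00:04", "jdoe@CORP.EXAMPLE", "svc_iis", "0x17", "10.0.0.50"),
    _ev("2024-05-01T10:03:00", "asmith@CORP.EXAMPLE", "svc_sql", "0x12", "10.0.0.61"),
    _ev("2024-05-01T10:03:05", "asmith@CORP.EXAMPLE", "FILE01$", "0x12", "10.0.0.61"),
    _ev("2024-05-01T10:07:00", "bob@CORP.EXAMPLE", "svc_web", "0x17", "10.0.0.72"),
]

def flag_spn_sweeps(events, window=timedelta(seconds=60), min_services=3):
    """Return {(requester, source_ip): [services]} for bursts of RC4 tickets
    requested for several distinct user-account services inside one window."""
    per_requester = defaultdict(list)
    for ev in events:
        service = ev.get("ServiceName", "")
        if ev.get("EventID") != 4769 or not service:
            continue
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # computer accounts and krbtgt requests are routine traffic
        if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ts, service))

    findings = {}
    for key, requests in per_requester.items():
        requests.sort()
        start = 0
        for end, (ts, _) in enumerate(requests):
            while ts - requests[start][0] > window:
                start += 1  # slide the window forward
            services = sorted({s for _, s in requests[start:end + 1]})
            # Keep the largest burst seen for this requester.
            if len(services) >= max(min_services, len(findings.get(key, [])) + 1):
                findings[key] = services
    return findings
```

Accounts restricted to AES return AES tickets, so widen or drop the encryption-type filter where RC4 is already disabled.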
