impacket-getuserspns

impacket-getuserspns is a specialized script within the Impacket toolkit designed to perform the Kerberoasting attack against Microsoft Active Directory. It leverages legitimate Kerberos functionality to request Ticket Granting Service (TGS) tickets for Service Principal Names (SPNs) that are associated with user accounts.

When a TGS ticket is successfully requested for an SPN, a portion of the ticket is encrypted with the NTLM hash of the service account's password. impacket-getuserspns extracts this encrypted hash, which can then be saved to a file (often in a format compatible with tools like Hashcat or John the Ripper) and subjected to offline password cracking.

This attack is highly effective because it allows an attacker, possessing even low-privileged domain credentials, to obtain potentially crackable password hashes without requiring direct interaction with the target service account's machine or elevated privileges on a Domain Controller. It exploits a common misconfiguration where service accounts are given weak or reused passwords.

• Requires valid domain credentials (even low-privileged) to perform the initial Kerberos TGS request.
• Generates network traffic that can be detected by network monitoring solutions (e.g., IDS/IPS, SIEMs) looking for suspicious Kerberos activity.
• Repeated attempts with incorrect credentials can lead to account lockouts, especially if targeting specific users with -request-user.
• Only targets SPNs associated with user accounts, not computer accounts, as computer account passwords are typically long and random, making them uncrackable.
• Offline cracking of the extracted hashes can be computationally intensive and time-consuming, depending on password complexity and available cracking resources.

Kerberoasting is an attack where an attacker attempts to extract Active Directory user password hashes from Kerberos service tickets (TGS-REP messages). It exploits the fact that any authenticated domain user can request a TGS ticket for any registered Service Principal Name (SPN). If an SPN is associated with a user account, the TGS ticket is encrypted with the NTLM hash of that user's password. The attacker can then take this encrypted portion offline and brute-force or dictionary-attack the hash to recover the plaintext password.

The hashes extracted by impacket-getuserspns are typically output in a format suitable for widely-used password cracking tools. For Hashcat, this often means a format similar to $krb5tgs$23$*user$service$domain$hash, where the various fields provide context for the cracking process.

To defend against Kerberoasting, organizations should:

• Enforce strong, unique passwords for all service accounts, especially those associated with SPNs.
• Regularly rotate service account passwords.
• Monitor for anomalous Kerberos Ticket Granting Service (TGS) requests, particularly those from unusual sources or for a large number of SPNs.
• Where possible, utilize Group Managed Service Accounts (gMSAs) or Managed Service Accounts (MSAs) for services. These account types have automatically managed, complex passwords that are difficult to compromise via Kerberoasting.
• Ensure service accounts have the 'Do not require Kerberos preauthentication' setting disabled unless absolutely necessary for specific legacy services.

impacket-getuserspns is a component of the widely-used Impacket Python library, developed by SecureAuth Corporation. Impacket is a collection of tools and classes for programmatically working with network protocols. This specific script implements the Kerberoasting attack, a technique that gained significant attention and widespread adoption in offensive security, particularly after public presentations and tools by researchers like Harmj0y. Its development reflects the ongoing evolution of attack vectors against Active Directory, providing a robust and accessible method for extracting password hashes from service accounts.

impacket-getnpusers, hashcat, john, setspn(8)