LinuxCommandLibrary

impacket-getuserspns

Request and retrieve Service Principal Names (SPNs)

TLDR

View documentation for the original command

$ tldr GetUserSPNs.py

SYNOPSIS

impacket-getuserspns [options] domain/user[:password]

PARAMETERS

--kdcHost KDC_HOST
    KDC hostname or IP (defaults to domain DNS)

-dc-ip IP
    Domain controller IP address

-target-ip IP
    Target machine IP address

-request
    Request and output TGS tickets/hashes

--format {hashcat,john,easy}
    Hash output format

-outputfile FILE
    Base output filename for tickets/hashes

-usersfile FILE
    File listing specific usernames to query

-nthash NTHASH
    NTLM hash for pass-the-hash authentication

-aesKey HEXKEY
    AES-256 key in hex for Kerberos auth

DESCRIPTION

impacket-getuserspns is a penetration testing tool from the Impacket suite for discovering user accounts in Active Directory that have Service Principal Names (SPNs) configured. SPNs link service instances to accounts and are commonly used for services running under user credentials.

It queries LDAP on a domain controller to list users and their SPNs, which aids Kerberoasting attacks. With valid domain credentials (username/password or hash), attackers request TGS tickets for these SPNs. The tickets are encrypted using the SPN account's password hash, which enables offline cracking with tools like Hashcat or John.

Usage involves specifying a target as domain/user:password, optionally filtering users or requesting tickets directly. Outputs include SPN details and, with -request, crackable hash strings in the specified format. The tool is essential for red teaming AD environments but requires network access to a DC.

CAVEATS

Requires valid AD credentials or a hash and network access to DC ports 88/389/636. Intended for authorized pentesting only; may trigger EDR alerts.

EXAMPLE USAGE

Enumerate SPNs: impacket-getuserspns domain.com/user:Pass123
Request hashes: impacket-getuserspns -request --format hashcat -dc-ip 10.10.10.10 domain.com/user:Pass123

KERBEROASTING WORKFLOW

1. Run tool to list SPNs.
2. Use -request for $krb5tgs$ hashes.
3. Crack with hashcat -m 13100 hashes.txt wordlist.txt.
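
Defender's view of step 2, as an added example that is not part of the original page or of Impacket: a burst of RC4 (etype 0x17) service-ticket requests from one account for several user-run services is the usual trace of this workflow in Windows Security event 4769. The field names follow event 4769; the events, the 5-minute window and the threshold of 3 are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # etype 23; AES tickets show 0x11 or 0x12
WINDOW = timedelta(minutes=5)   # assumption: tune to your environment
THRESHOLD = 3                   # assumption: distinct services per requester

FIELDS = ("time", "TargetUserName", "IpAddress", "ServiceName",
          "TicketEncryptionType", "Status")
# Constructed sample 4769 events, not real logs.
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2024-05-01T10:00:01", "user@DOMAIN.COM", "10.10.10.50", "svc_sql", "0x17", "0x0"),
    ("2024-05-01T10:00:02", "user@DOMAIN.COM", "10.10.10.50", "svc_web", "0x17", "0x0"),
    ("2024-05-01T10:00:02", "user@DOMAIN.COM", "10.10.10.50", "svc_backup", "0x17", "0x0"),
    ("2024-05-01T10:01:00", "alice@DOMAIN.COM", "10.10.10.21", "svc_sql", "0x12", "0x0"),
    ("2024-05-01T10:02:00", "alice@DOMAIN.COM", "10.10.10.21", "FILESRV01$", "0x17", "0x0"),
    ("2024-05-01T08:00:00", "bob@DOMAIN.COM", "10.10.10.22", "svc_sql", "0x17", "0x0"),
    ("2024-05-01T11:00:00", "bob@DOMAIN.COM", "10.10.10.22", "svc_web", "0x17", "0x0"),
    ("2024-05-01T14:00:00", "bob@DOMAIN.COM", "10.10.10.22", "svc_backup", "0x17", "0x0"),
]]

def is_candidate(ev):
    """Successful RC4 ticket for a service run by a user account."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")          # skip machine accounts
            and svc.lower() != "krbtgt")

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Flag requesters that hit >= threshold distinct services within window."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            by_requester[key].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = []
    for (user, source), hits in by_requester.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                      # slide the window forward
            services = {svc for _, svc in hits[start:end + 1]}
            if len(services) >= threshold:
                alerts.append({"requester": user, "source": source, "services": sorted(services)})
                break
    return alerts
```

Moving service accounts to AES-only encryption makes any remaining 0x17 request stand out, which lets the threshold be lowered.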

HISTORY

Developed as part of Impacket by SecureAuth (now Fox-IT). GetUserSPNs.py was introduced around 2014, alongside the Kerberoasting technique popularized by researchers like Tim Tomes, and evolved with Impacket v0.9+ to include binary wrappers like impacket-getuserspns.

SEE ALSO

ldapsearch(1), wbinfo(1), kinit(1)
