LinuxCommandLibrary

impacket-getuserspns

Request and retrieve Service Principal Names (SPNs)

TLDR

View documentation for the original command

$ tldr GetUserSPNs.py

SYNOPSIS

impacket-getuserspns [options] target

PARAMETERS

-dc-ip
    IP Address of the domain controller. If omitted, the script will try to find one automatically.

-request
    Requests the TGS for the SPNs found. If not specified, the SPNs are just listed.

-outputfile
    Base output filename to store the cracked tickets. Extensions will be .ccache or .krb5 depending on the format used.

-ts
    Adds timestamp to the output filename.

-format
    Format for the tickets (KRB5|CCACHE). Default: KRB5.

-userfile
    File containing list of users to query for SPNs (one account per line).

-spnfile
    File containing list of SPNs to query (one SPN per line).

-debug
    Turn DEBUG output ON

target
    [[domain/]username[:password]@]

DESCRIPTION

impacket-getuserspns is a Python script, part of the Impacket library, designed to query a domain controller and retrieve a list of Service Principal Names (SPNs) associated with user accounts. This is a crucial step in Kerberoasting attacks, as it allows attackers to identify accounts running services and subsequently attempt to crack the Kerberos tickets associated with those SPNs.

The script leverages the Directory Service Remote Protocol (DS-RPC) to enumerate user accounts and their corresponding SPNs. By default, it attempts to retrieve all SPNs, but it can be filtered to target specific user accounts or SPNs. The retrieved SPNs can then be used to request Kerberos tickets for those services, which can be cracked offline to obtain the account passwords.

This tool is essential for penetration testers and security researchers to assess the Kerberos configuration of a domain and identify potential vulnerabilities related to weak or default passwords. It aids in discovering accounts that are suitable targets for Kerberoasting attacks and helps in mitigating those risks. Proper use of this tool and timely password updates are essential to ensure enterprise security.

CAVEATS

This script requires valid domain credentials and proper permissions to query Active Directory. Excessive use without proper rate limiting may trigger account lockout policies. It's crucial to only target environments where you have explicit authorization to perform penetration testing.

SPN FUNDAMENTALS

A Service Principal Name (SPN) is a unique identifier for a service instance. Kerberos uses SPNs to associate a service instance with a service logon account. This allows client applications to request authentication for a service without needing to know the actual service account name. Incorrectly configured SPNs or weak service account passwords can lead to security vulnerabilities.

KERBEROASTING

Kerberoasting is an attack technique where an attacker requests Kerberos service tickets for service accounts (identified via their SPNs) and then attempts, offline, to crack the ticket's encrypted portion, which is keyed from the service account's password. This allows attackers to potentially gain access to service accounts and escalate privileges within a domain. impacket-getuserspns facilitates the initial reconnaissance phase of Kerberoasting by identifying available SPNs.
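The defender-side counterpart to the flow above, added here as an example and not part of this page or of Impacket: a small detector that scores Windows Security Event 4769 records ("A Kerberos service ticket was requested") for a Kerberoasting burst, one requester obtaining tickets for many distinct user service accounts in a short window, with RC4-HMAC (0x17) tickets counted as an aggravating signal. The event records are constructed; the field names follow the 4769 event XML.

```python
"""Kerberoasting burst detector over Windows Security Event 4769 records.
Added example, not Impacket code. Indicators scored:
  * one account requesting tickets for many distinct *user* service accounts
    (computer accounts ending in '$' and krbtgt are normal traffic) in a window
  * tickets issued with RC4-HMAC (TicketEncryptionType 0x17), cheaper to crack
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed records: (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "alice@CORP.LOCAL", "svc_sql", "0x12"),
    ("2024-01-10T09:00:09", "alice@CORP.LOCAL", "FILES01$", "0x12"),
    ("2024-01-10T09:15:00", "bob@CORP.LOCAL", "svc_web", "0x17"),
    ("2024-01-10T09:15:00", "bob@CORP.LOCAL", "krbtgt", "0x12"),
    ("2024-01-10T09:15:01", "bob@CORP.LOCAL", "svc_sql", "0x17"),
    ("2024-01-10T09:15:01", "bob@CORP.LOCAL", "svc_backup", "0x17"),
    ("2024-01-10T09:15:02", "bob@CORP.LOCAL", "WEB01$", "0x17"),
    ("2024-01-10T09:15:02", "bob@CORP.LOCAL", "svc_sccm", "0x17"),
    ("2024-01-10T09:15:03", "bob@CORP.LOCAL", "svc_exchange", "0x17"),
]

def is_user_service(name):
    """Kerberoasting targets user accounts with SPNs; skip machines and the KDC."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect_kerberoast(events, window=timedelta(minutes=5), min_services=5):
    """Return {requester: {"services": [...], "rc4": n}} for requesters that
    obtained tickets for >= min_services distinct user service accounts within
    one sliding window; rc4 counts how many of those tickets used RC4-HMAC."""
    by_requester = defaultdict(list)
    for ts, requester, service, etype in events:
        if is_user_service(service):
            by_requester[requester].append((datetime.fromisoformat(ts), service, etype))
    flagged = {}
    for requester, reqs in by_requester.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide window forward
                start += 1
            span = reqs[start:end + 1]
            services = {s for _, s, _ in span}
            if len(services) >= min_services:
                rc4 = sum(1 for _, _, e in span if e == RC4_HMAC)
                flagged[requester] = {"services": sorted(services), "rc4": rc4}
                break
    return flagged

if __name__ == "__main__":
    for who, hit in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"{who}: {len(hit['services'])} user SPN accounts, {hit['rc4']} RC4 tickets")
```

The thresholds are deliberately conservative defaults; tune `window` and `min_services` against a baseline of your own 4769 volume before alerting on them.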

HISTORY

impacket-getuserspns is part of the Impacket suite, a collection of Python classes for working with network protocols. The script was developed to automate the discovery of SPNs, facilitating Kerberoasting attacks for penetration testing purposes. It has evolved over time with improvements in efficiency and features related to ticket requesting and format handling. Its usage has become widespread among security professionals for auditing and exploiting Kerberos configurations.

SEE ALSO

impacket-GetUserSPNs(1), impacket-ticketer(1)
