# GetUserSPNs.py

## Purpose

The GetUserSPNs.py tool from the Impacket suite queries a domain for user accounts that have Service Principal Names (SPNs) set. An SPN uniquely identifies a service instance in Active Directory and lets clients request Kerberos service tickets for it. Because any authenticated domain user can request a service ticket for any SPN, a service account protected by a weak password is exposed: an attacker can obtain tickets for it and brute-force the password offline. This tool helps identify such accounts before an attacker does.


## How It Works

The tool uses LDAP to find accounts with a servicePrincipalName attribute, requests a Kerberos service ticket (TGS) for each of them, and prints the encrypted part of each ticket in a format that password-cracking tools accept. Because that part is encrypted with a key derived from the service account's password, it can be tested offline to find weak or compromised credentials. This is known as a Kerberoasting attack.


## Steps to Use GetUserSPNs.py

1. Gather Required Information

  • The domain name (e.g., example.com).
  • Valid credentials for a domain user account (username and password).
  • The IP address of a Domain Controller (optional, but recommended).

2. Run the Command

Execute GetUserSPNs.py with the appropriate arguments to retrieve the SPNs and their associated hashes.


## Command Syntax

```bash
GetUserSPNs.py <domain>/<username>:<password> [-dc-ip <DomainControllerIP>]
```

- <domain>/<username>:<password>: Specifies the domain, username, and password for authentication.
- -dc-ip <DomainControllerIP>: (Optional) Specifies the IP address of a domain controller to use for the query.

## Example Command

Here’s an example command to query SPNs for the example.com domain:

```bash
GetUserSPNs.py example.com/johndoe:Password123 -dc-ip 192.168.1.100
```

This will authenticate using the provided credentials and query the Domain Controller at 192.168.1.100 for SPNs.

## Output

The output will list all service accounts with SPNs, including:

  • Account names.
  • Service Principal Names.
  • Associated Kerberos hashes.

The hashes can then be saved for offline cracking with tools like hashcat or john.

## Additional Options

  • -debug: Enables debug output for troubleshooting:

```bash
GetUserSPNs.py example.com/johndoe:Password123 -dc-ip 192.168.1.100 -debug
```

## Security Implications

The GetUserSPNs.py tool highlights potential risks in SPN configurations. Best practices include:

  • Using long, random, unique passwords for service accounts, since the strength of that password is the only thing protecting a ticket that any domain user can request.
  • Regularly auditing which accounts have SPNs and removing SPNs from accounts that no longer need them.
  • Monitoring for bursts of service-ticket requests (Windows Security event ID 4769) from a single account, especially requests for RC4-encrypted tickets.

By leveraging GetUserSPNs.py, organizations can proactively identify and address Kerberoasting vulnerabilities in their Active Directory environment.