Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Service Principals

Information

Service Principal Names map Kerberos service tickets to the account that runs a service. When a client requests a TGS for cifs/ws01.ootw.local, the KDC looks up that SPN in AD and encrypts the service ticket with the key of the account that owns it.

We use SPNs to answer three operational questions: what services exist, which account owns the service key, and what ticket should be requested for the action we want. The exact SPN matters. SMB wants cifs/host, LDAP wants ldap/dc, SQL wants MSSQLSvc/host:port, WinRM commonly uses HTTP/host, and RDP uses TERMSRV/host.

SPNs connect several AD attack paths. Kerberoasting requests service tickets for user-owned SPNs and cracks them offline. Targeted Kerberoasting temporarily adds an SPN to a controlled user. Silver Tickets forge service tickets when the service account key is known. Delegation and RBCD depend on requesting usable service tickets to specific SPNs. Service-name substitution abuses cases where one service class can be swapped for another service class on the same host or same account key.

Tools used in this section include setspn, Impacket, Rubeus, PowerView, bloodyAD, targetedKerberoast, NetExec, and BloodHound.