What is SetSPN?

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article mainly shows you what SetSPN is. The content is easy to understand and clearly laid out, and we hope it helps resolve your doubts. Follow the editor through the study of this article, "What is SetSPN?"

Kerberos is a security protocol that supports ticket-based authentication. If a client computer's authentication request contains valid user credentials and a service principal name (SPN), the Kerberos authentication server grants a ticket in response to the request. The client computer then uses that ticket to access the network resource. Inside a network, SPN scanning performs service discovery through queries to the domain controllers. For a red team, this identifies hosts running important services, such as terminal servers, Exchange and Microsoft SQL, while remaining stealthy. Identifying SPNs is also the first step of a Kerberoasting attack.

Tim Medin explained SPNs very well in his talk on Kerberos attacks. Sean Metcalf also provides resources about SPNs, including a list of Active Directory service principal names, which can be found at the end of this article.

SetSPN

SetSPN is a native Windows binary that can be used to retrieve the mapping between user accounts and services. The utility can add, remove or view SPN registrations.

setspn -T pentestlab -Q */*

Because a person chose the password, services bound to domain user accounts rather than computer accounts are more likely to have weak passwords, so SPNs tied to user accounts are the usual targets of Kerberoasting. In the following SPN list, the PENTESTLAB_001 service is associated with a user account.
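
From the defender's side, the same facts (user-account SPNs are the Kerberoasting target, and their tickets are requested in bulk) make the pattern detectable in domain controller logs. The following is an added example, not from the original article or any of the tools it names: it runs a simple burst detector over constructed records shaped like Windows Security event 4769 (service ticket requested), flagging one source that asks for RC4 tickets (encryption type 0x17) for several distinct user-account SPNs in a short window. The event fields, account names, IPs and thresholds are all assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records shaped like Windows Security event 4769. Fields:
# timestamp, requesting account, service name (the SPN's owning account),
# ticket encryption type, client address. Made-up sample data, not real logs.
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "alice", "SQLSVC",         "0x17", "10.0.0.55"),
    ("2024-05-01T09:00:01", "alice", "HTTPSVC",        "0x17", "10.0.0.55"),
    ("2024-05-01T09:00:02", "alice", "PENTESTLAB_001", "0x17", "10.0.0.55"),
    ("2024-05-01T09:00:03", "alice", "WS01$",          "0x12", "10.0.0.55"),  # computer account
    ("2024-05-01T11:30:00", "bob",   "SQLSVC",         "0x12", "10.0.0.77"),  # normal AES use
    ("2024-05-01T12:00:00", "bob",   "HTTPSVC",        "0x12", "10.0.0.77"),
]

RC4_ETYPE = "0x17"  # RC4-HMAC: the ticket type offline cracking tools prefer


def detect_kerberoasting(events, window_seconds=300, threshold=3):
    """Return (account, client, services) for every source that requested RC4
    service tickets for `threshold` or more distinct user-account SPNs within
    one window. Computer accounts (names ending in '$') are ignored because,
    as the article notes, they are not the usual Kerberoasting target."""
    by_src = defaultdict(list)
    for ts, account, service, etype, client in events:
        if etype != RC4_ETYPE or service.endswith("$"):
            continue
        by_src[(account, client)].append((datetime.fromisoformat(ts), service))

    alerts = []
    for (account, client), reqs in by_src.items():
        reqs.sort()  # chronological order for the sliding window
        for i, (start, _) in enumerate(reqs):
            seen = {svc for t, svc in reqs[i:]
                    if (t - start).total_seconds() <= window_seconds}
            if len(seen) >= threshold:
                alerts.append((account, client, sorted(seen)))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for account, client, services in detect_kerberoasting(SAMPLE_4769):
        print(f"possible kerberoasting: {account} from {client} -> {services}")
```

In a real deployment the threshold and window should be tuned against the normal rate of service ticket requests in the domain, and accounts that legitimately use RC4 should be baselined first.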

GetUserSPNs

Tim Medin developed a PowerShell script, part of the kerberoast toolkit, that queries Active Directory for services associated only with user accounts.

powershell_import /root/Desktop/GetUserSPNs.ps1

There is also a VBS script in the same toolkit that provides the same information. It can be run from the Windows command prompt with the native Windows binary cscript.

cscript.exe GetUserSPNs.vbs

PowerShell AD Recon

In addition to Tim Medin's tools, Sean Metcalf has developed several PowerShell scripts for Kerberos reconnaissance. These scripts are part of the PowerShell AD Recon repository and can query Active Directory for services such as Exchange, Microsoft SQL and Terminal Services. Sean has bound each script to a specific service, depending on the SPN you want to discover. The following script identifies all Microsoft SQL instances on the network.

powershell_import /root/Discover-PSMSSQLServers.ps1
powershell_execute Discover-PSMSSQLServers

The PSMSExchangeServers script can likewise be used to find Microsoft Exchange servers.

powershell_import /root/Discover-PSMSExchangeServers.ps1
powershell_execute Discover-PSMSExchangeServers

Enumerating service accounts is important because they may be configured with weak passwords. The PasswordLastSet and LastLogon properties point to the service accounts that are most likely to have a weak password.

powershell_import /root/Find-PSServiceAccounts.ps1
powershell_execute Find-PSServiceAccounts

Empire

PowerShell Empire also has a module that displays the service principal names (SPNs) of domain accounts.

usemodule situational_awareness/network/get_spn

These services will be presented in the following format.

PowerShellery

Before the Get-SPN module was added to Empire, Scott Sutherland had created several PowerShell scripts as part of PowerShellery to collect SPNs for various services. Some of them require PowerShell v2.0, others PowerShell v3.0.

Get-SPN -type service -search "*"

The output can also be converted to a table for easier reading.

Get-SPN -type service -search "*" -List yes | Format-Table

Here is another script that returns the UserSID, the services and the actual users for us.

Import-Module .\Get-DomainSpn.psm1
Get-DomainSpn

Impacket

Service principal names (SPNs) can also be enumerated from a system that has never joined the domain; the Python version of GetUserSPNs in the Impacket toolkit does this for us. Token-based authentication cannot be used here, so valid domain credentials are required to communicate with Active Directory.

./GetUserSPNs.py -dc-ip 10.0.0.1 pentestlab.local/test

The above is all the content of this article, "What is SetSPN?" Thank you for reading! We believe you now have a certain understanding of the topic and hope the shared content helps you. If you want to learn more, you are welcome to follow the industry information channel!
