Abusing Service Principal Names

by Vince
in Blog

"A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name."

I have to be honest, in my many years as an administrator, I've never had to set this up. Though as a penetration tester, I like to understand both sides of what's going on. I've used GetUserSPNs a few times, but the question I've asked myself is -- how did this happen?

I've created a service account and assigned it a weak password. Now I'm going to modify the account properties to register an SPN on it, then list the account properties to verify that the change was applied.

We can also check the attributes from the user account:

Now comes the part where we leverage this (mis)configuration. We need a user account and its password; ANY account will do, since requesting a service ticket for an SPN does not require any sort of privileges.

What we get back is the service ticket for that SPN, which is encrypted with the service account's password hash, so we can crack it offline with Hashcat:

Moments later, the hash is cracked and we have the password for a service account, which typically holds more privilege than an ordinary user account.
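From the defender's side, the request step above leaves a trail: every service ticket request is logged as Windows Security event 4769, including the requesting account, the target service name and the ticket encryption type. Below is an added example (not from the original post) of a small Python detector that flags the pattern of one low-privilege account pulling RC4-encrypted tickets for several user-account SPNs in quick succession. The one-line event rendering, the account and host names, and the threshold of three SPNs are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: simplified one-line renderings of Windows Security
# event 4769 (Kerberos service ticket requested). Not real log data.
SAMPLE_EVENTS = """\
ts=2024-01-01T10:00:01 event=4769 account=alice@CORP.LOCAL service=svc_sql client=10.0.0.5 etype=0x17
ts=2024-01-01T10:00:01 event=4769 account=alice@CORP.LOCAL service=svc_web client=10.0.0.5 etype=0x17
ts=2024-01-01T10:00:02 event=4769 account=alice@CORP.LOCAL service=svc_backup client=10.0.0.5 etype=0x17
ts=2024-01-01T10:00:02 event=4769 account=alice@CORP.LOCAL service=krbtgt client=10.0.0.5 etype=0x12
ts=2024-01-01T10:00:03 event=4769 account=bob@CORP.LOCAL service=FS01$ client=10.0.0.9 etype=0x17
ts=2024-01-01T10:05:00 event=4769 account=carol@CORP.LOCAL service=svc_sql client=10.0.0.7 etype=0x12
"""

RC4_HMAC = 0x17  # ticket encryption type value logged for RC4, the weakest and most crackable
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def is_user_service(service):
    """Tickets for machine accounts (trailing $) and krbtgt are routine noise;
    tickets for user accounts that carry an SPN are the ones worth crack-resistance."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def rc4_user_tickets(events):
    """Every 4769 for a user-account SPN that was issued with RC4 (a single weak signal)."""
    return [e for e in events
            if e.get("event") == "4769" and int(e["etype"], 16) == RC4_HMAC
            and is_user_service(e["service"])]

def kerberoast_suspects(events, threshold=3):
    """Requesters that pulled RC4 tickets for >= threshold distinct user SPNs.
    One account sweeping many SPNs is the enumerate-then-request pattern."""
    spns = defaultdict(set)
    for e in rc4_user_tickets(events):
        spns[(e["account"], e["client"])].add(e["service"])
    return {key: sorted(services) for key, services in spns.items() if len(services) >= threshold}

if __name__ == "__main__":
    for (account, client), services in kerberoast_suspects(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account} from {client} requested RC4 tickets for {len(services)} SPNs: {services}")
```

RC4 on its own is a noisy signal in domains that still run legacy services, which is why the detector only reports a requester once it has touched several distinct user-account SPNs; the same data also points to the mitigation, namely long random passwords (or group managed service accounts) and AES-only tickets for anything carrying an SPN.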