Get-DomainSPNTicket

SYNOPSIS

Request the kerberos ticket for a specified service principal name (SPN).

Author: machosec, Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf

SYNTAX

RawSPN (Default)

Get-DomainSPNTicket [-SPN] <String[]> [-OutputFormat <String>] [-Credential <PSCredential>]

User

Get-DomainSPNTicket [-User] <Object[]> [-OutputFormat <String>] [-Credential <PSCredential>]

DESCRIPTION

This function will either take one/more SPN strings, or one/more PowerView.User objects (the output from Get-DomainUser) and will request a kerberos ticket for the given SPN using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. The encrypted portion of the ticket is then extracted and output in either crackable John or Hashcat format (deafult of John).

EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

Get-DomainSPNTicket -SPN "HTTP/web.testlab.local"

Request a kerberos service ticket for the specified SPN.

-------------------------- EXAMPLE 2 --------------------------

"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket

Request kerberos service tickets for all SPNs passed on the pipeline.

-------------------------- EXAMPLE 3 --------------------------

Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat

Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format.

PARAMETERS

-SPN

Specifies the service principal name to request the ticket for.

Type: String[]
Parameter Sets: RawSPN
Aliases: ServicePrincipalName

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-User

Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for.

Type: Object[]
Parameter Sets: User
Aliases: 

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-OutputFormat

Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. Defaults to 'John'.

Type: String
Parameter Sets: (All)
Aliases: Format

Required: False
Position: Named
Default value: John
Accept pipeline input: False
Accept wildcard characters: False

-Credential

A [Management.Automation.PSCredential] object of alternate credentials for connection to the remote domain using Invoke-UserImpersonation.

Type: PSCredential
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False

INPUTS

• String

Accepts one or more SPN strings on the pipeline with the RawSPN parameter set.

• PowerView.User

Accepts one or more PowerView.User objects on the pipeline with the User parameter set.

OUTPUTS

• PowerView.SPNTicket

Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.