How to modify servicePrincipalName

CravateRouge / bloodyAD

BloodyAD is an Active Directory Privilege Escalation Framework

MIT License

1.19k stars 114 forks source link

How to modify servicePrincipalName #13

Closed Labster22 closed 2 years ago

Labster22 commented 2 years ago

first, I query the spn python3 bloodyAD.py -d redteam.com -u user001 -p '123.com' --host 10.10.1.10 getObjectAttributes 'CN=TEST,CN=Computers,DC=redteam,DC=com' serviceprincipalname

then I try to use this to modify spn, but it's not working python3 bloodyAD.py -d redteam.com -u user001 -p '123.com' --host 10.10.1.10 setAttribute 'CN=TEST,CN=Computers,DC=redteam,DC=com' servicePrincipalName '["RestrictedKrbHost/TEST","HOST/TEST","test1/test2"]'

CravateRouge commented 2 years ago

I see two possibilities:

Your service class (\<service class>/\<host>) isn't known by the AD so it doesn't work
The SPN test1/test2 already exists on another object For more information see: https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names and https://docs.microsoft.com/en-us/windows/win32/ad/name-formats-for-unique-spns