Connection Issues with Impacket-GetUserSPNs on Active Directory Enumeration

Hello everyone,

I’ve been working on the Active machine and encountered a problem while trying to use Impacket’s GetUserSPNs tool. Here’s a brief overview of what I’ve done and where I’m stuck:

  1. Initial Setup and Enumeration: I successfully ran an Nmap scan on the target and identified several open ports and services, including Kerberos, LDAP, and SMB. I added the domain to my hosts file and used smbclient to access the Replication share, where I found the Groups.xml file containing encrypted credentials.

  2. Credentials Decryption: Using the decrypted credentials from the Groups.xml file, I was able to authenticate and perform further enumeration with smbmap and ldapsearch.

  3. Using GetUserSPNs: The problem arose when I attempted to use GetUserSPNs to extract service principal names and their corresponding hashes. The command I used was:

    sudo impacket-GetUserSPNs active.htb/svc_tgs -dc-ip 10.10.10.100 -request

    However, I received the following error:

    [-] Principal: active.htb\Administrator - [Errno 104] Connection reset by peer

This error seems to indicate a network-level issue where the connection to the domain controller was unexpectedly closed by the server.

What I’m looking for:

  • Insights into why this error might be occurring and how to resolve it.
  • Recommendations for other tools or methods that could be used to achieve the same goal if Impacket’s GetUserSPNs continues to fail.

Any help or suggestions from the community would be greatly appreciated!

Thank you in advance for your assistance!