Unexpected Behavior in SPN Modification with --additional Flag #52

@0xmaximus

Hi Dirk-jan, I'm trying to use addspn.py to add an SPN for a new computer account that I created using a normal user, bob.
After adding the new computer with the Impacket tool, I realized that addspn.py might not be working as expected (maybe!).

First I added new computer:

└─$ addcomputer.py -computer-name 'EXAMPLE$' -computer-pass 'password' -dc-host 192.168.8.10 'lab/bob:password'    
Impacket v0.13.0.dev0+20250206.100953.075f2b10 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account EXAMPLE$ with password password.

Then, I tried to add an SPN for EXAMPLE$ using Bob’s credentials:

└─$ python3 addspn.py '192.168.8.10' -u 'lab.local\bob' -p 'password' -t 'EXAMPLE$' --spn 'cifs/notexist.lab.local' 
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[!] Could not modify object, the server reports a constrained violation
[!] You either supplied a malformed SPN, or you do not have access rights to add this SPN (Validated write only allows adding SPNs matching the hostname)
[!] To add any SPN in the current domain, use --additional to add the SPN via the msDS-AdditionalDnsHostName attribute

This is expected behavior. Bob does not have permission to modify the servicePrincipalName attribute directly. So we need to use the --additional flag to modify the msDS-AdditionalDnsHostName attribute:

└─$ python3 addspn.py '192.168.8.10' -u 'lab.local\bob' -p 'password' -t 'EXAMPLE$' --spn 'cifs/notexist.lab.local' -a
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

The output says the SPN was modified, but when checking, there is no SPN set for EXAMPLE$:

Get-DomainComputer EXAMPLE | select samaccountname,serviceprincipalname

samaccountname serviceprincipalname
-------------- --------------------
EXAMPLE$

Trying again without the --additional flag:

└─$ python3 addspn.py '192.168.8.10' -u 'lab.local\bob' -p 'password' -t 'EXAMPLE$' --spn 'cifs/notexist.lab.local'   
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

This time, we got no error. Now, when we check, the SPN is actually set for EXAMPLE$:

Get-DomainComputer EXAMPLE | select samaccountname,serviceprincipalname

samaccountname serviceprincipalname
-------------- --------------------
EXAMPLE$       cifs/notexist.lab.local

What I expected was that using the --additional flag would modify the SPN directly. However, as shown above, we had to run the same command again without --additional for the SPN to be set successfully.
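The following is an added example, not code from the issue author or from krbrelayx: an offline model of the two write paths the report exercises. A direct write to servicePrincipalName is gated by the Validated-SPN write right, which (as this model assumes) only accepts SPNs whose host part matches a name the object already owns: its sAMAccountName without the trailing "$", its dNSHostName, or an entry in msDS-AdditionalDnsHostName. The --additional path never touches servicePrincipalName at all; it only appends the SPN's host part to msDS-AdditionalDnsHostName. Replaying the three invocations above against this model shows the same sequence the reporter saw: the first direct write fails, the --additional write leaves servicePrincipalName empty, and the second direct write succeeds because the host is now in the owned-names set. The ComputerObject class, the helper names and the EXAMPLE$ account without a dNSHostName (as a SAMR-created account would look) are constructed for the example; whether a production DC applies exactly this ownership rule is the model's assumption, not something the issue states.

```python
"""
Offline model of addspn.py's direct servicePrincipalName write versus its
--additional (msDS-AdditionalDnsHostName) write. Constructed example: no LDAP
traffic, and none of this is krbrelayx or Impacket code.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class ComputerObject:
    """Minimal stand-in for an AD computer object (only the attributes that matter here)."""
    sam_account_name: str
    dns_host_name: Optional[str] = None        # SAMR-created accounts have no dNSHostName (assumption)
    service_principal_name: list = field(default_factory=list)
    additional_dns_host_name: list = field(default_factory=list)


class ConstraintViolation(Exception):
    """Stands in for the LDAP constraintViolation result the DC returns."""


def parse_spn(spn: str) -> Tuple[str, str]:
    """Split 'service/host[:port][/name]' into (service, host); raises on malformed input."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host = parts[1].split(":")[0]              # drop an optional port
    return parts[0].lower(), host.lower()


def hostnames_owned_by(obj: ComputerObject) -> Set[str]:
    """Names the Validated-SPN write right lets the object register SPNs for.

    Assumption of this model: sAMAccountName without '$', dNSHostName, and every
    msDS-AdditionalDnsHostName value count as owned names.
    """
    owned = {obj.sam_account_name.rstrip("$").lower()}
    if obj.dns_host_name:
        owned.add(obj.dns_host_name.lower())
    owned.update(h.lower() for h in obj.additional_dns_host_name)
    return owned


def add_spn(obj: ComputerObject, spn: str, additional: bool = False) -> str:
    """Model of the two addspn.py code paths. Returns the attribute that was written."""
    _, host = parse_spn(spn)
    if additional:
        # --additional never writes servicePrincipalName: it only registers the
        # SPN's host part as an extra DNS name the account is allowed to claim.
        if host not in (h.lower() for h in obj.additional_dns_host_name):
            obj.additional_dns_host_name.append(host)
        return "msDS-AdditionalDnsHostName"
    # Direct write: a low-privileged caller only holds the validated write, so the
    # DC rejects any host the object does not own.
    if host not in hostnames_owned_by(obj):
        raise ConstraintViolation(f"{spn}: host {host!r} not owned by {obj.sam_account_name}")
    if spn not in obj.service_principal_name:
        obj.service_principal_name.append(spn)
    return "servicePrincipalName"


def reproduce_issue(spn: str = "cifs/notexist.lab.local") -> dict:
    """Replay the three addspn.py invocations from the report and record what each did."""
    computer = ComputerObject(sam_account_name="EXAMPLE$")   # constructed: no dNSHostName yet
    steps = {}
    try:
        add_spn(computer, spn)
        steps["direct_first"] = "ok"
    except ConstraintViolation:
        steps["direct_first"] = "constraintViolation"
    steps["additional"] = add_spn(computer, spn, additional=True)
    steps["spn_after_additional"] = list(computer.service_principal_name)
    steps["extra_names_after_additional"] = list(computer.additional_dns_host_name)
    steps["direct_second"] = add_spn(computer, spn)
    steps["spn_after_direct_second"] = list(computer.service_principal_name)
    return steps


if __name__ == "__main__":
    for step, result in reproduce_issue().items():
        print(f"{step}: {result}")
```

Reading both attributes back is the check that the report's Get-DomainComputer call does not make: after the -a run, msDS-AdditionalDnsHostName holds the host while servicePrincipalName is still empty, so "SPN Modified successfully" refers to the additional-name attribute, and the SPN itself only appears once the second, direct write is performed.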
