ghostSPN is a Python utility for identifying "ghost" Service Principal Names (SPNs) in Active Directory: SPNs that are still registered on user or computer accounts but whose host part no longer resolves in DNS or matches a computer object in the domain. It helps defenders uncover stale or orphaned SPNs that attackers can abuse for Kerberos-based privilege escalation, since a dangling hostname or SPN that nobody legitimately owns is one an attacker may be able to claim and redirect authentication to.
- Enumerates SPNs via LDAP with paging and filtering optimizations.
- Flags high-risk services (HTTP, MSSQL, TERMSRV, and more).
- Optional DNS resolution checks with caching to reduce false positives.
- Parallel host lookups and AD correlation to confirm legitimate targets.
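The classification those bullets describe, as an added example rather than ghostSPN's own code: parse each `servicePrincipalName` value into service class, host and port, qualify short hostnames with the domain, check the host against DNS and against the domain's computer objects, and rank anything that matches neither. The DNS and AD lookups are stood in for by constructed in-memory sets so the example runs offline; the sample SPN list, the set of high-risk service classes beyond HTTP, MSSQLSvc and TERMSRV, and the `corp.local` domain are all assumptions.

```python
"""Added example (not ghostSPN's own code): classify SPNs as ghosts.

A ghost SPN is one whose host part neither resolves in DNS nor matches a
computer object in AD.  Both lookups are replaced by constructed in-memory
sets here so the example runs offline.
"""
from dataclasses import dataclass
from typing import Optional

# Service classes treated as high-impact targets.  HTTP, MSSQLSvc and TERMSRV
# come from the README; the remaining entries are assumptions.
HIGH_RISK_CLASSES = {"http", "mssqlsvc", "termsrv", "cifs", "host", "wsman", "ldap"}

# Constructed stand-ins for the real lookups: names that resolve in DNS, and
# dNSHostName values of computer objects that still exist in AD.
DNS_RESOLVES = {"web01.corp.local", "sql02.corp.local", "dc01.corp.local"}
AD_COMPUTERS = {"web01.corp.local", "dc01.corp.local", "files03.corp.local"}
DOMAIN = "corp.local"  # assumed domain used to qualify short hostnames


@dataclass
class SpnCheck:
    spn: str
    service_class: str
    host: str
    port: Optional[int]
    high_risk: bool
    in_dns: bool
    in_ad: bool

    @property
    def ghost(self) -> bool:
        # Either a DNS answer or a live computer object counts as a real target.
        return not (self.in_dns or self.in_ad)

    @property
    def severity(self) -> str:
        if not self.ghost:
            return "ok"
        return "high" if self.high_risk else "medium"


def parse_spn(spn: str):
    """Split 'class/host[:port-or-instance][/name]' into (class, host, port).

    A non-numeric suffix after ':' (e.g. MSSQLSvc/host:INSTANCE) is a named
    instance, not a port, so port is None.  IPv6-literal hosts are not handled.
    Returns None for strings that do not have the class/host shape.
    """
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    host, _, suffix = parts[1].partition(":")
    port = int(suffix) if suffix.isdigit() else None
    return parts[0], host, port


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot, qualify short names with the domain."""
    h = host.lower().rstrip(".")
    return h if "." in h else f"{h}.{DOMAIN}"


def check_spn(spn: str, dns=DNS_RESOLVES, computers=AD_COMPUTERS) -> Optional[SpnCheck]:
    parsed = parse_spn(spn)
    if parsed is None:
        return None
    service_class, host, port = parsed
    fqdn = normalize_host(host)
    return SpnCheck(
        spn=spn,
        service_class=service_class,
        host=fqdn,
        port=port,
        high_risk=service_class.lower() in HIGH_RISK_CLASSES,
        in_dns=fqdn in dns,
        in_ad=fqdn in computers,
    )


def find_ghosts(spns, dns=DNS_RESOLVES, computers=AD_COMPUTERS):
    """Return only the ghost SPNs, highest severity first, then by name."""
    checks = (check_spn(s, dns, computers) for s in spns)
    ghosts = [c for c in checks if c is not None and c.ghost]
    rank = {"high": 0, "medium": 1}
    return sorted(ghosts, key=lambda c: (rank[c.severity], c.spn))


# Constructed sample servicePrincipalName values, as an LDAP query would return them.
SAMPLE_SPNS = [
    "HTTP/web01.corp.local",                  # live host: not a ghost
    "HTTP/oldintranet.corp.local",            # no DNS, no computer object: high
    "MSSQLSvc/sql02.corp.local:1433",         # resolves in DNS: not a ghost
    "MSSQLSvc/sql02:SQLEXPRESS",              # short name + instance, qualified to corp.local
    "TERMSRV/retiredrds",                     # short name, unresolvable: high
    "nfs/files03.corp.local",                 # no DNS but computer object exists: not a ghost
    "ldap/legacy-dc.corp.local/corp.local",   # three-part SPN, unresolvable: high
    "nfs/gone-nas.corp.local",                # unresolvable, low-value class: medium
    "malformed",                              # no '/', ignored
]

if __name__ == "__main__":
    for c in find_ghosts(SAMPLE_SPNS):
        print(f"{c.severity:6} {c.spn:40} class={c.service_class} host={c.host}")
```

The point of checking both DNS and AD is visible in the sample: `sql02` is a ghost by the AD criterion alone but still resolves, and `files03` fails DNS but still has a computer object, so each lookup on its own would produce a false positive.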
- pipx (recommended):

  ```bash
  pipx install git+https://github.com/mverschu/ghostSPN.git
  ```
Provide valid Active Directory credentials and target information. The most common invocation is:

```bash
python3 ghostSPN.py --server DC01 --domain corp.local --username bear --password Pass123
```

Any domain account that can read servicePrincipalName attributes is enough; a password passed on the command line is visible in the process list and shell history, so prefer a dedicated low-privilege account for this.
For LDAPS environments enforcing channel binding, use a UPN-style username together with --use-ssl (the example omits --domain because the UPN already carries it):

```bash
python3 ghostSPN.py --server dc01.corp.local --use-ssl --username bear@corp.com --password Pass123 --no-verify
```

--no-verify disables TLS certificate validation. Use it only when the DC's certificate does not chain to a CA the client trusts, and drop it once it does, since without validation the credentials go to whatever host answers on the LDAPS port.
Run ghostspn --help (or python3 ghostSPN.py --help) for the complete list of arguments.
The script prints severity-grouped tables of potential ghost SPNs. When --output is supplied, results are written as CSV or JSON depending on the file extension.