A Service Principal Name (SPN) is a unique identifier for a service instance. It links an AD object (a service account, user, computer etc.) with the service that object runs. Because SPNs are stored in the directory, querying them can serve as an alternative to a port scan in an Active Directory environment: the services are discovered from their registrations rather than by probing hosts. Some common SPN service classes are:
- CIFS
- host
- HTTP
- https
- IMAP
- mongod
- mongos
- MSSQL
- MSSQLSvc
- SMTP
- POP
- vnc
- vpn
A comprehensive list of SPNs is available here.
How to scan for SPN using ADSI?
In Part 2 of this series we covered how to use filters with the ADSI Searcher class. We can use the Filter property to search Active Directory for a particular SPN:
$adsiSearcherObj.Filter = "serviceprincipalname=<spn>"
Using the SPN list above and a bit of PowerShell scripting, we can automate this task to search for a wide range of SPNs. The video below demonstrates this, and the PowerShell script can be found here.
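One way to automate the search described above, written here as an added example rather than the post's own script: it loops over the service classes listed earlier, queries each with a DirectorySearcher filter, and returns the matching accounts as objects that can be exported or compared against an approved service inventory. It assumes it runs on a domain-joined host as a domain user; the function name, the parameter names and the optional search base are this example's own choices.

```powershell
# Added example, not the post's script: find AD objects holding an SPN for each
# service class in the list above. Assumes a domain-joined host and domain user.
$spnClasses = 'CIFS','host','HTTP','https','IMAP','mongod','mongos',
              'MSSQL','MSSQLSvc','SMTP','POP','vnc','vpn'

function Find-SpnByClass {
    param(
        [Parameter(Mandatory)] [string[]] $ServiceClass,
        # Optional LDAP path to narrow the search, e.g. 'LDAP://OU=Servers,DC=example,DC=local'
        # (placeholder value; omit to search the current domain).
        [string] $SearchBase
    )
    foreach ($class in $ServiceClass) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        if ($SearchBase) { $searcher.SearchRoot = [ADSI]$SearchBase }

        # An SPN has the form <class>/<host>[:port][/name], so match the class
        # followed by '/'. Parentheses make this a well-formed LDAP filter; it is
        # equivalent to the unparenthesised form shown in the text.
        $searcher.Filter = "(servicePrincipalName=$class/*)"

        # Page the results so domains with more than 1000 matches are not truncated.
        $searcher.PageSize = 1000
        $searcher.PropertiesToLoad.AddRange(@('samAccountName','objectClass','servicePrincipalName'))

        foreach ($result in $searcher.FindAll()) {
            # An account can hold many SPNs; report only those of the current class.
            $matching = $result.Properties['serviceprincipalname'] | Where-Object { $_ -like "$class/*" }
            foreach ($spn in $matching) {
                [pscustomobject]@{
                    ServiceClass = $class
                    Account      = $result.Properties['samaccountname'][0]
                    ObjectClass  = ($result.Properties['objectclass'] | Select-Object -Last 1)
                    SPN          = $spn
                }
            }
        }
    }
}

# Usage: tabulate every registration, grouped by service class and account.
Find-SpnByClass -ServiceClass $spnClasses |
    Sort-Object ServiceClass, Account |
    Format-Table -AutoSize
```

Piping the output to Export-Csv and diffing it against a known-good baseline turns the same query into a periodic check for unexpected or stale service registrations.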
Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.