SPN Scanning - Stealthy Port Scanning

Microsoft defines a Service Principal Name (SPN) as the name by which a Kerberos client identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

There are a number of services that support Kerberos authentication, and each of them requires an SPN. A few examples of these services are, but are not limited to, Exchange, HTTP, LDAP, and SQL. When performing an internal penetration test or a red teaming exercise where stealth is important to the engagement, an attacker can query these SPNs from the Domain Controller and does not have to perform port scanning across the network. A port scan requires the attacker to attempt a connection to every port across multiple addresses to enumerate running services, which can be very loud on an internal network. SPNs, by contrast, are queried almost constantly in an Active Directory environment as clients request access to services, so these lookups do not stand out. An attacker who needs to find particular services on the network can therefore use SPNs to perform stealthy reconnaissance. Since the domain controller is caching these SPNs, the results also come back much quicker than a port scan would; many times results are returned in under a few seconds.

SPN Format

From Microsoft TechNet the format of an SPN is as follows:

serviceclass/host:port servicename

serviceclass and host are required, but port and servicename are optional. The colon between host and port is required only when a port is present.

Examples of SPN registrations:

HTTP/www.contoso.com - Web server on the standard port
HTTP/www.contoso.com:8080 - Web server on a non-standard port
HOST/WORKSTATION5 - Any service running on the workstation, registered under its NetBIOS name
HOST/SERVER7.contoso.com - Any service running on the server, registered under its DNS name
TERMSRV/FRONTRM.contoso.com - Remote Desktop Protocol (RDP)
MSSQLSvc/SQLSERVER2.fabrikam.com:1433 - SQL Server on port 1433
cifs/KHWIN7.fabrikam.com - File share (CIFS)
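As an added illustration (not code from the original post), here is a small Python parser for the SPN format just described, plus two helpers a defender can use when auditing what a domain advertises: one inventories which hosts register which service class, the other flags registrations on non-default ports. The sample SPNs are constructed from the examples above, and the default-port table passed to nonstandard_ports is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# TechNet format from above: serviceclass/host[:port][ servicename].
# serviceclass and host are required; port and servicename are optional.
SPN_RE = re.compile(
    r"^(?P<serviceclass>[^/\s]+)/(?P<host>[^:/\s]+)"
    r"(?::(?P<port>\d{1,5}))?(?:\s+(?P<servicename>\S+))?$"
)

@dataclass(frozen=True)
class SPN:
    serviceclass: str
    host: str  # normalised to lower case; DNS and NetBIOS names are case-insensitive
    port: Optional[int]
    servicename: Optional[str]

def parse_spn(text: str) -> SPN:
    """Parse one SPN string, rejecting anything outside the documented format."""
    m = SPN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid SPN: {text!r}")
    port = int(m["port"]) if m["port"] else None
    return SPN(m["serviceclass"], m["host"].lower(), port, m["servicename"])

def inventory(spns: List[str]) -> Dict[str, List[str]]:
    """Map each service class (upper-cased for grouping) to the sorted hosts registering it."""
    by_class: Dict[str, set] = {}
    for s in spns:
        p = parse_spn(s)
        by_class.setdefault(p.serviceclass.upper(), set()).add(p.host)
    return {k: sorted(v) for k, v in sorted(by_class.items())}

def nonstandard_ports(spns: List[str], defaults: Dict[str, int]) -> List[str]:
    """Return SPNs whose explicit port differs from the assumed default for that class."""
    flagged = []
    for s in spns:
        p = parse_spn(s)
        default = defaults.get(p.serviceclass.upper())
        if p.port is not None and default is not None and p.port != default:
            flagged.append(s)
    return flagged

# Constructed sample, taken from the example registrations listed above.
SAMPLE_SPNS = ["HTTP/www.contoso.com", "HTTP/www.contoso.com:8080", "HOST/WORKSTATION5",
               "HOST/SERVER7.contoso.com", "TERMSRV/FRONTRM.contoso.com",
               "MSSQLSvc/SQLSERVER2.fabrikam.com:1433", "cifs/KHWIN7.fabrikam.com"]
```

Feed it the SPN strings from a `setspn -Q */*` run (one per line, stripped of the account DNs) to get the same inventory for a real domain.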

Viewing or Checking SPN Registrations

To check the SPNs that are registered for a specific computer from that computer, you can run the following commands from a command prompt:

  • setspn -L hostname - Substitute the computer's actual hostname for hostname (to see the hostname, type hostname at a command prompt). For example, if you typed hostname at the command prompt and the computer reported the name ContosoDC1, you could then type setspn -L contosoDC1 to see what SPNs are registered for that hostname.
  • setspn -L localhost - This command checks registrations for the account localhost, a name that refers to the local computer.
  • If you want to check all the SPNs registered in the domain using setspn, type setspn -Q */* at a PowerShell or command prompt.

An example of an SPN scan in a lab environment looks like the following:  

Source: https://adsecurity.org/wp-content/uploads/2015/04/Discover-PSMSSQLServers-ADSECLab.png

Hopefully this will help on future engagements to scan an internal network without having to perform a lengthy and noisy port scan. Until next time, always be collecting data.

Sources and Inspiration: