TA0000基础知识-SPN.md

通过SPN查询域内服务

• SPN Scanning – Service Discovery without Network Port Scanning
• Active Directory: PowerShell script to list all SPNs used
• Discovering Service Accounts Without Using Privileges

通过端口扫描的方式发现服务，需要连接服务机器IP，容易被发现。在域环境中，可以通过LDAP查询SPN，获取域内服务信息。

Powershell

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
 
$search.filter = "(servicePrincipalName=*)"
 
$results = $search.Findall()

foreach($result in $results){
 
       $userEntry = $result.GetDirectoryEntry()
 
       Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black"
 
       Write-host "DN      =      "  $userEntry.distinguishedName
 
       Write-host "Object Cat. = "  $userEntry.objectCategory
 
       Write-host "servicePrincipalNames"
 
       $i=1
 
       foreach($SPN in $userEntry.servicePrincipalName)
 
       {
 
           Write-host "SPN(" $i ")   =      " $SPN       $i+=1
 
       }
 
       Write-host ""
 
}

#Build LDAP Filter to look for users with service account naming conventions
$ldapFilter = "(&(objectclass=Person)(cn=*svc*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"

#Adds list of properties to search for
$objProperties = "name"
Foreach ($i in $objProperties){$search.PropertiesToLoad.Add($i)}

#Execute Search
$results = $search.FindAll()
#Display values from the returned objects
foreach ($result in $results)
{
    $userEntry = $result.GetDirectoryEntry()
    Write-Host "User Name = " $userEntry.name
    Write-Host ""    
}

setspn

Like using setspn to find SPNs linked to a certain computer:

setspn -L

Like using setspn to find SPNs linked to a certain user account:

setspn -L <domain\user>

Ldifde

Ldifde -d "DC=Contoso,DC=Com" -l ServicePrincipalName -F C:\SPN.txt

PowerShell-AD-Recon