Active Directory SPN Scanning using ADSI (Part 3)
This post explains how to scan an Active Directory environment for SPNs using ADSI.
A Service Principal Name (SPN) is a unique identifier of a service instance. It links an AD object (a service account, user, computer, etc.) with the service that object runs, so enumerating SPNs can be used as an alternative to a port scan in an Active Directory environment. Some common SPN service classes are:
CIFS
host
HTTP
https
IMAP
mongod
mongos
MSSQL
MSSQLSvc
SMTP
POP
vnc
vpn
A comprehensive list of SPNs is available here
How to scan for SPN using ADSI?
In Part 2 of this series we covered how to use filters with the ADSI searcher class. We can use its Filter property to search Active Directory for a particular SPN:
$adsiSearcherObj.Filter = "serviceprincipalname=<spn>"
Using the SPN list above and a bit of PowerShell scripting, we can automate this task to search for a wide range of SPNs. The video below demonstrates this, and the PowerShell script can be found here
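The following is an added example (not the post's own script) of automating that filter for an inventory of which accounts have SPNs registered for a set of service classes, so that anything unexpected can be reviewed. It assumes it runs on a domain-joined host as a user with read access to the directory; the service-class list is taken from the list above.

```powershell
# Added example: inventory accounts that have SPNs registered for a set of
# service classes, using the ADSI DirectorySearcher.
# Assumes a domain-joined host and a user who can read the directory.
function Get-SpnInventory {
    param(
        # Service classes to look for; SPNs are stored as "<class>/<host>[:port]"
        [string[]] $ServiceClass = @('CIFS', 'HTTP', 'MSSQLSvc', 'IMAP', 'SMTP', 'vnc')
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]''   # empty path = default naming context of the current domain
    $searcher.PageSize   = 1000       # page results so large domains are not truncated
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('samaccountname', 'objectclass', 'serviceprincipalname'))

    foreach ($class in $ServiceClass) {
        # Match "<class>/..." so that a bare class name does not return an empty result
        $searcher.Filter = "(servicePrincipalName=$class/*)"
        $results = $searcher.FindAll()
        try {
            foreach ($result in $results) {
                $props = $result.Properties
                # An object may carry many SPNs; report only those of the class asked for
                foreach ($spn in $props['serviceprincipalname']) {
                    if ($spn -notlike "$class/*") { continue }
                    [pscustomobject]@{
                        Account     = [string]$props['samaccountname'][0]
                        ObjectClass = [string]@($props['objectclass'])[-1]
                        SPN         = $spn
                    }
                }
            }
        }
        finally {
            $results.Dispose()   # release the LDAP result set
        }
    }
}

# Usage: list every account/SPN pair, grouped by account, for review
Get-SpnInventory | Sort-Object Account, SPN | Format-Table -AutoSize
```

Comparing the output against the list of services that are supposed to exist (change-management records, asset inventory) highlights stale or unexpected registrations.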