A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.
Whilest on a vendor engagement Craig from professional services of $company advised he had seen many red teams using SPN to do recon - this got me thinking and scripting
This really simple script will provide a list of different services such as http/dns/glocal catalog etc
If you want to add more services in this script merely amend the following
$array = @("HTTP", "DNS", "SMTPSVC", "MSSQLSvc", "GC", "ldap", "vnc", "nfs", "CESREMOTE", "POP", "IMAP", "SMTP")