Using SPN for recon

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

Whilst on a vendor engagement, Craig from the professional services team at $company advised that he had seen many red teams using SPNs to do recon. This got me thinking and scripting.

https://github.com/liamsomerville/Powershell_SPN_list_servers_in_AD

This really simple script provides a list of hosts offering different services, such as HTTP, DNS, global catalog, etc.

If you want to add more services to this script, merely amend the following line:

$array = @("HTTP", "DNS", "SMTPSVC", "MSSQLSvc", "GC", "ldap", "vnc", "nfs", "CESREMOTE", "POP", "IMAP", "SMTP")
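The same directory query written out in full, as an added example for this post (it is not the script from the linked repository). It assumes a domain-joined host with ordinary read access to AD, queries servicePrincipalName for each class in $array via System.DirectoryServices, and flags SPNs held by user accounts rather than computer accounts, since those service accounts are the ones a defender will most want to review.

```powershell
# Added example (not the repository's script). Enumerates AD objects whose
# servicePrincipalName starts with one of the listed service classes and
# returns one record per (class, host), so what the directory advertises
# can be reviewed. Assumes it runs on a domain-joined host with AD read access.
$array = @("HTTP", "DNS", "SMTPSVC", "MSSQLSvc", "GC", "ldap", "vnc", "nfs", "CESREMOTE", "POP", "IMAP", "SMTP")

function Get-SpnInventory {
    param([string[]]$ServiceClasses = $array)

    # Default naming context of the current domain.
    $root = New-Object System.DirectoryServices.DirectoryEntry

    foreach ($class in $ServiceClasses) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter   = "(servicePrincipalName=$class/*)"
        $searcher.PageSize = 1000   # paged results, so large domains are not truncated
        [void]$searcher.PropertiesToLoad.AddRange(@("servicePrincipalName", "sAMAccountName", "objectClass"))

        foreach ($entry in $searcher.FindAll()) {
            $classes = $entry.Properties["objectclass"]
            # A user account that is not a computer account is a service account with an SPN.
            $isUserAccount = ($classes -contains "user") -and -not ($classes -contains "computer")

            foreach ($spn in $entry.Properties["serviceprincipalname"]) {
                # An object can hold SPNs for several classes; keep only the one queried.
                if ($spn -notlike "$class/*") { continue }

                # SPN format is class/host[:port][/name]; take the host part without the port.
                $hostPart = ((($spn -split "/", 2)[1] -split "/")[0] -split ":")[0]

                [pscustomobject]@{
                    ServiceClass  = $class
                    Host          = $hostPart
                    Account       = [string]$entry.Properties["samaccountname"][0]
                    IsUserAccount = $isUserAccount
                    SPN           = $spn
                }
            }
        }
    }
}

Get-SpnInventory | Sort-Object ServiceClass, Host, Account -Unique | Format-Table -AutoSize
```

Filter the output on IsUserAccount to get the list of service accounts whose SPNs are published, which is the set worth checking for strong passwords or migration to group managed service accounts.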