SPN scan

0x01 Introduction

Kerberos is a ticket-based authentication protocol. When a client sends the Kerberos authentication server an authentication request that contains valid user credentials and a Service Principal Name (SPN), the server issues a ticket in response, and the client then uses that ticket to access the network resource. On an internal network, SPN scanning discovers services by querying the domain controller. It helps us identify hosts that run important services, such as terminal services, Exchange and Microsoft SQL Server, without port-scanning them. SPN identification is also the first step of a Kerberoasting attack.

0x02 About SPN

A Service Principal Name (SPN) is the unique identifier of a service instance (for example an HTTP or MSSQL service); it is normally registered automatically when the host joins the domain or when the service is installed.

If you install multiple instances of a service on computers throughout a domain or forest, each instance must have its own SPN. A given service instance can also have several SPNs if clients might use several names to authenticate to it. An SPN always includes the name of the host on which the service instance runs, so a service instance can register an SPN for each name or alias of its host.

In one sentence: an SPN is the unique identifier of a service running on a server. Every service that uses Kerberos needs an SPN, and if you want clients to authenticate to a service with the Kerberos protocol, its SPN must be configured correctly.

SPNs fall into two groups: those registered on a machine account in AD (Computers) and those registered on a domain user account (Users).

  • When a service runs as Local System or Network Service, its SPN is registered on the machine account (Computers).

  • When a service runs as a domain user, its SPN is registered on that domain user account (Users).

The distinction matters for Kerberoasting: a service ticket for an SPN is encrypted with the key of the account that owns the SPN, and a domain user's password is usually far weaker than a machine account's long random password, so the user-owned SPNs are the ones worth cracking.

SPN format

···
serviceclass/host:port/servicename
···

Only the service class and host are mandatory; the port and service name are optional, so MSSQLSvc/sql01.zhujian.com:1433 and cifs/sql01.zhujian.com would both be valid SPNs (illustrative names, not from the lab below).

Microsoft also publishes a detailed explanation of the syntax rules; those interested can read:

https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx

Querying SPNs just sends an LDAP query to the domain controller, the same kind of traffic clients generate during normal Kerberos ticket handling, so the operation blends in and is hard to detect. A defender who wants to see it needs LDAP query logging enabled on the domain controller, and then has to look for a single client reading servicePrincipalName across the whole directory.
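As an added example (not part of the original post), the following PowerShell does the same work as setspn -Q */* with one LDAP query through System.DirectoryServices: it reads every object that carries an SPN, tags each SPN with whether it belongs to a computer account or a user account, and splits it into the serviceclass/host:port/servicename fields described above. It assumes it runs on a domain-joined Windows host as an ordinary domain user; the function name Get-DomainSpn and the output property names are my own.

```powershell
# Added example, not code from the original post.
# Enumerate every SPN in the current domain with a plain LDAP query through
# System.DirectoryServices (the same thing setspn -Q */* does). Works on any
# domain-joined Windows host as a normal domain user; no RSAT module needed.

function Get-DomainSpn {
    param(
        # LDAP filter; default = every object that has at least one SPN
        [string]$Filter = '(servicePrincipalName=*)'
    )
    # [adsisearcher] builds a DirectorySearcher rooted at the current domain
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000      # paged results; large domains are cut at 1000 otherwise
    $null = $searcher.PropertiesToLoad.AddRange(@('samaccountname', 'objectcategory', 'serviceprincipalname'))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        # objectCategory is a DN such as "CN=Computer,CN=Schema,..." or "CN=Person,..."
        $category   = [string]$props['objectcategory'][0]
        $isComputer = $category -like 'CN=Computer,*'

        foreach ($spn in $props['serviceprincipalname']) {
            # SPN format: serviceclass/host[:port][/servicename]
            $parts    = $spn -split '/', 3          # at most 3 pieces
            $hostPort = $parts[1] -split ':', 2
            $port        = if ($hostPort.Count -gt 1) { $hostPort[1] } else { $null }
            $serviceName = if ($parts.Count -gt 2) { $parts[2] } else { $null }

            [pscustomobject]@{
                Account      = [string]$props['samaccountname'][0]
                # user-owned SPNs are the Kerberoast targets
                AccountType  = if ($isComputer) { 'Computer' } else { 'User' }
                ServiceClass = $parts[0]
                Host         = $hostPort[0]
                Port         = $port
                ServiceName  = $serviceName
                SPN          = [string]$spn
            }
        }
    }
}

# Usage: full listing, then only the SPNs tied to user accounts
Get-DomainSpn | Format-Table Account, AccountType, ServiceClass, Host, Port -AutoSize

Get-DomainSpn -Filter '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))' |
    Select-Object Account, SPN
```

The second call narrows the LDAP filter on the server side, so the domain controller only returns user objects with SPNs; that is the same single LDAP search discussed above, just with a tighter filter, and it produces the candidate list for the Kerberoasting step the introduction mentions.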

0x03 Experiment

Two lab machines have been prepared so that everyone can see the details of SPN queries. Their details are below; you can connect to them over RDP (port 3389).

Win08_dc_dns
192.168.5.70
zhujian.com

Win7
192.168.5.116

We can query all SPNs in the current domain with the following command:

···
setspn -q */*
···

View all SPNs of the ZHUJIAN domain:

···
setspn -T zhujian -q */*
···

The output is of course the same, because this win7 machine only belongs to the zhujian domain.

Each entry beginning with CN= is one account. In the output the machine accounts (under CN=Computers) are listed first, followed by the domain user account (under CN=Users).

We can also register SPNs ourselves following Microsoft's documentation. To make the exercise as close to a real environment as possible, we install MSSQL on win7 and then check whether the output changes.

The MSSQL installation package is already on the win7 desktop and can be installed directly.

If the installer complains when you double-click it, it is because the current domain user is not a local administrator on this machine.

Here we authenticate with the administrator account and password provided for the lab (screenshot omitted).

The rest is a normal installation, which we will not go through in detail; for our purposes it just needs to be installed.

Note: if the installer still will not run in this situation, switch directly to a local user to install it, then switch back to the domain user afterwards; if disk space is insufficient, expand the disk manually.

After installation, switch back to the domain user.

Run the command again:

···
setspn -q */*
···

You will find that SECQUAN_WIN7-PC now has more than one service registered; the new entry is the SPN for MSSQL.

This is how SPN scanning lets us quickly find services across the domain.
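As an added example (not the original post's code and not the Discover-PSMSSQLServers script linked at the end), the following PowerShell narrows the search to MSSQLSvc SPNs like the one the SQL Server install just registered, separates the host from the port or instance name, and checks whether a numeric port actually accepts a TCP connection, so that stale SPNs left behind by decommissioned servers stand out. The function name Find-MssqlFromSpn and the one-second timeout are my choices.

```powershell
# Added example, not code from the original post.
# Find SQL Server instances from their MSSQLSvc SPNs and confirm they listen.
# SQL Server registers SPNs of two shapes:
#   MSSQLSvc/host.fqdn:1433        numeric suffix  = TCP port
#   MSSQLSvc/host.fqdn:SQLEXPRESS  text suffix     = named instance (port unknown here)
# Uses only System.DirectoryServices and System.Net.Sockets.

function Find-MssqlFromSpn {
    param([int]$TimeoutMs = 1000)   # connect timeout per target (assumption)

    $searcher = [adsisearcher]'(servicePrincipalName=MSSQLSvc/*)'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange(@('samaccountname', 'serviceprincipalname'))

    foreach ($result in $searcher.FindAll()) {
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            # the same object may also carry unrelated SPNs (HOST/, WSMAN/ ...)
            if ($spn -notlike 'MSSQLSvc/*') { continue }

            $target = ($spn -split '/', 2)[1]            # host[:port-or-instance]
            $hostName, $suffix = $target -split ':', 2    # $suffix is $null if absent
            $port = $null
            if ($suffix -match '^\d+$') { $port = [int]$suffix }

            # Only probe when the SPN gives us a port; this step is active
            # (it touches the target), unlike the LDAP query above.
            $alive = $null
            if ($port) {
                $client = New-Object System.Net.Sockets.TcpClient
                try {
                    $alive = $client.ConnectAsync($hostName, $port).Wait($TimeoutMs) -and $client.Connected
                } catch {
                    $alive = $false                       # refused / unreachable
                } finally {
                    $client.Dispose()
                }
            }

            [pscustomobject]@{
                Account   = [string]$result.Properties['samaccountname'][0]
                Host      = $hostName
                Port      = $port                         # $null for instance-name SPNs
                Instance  = if ($port) { $null } else { $suffix }
                Listening = $alive                        # $null when not probed
                SPN       = [string]$spn
            }
        }
    }
}

Find-MssqlFromSpn | Format-Table Account, Host, Port, Instance, Listening -AutoSize
```

A host whose port-bearing SPN shows Listening = False is worth a second look: either the SQL Server was removed without its SPN being cleaned up, or a firewall sits between you and it. Note that the TCP probe is the only part of this that is visible on the target; the SPN lookup itself stays inside the LDAP traffic to the domain controller.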

Some common SPN service class names:

···
AcronisAgent: Acronis backup and recovery software
AdtServer: Microsoft System Center Operations Manager (2007/2012) management server with Audit Collection Services (ACS)
afpserver: Apple Filing Protocol
AgpmServer: Microsoft Advanced Group Policy Management (AGPM)
aradminsvc: Quest ActiveRoles Server admin service
arssvc: Quest ActiveRoles Server service
bocms: Business Objects CMS
BOSSO: Business Objects
CESREMOTE: associated with Citrix VDI solutions on VMware; many VDI workstations carry this SPN
cifs: Common Internet File System
CmRcService: Microsoft System Center Configuration Manager (SCCM) remote control
CUSESSIONKEYSVR: Cisco Unity VoIP system
cvs: CVS repository
DFSR: Distributed File System Replication
DNS: Domain Name Server
E3514235-4B06-11D1-AB04-00C04FC2DCD2: NTDS DC RPC replication
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM: ADAM instance
EDVR: ExacqVision service
exchangeAB: Exchange Address Book service (usually domain controllers supporting NSPI, typically all GCs)
exchangeMDB: RPC Client Access server role
exchangeRFR: Exchange Address Book service
fcsvr: Apple Final Cut Server
FileRepService: WSFileRepService.exe
FIMService: Microsoft Forefront Identity Manager (FIM)
ftp: File Transfer Protocol
GC: domain controller Global Catalog service
HDFS: Hadoop (Ambari)
host: the host service represents the host computer; the HOST SPN is used to access the host account, whose long-term key the Kerberos protocol uses when it creates a service ticket
http: web service supporting Kerberos authentication
Hyper-V Replica Service: Microsoft Hyper-V Replica service
IMAP: Internet Message Access Protocol
IMAP4: Internet Message Access Protocol version 4
ipp: Internet Printing Protocol
iSCSITarget: iSCSI configuration
kadmin: Kerberos
ldap: LDAP service, such as a domain controller or ADAM instance
Magfs: Maginatics MagFS
mapred: Cloudera
Microsoft Virtual Console Service: Hyper-V host
Microsoft Virtual System Migration Service: P2V support (Hyper-V)
mongod: MongoDB Enterprise
mongos: MongoDB Enterprise
MSClusterVirtualServer: Windows Cluster Server
MSOLAPSvc: SQL Server Analysis Services
MSOLAPSvc.3: SQL Server Analysis Services
MSOLAPDisco.3: SQL Server Analysis Services
MSOMHSvc: Microsoft System Center Operations Manager (2007/2012) management server
MSOMSdkSvc: Microsoft System Center Operations Manager (2007/2012) management server
MSServerCluster: Windows Cluster Server
MSServerClusterMgmtAPI: the cluster API needs this SPN in order to authenticate to servers using Kerberos
MSSQL: Microsoft SQL Server
MSSQLSvc: Microsoft SQL Server
MSSQL$ADOBECONNECT: Microsoft SQL Server supporting Adobe Connect
MSSQL$BIZTALK: Microsoft SQL Server supporting Microsoft BizTalk Server
MSSQL$BUSINESSOBJECTS: Microsoft SQL Server supporting Business Objects
MSSQL$DB01NETIQ: Microsoft SQL Server supporting NetIQ
nfs: Network File System
NPPolicyEvaluator: Dell Quest Auditor
NPRepository4(CHANGEAUDITOR): Dell Quest Change Auditor
NPRepository4(CAAD): Dell Quest Auditor
NPRepository4(DEFAULT): Dell Quest Auditor
NtFrs: NT File Replication Service
oracle: Oracle Kerberos authentication
pcast: Apple Podcast Producer
PCNSCLNT: automatic password synchronisation solution (MIIS 2003 and FIM)
POP: e-mail protocol
POP3: e-mail protocol version 3
PVSSoap: Citrix Provisioning Services (7.1)
RestrictedKrbHost: SPNs whose service class string equals "RestrictedKrbHost"; their service tickets use the computer account's key and the shared session key
RPC: Remote Procedure Call service
SAP: SAP/SAPService
SAS: SAS server
SCVMM: System Center Virtual Machine Manager
secshd: IBM InfoSphere
SIP: Session Initiation Protocol
SMTP: Simple Mail Transfer Protocol
SMTPSVC: Simple Mail Transfer Protocol
SoftGrid: Microsoft Application Virtualization (App-V), formerly "SoftGrid"
STS: VMware SSO service
SQLAgent$DB01NETIQ: NetIQ SQL Agent service
tapinego: associated with routing applications such as Microsoft firewalls (ISA, TMG, etc.)
TERMSRV: Microsoft Remote Desktop Protocol service, also known as Terminal Services
tnetd: Juniper Kerberos authentication ("tnetd is a daemon for internal communication between the packet forwarding engine and routing engine components")
VMRC: Microsoft Virtual Server 2005
VNC: VNC server
VPN: Virtual Private Network
VProRecovery Backup Exec System Recovery Agent 7.0
VProRecovery Backup Exec System Recovery Agent 8.0
VProRecovery Backup Exec System Recovery Agent 9.0
VProRecovery Norton Ghost Agent 12.0
VProRecovery Norton Ghost Agent 14.0
VProRecovery Norton Ghost Agent 15.0
VProRecovery Symantec System Recovery Agent 10.0
VProRecovery Symantec System Recovery Agent 11.0
VProRecovery Symantec System Recovery Agent 14.0
vssrvc: Microsoft Virtual Server (2005)
WSMAN: Windows Remote Management (WS-Management based) service
xmpp/XMPP: Extensible Messaging and Presence Protocol (Jabber)
Xgrid: Apple distributed (grid) computing / Mac OS X 10.6 Server management
YARN: Cloudera MapReduce
···

For more SPN values, collect them yourself as you come across them.

Finally, here is a PowerShell script that probes for MSSQL services. There are many similar scripts; you can collect and adapt them from GitHub:

···
https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSSQLServers
···

First published on the WeChat public account wuxinmengyi, a personal account that records red team learning notes and personal growth.

Source: www.cnblogs.com/wuxinmengyi/p/11601351.html