{"id":2535,"date":"2016-01-27T15:53:29","date_gmt":"2016-01-27T20:53:29","guid":{"rendered":"https:\/\/adsecurity.org\/?p=2535"},"modified":"2016-01-27T16:02:43","modified_gmt":"2016-01-27T21:02:43","slug":"active-directory-recon-without-admin-rights","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=2535","title":{"rendered":"Active Directory Recon Without Admin Rights"},"content":{"rendered":"

A fact that is often forgotten (or misunderstood), is that most objects and their attributes can be viewed (read) by authenticated users (most often, domain users). The challenge is that admins may think that since this data is most easily accessible via admin tools such as “Active Directory User and Computers” (dsa.msc) or “Active Directory Administrative Center” (dsac.msc), that others can’t see user data (beyond what is exposed in Outlook’s GAL). This often leads to password data being placed in user object attributes or in SYSVOL<\/a>.<\/p>\n

There is a lot of data that can be gathered from Active Directory which can be used to update documentation or to recon the environment for the next attack stages. It’s important for defenders to understand the different types of data accessible in AD with a regular user account.<\/p>\n

Attacks frequently start with a spear-phishing email to one or more users enabling the attacker to get their code running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course, plunder information (often the “crown jewels” of an organization).<\/p>\n

This post shows how an attacker can recon the Active Directory environment with just domain user rights. Many people are surprised when they learn how much information can be gathered from AD without elevated rights.<\/p>\n

Note: Most of the examples in this post use the Active Directory PowerShell module cmdlets. A good alternative is HarmJ0y’s<\/a> PowerView<\/a> (now part of PowerSploit<\/a>).<\/p>\n

I spoke about some of these techniques at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon)<\/a>. I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them<\/a>“.<\/p>\n

<\/p>\n

Get Active Directory Information<\/strong><\/p>\n

I have covered using .NET in PowerShell to gather AD data<\/a> before, so I won’t reproduce all of the .NET commands here.<\/p>\n

Forest Information:<\/span><\/p>\n

PS C:\\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()<\/p>\n

Name<\/strong>: lab.adsecurity.org
\nSites<\/strong>: {Default-First-Site-Name}
\nDomains<\/strong>: {lab.adsecurity.org, child.lab.adsecurity.org}
\nGlobalCatalogs<\/strong>: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org, ADSDC11.child.lab.adsecurity.org}
\nApplicationPartitions<\/strong>: {DC=DomainDnsZones,DC=child,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org,
\nDC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org}
\nForestMode<\/strong>: Windows2008R2Forest
\nRootDomain<\/strong>: lab.adsecurity.org
\nSchema<\/strong>: CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
\nSchemaRoleOwner<\/strong>: ADSDC03.lab.adsecurity.org
\nNamingRoleOwner<\/strong>: ADSDC03.lab.adsecurity.org<\/p><\/blockquote>\n

Domain Information:<\/span><\/p>\n

PS C:\\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()<\/p>\n

Forest<\/strong>: lab.adsecurity.org
\nDomainControllers<\/strong>: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org}
\nChildren<\/strong>: {child.lab.adsecurity.org}
\nDomainMode<\/strong>: Windows2008R2Domain
\nParent<\/strong>:
\nPdcRoleOwner<\/strong>: ADSDC03.lab.adsecurity.org
\nRidRoleOwner<\/strong>: ADSDC03.lab.adsecurity.org
\nInfrastructureRoleOwner<\/strong>: ADSDC03.lab.adsecurity.org
\nName<\/strong>: lab.adsecurity.org<\/p><\/blockquote>\n

Forest Trusts:<\/span><\/p>\n

$ForestRootDomain = ‘lab.adsecurity.org’
\n([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(‘Forest’, $ForestRootDomain)))).GetAllTrustRelationships()<\/p>\n

 <\/p><\/blockquote>\n

Domain Trusts:<\/span><\/p>\n

PS C:\\> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()<\/p>\n

SourceName<\/strong>:\u00a0 \u00a0\u00a0lab.adsecurity.org
\nTargetName<\/strong>:\u00a0child.lab.adsecurity.org
\nTrustType: \u00a0 <\/strong>ParentChild
\nTrustDirection<\/strong>: Bidirectional<\/p><\/blockquote>\n

Get Forest Global Catalogs (typically every Domain Controller is also a GC):<\/span><\/p>\n

PS C:\\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs<\/p>\n

Forest\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : lab.adsecurity.org
\nCurrentTime\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/27\/2016 5:31:36 PM
\nHighestCommittedUsn\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 305210
\nOSVersion\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows Server 2008 R2 Datacenter<\/strong>
\nRoles\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {}
\nDomain\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : lab.adsecurity.org<\/strong>
\nIPAddress\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 172.16.11.11
\nSiteName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Default-First-Site-Name
\nSyncFromAllServersCallback :
\nInboundConnections\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {36bfdadf-777d-4bad-9427-bc148cea256f, 48594a5d-c2a3-4cd1-a80d-bedf367cc2a9, 549871d2-e238-4423-a6b8-1bb
\nOutboundConnections\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {9da361fd-0eed-414a-b4ee-0a9caa1b153e, 86690811-f995-4c3e-89fe-73c61fa4a3a0, 8797cbb4-fe09-49dc-8891-952
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC01.lab.adsecurity.org
\nPartitions\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,
\nCN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…<\/p>\n

Forest\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : lab.adsecurity.org
\nCurrentTime\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/27\/2016 5:31:37 PM
\nHighestCommittedUsn\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 274976
\nOSVersion\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows Server 2012 R2 Datacenter<\/strong>
\nRoles\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {SchemaRole, NamingRole, PdcRole, RidRole…}<\/strong>
\nDomain\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : lab.adsecurity.org<\/strong>
\nIPAddress\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : fe80::1881:40d5:fc2e:e744%12
\nSiteName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Default-First-Site-Name
\nSyncFromAllServersCallback :
\nInboundConnections\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {86690811-f995-4c3e-89fe-73c61fa4a3a0, dd7b36a8-a52e-446d-95a8-318b69bd9765}
\nOutboundConnections\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {f901f0b5-8754-44e9-92e8-f56b3d67197b, 549871d2-e238-4423-a6b8-1bb258e2a62f}
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC03.lab.adsecurity.org
\nPartitions\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org,
\nCN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…<\/p>\n

Forest\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : lab.adsecurity.org
\nCurrentTime\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/27\/2016 5:31:38 PM
\nHighestCommittedUsn\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 161898
\nOSVersion\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows Server 2012 R2 Datacenter<\/strong>
\nRoles\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {PdcRole, RidRole, InfrastructureRole}<\/strong>
\nDomain\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : child.lab.adsecurity.org<\/strong>
\nIPAddress\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 172.16.11.21
\nSiteName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Default-First-Site-Name
\nSyncFromAllServersCallback :
\nInboundConnections\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {612c2d75-1c35-4073-a8a9-d41169665000, 8797cbb4-fe09-49dc-8891-952f38822eda}
\nOutboundConnections\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {71ea129f-8d56-4bd0-9b68-d80e89ae7385, 36bfdadf-777d-4bad-9427-bc148cea256f}
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC11.child.lab.adsecurity.org
\nPartitions\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {CN=Configuration,DC=lab,DC=adsecurity,DC=org, CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org,
\nDC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org, DC=child,DC=lab,DC=adsecurity,DC=org…}<\/p><\/blockquote>\n


\nMitigation:<\/span><\/p>\n

There is no reasonable mitigation. This information can not and should not be obfuscated or hidden.<\/p>\n

 <\/p>\n

Discover Enterprise Services without Network Scanning
\n<\/strong><\/p>\n

The simplest recon method is to use what I call “SPN Scanning<\/a>” which asks the Domain Controller for all Service Principal Names (SPNs) of a specific type. This enables the attacker to discover all SQL servers, Exchange servers, etc. I maintain a SPN directory list which includes the most common SPNs<\/a> found in an enterprise.<\/p>\n

SPN scanning can also discover what Windows computers have RDP enabled (TERMSERV), WinRM enabled (WSMAN), etc.<\/p>\n

Note: In order to discover all enteprise services, target both computers and users (service accounts).<\/p>\n

PS C:\\> get-adcomputer -filter {ServicePrincipalName -like “*TERMSRV*”} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,
\nPasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation<\/p>\n

DistinguishedName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
\nDNSHostName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC02.lab.adsecurity.org
\nEnabled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nLastLogonDate\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/20\/2016 6:46:18 AM
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC02
\nObjectClass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : computer
\nObjectGUID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1efe44af-d8d9-420b-a66a-8d771d295085
\nOperatingSystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows Server 2008 R2 Datacenter
\nOperatingSystemServicePack : Service Pack 1
\nOperatingSystemVersion\u00a0\u00a0\u00a0\u00a0 : 6.1 (7601)
\nPasswordLastSet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 12\/31\/2015 6:34:15 AM
\nSamAccountName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC02$
\nServicePrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {DNS\/ADSDC02.lab.adsecurity.org, HOST\/ADSDC02\/ADSECLAB, HOST\/ADSDC02.lab.adsecurity.org\/ADSECLAB,
\nGC\/ADSDC02.lab.adsecurity.org\/lab.adsecurity.org…}
\nSID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : S-1-5-21-1581655573-3923512380-696647894-1103
\nTrustedForDelegation\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nTrustedToAuthForDelegation : False
\nUserPrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :<\/p>\n

DistinguishedName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
\nDNSHostName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC01.lab.adsecurity.org
\nEnabled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nLastLogonDate\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/20\/2016 6:47:21 AM
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC01
\nObjectClass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : computer
\nObjectGUID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 31b2038d-e63d-4cfe-b7b6-77206c325af9
\nOperatingSystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows Server 2008 R2 Datacenter
\nOperatingSystemServicePack : Service Pack 1
\nOperatingSystemVersion\u00a0\u00a0\u00a0\u00a0 : 6.1 (7601)
\nPasswordLastSet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 12\/31\/2015 6:34:14 AM
\nSamAccountName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC01$
\nServicePrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {ldap\/ADSDC01.lab.adsecurity.org\/ForestDnsZones.lab.adsecurity.org,
\nldap\/ADSDC01.lab.adsecurity.org\/DomainDnsZones.lab.adsecurity.org, TERMSRV\/ADSDC01,
\nTERMSRV\/ADSDC01.lab.adsecurity.org…}
\nSID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : S-1-5-21-1581655573-3923512380-696647894-1000
\nTrustedForDelegation\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nTrustedToAuthForDelegation : False
\nUserPrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :<\/p>\n

DistinguishedName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
\nDNSHostName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC03.lab.adsecurity.org
\nEnabled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nLastLogonDate\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/20\/2016 6:35:16 AM
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC03
\nObjectClass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : computer
\nObjectGUID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8
\nOperatingSystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows Server 2012 R2 Datacenter
\nOperatingSystemServicePack :
\nOperatingSystemVersion\u00a0\u00a0\u00a0\u00a0 : 6.3 (9600)
\nPasswordLastSet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 12\/31\/2015 6:34:16 AM
\nSamAccountName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSDC03$
\nServicePrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {DNS\/ADSDC03.lab.adsecurity.org, HOST\/ADSDC03.lab.adsecurity.org\/ADSECLAB,
\nRPC\/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC\/ADSDC03.lab.adsecurity.org\/lab.adsecurity.org…}
\nSID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : S-1-5-21-1581655573-3923512380-696647894-1601
\nTrustedForDelegation\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nTrustedToAuthForDelegation : False
\nUserPrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :<\/p>\n

DistinguishedName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
\nDNSHostName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSWRKWIN7.lab.adsecurity.org
\nEnabled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nLastLogonDate\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 8\/29\/2015 6:40:16 PM
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSWRKWIN7
\nObjectClass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : computer
\nObjectGUID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
\nOperatingSystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows 7 Enterprise
\nOperatingSystemServicePack : Service Pack 1
\nOperatingSystemVersion\u00a0\u00a0\u00a0\u00a0 : 6.1 (7601)
\nPasswordLastSet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 8\/29\/2015 6:40:12 PM
\nSamAccountName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSWRKWIN7$
\nServicePrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {TERMSRV\/ADSWRKWin7.lab.adsecurity.org, TERMSRV\/ADSWRKWIN7, RestrictedKrbHost\/ADSWRKWIN7, HOST\/ADSWRKWIN7…}
\nSID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : S-1-5-21-1581655573-3923512380-696647894-1104
\nTrustedForDelegation\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : False
\nTrustedToAuthForDelegation : False
\nUserPrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :<\/p>\n

DistinguishedName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org
\nDNSHostName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSAP01.lab.adsecurity.org
\nEnabled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nLastLogonDate\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/24\/2016 11:03:41 AM
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSAP01
\nObjectClass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : computer
\nObjectGUID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
\nOperatingSystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows Server 2008 R2 Datacenter
\nOperatingSystemServicePack : Service Pack 1
\nOperatingSystemVersion\u00a0\u00a0\u00a0\u00a0 : 6.1 (7601)
\nPasswordLastSet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/4\/2016 6:38:16 AM
\nSamAccountName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSAP01$
\nServicePrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {WSMAN\/ADSAP01.lab.adsecurity.org, WSMAN\/ADSAP01, TERMSRV\/ADSAP01.lab.adsecurity.org, TERMSRV\/ADSAP01…}
\nSID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : S-1-5-21-1581655573-3923512380-696647894-1105
\nTrustedForDelegation\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : False
\nTrustedToAuthForDelegation : False
\nUserPrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :<\/p>\n

DistinguishedName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
\nDNSHostName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSWKWIN7.lab.adsecurity.org
\nEnabled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nLastLogonDate\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/20\/2016 7:07:11 AM
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSWKWIN7
\nObjectClass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : computer
\nObjectGUID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 2f164d63-d721-4b0e-a553-3ca0e272aa96
\nOperatingSystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows 7 Enterprise
\nOperatingSystemServicePack : Service Pack 1
\nOperatingSystemVersion\u00a0\u00a0\u00a0\u00a0 : 6.1 (7601)
\nPasswordLastSet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 12\/31\/2015 8:03:05 AM
\nSamAccountName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSWKWIN7$
\nServicePrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {TERMSRV\/ADSWKWin7.lab.adsecurity.org, TERMSRV\/ADSWKWIN7, RestrictedKrbHost\/ADSWKWIN7, HOST\/ADSWKWIN7…}
\nSID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : S-1-5-21-1581655573-3923512380-696647894-1602
\nTrustedForDelegation\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : False
\nTrustedToAuthForDelegation : False
\nUserPrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :<\/p>\n

DistinguishedName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org
\nDNSHostName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSAP02.lab.adsecurity.org
\nEnabled\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True
\nLastLogonDate\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/24\/2016 7:39:48 AM
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSAP02
\nObjectClass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : computer
\nObjectGUID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1006978e-8627-4d01-98b6-3215c4ee4541
\nOperatingSystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Windows Server 2012 R2 Datacenter
\nOperatingSystemServicePack :
\nOperatingSystemVersion\u00a0\u00a0\u00a0\u00a0 : 6.3 (9600)
\nPasswordLastSet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1\/4\/2016 6:39:25 AM
\nSamAccountName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : ADSAP02$
\nServicePrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {WSMAN\/ADSAP02.lab.adsecurity.org, WSMAN\/ADSAP02, TERMSRV\/ADSAP02.lab.adsecurity.org, TERMSRV\/ADSAP02…}
\nSID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : S-1-5-21-1581655573-3923512380-696647894-1603
\nTrustedForDelegation\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : False
\nTrustedToAuthForDelegation : False
\nUserPrincipalName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :<\/p><\/blockquote>\n

Mitigation:<\/span><\/p>\n

There is no mitigation. Service Principal Names are required for Kerberos to work<\/a>.<\/p>\n

 <\/p>\n

Discover Enterprise Services without Network Scanning Part 2
\n<\/strong><\/p>\n

SPN Scanning will discover all enterprise services supporting Kerberos. Other enterprise services that integrate with Active Directory often create a new container in the Domain “System” container (CN=System,DC=<domain<\/i>>). Some enterprise applications that store data in the domain System container include:<\/p>\n