⚙️ Services
In a domain many machines are used to offer services to the users, so it is necessary for Active Directory to keep a track of those services in order to allow the users to find and authenticate against them.
Active Directory service can be tricky since is not the same as a computer service. A service in Windows or Linux machine can be understood as a background process that is continuously executing a task, for example a database. However it is not necessary for a computer service to be listening on a port, like for example a service that checks for available updates for the system.
On the other hand, an Active Directory service is an identifier that indicates what remote services are or can be available (listening on a port) on a machine. Not all the remote services are registered in the domain database, however, the registration is required for those services that need to authenticate domain users through Kerberos.
Each registered service in Active Directory provides the following information:
- The user that runs the computer service.
- The service class, that indicates what kind of service is, for example web servers are registered like www class.
- The machine where the service is hosted.
- (Optional) The service port on the machine.
- (Optional) A path for the service.
In order to store this information, each service is identified by an Service Principal Name (SPN), which has the following format:
The machine_name can be the hostname or the FQDN (Fully Qualified Domain Name: the hostname and domain name joined). It is normal that both formats are stored for Kerberos compatibility. For example:
LDAP service SPNs
The SPN will be stored in a user (or computer) object, that way the service user can be identified.
PS C:\> Get-ADComputer ws01-10 -Properties ServicePrincipalName | select -ExpandProperty ServicePrincipalName
TERMSRV/WS01-10
TERMSRV/ws01-10.etherdrake.local
RestrictedKrbHost/ws01-10.etherdrake.local
HOST/ws01-10.etherdrake.local
RestrictedKrbHost/WS01-10
HOST/WS01-10
services of ws01-10 computer
It also important to note that even if the service is currently not being executed, it can be still registered in the Active Directory database. This is important cause old services can lead to account takeover by using Kerberoast.
To sum up Kerberoast, you can ask for a Kerberos ticket for any service registered in the domain. The Kerberos ticket for the service will have a part encrypted with the service user secret (that can be the NT hash or Kerberos keys) derived from the password. Then you can save the ticket and try to crack it to recover the user password. For computer services this is unfeasible cause the password is too complex, but for user services that can have a weak password this could be possible to achieve.
Host service
Moreover, because by default Windows systems deploy a lot of services, in the machines by default a HOST service class is registered. That HOST class is an alias for several services.
PS C:\Users\Administrator> Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$((Get-ADDomain).DistinguishedName)" -properties sPNMappings
DistinguishedName : CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=etherdrake,DC=local
Name : Directory Service
ObjectClass : nTDSService
ObjectGUID : 70502b18-010f-4d33-bbb9-ff85a88c6156
sPNMappings : {host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyage
nt,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,p
lugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,
msdtc}
Services classes identified by HOST