4. Service Principal Names

• Isolated applications can use a set of predefined service accounts, such as: LocalSystem, LocalService, and NetworkService
• When applications such as Exchange and MS SQL are integrated in AD, the Service Principal Name (SPN) associates each service to a specific service account
• By enumerating SPNs in the domain one can see running applications and ports
• This could be done using the setspn.exe lolbin or using PowerView
  Usage:

#Using setspn.exe:
setspn -L <user>

#Using PowerView:
Get-NetUser -SPN | select samaccountname,serviceprincipalname

Then perform lookup for the host results to see on which IPs the services are running:

nslookup.exe <hostname>