-
Notifications
You must be signed in to change notification settings - Fork 463
SQL Server Service Principal Name Formats
Scott Sutherland edited this page Jul 9, 2022
·
3 revisions
This page provides a list of the common Service Principal Name (SPN) formats associated with SQL Server.
Note: Many products will create both SPN records for a single instance.
- Default / named instance: MSSQLSvc/server:1433
- Default / named instance: MSSQLSvc/server.domain.com:1433
Note: The TCP port isn't required. The SPN may not have a port for instances configured with Named Pipes or Shared Memory.
However, all formats are supported and may be used by vendors.
- Default instance: MSSQLSvc/server
- Default instance: MSSQLSvc/server.domain.com
- Named instance: MSSQLSvc/server:InstanceName
- Named instance: MSSQLSvc/server.domain.com:InstanceName
- Optional format: MSSQLSvc/server:1433
- Optional format: MSSQLSvc/server.domain.com:1433
setspn -s MSSQLSvc/server DOMAIN\SQLServiceAccount setspn -s MSSQLSvc/server:1433 DOMAIN\SQLServiceAccount setspn -s MSSQLSvc/server:InstanceName DOMAIN\SQLServiceAccount setspn -s MSSQLSvc/server.domain.com DOMAIN\SQLServiceAccount setspn -s MSSQLSvc/server.domain.com:1433 DOMAIN\SQLServiceAccount setspn -s MSSQLSvc/server.domain.com:InstanceName DOMAIN\SQLServiceAccount
- https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-2017
- https://docs.microsoft.com/en-us/sql/relational-databases/native-client/features/service-principal-name-spn-support-in-client-connections?view=sql-server-ver16
- PowerUpSQL Commands
- UNC Path Injection
- Connection Strings
- SQL Server SPN Formats
- SQL Server Detective Controls
- Code Templates
- Introduction to PowerUpSQL
- Blindly Discover SQL Server Instances
- Finding Sensitive Data on Domain SQL Servers
- Finding Weak Passwords for Domain SQL Servers on Scale
- Finding Default Passwords Associated with Application Specific Instances
- Get Sysadmin as Local Admin
- Get Windows Auto Login Passwords via SQL Server
- Establishing Registry Persistence via SQL Server
- Establishing Persistence via SQL Server Triggers
- Establishing Persistence via SQL Server Startup Procedures
- Crawling SQL Server Links
- Attacking SQL Server CLR
- Bypassing SQL Server Logon Trigger Restrictions
- SQL Server as a C2
- Dumping Active Directory Information with SQL Server
- Attacking Stored Procedures via SQLi
- Attacking Insecure Impersonation Configurations
- Attacking Trustworthy Databases
- Enumerating Logins and Domain Accounts via SQL Server
- Using SQL Server to Attack Forest Trusts
- Exploiting Global Temporary Tables
- Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation
- 2020 May Troopers20 Video
- 2020 May Troopers20 Slides
- 2018 Aug BH Arsenal Video
- 2018 Aug BH Arsenal Slides
- 2017 SEPT DerbyCon7 Video
- 2017 SEPT DerbyCon7 Slides
- 2017 May Secure360 Slides
- 2017 May THOTCON Slides
- 2016 OCT Arcticcon Slides
- 2016 OCT PASS Webinar Video
- 2016 SEPT DerbyCon6 Slides
- 2016 SEPT DerbyCon6 Video
- 2015 APR OWASP Slides
- 2015 APR OWASP Video
- Discover SQL Server Instances
- Unauthenticated to SQL Login - Default Passwords
- Domain User to SQL Sysadmin - UNC Injection
- SQL Login to Sysadmin-Auto
- SQL Login to Sysadmin-LoginEnum+PwGuess
- SQL Login to Sysadmin-Link Crawling 1
- SQL Login to Sysadmin-Link Crawling 2
- SQL Login to OS Admin-UNC Path Injection
- OS Admin to Sysadmin-Impersonation
- Audit Configurations
- Find Sensitive Data
- Attacking SQL Server CLR Assemblies Webinar