logangoins/SOAPy

Description

SOAPy is a Proof of Concept (PoC) utility for conducting offensive interaction with Active Directory Web Services (ADWS) through a SOCKS5 proxy.

SOAPy includes custom Python implementations, which did not previously exist, of a collection of Microsoft protocols required for interaction with the ADWS service. These include, but are not limited to: NNS (.NET NegotiateStream Protocol), NMF (.NET Message Framing Protocol), and NBFSE (.NET Binary Format: SOAP Extension).

SOAPy started as a research project at IBM X-Force Red with Jackson Leverett to rewrite the proprietary Microsoft .NET mechanisms/library that FalconForce’s SOAPHound uses to interact with ADWS, so recon and post-exploitation operations would be possible through a SOCKS5 proxy from Linux on Red Team assessments. After joining SpecterOps, I decided to continue development on the project to bring it up to operational speed.

SOAPy is used for interacting with ADWS over a proxy for stealthy recon into an internal Active Directory environment. SOAPy is intended to be used as an ADWS ingestor for Active Directory; the resulting data can then be transformed into BloodHound-compatible JSON using Matt Creel’s BOFHound project. The JSON produced by BOFHound can then be uploaded into BloodHound for post-processing and visualization of attack paths.

SOAPy can also perform targeted post-exploitation operations in Active Directory, useful in many assessments when evasive LDAP write operations are required.

This includes the following tradecraft:

  1. servicePrincipalName writing for targeted kerberoasting
  2. userAccountControl writing for targeted AS-REProasting
  3. msDS-AllowedToActOnBehalfOfOtherIdentity writing for Resource-Based Constrained Delegation (RBCD) attacks
  4. msDS-KeyCredentialLink writing for Shadow Credentials attacks
  5. DNS record additions for authentication coercion primitives

The protocol structure for interacting with ADWS is shown in the ADWS Protocol Diagram (image not reproduced in this text).

The blog detailing the original research largely from an engineering perspective can be found here:

SOAPy: Stealthy enumeration of Active Directory environments through ADWS - IBM X-Force Red

A SpecterOps blog detailing new and modern operational guidance for ADWS tradecraft with SOAPy can be found here:

Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS - SpecterOps
