Merge pull request #1189 from HackTricks-wiki/update_Make_Sure_to_Use_SOAP_y____An_Operators_Guide_to_S_20250726_012531

carlospolop · web-flow · commit da5a15e54abe · 2025-07-28T14:02:34.000+02:00
Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD...
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -260,6 +260,7 @@
   - [Ad Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
   - [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
   - [AD DNS Records](windows-hardening/active-directory-methodology/ad-dns-records.md)
+  - [Adws Enumeration](windows-hardening/active-directory-methodology/adws-enumeration.md)
   - [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
   - [BloodHound & Other AD Enum Tools](windows-hardening/active-directory-methodology/bloodhound.md)
   - [Constrained Delegation](windows-hardening/active-directory-methodology/constrained-delegation.md)
diff --git a/src/windows-hardening/active-directory-methodology/adws-enumeration.md b/src/windows-hardening/active-directory-methodology/adws-enumeration.md
@@ -0,0 +1,120 @@
+# Active Directory Web Services (ADWS) Enumeration & Stealth Collection
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## What is ADWS?
+
+Active Directory Web Services (ADWS) is **enabled by default on every Domain Controller since Windows Server 2008 R2** and listens on TCP **9389**.  Despite the name, **no HTTP is involved**.  Instead, the service exposes LDAP-style data through a stack of proprietary .NET framing protocols:
+
+* MC-NBFX → MC-NBFSE → MS-NNS → MC-NMF
+
+Because the traffic is encapsulated inside these binary SOAP frames and travels over an uncommon port, **enumeration through ADWS is far less likely to be inspected, filtered or signatured than classic LDAP/389 & 636 traffic**.  For operators this means:
+
+* Stealthier recon – Blue teams often concentrate on LDAP queries.
+* Freedom to collect from **non-Windows hosts (Linux, macOS)** by tunnelling 9389/TCP through a SOCKS proxy.
+* The same data you would obtain via LDAP (users, groups, ACLs, schema, etc.) and the ability to perform **writes** (e.g. `msDs-AllowedToActOnBehalfOfOtherIdentity` for **RBCD**).
+
+> NOTE: ADWS is also used by many RSAT GUI/PowerShell tools, so traffic may blend with legitimate admin activity.
+
+## SoaPy – Native Python Client
+
+[SoaPy](https://github.com/logangoins/soapy) is a **full re-implementation of the ADWS protocol stack in pure Python**.  It crafts the NBFX/NBFSE/NNS/NMF frames byte-for-byte, allowing collection from Unix-like systems without touching the .NET runtime.
+
+### Key Features
+
+* Supports **proxying through SOCKS** (useful from C2 implants).
+* Fine-grained search filters identical to LDAP `-q '(objectClass=user)'`.
+* Optional **write** operations ( `--set` / `--delete` ).
+* **BOFHound output mode** for direct ingestion into BloodHound.
+* `--parse` flag to prettify timestamps / `userAccountControl` when human readability is required.
+
+### Installation (operator host)
+
+```bash
+python3 -m pip install soapy-adws   # or git clone && pip install -r requirements.txt
+```
+
+## Stealth AD Collection Workflow
+
+The following workflow shows how to enumerate **domain & ADCS objects** over ADWS, convert them to BloodHound JSON and hunt for certificate-based attack paths – all from Linux:
+
+1. **Tunnel 9389/TCP** from the target network to your box (e.g. via Chisel, Meterpreter, SSH dynamic port-forward, etc.).  Export `export HTTPS_PROXY=socks5://127.0.0.1:1080` or use SoaPy’s `--proxyHost/--proxyPort`.
+
+2. **Collect the root domain object:**
+
+```bash
+soapy ludus.domain/jdoe:'P@ssw0rd'@10.2.10.10 \
+      -q '(objectClass=domain)' \
+      | tee data/domain.log
+```
+
+3. **Collect ADCS-related objects from the Configuration NC:**
+
+```bash
+soapy ludus.domain/jdoe:'P@ssw0rd'@10.2.10.10 \
+      -dn 'CN=Configuration,DC=ludus,DC=domain' \
+      -q '(|(objectClass=pkiCertificateTemplate)(objectClass=CertificationAuthority) \\
+           (objectClass=pkiEnrollmentService)(objectClass=msPKI-Enterprise-Oid))' \
+      | tee data/adcs.log
+```
+
+4. **Convert to BloodHound:**
+
+```bash
+bofhound -i data --zip   # produces BloodHound.zip
+```
+
+5. **Upload the ZIP** in the BloodHound GUI and run cypher queries such as `MATCH (u:User)-[:Can_Enroll*1..]->(c:CertTemplate) RETURN u,c` to reveal certificate escalation paths (ESC1, ESC8, etc.).
+
+### Writing `msDs-AllowedToActOnBehalfOfOtherIdentity` (RBCD)
+
+```bash
+soapy ludus.domain/jdoe:'P@ssw0rd'@dc.ludus.domain \
+      --set 'CN=Victim,OU=Servers,DC=ludus,DC=domain' \
+      msDs-AllowedToActOnBehalfOfOtherIdentity 'B:32:01....'
+```
+
+Combine this with `s4u2proxy`/`Rubeus /getticket` for a full **Resource-Based Constrained Delegation** chain.
+
+## Detection & Hardening
+
+### Verbose ADDS Logging
+
+Enable the following registry keys on Domain Controllers to surface expensive / inefficient searches coming from ADWS (and LDAP):
+
+```powershell
+New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value 5 -Type DWORD
+New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold' -Value 1 -Type DWORD
+New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)' -Value 0 -Type DWORD
+```
+
+Events will appear under **Directory-Service** with the full LDAP filter, even when the query arrived via ADWS.
+
+### SACL Canary Objects
+
+1. Create a dummy object (e.g. disabled user `CanaryUser`).
+2. Add an **Audit** ACE for the _Everyone_ principal, audited on **ReadProperty**.
+3. Whenever an attacker performs `(servicePrincipalName=*)`, `(objectClass=user)` etc. the DC emits **Event 4662** which contains the real user SID – even when the request is proxied or originates from ADWS.
+
+Elastic pre-built rule example:
+
+```kql
+(event.code:4662 and not user.id:"S-1-5-18") and winlog.event_data.AccessMask:"0x10"
+```
+
+## Tooling Summary
+
+| Purpose | Tool | Notes |
+|---------|------|-------|
+| ADWS enumeration | [SoaPy](https://github.com/logangoins/soapy) | Python, SOCKS, read/write |
+| BloodHound ingest | [BOFHound](https://github.com/bohops/BOFHound) | Converts SoaPy/ldapsearch logs |
+| Cert compromise | [Certipy](https://github.com/ly4k/Certipy) | Can be proxied through same SOCKS |
+
+## References
+
+* [SpecterOps – Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS](https://specterops.io/blog/2025/07/25/make-sure-to-use-soapy-an-operators-guide-to-stealthy-ad-collection-using-adws/)
+* [SoaPy GitHub](https://github.com/logangoins/soapy)
+* [BOFHound GitHub](https://github.com/bohops/BOFHound)
+* [Microsoft – MC-NBFX, MC-NBFSE, MS-NNS, MC-NMF specifications](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nbfx/)
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/windows-hardening/active-directory-methodology/bloodhound.md b/src/windows-hardening/active-directory-methodology/bloodhound.md
@@ -1,100 +1,88 @@
-# BloodHound & Other AD Enum Tools
+# BloodHound & Other Active Directory Enumeration Tools
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## AD Explorer
-
-[AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) is from Sysinternal Suite:
-
-> An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to navigate an AD database easily, define favourite locations, view object properties, and attributes without opening dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
-
-### Snapshots
-
-AD Explorer can create snapshots of an AD so you can check it offline.\
-It can be used to discover vulns offline, or to compare different states of the AD DB across the time.
-
-You will be requires the username, password, and direction to connect (any AD user is required).
+{{#ref}}
+adws-enumeration.md
+{{#endref}}
 
-To take a snapshot of AD, go to `File` --> `Create Snapshot` and enter a name for the snapshot.
+> NOTE: This page groups some of the most useful utilities to **enumerate** and **visualise** Active Directory relationships.  For collection over the stealthy **Active Directory Web Services (ADWS)** channel check the reference above.
 
-## ADRecon
+---
 
-[**ADRecon**](https://github.com/adrecon/ADRecon) is a tool which extracts and combines various artefacts out of an AD environment. The information can be presented in a **specially formatted** Microsoft Excel **report** that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.
+## AD Explorer
 
-```bash
-# Run it
-.\ADRecon.ps1
-```
+[AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) (Sysinternals) is an advanced **AD viewer & editor** which allows:
 
-## BloodHound
+* GUI browsing of the directory tree
+* Editing of object attributes & security descriptors
+* Snapshot creation / comparison for offline analysis
 
-From [https://github.com/BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
+### Quick usage
 
-> BloodHound is a single page Javascript web application, built on top of [Linkurious](http://linkurio.us/), compiled with [Electron](http://electron.atom.io/), with a [Neo4j](https://neo4j.com/) database fed by a C# data collector.
+1. Start the tool and connect to `dc01.corp.local` with any domain credentials.
+2. Create an offline snapshot via `File ➜ Create Snapshot`.
+3. Compare two snapshots with `File ➜ Compare` to spot permission drifts.
 
-BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.
+---
 
-So, [Bloodhound ](https://github.com/BloodHoundAD/BloodHound)is an amazing tool which can enumerate a domain automatically, save all the information, find possible privilege escalation paths and show all the information using graphs.
+## ADRecon
 
-Booldhound is composed of 2 main parts: **ingestors** and the **visualisation application**.
+[ADRecon](https://github.com/adrecon/ADRecon) extracts a large set of artefacts from a domain (ACLs, GPOs, trusts, CA templates …) and produces an **Excel report**.
 
-The **ingestors** are used to **enumerate the domain and extract all the information** in a format that the visualisation application will understand.
+```powershell
+# On a Windows host in the domain
+PS C:\> .\ADRecon.ps1 -OutputDir C:\Temp\ADRecon
+```
 
-The **visualisation application uses neo4j** to show how all the information is related and to show different ways to escalate privileges in the domain.
+---
 
-### Installation
+## BloodHound (graph visualisation)
 
-After the creation of BloodHound CE, the entire project was updated for ease of use with Docker. The easiest way to get started is to use its pre-configured Docker Compose configuration.
+[BloodHound](https://github.com/BloodHoundAD/BloodHound) uses graph theory + Neo4j to reveal hidden privilege relationships inside on-prem AD & Azure AD.
 
-1. Install Docker Compose. This should be included with the [Docker Desktop](https://www.docker.com/products/docker-desktop/) installation.
-2. Run:
+### Deployment (Docker CE)
 
 ```bash
 curl -L https://ghst.ly/getbhce | docker compose -f - up
+# Web UI ➜ http://localhost:8080  (user: admin / password from logs)
 ```
 
-3. Locate the randomly generated password in the terminal output of Docker Compose.
-4. In a browser, navigate to http://localhost:8080/ui/login. Login with the username **`admin`** and a **`randomly generated password`** you can find in the logs of docker compose.
+### Collectors
 
-After this you will need to change the randomly generated password and you will have the new interface ready, from which you can directly download the ingestors.
+* `SharpHound.exe` / `Invoke-BloodHound` – native or PowerShell variant
+* `AzureHound` – Azure AD enumeration
+* **SoaPy + BOFHound** – ADWS collection (see link at top)
 
-### SharpHound
+#### Common SharpHound modes
 
-They have several options but if you want to run SharpHound from a PC joined to the domain, using your current user and extract all the information you can do:
-
-```
-./SharpHound.exe --CollectionMethods All
-Invoke-BloodHound -CollectionMethod All
+```powershell
+SharpHound.exe --CollectionMethods All           # Full sweep (noisy)
+SharpHound.exe --CollectionMethods Group,LocalAdmin,Session,Trusts,ACL
+SharpHound.exe --Stealth --LDAP                      # Low noise LDAP only
 ```
 
-> You can read more about **CollectionMethod** and loop session [here](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481375424795-All-SharpHound-Community-Edition-Flags-Explained)
-
-If you wish to execute SharpHound using different credentials you can create a CMD netonly session and run SharpHound from there:
-
-```
-runas /netonly /user:domain\user "powershell.exe -exec bypass"
-```
+The collectors generate JSON which is ingested via the BloodHound GUI.
 
-[**Learn more about Bloodhound in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)
+---
 
 ## Group3r
 
-[**Group3r**](https://github.com/Group3r/Group3r) is a tool to find **vulnerabilities** in Active Directory associated **Group Policy**. \
-You need to **run group3r** from a host inside the domain using **any domain user**.
+[Group3r](https://github.com/Group3r/Group3r) enumerates **Group Policy Objects** and highlights misconfigurations.
 
 ```bash
-group3r.exe -f <filepath-name.log>
-# -s sends results to stdin
-# -f send results to file
+# Execute inside the domain
+Group3r.exe -f gpo.log   # -s to stdout
 ```
 
+---
+
 ## PingCastle
 
-[**PingCastle**](https://www.pingcastle.com/documentation/) **evaluates the security posture of an AD environment** and provides a nice **report** with graphs.
+[PingCastle](https://www.pingcastle.com/documentation/) performs a **health-check** of Active Directory and generates an HTML report with risk scoring.
 
-To run it, can execute the binary `PingCastle.exe` and it will start an **interactive session** presenting a menu of options. The default option to use is **`healthcheck`** which will establish a baseline **overview** of the **domain**, and find **misconfigurations** and **vulnerabilities**.
+```powershell
+PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd!"
+```
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
