SOAPHound: Open-source tool to collect Active Directory data via ADWS
SOAPHound is an open-source data collection tool capable of enumerating Active Directory environments through the Active Directory Web Services (ADWS) protocol.
How SOAPHound works
SOAPHound is a substitute for various open-source security tools typically employed for extracting data from Active Directory via the LDAP protocol. It achieves the same data extraction without directly interfacing with the LDAP server. This is accomplished by encapsulating LDAP queries within a sequence of SOAP messages transmitted to the ADWS server through a NetTCPBinding communication channel.
The ADWS server decodes these LDAP queries and relays them to the LDAP server located on the same domain controller. This approach ensures that LDAP traffic is not transmitted overtly, making it less detectable by standard monitoring tools.
SOAPHound supports the following authentication methods:
- Using the existing authentication token of the current user. This is the default option if no username and password are supplied.
- Supplying a username and password on the command line.
SOAPHound features
“SOAPHound is mainly a BloodHound data ingestor tool. However, it uses a number of features that make it stand out. First of all, it collects all AD data without directly touching LDAP. Instead, all communication and data exfiltration is performed via the ADWS protocol, which is running on TCP port 9389 of Domain Controllers. LDAP traffic is wrapped within SOAP XML messages, which is encrypted using a NetTCPBinding communication channel. As a result, LDAP data are never sent unencrypted on the wire and therefore it is much more difficult to detect on the network level. Moreover, no previously documented attack was targeting the ADWS service for similar enumeration techniques and therefore it might have been overlooked by detection rules,” Nikos Karouzos, Red Teamer at FalconForce, the developer of SOAPHound, told Help Net Security.
Karouzos told us that another SOAPHound feature of interest is the actual LDAP queries it sends. Instead of performing multiple LDAP queries to obtain information about different objects, it obtains all data with one query and then parses the data offline on the client side. This significantly reduces the volume of LDAP queries being sent, as well as the underlying volume of relevant LDAP logs.
Finally, SOAPHound supports additional collection methods for specific internal services of interest, such as Active Directory Certificate Services (ADCS) and Active Directory integrated DNS records.
Future plans
“SOAPHound is currently compliant with Bloodhound version 4. We plan to create a version that also supports the latest version of Bloodhound (i.e. Community Edition) and also keep SOAPHound up to date with any new discoveries regarding abusable trust relationships within Active Directory environments. We open-sourced the tool so that additional interesting features can also be added by the community, and we would like to invite anyone with nice ideas to contribute in expanding the tool’s capabilities,” Karouzos explained.
SOAPHound is available for free on GitHub.
Must read:
- 15 open-source cybersecurity tools you’ll wish you’d known earlier
- 20 essential open-source cybersecurity tools that save you time