SoaPy: The Ultimate Stealthy Active Directory Enumeration Tool via ADWS

By: Mehul Dubey

Follow me on

LinkedIn: https://www.linkedin.com/in/er-mehul-dubey/

Introduction

Active Directory (AD) is an essential element in most enterprise infrastructures, acting as the foundation for authentication and resource management. Both security professionals and attackers utilize enumeration methods to chart AD infrastructures. Yet, conventional enumeration tools tend to leave traces that can initiate security alerts. That is where SoaPy comes in, a new tool that conducts stealthy Active Directory enumeration through Active Directory Web Services (ADWS), all from a Linux platform.

In this article, we will see what SoaPy is, how it functions, its benefits over other enumeration tools, and how to utilize it efficiently for security testing.

Understanding Active Directory Web Services (ADWS)

ADWS is a Windows service that exposes administrative access to AD data through SOAP-based queries. It is normally consumed by Microsoft's own Windows management tools; SoaPy talks to the same service to enumerate the directory covertly from a Linux host.

Key Functions of ADWS:

  • Enables querying of AD data without direct LDAP or Kerberos interaction.
  • Uses SOAP (Simple Object Access Protocol) to transfer information.
  • Available on Windows Server 2008 and later.
  • Backs PowerShell remoting and other Windows administration features.

This makes ADWS an interesting asset for both network defenders and penetration testers: it is an alternative enumeration path that sidesteps the monitoring usually focused on LDAP.

What is SoaPy?

SoaPy is an open-source Linux-based tool that enables security professionals to enumerate Active Directory stealthily via ADWS. Unlike traditional LDAP-based enumeration tools, SoaPy leverages web service queries, making its traffic appear less suspicious to network defenders.

Features of SoaPy:

  • Stealthy Enumeration: Avoids noisy LDAP queries.
  • Cross-Platform Compatibility: Works on Linux, unlike many AD tools.
  • User & Group Extraction: Retrieves user, group, and computer information.
  • SOAP-Based Communication: Uses ADWS instead of direct LDAP queries.
  • Integration with Other Tools: Can complement BloodHound, CrackMapExec, and other red teaming tools.

How SoaPy Works

SoaPy functions by interacting with ADWS over HTTPS (port 9389) using SOAP-based requests. It can retrieve a wealth of information from an Active Directory domain without triggering typical LDAP-related alerts.

Enumeration Techniques Used by SoaPy:

  1. User Enumeration: Extracts usernames, emails, and account attributes.
  2. Group Enumeration: Identifies group memberships and privileges.
  3. Computer Enumeration: Gathers hostnames and OS versions.
  4. Stealth Mode: Runs with minimal network fingerprinting to avoid detection.

Installing SoaPy on Linux

Before using SoaPy, ensure that Python and necessary dependencies are installed.

GitHub repo: https://github.com/xforcered/SoaPy

Installation Steps:

# Clone the SoaPy repository
git clone https://github.com/xforcered/SoaPy.git
cd SoaPy

# Install dependencies
pip install -r requirements.txt

SoaPy is now ready to run on your Linux machine.

Basic Usage of SoaPy

Once installed, SoaPy can be used to enumerate Active Directory objects stealthily.

Enumerate Users:

python soapy.py -u <AD_USERNAME> -p <PASSWORD> -d <DOMAIN> --users

Enumerate Groups:

python soapy.py -u <AD_USERNAME> -p <PASSWORD> -d <DOMAIN> --groups

Enumerate Computers:

python soapy.py -u <AD_USERNAME> -p <PASSWORD> -d <DOMAIN> --computers

These commands allow you to gather AD intelligence without triggering traditional security defenses.

Advanced Features of SoaPy

SoaPy is more than a simple enumeration tool: it offers advanced functionality for penetration testers and red teamers.

Bypassing Security Measures:

  • Mimics legitimate AD queries to avoid detection.
  • Does not trigger LDAP logging mechanisms.
  • Uses encrypted HTTPS traffic for added stealth.

Extracting Sensitive AD Information:

  • Fetches account status, last logon times, and privilege levels.
  • Retrieves domain policies and security settings.
  • Supports custom query modifications for specific enumeration needs.

Detection and Defense Against SoaPy

While SoaPy is a stealthy tool, there are ways to detect and defend against its usage.

How Security Teams Can Detect SoaPy:

  • Monitor ADWS traffic on port 9389 for unusual queries.
  • Analyze SOAP request patterns for non-standard access.
  • Implement SIEM rules to flag unexpected ADWS usage.
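The three detection bullets above can be turned into a concrete rule. The script below is an added example written for this article; it is not part of SoaPy, and it assumes a Zeek-style tab-separated connection log with the fields ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes and resp_bytes (all sample addresses and log lines are constructed). It examines only connections to port 9389 on known domain controllers and raises an alert when the client is not on the allowlist of hosts that legitimately use ADWS, when one client opens many ADWS connections, or when the volume of data returned is consistent with bulk directory enumeration.

```python
"""Flag unexpected Active Directory Web Services (ADWS, TCP 9389) clients.

Added example for the detection bullets in the article; not SoaPy code.
Assumption: a Zeek-style conn.log with tab-separated fields
ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes.
"""
from collections import defaultdict

ADWS_PORT = 9389

# Constructed placeholders, not real infrastructure.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
# Hosts expected to speak ADWS: an RSAT admin workstation and a management server.
ALLOWED_ADWS_CLIENTS = {"10.0.1.5", "10.0.1.6"}

# Constructed sample log: two normal admin connections, a burst from an
# unknown host pulling large responses, one LDAP connection (ignored), and
# one port-9389 connection to a non-DC host (ignored).
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1710000000.1\t10.0.1.5\t51000\t10.0.0.10\t9389\ttcp\t4120\t18900
1710000001.2\t10.0.1.5\t51001\t10.0.0.10\t9389\ttcp\t3900\t12000
1710000010.0\t10.0.5.77\t44010\t10.0.0.10\t9389\ttcp\t6200\t240000
1710000011.0\t10.0.5.77\t44011\t10.0.0.10\t9389\ttcp\t6100\t310000
1710000012.0\t10.0.5.77\t44012\t10.0.0.11\t9389\ttcp\t6300\t295000
1710000013.0\t10.0.5.77\t44013\t10.0.0.11\t9389\ttcp\t6000\t280000
1710000020.0\t10.0.5.77\t44014\t10.0.0.10\t389\ttcp\t800\t1500
1710000021.0\t10.0.2.9\t50222\t10.0.9.9\t9389\ttcp\t100\t100
"""


def parse_conn_log(text):
    """Parse the header-led, tab-separated log into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split("\t")))
        records.append({
            "ts": float(fields["ts"]),
            "src": fields["id.orig_h"],
            "dst": fields["id.resp_h"],
            "dport": int(fields["id.resp_p"]),
            "resp_bytes": int(fields["resp_bytes"]),
        })
    return records


def detect_adws_anomalies(records, dcs=DOMAIN_CONTROLLERS,
                          allowed=ALLOWED_ADWS_CLIENTS,
                          conn_threshold=3, bytes_threshold=1_000_000):
    """Return one alert per source host that violates any ADWS rule.

    Rules: client not on the allowlist; at least conn_threshold ADWS
    connections; at least bytes_threshold bytes returned by the DCs.
    Only traffic to port 9389 on a known DC is considered.
    """
    adws = [r for r in records if r["dport"] == ADWS_PORT and r["dst"] in dcs]
    per_src = defaultdict(list)
    for r in adws:
        per_src[r["src"]].append(r)

    alerts = []
    for src, conns in sorted(per_src.items()):
        total_bytes = sum(c["resp_bytes"] for c in conns)
        reasons = []
        if src not in allowed:
            reasons.append("unexpected ADWS client")
        if len(conns) >= conn_threshold:
            reasons.append(f"{len(conns)} ADWS connections")
        if total_bytes >= bytes_threshold:
            reasons.append(f"{total_bytes} bytes returned by DCs")
        if reasons:
            alerts.append({
                "src": src,
                "dcs": sorted({c["dst"] for c in conns}),
                "connections": len(conns),
                "resp_bytes": total_bytes,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_adws_anomalies(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"ALERT {alert['src']} -> {', '.join(alert['dcs'])}: "
              f"{'; '.join(alert['reasons'])}")
```

On the constructed sample the admin workstation 10.0.1.5 passes all three checks, while 10.0.5.77 is reported with all three reasons. The allowlist is the part worth tuning: in most environments only a handful of hosts (RSAT workstations, management servers running the AD PowerShell module) have any business opening port 9389, so any other client is a strong signal regardless of volume.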

Best Practices for Securing Active Directory:

  • Disable ADWS if not needed.
  • Restrict access to ADWS to specific administrative accounts.
  • Monitor authentication logs for suspicious AD enumeration activities.

Ethical Hacking & Red Teaming with SoaPy

SoaPy is a powerful tool for penetration testers and red teams. However, ethical considerations must always be followed.

Best Practices for Ethical Use:

  • Obtain explicit authorization before using SoaPy on any network.
  • Use SoaPy as part of a legitimate security assessment.
  • Report vulnerabilities responsibly to enhance security.

Conclusion

SoaPy is a game-changer for stealthy Active Directory enumeration via ADWS. It offers low-profile reconnaissance, making it a valuable tool for ethical hackers, penetration testers, and red teams. However, security professionals must also be aware of its capabilities to defend against unauthorized use.
