From 97d13d0627a5e41eeef05f3a2babecb6060dc4f2 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 6 Mar 2026 18:45:08 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20sopa=20=E2=80=94=20A=20?= =?UTF-8?q?practical=20client=20for=20ADWS=20in=20Golang?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../adws-enumeration.md | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/src/windows-hardening/active-directory-methodology/adws-enumeration.md b/src/windows-hardening/active-directory-methodology/adws-enumeration.md index 6bee42cf558..bc71dd1d7a4 100644 --- a/src/windows-hardening/active-directory-methodology/adws-enumeration.md +++ b/src/windows-hardening/active-directory-methodology/adws-enumeration.md @@ -88,6 +88,64 @@ Similarly as soapy, [sopa](https://github.com/Macmod/sopa) implements the ADWS p * **Account management** - `set-password` / `change-password` * and others such as `groups`, `members`, `optfeature`, `info [version|domain|forest|dcs]`, etc. +### Protocol mapping highlights + +* LDAP-style searches are issued via **WS-Enumeration** (`Enumerate` + `Pull`) with attribute projection, scope control (Base/OneLevel/Subtree) and pagination. +* Single-object fetch uses **WS-Transfer** `Get`; attribute changes use `Put`; deletions use `Delete`. +* Built-in object creation uses **WS-Transfer ResourceFactory**; custom objects use an **IMDA AddRequest** driven by YAML templates. +* Password operations are **MS-ADCAP** actions (`SetPassword`, `ChangePassword`). + +### Unauthenticated metadata discovery (mex) + +ADWS exposes WS-MetadataExchange without credentials, which is a quick way to validate exposure before authenticating: + +```bash +sopa mex --dc +``` + +### DNS/DC discovery & Kerberos targeting notes + +Sopa can resolve DCs via SRV if `--dc` is omitted and `--domain` is provided. It queries in this order and uses the highest-priority target: + +```text +_ldap._tcp. +_kerberos._tcp. +``` + +Operationally, prefer a DC-controlled resolver to avoid failures in segmented environments: + +* Use `--dns ` so **all** SRV/PTR/forward lookups go through the DC DNS. +* Use `--dns-tcp` when UDP is blocked or SRV answers are large. +* If Kerberos is enabled and `--dc` is an IP, sopa performs a **reverse PTR** to obtain an FQDN for correct SPN/KDC targeting. If Kerberos is not used, no PTR lookup happens. + +Example (IP + Kerberos, forced DNS via the DC): + +```bash +sopa info version --dc 192.168.1.10 --dns 192.168.1.10 -k --domain corp.local -u user -p pass +``` + +### Auth material options + +Besides plaintext passwords, sopa supports **NT hashes**, **Kerberos AES keys**, **ccache**, and **PKINIT certificates** (PFX or PEM) for ADWS auth. Kerberos is implied when using `--aes-key`, `-c` (ccache) or certificate-based options. + +```bash +# NT hash +sopa --dc -d -u -H query --filter '(objectClass=user)' + +# Kerberos ccache +sopa --dc -d -u -c info domain +``` + +### Custom object creation via templates + +For arbitrary object classes, the `create custom` command consumes a YAML template that maps to an IMDA `AddRequest`: + +* `parentDN` and `rdn` define the container and relative DN. +* `attributes[].name` supports `cn` or namespaced `addata:cn`. +* `attributes[].type` accepts `string|int|bool|base64|hex` or explicit `xsd:*`. +* Do **not** include `ad:relativeDistinguishedName` or `ad:container-hierarchy-parent`; sopa injects them. +* `hex` values are converted to `xsd:base64Binary`; use `value: ""` to set empty strings. + ## SOAPHound – High-Volume ADWS Collection (Windows) [FalconForce SOAPHound](https://github.com/FalconForceTeam/SOAPHound) is a .NET collector that keeps all LDAP interactions inside ADWS and emits BloodHound v4-compatible JSON. It builds a complete cache of `objectSid`, `objectGUID`, `distinguishedName` and `objectClass` once (`--buildcache`), then re-uses it for high-volume `--bhdump`, `--certdump` (ADCS), or `--dnsdump` (AD-integrated DNS) passes so only ~35 critical attributes ever leave the DC. AutoSplit (`--autosplit --threshold `) automatically shards queries by CN prefix to stay under the 30-minute EnumerationContext timeout in large forests. @@ -168,6 +226,7 @@ Combine this with `s4u2proxy`/`Rubeus /getticket` for a full **Resource-Based Co * [SoaPy GitHub](https://github.com/logangoins/soapy) * [BOFHound GitHub](https://github.com/bohops/BOFHound) * [ADWSDomainDump GitHub](https://github.com/mverschu/adwsdomaindump) +* [Sopa GitHub](https://github.com/Macmod/sopa) * [Microsoft – MC-NBFX, MC-NBFSE, MS-NNS, MC-NMF specifications](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nbfx/) * [IBM X-Force Red – Stealthy Enumeration of Active Directory Environments Through ADWS](https://logan-goins.com/2025-02-21-stealthy-enum-adws/) * [FalconForce – SOAPHound tool to collect Active Directory data via ADWS](https://falconforce.nl/soaphound-tool-to-collect-active-directory-data-via-adws/)