SoaPy: A Game-Changer for Active Directory Enumeration Using ADWS

In an era where cybersecurity demands ever-more sophisticated tools and methods, a recent breakthrough in Active Directory enumeration has emerged from the research labs of IBM X-Force Red. The innovative tool, SoaPy, demonstrates a stealthy approach to gathering Active Directory data through Active Directory Web Services (ADWS) — all from a Linux host. In this article, we’ll delve deep into how SoaPy revolutionizes AD reconnaissance, examine its technical underpinnings, and discuss its potential implications for Windows administrators and enterprise defenders.

Introduction

Active Directory (AD) remains a critical backbone for countless Windows environments, controlling authentication, authorization, and more across organizational networks. Although traditional enumeration methods typically rely on direct LDAP queries, modern defensive measures have made such activities easier to detect. However, SoaPy bypasses many of these obstacles by leveraging ADWS, a service long enabled by default on domain controllers. What does this mean for IT security professionals? Let’s explore.
Key Points:
  • SoaPy is a Python-based tool designed to interact with ADWS stealthily.
  • It enables Active Directory enumeration from Linux hosts, overcoming the Windows-centric limitations of many native tools.
  • By routing LDAP queries indirectly via ADWS, the tool makes logged activities appear as if they were internal communications within the domain controller itself.

Understanding Active Directory Web Services (ADWS)

Active Directory Web Services, commonly abbreviated as ADWS, is a component that facilitates a wide range of directory operations over SOAP (Simple Object Access Protocol) messages. Enabled by default on domain controllers (since Windows Server 2008), ADWS not only supports the familiar AD administrative tools (like the Active Directory Administrative Center and PowerShell’s AD module) but also serves as a versatile proxy for LDAP interactions.

How ADWS Works:

  • Default Operation: ADWS typically runs on port 9389 and acts as a mediator between clients and the LDAP service on the domain controller.
  • SOAP Messaging: Clients send XML-based SOAP messages to ADWS, which then communicates with the LDAP service using locally valid credentials. This mechanism means that network monitoring often shows the domain controller communicating with itself.
  • Dual Endpoints: Different endpoints exist within ADWS—for example, an "Enumeration" endpoint is used for reading LDAP data and a "Resource" endpoint for writing operations.
This architecture, originally designed for convenience and compatibility with Microsoft’s management tools, is now being re-purposed by red teams. SoaPy exploits this same structure to perform reconnaissance tasks while minimizing its footprint in traditional log monitoring.

Delving into SoaPy: Technical Insights and Capabilities

SoaPy is impressive not just for what it does but for how it does it. Developed during a summer internship at IBM X-Force Red, SoaPy was born out of necessity. Security professionals required an efficient and stealthy way to enumerate AD information from non-Windows systems — a gap that traditional tools like RSAT or .NET-based utilities left unfilled.

The Architecture Behind SoaPy

To understand SoaPy’s innovation, consider the intricate protocol stack it had to negotiate:
  • NMF (.NET Message Framing) Protocol:
      • Purpose: Defines how SOAP messages should be framed before transmission.
      • Operation: SoaPy constructs an NMF Preamble message containing details such as the operation mode (typically duplex), the ADWS endpoint (e.g., via records like “net.tcp://hostname:9389/Enumeration”), and the chosen encoding format.
  • NNS (.NET NegotiateStream) Protocol:
      • Purpose: Provides the framing for generic security service data and is essential for negotiating authentication protocols.
      • Details: It supports Windows Integrated Authentication (via protocols such as Kerberos or NTLM). In SoaPy, an NTLM handshake is used, facilitated by libraries like Impacket’s SPNEGO.
  • NBFSE (.NET Binary Format SOAP Extension):
      • Purpose: Encodes SOAP data into a binary serial format for efficient transmission.
      • Challenges: As the sole supported encoding format in this scenario, its correct implementation was crucial. SoaPy had to implement extensions of NBFS and NBFX (XML data structure framing).

Implementation Highlights:

  • Cross-Platform Flexibility: Traditionally, ADWS interactions have been confined to Windows due to reliance on proprietary libraries. SoaPy shatters this boundary by running elegantly on Linux hosts.
  • Pre-Built Queries: With built-in queries, security professionals can enumerate specific AD attributes such as accounts with the “servicePrincipalName” set. This functionality enables rapid collection of valuable identifiers.
  • Custom Query Capability: For the more adventurous operator, SoaPy supports custom-built queries, granting finer control over AD enumeration.
  • Integration with Impacket: While Impacket already simplifies several aspects of AD authentication, it previously lacked support for protocols like NNS and NMF. SoaPy fills that gap, and there are ambitions to eventually merge its innovations back into Impacket.
The result is a tool composed of roughly 5,000 lines of finely tuned code — carefully crafted through meticulous reverse engineering of protocol specifications and packet captures. Developers had to overcome a minefield of challenges, such as limited documentation and the inherent complexities of SOAP-based communications in a security-focused context.

The Protocols in Action: A Walkthrough

When using SoaPy, the interactions between a client and ADWS unfold in a series of well-coordinated messages:
  • Initialization:
      • The client sends out the NMF Preamble message to set the stage for communication.
      • This message establishes key parameters: the operation mode (duplex), endpoint details, and the binary encoding to be used.
  • Upgrading the Connection:
      • An NMF Upgrade Request is then dispatched, signaling the desire to transition into a secure session using NNS authentication.
      • The server responds with an upgrade acknowledgment, initiating the NTLM handshake.
  • Authentication:
      • The NTLM handshake begins, with client-generated tokens negotiated through SPNEGO.
      • After a series of challenge-response messages, the client is authenticated.
  • Enumeration Phase:
      • With the session secured, the client sends a SOAP-based ADWS Enumeration message.
      • The server replies with an Enumeration Context — essentially a session identifier (UUID) — which is used in subsequent “Pull” messages to retrieve LDAP data incrementally.
  • Data Retrieval:
      • The "Pull" message, referencing the Enumeration Context, solicits further LDAP results from the server.
      • The server processes this and returns the results, still masquerading as internal domain controller activity in logged events.
This multi-layered protocol interaction helps explain why traditional detection methods may struggle to pinpoint the source of enumeration when SoaPy is in play.

Security Implications and Detection Considerations

While SoaPy is an impressive feat of development, it also underscores potential security risks. For Windows administrators and security teams, understanding the implications of such stealthy enumeration is essential.

What Makes SoaPy Challenging to Detect?

  • Log Camouflage: Because the ADWS interaction is routed through the domain controller’s local service, logs typically show the DC connecting to itself. This can mask the true origin of suspicious LDAP queries.
  • Protocol Complexity: The additional layers (NMF, NNS, NBFSE) introduce complexity that can obfuscate typical LDAP signatures. Traditional detection may flag unusual query patterns, but these can be easily attributed to legitimate ADWS behavior.
  • Credential Attribution: Even when suspicious activity is logged, correlating that activity to the actual operator is challenging given that the authentication appears to be performed by a low-privilege user.

Detection Strategies for Administrators:

To mitigate these risks, administrators should consider:
  • Enhanced Logging: Enable detailed LDAP and Windows Communication Foundation (WCF) logging on domain controllers. This may involve modifying ADWS configuration files (e.g., Microsoft.ActiveDirectory.WebServices.exe.config) to capture more granular events.
  • Correlating Sessions: Use network correlation tools to match user sessions with anomalous AD query behavior. Although the DC appears as the source in logs, correlating other contextual details (user sessions, IP addresses, and time stamps) may reveal underlying patterns.
  • SACL Canaries: Implement System Access Control List (SACL) canaries to monitor sensitive operations. Alerts based on unauthorized attribute queries or changes can prompt further review.
  • SIEM Integration: Leverage Security Information and Event Management (SIEM) systems to set up custom alerts for indirect AD enumeration attempts that might be characteristic of tools like SoaPy.
By integrating these measures, organizations can benefit from the convenience of ADWS while keeping an eye on potential misuse.
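As an added illustration of the session-correlation idea above (example code written for this article, not code from IBM X-Force Red or the SoaPy project), the following Python snippet matches LDAP queries that the domain controller logs as coming from 127.0.0.1 against earlier inbound connections to the ADWS port 9389, and names the remote host that most plausibly triggered them. The log formats, field order and five-second window are assumptions, and all sample lines are constructed.

```python
from datetime import datetime, timedelta

ADWS_PORT = 9389               # ADWS default port (see "How ADWS Works")
LOOPBACK = "127.0.0.1"         # source the DC records for ADWS-proxied LDAP queries
WINDOW = timedelta(seconds=5)  # assumed max gap between ADWS connect and LDAP query

# Constructed sample connection log: time src_ip dst_ip dst_port
ADWS_CONN_LOG = """
2025-02-10T10:00:01 10.0.0.55 10.0.0.10 9389
2025-02-10T10:03:30 10.0.0.20 10.0.0.10 445
2025-02-10T11:15:00 10.0.0.77 10.0.0.10 9389
"""

# Constructed sample LDAP query log as the DC would record it: time client_ip user filter
LDAP_LOG = """
2025-02-10T10:00:02 127.0.0.1 jdoe@corp.example (servicePrincipalName=*)
2025-02-10T10:00:03 127.0.0.1 jdoe@corp.example (objectClass=user)
2025-02-10T10:30:00 10.0.0.20 svc_backup@corp.example (sAMAccountName=backup01)
2025-02-10T11:15:01 127.0.0.1 asmith@corp.example (adminCount=1)
2025-02-10T12:00:00 127.0.0.1 asmith@corp.example (objectClass=group)
"""

def parse_log(text, fields):
    """Split whitespace-delimited lines into dicts; the first field is an ISO timestamp."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split(maxsplit=len(fields) - 1)))
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows

def correlate_adws(conn_log, ldap_log, window=WINDOW):
    """For every LDAP query the DC attributes to itself, find the most recent inbound
    ADWS connection within `window` and report its source as the probable origin."""
    conns = [c for c in parse_log(conn_log, ("time", "src", "dst", "port"))
             if int(c["port"]) == ADWS_PORT]
    findings = []
    for q in parse_log(ldap_log, ("time", "client", "user", "filter")):
        if q["client"] != LOOPBACK:
            continue  # direct LDAP client: the logged source IP is already meaningful
        recent = [c for c in conns if timedelta(0) <= q["time"] - c["time"] <= window]
        origin = max(recent, key=lambda c: c["time"])["src"] if recent else None
        findings.append({"time": q["time"].isoformat(), "user": q["user"],
                         "filter": q["filter"], "probable_origin": origin})
    return findings

if __name__ == "__main__":
    for finding in correlate_adws(ADWS_CONN_LOG, LDAP_LOG):
        print(finding)
```

A loopback query with no ADWS connection inside the window is reported with `probable_origin` of `None`, which is itself worth a look since the DC should rarely query itself without a preceding client session.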

Broader Impact on Windows Environments

SoaPy is emblematic of a broader trend in cybersecurity: the convergence of offensive and defensive innovations. For Windows administrators, this serves as a reminder that even well-established services like ADWS can be repurposed for both legitimate management and potentially harmful reconnaissance.

Key Takeaways for Windows Users:

  • Evolving Threat Landscape: Traditional defense mechanisms may not suffice against sophisticated, multi-protocol attacks. Proactive monitoring and updated security policies are essential.
  • Cross-Platform Threats: As red team and penetration testing tools increasingly become cross-platform, relying solely on Windows-based security paradigms can leave gaps exploitable by Linux-hosted tools.
  • Community Collaboration: The open-source nature of SoaPy and its potential integration with projects like Impacket highlight the collaborative spirit of the cybersecurity community. Adopting and adapting these tools—while ensuring they are used ethically—can significantly improve overall security postures.
The development of SoaPy also reinforces that attackers (and ethical hackers) are continuously innovating, pushing the boundaries of existing protocols and security measures.

Future Directions and Community Impact

The creators of SoaPy have already outlined several next steps to enhance its capabilities:
  • Feature Enhancements: Future versions could include fine-grained attribute collection and the possibility to write custom attributes, offering even more versatility during audits.
  • Integration with Impacket: A merge with Impacket’s codebase is on the horizon, which would democratize access and expand the tool’s utility across the cybersecurity ecosystem.
  • Broader Protocol Applications: The underlying libraries for interacting with NNS, NMF, and NBFSE protocols could pave the way for other tools to interact with similar services, further pushing the envelope in cross-platform reconnaissance tools.
These anticipated developments underscore a dynamic future where security research and offensive security tools continuously evolve, forcing defenders to reassess and enhance their strategies.

Conclusion

SoaPy represents a significant leap forward in the realm of Active Directory enumeration. By leveraging ADWS—a service traditionally seen as a benign component of Windows administration—this tool enables stealthy, cross-platform reconnaissance that challenges the standard detection paradigms. For Windows administrators and cybersecurity professionals alike, understanding and adapting to these innovations is critical.
In Summary:
  • SoaPy leverages ADWS to enumerate AD environments in a manner that minimizes detection.
  • It does so by penetrating multiple protocol layers (NMF, NNS, NBFSE) and disguising its operations as internal domain controller communications.
  • The tool underscores the evolving threat landscape and the pressing need for enhanced monitoring strategies—such as improved LDAP logging, session correlation, and SIEM integrations.
  • With future enhancements and community collaboration promising even greater capabilities, SoaPy stands as both a powerful tool for red teams and a cautionary tale for defenders.
For Windows users and IT professionals, staying informed about such developments is not merely academic—it’s a call to action. Strengthening network monitoring and refining detection strategies must evolve in step with the innovative tactics employed by attackers and ethical hackers alike.


Source: Security Intelligence SoaPy: Stealthy enumeration of Active Directory environments through ADWS | IBM