A groundbreaking tool revolutionizing Active Directory reconnaissance for Red Teams.

By leveraging the obscure Active Directory Web Services (ADWS) protocol, SharpADWS enables discreet data collection and manipulation, evading traditional detection methods.

Explore its unique advantages and protocol implementation, empowering Red Teams with unparalleled precision in post-exploitation operations.

Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).

Overview

SharpADWS is an Active Directory reconnaissance and exploitation tool for Red Teams that collects and modifies Active Directory data via the Active Directory Web Services (ADWS) protocol.

Typically, enumeration or manipulation of Active Directory occurs through the LDAP protocol. SharpADWS has the ability to extract or modify Active Directory data without communicating directly with the LDAP server.

Under ADWS, LDAP queries are wrapped in a series of SOAP messages and then sent to the ADWS server using a NET TCP Binding encrypted channel.

The ADWS server then unpacks the LDAP query locally and forwards it to the LDAP server running on the same domain controller.

Active Directory Web Services (ADWS) is automatically turned on when Active Directory Domain Services (ADDS) is installed, making SharpADWS universal across all domain environments.

Good Point

One of the main benefits of using ADWS for LDAP post-exploitation is that it is relatively unknown, and since LDAP traffic is not sent over the network, it is not easily detected by common monitoring tools.

ADWS runs a completely different service than LDAP, is available on TCP port 9389, and uses the SOAP protocol as its interface.

While researching ADWS, we noticed that since it is a SOAP web service, the actual execution of the LDAP query is done locally on the domain controller.

This provides a number of interesting side effects that turn out to be beneficial. For example, when analyzing LDAP queries on a domain controller, you may notice that the queries originate from 127.0.0.1 logs, which in many cases will be ignored.

A secondary benefit of this is that the activity does not show up in DeviceEvents under the LDAPSearch action type, which means very little telemetry data is available.

Protocol Implementation

SharpADWS implements MS-ADDMMS-WSTIM and MS-WSDS protocol, you can use the source code of this project to easily implement the following operations on Active Directory Web Services:

  • Enumerate:Creates a context that maps to the specified search query filter.
  • Pull:Retrieve the result object in the context of a specific enumeration.
  • Renew:Updates the expiration time of the specified enumeration context.
  • GetStatus:Gets the expiration time of the specified enumeration context.
  • Release:Releases the specified enumeration context.
  • Delete:Delete existing objects.
  • Get:Retrieve one or more properties from an object.
  • Put:Modify the contents of one or more properties on an object.
    • Add:Adds the specified property value to the specified property’s value set, or creates the property if it does not already exist on the target object.
    • Replace:Replaces the set of values in the specified property with the values specified in the operation, or creates the property if it does not already exist on the target object. If no value is specified in the operation, all values on the currently specified attribute will be deleted.
    • Delete:Removes the specified attribute value from the specified attribute. If no value is specified, all values will be deleted. If the specified property does not exist on the target object, the PUT request fails.
  • Create:Create a new object.

Usage

The command line argument -h can be used to display the following usage information:

C:\Users\Marcus>SharpADWS.exe -h

SharpADWS 1.0.0-beta - Copyright (c) 2024 WHOAMI (whoamianony.top)

  -h                      Display this help screen

Connection options:
  -d                      Specify domain for enumeration
  -u                      Username to use for ADWS Connection
  -p                      Password to use for ADWS Connection

Supported methods:
  Cache                   Dump all objectSids to cache file for Acl methods
  Acl                     Enumerate and analyze DACLs for specified objects, specifically Users, Computers, Groups, Domains, DomainControllers and GPOs
  DCSync                  Enumerate all DCSync-capable accounts and can set DCSync backdoors
  DontReqPreAuth          Enumerates all accounts that do not require kerberos preauthentication, and can enable this option for accounts
  Kerberoastable          Enumerates all Kerberoastable accounts, and can write SPNs for accounts
  AddComputer             Add a machine account within the scope of ms-DS-MachineAccountQuota for RBCD attack
  RBCD                    Read, write and remove msDS-AllowedToActOnBehalfOfOtherIdentity attributes for Resource-Based Constrained Delegation attack
  Certify                 Enumerate all ADCS data like Certify.exe, and can write template attributes
  Whisker                 List, add and remove msDS-KeyCredentialLink attribute like Whisker.exe for ShadowCredentials attack
  FindDelegation          Enumerate all delegation relationships for the target domain

Acl options:
  -dn                     RFC 2253 DN to base search from
  -scope                  Set your Scope, support Base (Default), Onelevel, Subtree
  -trustee                The sAMAccountName of a security principal to check for its effective permissions
  -right                  Filter DACL for a specific AD rights
  -rid                    Specify a rid value and filter out DACL that security principal's rid is greater than it
  -user                   Enumerate DACL for all user objects
  -computer               Enumerate DACL for all computer objects
  -group                  Enumerate DACL for all group objects
  -domain                 Enumerate DACL for all domain objects
  -domaincontroller       Enumerate DACL for all domain controller objects
  -gpo                    Enumerate DACL for all gpo objects

DCSync options:
  -action [{list, write}] Action to operate on DCSync method
          list            List all accounts with DCSync permissions
          write           Escalate accounts with DCSync permissions
  -target                 Specify the sAMAccountName of the account

DontReqPreAuth options:
  -action [{list, write}] Action to operate on DontReqPreAuth method
          list            List all accounts that do not require kerberos preauthentication
          write           Enable do not require kerberos preauthentication for an account
  -target                 Specify the sAMAccountName of the account

Kerberoastable options:
  -action [{list, write}] Action to operate on Kerberoastable method
          list            List all kerberoastable accounts
          write           Write SPNs for an account to kerberoast
  -target                 Specify the sAMAccountName of the account

AddComputer options:
  -computer-name          Name of computer to add, without '$' suffix
  -computer-pass          Password to set for the computer

RBCD options:
  -action [{read,write,remove}]
                          Action to operate on RBCD method
          read            Read the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the account
          write           Write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the account
          remove          Remove the msDS-AllowedToActOnBehalfOfOtherIdentity attribute value of the account added by the write action

Certify options:
  -action [{find, modify}]
                          Action to operate on Certify method
          find            Find all CA and certificate templates
          modify          Modify certificate templates
  -enrolleeSuppliesSubject
                          Enumerate certificate templates with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag for find action,
                          and can enable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag for modify action
  -clientAuth             Enumerate certificate templates with client authentication pKIExtendedKeyUsage for find action,
                          and can enable Client Authentication for modify action

Whisker options:
  -action [{list, add, remove}]
                          Action to operate on ShadowCredentials method
          list            List all the values of the msDS-KeyCredentialLink attribute for an account
          add             Add a new value to the msDS-KeyCredentialLink attribute for an account
          remove          Remove a value from the msDS-KeyCredentialLink attribute for an account
  -device-id              Specify the DeviceID to remove
  -target                 Specify the sAMAccountName of the account

FindDelegation options:
  No options, just run!

Cache

When SharpADWS enumerates the ACL, in order not to perform additional ADWS requests for each unknown trustee object, it is necessary to create a complete cache of all account objects in advance through the cache method and save it to a file, thereby avoiding a large number of (unnecessary) flow.

The cache contains a mapping of each account object name within the current domain to its objectSid.

C:\Users\Marcus>SharpADWS.exe Cache

[*] Cache file has been generated: object.cache

For more information click here

LEAVE A REPLY

Please enter your comment!
Please enter your name here