SharpADWS is an Active Directory reconnaissance and manipulation tool for Red Teams that talks to the domain controller over the little-used Active Directory Web Services (ADWS) protocol instead of LDAP.
Because the LDAP work is performed locally on the domain controller by the ADWS service, ADWS-based collection and modification sidestep monitoring that looks for LDAP on the wire.
This page covers the advantages of the approach, the protocol implementation, and the post-exploitation operations the tool supports.
Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).
SharpADWS is an Active Directory reconnaissance and exploitation tool for Red Teams that collects and modifies Active Directory data via the Active Directory Web Services (ADWS) protocol.
Typically, enumeration or manipulation of Active Directory occurs through the LDAP protocol. SharpADWS has the ability to extract or modify Active Directory data without communicating directly with the LDAP server.
Under ADWS, LDAP queries are wrapped in a series of SOAP messages and sent to the ADWS service over a WCF NetTcpBinding (net.tcp) channel with message-level security, so the LDAP query itself is never visible on the network.
The ADWS server then unpacks the LDAP query locally and forwards it to the LDAP server running on the same domain controller.
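As an added illustration (not SharpADWS code), here is what that wrapping looks like at the message level in Python: an LDAP search packed into a WS-Enumeration Enumerate envelope on the client side, and the inverse step the ADWS service performs before handing the query to the local LDAP server. The namespace, action and endpoint URIs are as I recall them from MS-WSDS and MS-ADDM; check them against the specifications before relying on them. The net.tcp transport and the message security layer are not reproduced.

```python
"""
Added illustration, not SharpADWS code: what ADWS carries instead of raw LDAP.
The client wraps an LDAP search in a WS-Enumeration Enumerate SOAP message;
the ADWS service on the DC unwraps it and runs it against the local LDAP server.
URIs below are as recalled from MS-WSDS / MS-ADDM (assumption: verify against the specs).
"""
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSEN = "http://schemas.xmlsoap.org/ws/2004/09/enumeration"
# Filter dialect that lets the client pass an LDAP filter, base DN and scope through
ADLQ = "http://schemas.microsoft.com/2008/1/ActiveDirectory/Dialect/LdapQuery"
ENUMERATE_ACTION = WSEN + "/Enumerate"
ADWS_PORT = 9389

for prefix, uri in (("s", SOAP), ("a", WSA), ("wsen", WSEN), ("adlq", ADLQ)):
    ET.register_namespace(prefix, uri)


def build_enumerate_request(dc_host, base_dn, ldap_filter, scope="subtree"):
    """Client side: wrap an LDAP search in a WS-Enumeration Enumerate envelope."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    must = {f"{{{SOAP}}}mustUnderstand": "1"}
    ET.SubElement(hdr, f"{{{WSA}}}Action", must).text = ENUMERATE_ACTION
    # ADWS enumeration endpoint on the DC (path as recalled from MS-ADDM)
    ET.SubElement(hdr, f"{{{WSA}}}To", must).text = (
        f"net.tcp://{dc_host}:{ADWS_PORT}/ActiveDirectoryWebServices/Windows/Enumeration"
    )
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    enum = ET.SubElement(body, f"{{{WSEN}}}Enumerate")
    flt = ET.SubElement(enum, f"{{{WSEN}}}Filter", {"Dialect": ADLQ})
    q = ET.SubElement(flt, f"{{{ADLQ}}}LdapQuery")
    ET.SubElement(q, f"{{{ADLQ}}}Filter").text = ldap_filter
    ET.SubElement(q, f"{{{ADLQ}}}BaseObject").text = base_dn
    ET.SubElement(q, f"{{{ADLQ}}}Scope").text = scope
    return ET.tostring(env, encoding="unicode")


def unwrap_ldap_query(soap_xml):
    """Server side (the step ADWS performs locally): recover the LDAP search parameters."""
    root = ET.fromstring(soap_xml)
    action = root.findtext(f"./{{{SOAP}}}Header/{{{WSA}}}Action")
    if action != ENUMERATE_ACTION:
        raise ValueError(f"not an Enumerate request: {action!r}")
    flt = root.find(f"./{{{SOAP}}}Body/{{{WSEN}}}Enumerate/{{{WSEN}}}Filter")
    if flt is None or flt.get("Dialect") != ADLQ:
        raise ValueError("Filter element missing or not in the LdapQuery dialect")
    q = flt.find(f"{{{ADLQ}}}LdapQuery")
    if q is None:
        raise ValueError("LdapQuery element missing")
    return {
        "filter": q.findtext(f"{{{ADLQ}}}Filter"),
        "base": q.findtext(f"{{{ADLQ}}}BaseObject"),
        "scope": q.findtext(f"{{{ADLQ}}}Scope"),
    }


if __name__ == "__main__":
    # Constructed sample: the kind of search a Kerberoastable enumeration would issue
    msg = build_enumerate_request("dc01.corp.local", "DC=corp,DC=local",
                                  "(&(objectClass=user)(servicePrincipalName=*))")
    print(msg)
    print(unwrap_ldap_query(msg))
```

The point to take from the round trip is which side sees what: a network sensor between client and DC sees only the outer SOAP message (and, in reality, only its encrypted net.tcp framing on port 9389), while the DC's own LDAP server sees the inner filter and base DN arriving from the local ADWS process.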
Active Directory Web Services (ADWS) is installed and started automatically with Active Directory Domain Services (AD DS) on Windows Server 2008 R2 and later, so SharpADWS works against essentially any current domain controller without additional setup.
One of the main benefits of using ADWS for LDAP post-exploitation is that it is relatively unknown, and since the LDAP queries themselves never cross the network (only the encrypted SOAP channel on TCP port 9389 does), they are not easily detected by common monitoring tools that watch LDAP traffic. The ADWS connection itself is still a network connection to the domain controller, so a defender's baseline of which hosts legitimately talk to TCP 9389 is the place to look for it.
ADWS runs as a completely separate service from LDAP, listens on TCP port 9389, and exposes a SOAP interface.
While researching ADWS, we noticed that because it is a SOAP web service, the actual LDAP query is executed locally on the domain controller by the ADWS service.
This has several side effects that work in the attacker's favour. For example, when LDAP queries are logged on a domain controller, ADWS-originated queries appear to come from 127.0.0.1, a source that many detection rules treat as benign local activity and ignore.
A secondary benefit is that the activity does not show up in Microsoft Defender for Endpoint's DeviceEvents table under the LdapSearch action type, because that telemetry is recorded on the device that issues the LDAP call and with ADWS the client never issues one, so very little telemetry data is available.
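As an added example (not code from SharpADWS or its author), the following Python sketch turns the two observations above into a detection: ADWS sessions are visible as inbound connections to TCP port 9389, and the LDAP searches they trigger appear in DC-side search logging with client 127.0.0.1. It correlates the two over constructed, simplified log lines (stand-ins for host firewall or Sysmon network events and Directory Service search logging; the one-line field layout is mine, not a real Windows event format) and tags filters that match the enumerations listed on this page. The allowlist, correlation window and marker table are assumptions to tune per environment.

```python
"""
Added example, not SharpADWS code: correlate inbound ADWS connections with the
127.0.0.1 LDAP searches they cause on the DC.  The log lines are constructed
stand-ins (one event per line, my own layout), not real Windows event text.
"""
import re
from datetime import datetime

# Hosts expected to use ADWS against this DC (RSAT/ADAC workstations, management servers).
# Assumption: tune per environment.
ADWS_ALLOWLIST = {"10.0.0.5"}

# LDAP filter fragments typical of the enumerations this tool performs; the attributes
# are the ones named in the method list on this page (4194304 is the DONT_REQ_PREAUTH
# bit of userAccountControl).
SUSPICIOUS_FILTER_MARKERS = {
    "userAccountControl:1.2.840.113556.1.4.803:=4194304": "DontReqPreAuth enumeration",
    "servicePrincipalName=*": "Kerberoastable enumeration",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD read/write",
    "msDS-KeyCredentialLink": "Shadow Credentials (Whisker)",
    "pKIExtendedKeyUsage": "ADCS template enumeration (Certify)",
}

# Constructed line layouts: "<ts> NET src=<ip>:<port> dst=<ip>:<port>" and
# "<ts> LDAP client=<ip>:<port> base="<dn>" scope=<scope> filter="<filter>""
NET_RE = re.compile(r"^(?P<ts>\S+) NET src=(?P<src>[\d.]+):\d+ dst=[\d.]+:(?P<dport>\d+)$")
LDAP_RE = re.compile(r'^(?P<ts>\S+) LDAP client=(?P<client>[\d.]+):\d+ '
                     r'base="(?P<base>[^"]*)" scope=(?P<scope>\w+) filter="(?P<filter>[^"]*)"$')


def parse_events(lines):
    """Split constructed log lines into network-connection and LDAP-search events."""
    net, ldap = [], []
    for line in lines:
        if (m := NET_RE.match(line)):
            net.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
        elif (m := LDAP_RE.match(line)):
            ldap.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return net, ldap


def correlate(lines, window_seconds=300):
    """Flag 127.0.0.1 LDAP searches that follow a non-allowlisted ADWS (TCP 9389) connection."""
    net, ldap = parse_events(lines)
    adws_conns = sorted(
        (n for n in net if n["dport"] == "9389" and n["src"] not in ADWS_ALLOWLIST),
        key=lambda n: n["ts"],
    )
    alerts = []
    for q in ldap:
        if q["client"] != "127.0.0.1":
            continue  # LDAP over the network: existing LDAP monitoring already sees this
        # Most recent suspicious ADWS connection that started within the window before this query.
        # ADWS sessions can stay open, so the window is generous rather than per-query tight.
        prior = [c for c in adws_conns
                 if 0 <= (q["ts"] - c["ts"]).total_seconds() <= window_seconds]
        if not prior:
            continue  # local query with no suspicious ADWS session behind it (DC's own services)
        src = prior[-1]["src"]
        tags = [label for marker, label in SUSPICIOUS_FILTER_MARKERS.items() if marker in q["filter"]]
        alerts.append({"ts": q["ts"].isoformat(), "src": src, "base": q["base"],
                       "filter": q["filter"], "tags": tags})
    return alerts


# Constructed sample: an allowlisted admin host, then an unexpected host running recon
# over ADWS, then an ordinary network LDAP query that this rule leaves to other detections.
SAMPLE_LOG = """\
2024-03-01T09:00:00 NET src=10.0.0.5:51000 dst=10.0.0.10:9389
2024-03-01T09:00:01 LDAP client=127.0.0.1:60001 base="DC=corp,DC=local" scope=subtree filter="(objectClass=organizationalUnit)"
2024-03-01T09:10:00 NET src=10.0.0.77:52000 dst=10.0.0.10:9389
2024-03-01T09:10:01 LDAP client=127.0.0.1:60002 base="DC=corp,DC=local" scope=subtree filter="(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
2024-03-01T09:10:02 LDAP client=127.0.0.1:60003 base="DC=corp,DC=local" scope=subtree filter="(&(objectClass=user)(servicePrincipalName=*))"
2024-03-01T09:10:03 LDAP client=10.0.0.23:55000 base="DC=corp,DC=local" scope=subtree filter="(&(objectClass=user)(servicePrincipalName=*))"
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The correlation matters because 127.0.0.1 on its own is not a usable signal: the domain controller's own services also query the local LDAP server. Tying a local search to a recent non-allowlisted 9389 connection, and then looking at what the filter asks for, is what turns the page's "queries come from 127.0.0.1" observation into something a SOC can act on.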
SharpADWS implements the MS-ADDM, MS-WSTIM and MS-WSDS protocols; the project's source code can be reused to implement the following operations against Active Directory Web Services:
The command line argument -h can be used to display the following usage information:
C:\Users\Marcus>SharpADWS.exe -h
SharpADWS 1.0.0-beta - Copyright (c) 2024 WHOAMI (whoamianony.top)
-h Display this help screen
Connection options:
-d Specify domain for enumeration
-u Username to use for ADWS Connection
-p Password to use for ADWS Connection
Supported methods:
Cache Dump all objectSids to cache file for Acl methods
Acl Enumerate and analyze DACLs for specified objects, specifically Users, Computers, Groups, Domains, DomainControllers and GPOs
DCSync Enumerate all DCSync-capable accounts and can set DCSync backdoors
DontReqPreAuth Enumerates all accounts that do not require Kerberos preauthentication, and can enable this option for accounts
Kerberoastable Enumerates all Kerberoastable accounts, and can write SPNs for accounts
AddComputer Add a machine account within the scope of ms-DS-MachineAccountQuota for RBCD attack
RBCD Read, write and remove msDS-AllowedToActOnBehalfOfOtherIdentity attributes for Resource-Based Constrained Delegation attack
Certify Enumerate all ADCS data like Certify.exe, and can write template attributes
Whisker List, add and remove msDS-KeyCredentialLink attribute like Whisker.exe for ShadowCredentials attack
FindDelegation Enumerate all delegation relationships for the target domain
Acl options:
-dn RFC 2253 DN to base search from
-scope Set your Scope, support Base (Default), Onelevel, Subtree
-trustee The sAMAccountName of a security principal to check for its effective permissions
-right Filter DACL for a specific AD rights
-rid Specify a RID value; DACL entries whose security principal has a RID greater than it are filtered out
-user Enumerate DACL for all user objects
-computer Enumerate DACL for all computer objects
-group Enumerate DACL for all group objects
-domain Enumerate DACL for all domain objects
-domaincontroller Enumerate DACL for all domain controller objects
-gpo Enumerate DACL for all gpo objects
DCSync options:
-action [{list, write}] Action to perform for the DCSync method
list List all accounts with DCSync permissions
write Grant DCSync permissions to the account given by -target
-target Specify the sAMAccountName of the account
DontReqPreAuth options:
-action [{list, write}] Action to perform for the DontReqPreAuth method
list List all accounts that do not require Kerberos preauthentication
write Set the "do not require Kerberos preauthentication" flag on the account given by -target
-target Specify the sAMAccountName of the account
Kerberoastable options:
-action [{list, write}] Action to perform for the Kerberoastable method
list List all Kerberoastable accounts
write Write SPNs to the account given by -target so that it can be Kerberoasted
-target Specify the sAMAccountName of the account
AddComputer options:
-computer-name Name of computer to add, without '$' suffix
-computer-pass Password to set for the computer
RBCD options:
-action [{read,write,remove}] Action to perform for the RBCD method
read Read the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the account
write Write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the account
remove Remove the msDS-AllowedToActOnBehalfOfOtherIdentity attribute value of the account added by the write action
Certify options:
-action [{find, modify}] Action to perform for the Certify method
find Find all CA and certificate templates
modify Modify certificate templates
-enrolleeSuppliesSubject With the find action, enumerate certificate templates that have the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag; with the modify action, enable the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag
-clientAuth With the find action, enumerate certificate templates whose pKIExtendedKeyUsage includes Client Authentication; with the modify action, enable Client Authentication
Whisker options:
-action [{list, add, remove}] Action to perform for the Whisker (Shadow Credentials) method
list List all the values of the msDS-KeyCredentialLink attribute for an account
add Add a new value to the msDS-KeyCredentialLink attribute for an account
remove Remove a value from the msDS-KeyCredentialLink attribute for an account
-device-id Specify the DeviceID to remove
-target Specify the sAMAccountName of the account
FindDelegation options:
No options, just run!
When SharpADWS enumerates ACLs, rather than issuing an extra ADWS request for every trustee it does not already know, it expects a complete cache of all account objects to have been built beforehand with the Cache method and saved to a file, which avoids a large amount of unnecessary traffic.
The cache maps the name of each account object in the current domain to its objectSid.
C:\Users\Marcus>SharpADWS.exe Cache
[*] Cache file has been generated: object.cache