SharpADWS: Active Directory reconnaissance and exploitation for Red Teams
SharpADWS
SharpADWS is an Active Directory reconnaissance and exploitation tool for Red Teams that collects and modifies Active Directory data via the Active Directory Web Services (ADWS) protocol.
Typically, Active Directory is enumerated or manipulated over the LDAP protocol. SharpADWS can extract or modify Active Directory data without ever talking to the LDAP service itself. Under ADWS, the LDAP query is wrapped in a series of SOAP messages (WS-Enumeration and WS-Transfer operations) and sent to the ADWS service over an encrypted NET.TCP binding channel. The ADWS service unwraps the LDAP query on the domain controller and forwards it to the LDAP server running on that same host.
Active Directory Web Services (ADWS) is installed and started automatically with the Active Directory Domain Services (AD DS) role on Windows Server 2008 R2 and later, so SharpADWS can be used against practically any domain environment still in service.
Advantages
One of the main benefits of using ADWS for LDAP post-exploitation is that it is relatively unknown, and because the LDAP traffic never leaves the domain controller, it is not picked up by the network monitoring that commonly watches LDAP on ports 389 and 636. ADWS is a completely separate service from LDAP: it listens on TCP port 9389 and exposes a SOAP interface over a NET.TCP binding rather than the LDAP wire protocol.
Because ADWS is a SOAP web service, the actual LDAP query is executed locally on the domain controller. This has several side effects that work in the operator's favour. For example, in the domain controller's LDAP query logging these searches appear to originate from 127.0.0.1, a source that is ignored or whitelisted in many environments.
A secondary benefit is that the activity does not show up in Microsoft Defender for Endpoint's DeviceEvents table under the LdapSearch action type, so very little telemetry is available. The limits of this are worth knowing: the connection to TCP port 9389 itself is still visible in network telemetry, and the account used still authenticates to the domain controller and produces the usual logon events there, so a defender who baselines which hosts talk to port 9389 can still spot the activity.
Protocol Implementation
SharpADWS implements the MS-ADDM, MS-WSTIM, and MS-WSDS protocols; you can reuse the source code of this project to perform the following operations against Active Directory Web Services:
- Enumeration operations (MS-WSDS, WS-Enumeration):
  - Enumerate: Creates an enumeration context for the specified search filter.
  - Pull: Retrieves the result objects of a specific enumeration context, one page at a time.
  - Renew: Updates the expiration time of the specified enumeration context.
  - GetStatus: Gets the expiration time of the specified enumeration context.
  - Release: Releases the specified enumeration context.
- Resource operations (MS-WSTIM, WS-Transfer):
  - Get: Retrieves one or more properties from an object.
  - Put: Modifies the contents of one or more properties on an object. A Put carries one or more change operations:
    - Add: Adds the specified value(s) to the property's value set, or creates the property if it does not already exist on the target object.
    - Replace: Replaces the property's set of values with the values given in the operation, or creates the property if it does not already exist on the target object. If no value is given, all values of the property are deleted.
    - Delete: Removes the specified value(s) from the property. If no value is given, all values are deleted. If the property does not exist on the target object, the Put request fails.
  - Delete: Deletes an existing object.
  - Create: Creates a new object.
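The wrapping described in the overview and the Enumerate/Pull operations listed above, as an added example that is not SharpADWS's own code: it builds the Enumerate and Pull SOAP messages (MS-WSDS, WS-Enumeration) that carry an LDAP filter to the domain controller's Enumeration endpoint on TCP 9389, parses the paged PullResponse, and runs the whole Enumerate, Pull, EndOfSequence exchange against a constructed stand-in for the DC. The namespace URIs and the endpoint path follow MS-WSDS and MS-ADDM; the host dc01.contoso.local, the sample users and the context strings are constructed, and the NET.TCP message framing (MS-NMF), the NegotiateStream encryption (MS-NNS) and the binary XML encoding (MS-NBFX) that sit beneath the SOAP layer are not reproduced, so nothing here opens a socket.

```python
# WS-Enumeration (MS-WSDS) over ADWS at the SOAP layer. Added example, not SharpADWS code: namespace
# URIs/endpoint path follow MS-WSDS and MS-ADDM, the DC is a constructed stand-in, no socket is opened.
import uuid
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "wsen": "http://schemas.xmlsoap.org/ws/2004/09/enumeration",
    "ad": "http://schemas.microsoft.com/2008/1/ActiveDirectory",
    "adlq": "http://schemas.microsoft.com/2008/1/ActiveDirectory/Dialect/LdapQuery",
    "addata": "http://schemas.microsoft.com/2008/1/ActiveDirectory/Data",
}
XPATH = "http://schemas.microsoft.com/2008/1/ActiveDirectory/Dialect/XPath-Level-1"
ENUMERATE, PULL = NS["wsen"] + "/Enumerate", NS["wsen"] + "/Pull"
for _prefix, _uri in NS.items(): ET.register_namespace(_prefix, _uri)

def q(tag):  # "prefix:local" -> Clark notation "{uri}local"
    prefix, local = tag.split(":")
    return "{%s}%s" % (NS[prefix], local)

def sub(parent, tag, text=None, attrib=None):
    el = ET.SubElement(parent, q(tag), attrib or {})
    el.text = text
    return el

def envelope(action, dc):
    """SOAP 1.2 envelope with the WS-Addressing headers ADWS expects; returns (env, body)."""
    env, must = ET.Element(q("s:Envelope")), {q("s:mustUnderstand"): "1"}
    hdr = sub(env, "s:Header")
    sub(hdr, "a:Action", action, must)
    sub(hdr, "a:MessageID", "urn:uuid:%s" % uuid.uuid4())
    sub(sub(hdr, "a:ReplyTo"), "a:Address", NS["a"] + "/anonymous")
    sub(hdr, "a:To", "net.tcp://%s:9389/ActiveDirectoryWebServices/Windows/Enumeration" % dc, must)
    return env, sub(env, "s:Body")

def build_enumerate(dc, base_dn, ldap_filter, attrs, scope="subtree"):
    """Enumerate: the LDAP search (filter, base, scope) in the LdapQuery dialect plus the attributes wanted."""
    env, body = envelope(ENUMERATE, dc)
    en = sub(body, "wsen:Enumerate")
    lq = sub(sub(en, "wsen:Filter", attrib={"Dialect": NS["adlq"]}), "adlq:LdapQuery")
    for tag, text in (("adlq:Filter", ldap_filter), ("adlq:BaseObject", base_dn), ("adlq:Scope", scope)):
        sub(lq, tag, text)
    # SelectionProperty values are QNames, so the addata prefix is declared explicitly.
    sel = sub(en, "ad:Selection", attrib={"Dialect": XPATH, "xmlns:addata": NS["addata"]})
    for name in attrs:
        sub(sel, "ad:SelectionProperty", "addata:" + name)
    return ET.tostring(env, encoding="unicode")

def build_pull(dc, context, max_elements=256):  # Pull: the next page of results for an open context
    env, body = envelope(PULL, dc)
    pull = sub(body, "wsen:Pull")
    sub(pull, "wsen:EnumerationContext", context)
    sub(pull, "wsen:MaxElements", str(max_elements))
    return ET.tostring(env, encoding="unicode")

def parse_pull_response(xml_text):
    """Return (objects, next_context); next_context is None once EndOfSequence is present."""
    resp = ET.fromstring(xml_text).find("s:Body/wsen:PullResponse", NS)
    objects = []
    for obj in resp.findall("wsen:Items/*", NS):  # one addata:<objectClass> element per result
        objects.append({a.tag.split("}")[1]: [v.text for v in a.findall("ad:value", NS)] for a in obj})
    if resp.find("wsen:EndOfSequence", NS) is not None:
        return objects, None
    return objects, resp.find("wsen:EnumerationContext", NS).text

def enumerate_all(send, dc, base_dn, ldap_filter, attrs, page_size=256):
    """Enumerate, then Pull until EndOfSequence (the server then closes the context; Release is only for abandoning early)."""
    first = ET.fromstring(send(build_enumerate(dc, base_dn, ldap_filter, attrs)))
    ctx, results = first.find("s:Body/wsen:EnumerateResponse/wsen:EnumerationContext", NS).text, []
    while ctx is not None:
        page, ctx = parse_pull_response(send(build_pull(dc, ctx, page_size)))
        results.extend(page)
    return results

def fake_dc(pages):
    """Constructed DC stand-in: dispatches on the WS-Addressing Action, serves canned pages, logs the sequence."""
    pages, log = list(pages), []
    def send(request_xml):
        action = ET.fromstring(request_xml).find("s:Header/a:Action", NS).text
        log.append(action.rsplit("/", 1)[1])
        env = ET.Element(q("s:Envelope"))
        if action == ENUMERATE:
            sub(sub(sub(env, "s:Body"), "wsen:EnumerateResponse"), "wsen:EnumerationContext", "ctx-0")
        elif action == PULL:
            sub(sub(env, "s:Body"), "wsen:PullResponse").extend(pages.pop(0))
        else:
            raise ValueError("unsupported action " + action)
        return ET.tostring(env, encoding="unicode")
    return send, log

def user_item(sam, member_of=()):  # constructed addata:user result as it appears inside wsen:Items
    u = ET.Element(q("addata:user"))
    sub(sub(u, "addata:sAMAccountName"), "ad:value", sam)
    group = sub(u, "addata:memberOf") if member_of else None
    for dn in member_of:
        sub(group, "ad:value", dn)
    return u

def demo():
    """Two Pull pages: the first hands back a renewed context, the second ends the sequence."""
    ctx1 = ET.fromstring('<EnumerationContext xmlns="%s">ctx-1</EnumerationContext>' % NS["wsen"])
    items1, items2 = ET.Element(q("wsen:Items")), ET.Element(q("wsen:Items"))
    items1.extend([user_item("alice", ["CN=Domain Admins,CN=Users,DC=contoso,DC=local"]), user_item("bob")])
    items2.append(user_item("svc-backup", ["CN=Backup Operators,CN=Builtin,DC=contoso,DC=local"]))
    send, log = fake_dc([[ctx1, items1], [items2, ET.Element(q("wsen:EndOfSequence"))]])
    users = enumerate_all(send, "dc01.contoso.local", "DC=contoso,DC=local",
                          "(objectClass=user)", ["sAMAccountName", "memberOf"], page_size=2)
    return users, log
```

Printing `build_enumerate(...)` shows what actually crosses the wire to port 9389 before framing and encryption: the LDAP filter, base DN and scope sit inside a `wsen:Filter` in the LdapQuery dialect, and the attribute list is an XPath-Level-1 `ad:Selection`. The loop in `enumerate_all` is the client half of the exchange; `demo()` runs it against the stand-in and returns the three parsed user objects plus the operation sequence the "server" saw.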