SOAPHound: enumerate Active Directory environments via ADWS protocol

collects Active Directory data

SOAPHound

SOAPHound is a .NET data collector tool, which collects Active Directory data via the Active Directory Web Services (ADWS) protocol.

SOAPHound is an alternative to several open-source security tools that are commonly used to extract Active Directory data via LDAP protocol. SOAPHound can extract the same information without directly communicating with the LDAP server. Instead, LDAP queries are wrapped within a series of SOAP messages, which are sent to the ADWS server using the NET TCP Binding communication channel. Following, the ADWS server unwraps the LDAP queries and forwards them to the LDAP server running on the same Domain Controller. As a result, LDAP traffic is not sent via the wire and therefore is not easily detected by common monitoring tools.

Note that this is a proof-of-concept tool and is not intended for production use. The tool is provided as is, without warranty of any kind.

Connection and authentication options

Authentication

SOAPHound supports the following authentication methods:

  • Using the existing authentication token of the current user. This is the default option if no username and password are supplied.
  • Supplying a username and password on the command line.

Domain Connection Information

When SOAPHound runs in a domain-joined machine, it will automatically attempt to connect to the Domain Controller of the domain the machine is joined to. This can be overridden by supplying the –dc and –domain command line arguments.

Supported collection methods

One of the following collection methods must be specified:

  • –buildcache: Only build cache and not perform further actions
  • –bhdump: Dump BloodHound data
  • –certdump: Dump AD Certificate Services (ADCS) data
  • –dnsdump: Dump AD Integrated DNS data

Install & Use

Copyright (C) 2024 FalconForceTeam