Skip to main content

BloodHound ingestor using ADWS (Active Directory Web Services), with Kerberos support. Official PyPI package maintained by @j4s0nmo0n.

Project description

Description

While reading BloodHound.py, a Linux alternative to SharpHound, we observed that object collection is performed on a case-by-case basis. Specific conditions are evaluated to determine the most relevant information for each collected object, and tailored actions are taken accordingly.

We sought to follow a similar logic while implementing Soaphound.py, aiming to collect the most valuable information during object enumeration through ADWS. In addition, since user sessions on machines are not collected through LDAP, we reused BloodHound.py's approach to perform this collection.

The tool is currently being improved to cover all specific data collection scenarios. At the time of writing, it is capable of collecting Active Directory objects via the ADWS service and retrieving remote session data similar to what BloodHound.py achieves. Alternatively, it can operate in a mode restricted to collecting only AD objects through ADWS using the -c ADWSOnly option.

More information: you may check out the short blog post

Usage

 .oooooo..o                                oooo                                                .o8                             
d8P'    `Y8                                `888                                               "888                             
Y88bo.       .ooooo.   .oooo.   oo.ooooo.   888 .oo.    .ooooo.  oooo  oooo  ooo. .oo.    .oooo888      oo.ooooo.  oooo    ooo 
 `"Y8888o.  d88' `88b `P  )88b   888' `88b  888P"Y88b  d88' `88b `888  `888  `888P"Y88b  d88' `888       888' `88b  `88.  .8'  
     `"Y88b 888   888  .oP"888   888   888  888   888  888   888  888   888   888   888  888   888       888   888   `88..8'   
oo     .d8P 888   888 d8(  888   888   888  888   888  888   888  888   888   888   888  888   888  .o.  888   888    `888'    
8""88888P'  `Y8bod8P' `Y888""8o  888bod8P' o888o o888o `Y8bod8P'  `V88V"V8P' o888o o888o `Y8bod88P" Y8P  888bod8P'     .8'     
                                 888                                                                     888       .o..P'      
                                o888o                                                                   o888o      `Y8P'       
                                                                                                    (made by @belettet1m0ree)


usage: soaphound [-h] [-c COLLECTIONMETHOD] -d DOMAIN [-v] [--ts] -u USERNAME
                 [-p PASSWORD] [--hashes HASHES] [-k] [-aesKey HEXKEY]
                 [-dc-ip HOST] -dc HOST [--zip] [-op PREFIX_NAME]
                 [-wk NUM_WORKERS] [--output-dir OUTPUT_DIR]
                 [--cert-find] [--cert-find-force-epa {auto,enabled,disabled}]
                 [--cert-find-skip-web-probe] [--cert-find-ca-rpc]

Python based ingestor for BloodHound using ADWS

options:
  -h, --help            show this help message and exit
  -c, --collectionmethod COLLECTIONMETHOD
                        Which information to collect: Default or ADWSOnly
                        (no computer connections).
  -d, --domain DOMAIN   Domain to query.
  -v                    Enable verbose output.
  --ts                  Add timestamp to logs.

authentication options:
  NTLM authentication is supported using a username/password or NT hash.
  Kerberos authentication is supported through -k using the ccache pointed to
  by KRB5CCNAME.

  -u, --username USERNAME
                        Username. Format: username[@domain].
                        If the domain is unspecified, the current domain is used.
  -p, --password PASSWORD
                        Password.
  --hashes HASHES       LM:NTLM hashes.
  -k, --kerberos        Use Kerberos authentication through the ticket available
                        in the ccache pointed to by KRB5CCNAME.
  -aesKey, --aes-key HEXKEY
                        AES key, 128 or 256 bits, for Kerberos authentication.
                        Used for SMB collection in Default mode.
  -dc-ip, --kdc-ip HOST
                        KDC IP address or hostname. Useful when the ADWS DC and
                        the KDC differ. Defaults to the value provided with -dc.

collection options:
  -dc, --domain-controller HOST
                        DC to query, hostname or FQDN.
  --zip                 Compress the JSON output files into a zip archive.
  -op, --outputprefix PREFIX_NAME
                        String to prepend to output file names.
  -wk, --worker_num NUM_WORKERS
                        Number of workers, default 100.
  --output-dir OUTPUT_DIR
                        Output folder, default current directory.
  --cert-find           Enumerate AD CS certificate templates and CAs like certipy find.
  --cert-find-force-epa {auto,enabled,disabled}
                        Override HTTPS EPA detection for AD CS Web Enrollment: auto, enabled, or disabled.
  --cert-find-skip-web-probe
                        Do not probe HTTP/HTTPS /certsrv/ endpoints AD CS Web Enrollment and ESC8 will not be evaluated.
  --cert-find-ca-rpc    Enrich CA configuration through Remote Registry/RPC:
                        User Specified SAN, Request Disposition, Enforce
                        Encryption, Active Policy.

Installation

With pipx (recommended)

pipx install git+https://github.com/j4s0nmo0n/Soaphound.py
soaphound --help

With Shadow Credentials support (optional dsinternals dependency):

pipx install "soaphound[shadowcred] @ git+https://github.com/j4s0nmo0n/Soaphound.py"

To upgrade later:

pipx upgrade soaphound

With poetry (development)

git clone https://github.com/j4s0nmo0n/Soaphound.py
cd Soaphound.py
poetry install
poetry run soaphound --help

With pip in a virtualenv

python3 -m venv ~/venvs/soaphound
source ~/venvs/soaphound/bin/activate
pip install git+https://github.com/j4s0nmo0n/Soaphound.py

Example Usage

Perform ADWS collection with session enumeration

soaphound -d jjk.local -u yuji -p SukunaIsAbitch -dc dc-curse --output-dir output

Perform ADWS-only collection (no SMB session enumeration)

soaphound -d jjk.local -u yuji -p SukunaIsAbitch -dc dc-curse --output-dir output -c ADWSOnly

Perform ADCS information collection

soaphound -d jjk.local -u yuji -p SukunaIsAbitch -dc dc-curse --cert-find --cert-find-force-epa auto

Kerberos authentication (-k)

Soaphound supports Kerberos authentication through the -k option and the KRB5CCNAME environment variable.

The ccache may contain a valid TGT or a usable service ticket, depending on the collection mode and the operations being performed.

# Load a Kerberos ticket
export KRB5CCNAME=/tmp/yuji.ccache

# Run Soaphound with Kerberos
soaphound -d jjk.local -u yuji -dc dc-curse.jjk.local -k

# Run ADWS-only collection with Kerberos
soaphound -d jjk.local -u yuji -dc dc-curse.jjk.local -k -c ADWSOnly

# Let Soaphound extract the username and domain from the ccache
soaphound -dc dc-curse.jjk.local -k -c ADWSOnly

# Use a different KDC
soaphound -d jjk.local -u yuji -dc adws.jjk.local -dc-ip kdc.jjk.local -k

References

  • Falcon Force Team for the initial inspiration.
  • BloodHound.py, for this amazing implementation of BloodHound ingestor.
  • SOAPy by @_logangoins, whose Kerberos NNS implementation is the basis of the -k support.
  • Microsoft for the official protocol documentation.
  • ERNW for the initial boost.
  • X-Force Red for their brilliant implementation of NBFX and research insights.
  • Rabobank Red Team for sharing valuable resources and operational insights.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

soaphound_py-1.1.0.tar.gz (165.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

soaphound_py-1.1.0-py3-none-any.whl (189.1 kB view details)

Uploaded Python 3

File details

Details for the file soaphound_py-1.1.0.tar.gz.

File metadata

  • Download URL: soaphound_py-1.1.0.tar.gz
  • Upload date:
  • Size: 165.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for soaphound_py-1.1.0.tar.gz
Algorithm Hash digest
SHA256 aa7a6b9cc282ffd758e573eff802ce094bde449658ed4491905f234b62fe8e0b
MD5 718267f157899e07cfad6d57afed36b8
BLAKE2b-256 1dcf69a81c36bb6250d7ce184e47a6d4c94be6d7a0961e322fdb2b245f172551

See more details on using hashes here.

File details

Details for the file soaphound_py-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: soaphound_py-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 189.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for soaphound_py-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c27a40cd8c5d1a30489ef6891258adfb59fe69b683d15c9877c1347b0c2fd00a
MD5 c110065f137c5e7f10e3dde0a1561b67
BLAKE2b-256 56904f4c32c25dfb3a3fa1ca51c1c04dfba7e3ded94892084aa3428870216e8c

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page