BloodHound ingestor using ADWS (Active Directory Web Services), with Kerberos support. Official PyPI package maintained by @j4s0nmo0n.
Project description
Description
While reading BloodHound.py, a Linux alternative to SharpHound, we observed that object collection is performed on a case-by-case basis. Specific conditions are evaluated to determine the most relevant information for each collected object, and tailored actions are taken accordingly.
We sought to follow a similar logic while implementing Soaphound.py, aiming to collect the most valuable information during object enumeration through ADWS. In addition, since user sessions on machines are not collected through LDAP, we reused BloodHound.py's approach to perform this collection.
The tool is currently being improved to cover all specific data collection scenarios. At the time of writing, it is capable of collecting Active Directory objects via the ADWS service and retrieving remote session data similar to what BloodHound.py achieves. Alternatively, it can operate in a mode restricted to collecting only AD objects through ADWS using the -c ADWSOnly option.
More information: you may check out the short blog post
Usage
.oooooo..o oooo .o8
d8P' `Y8 `888 "888
Y88bo. .ooooo. .oooo. oo.ooooo. 888 .oo. .ooooo. oooo oooo ooo. .oo. .oooo888 oo.ooooo. oooo ooo
`"Y8888o. d88' `88b `P )88b 888' `88b 888P"Y88b d88' `88b `888 `888 `888P"Y88b d88' `888 888' `88b `88. .8'
`"Y88b 888 888 .oP"888 888 888 888 888 888 888 888 888 888 888 888 888 888 888 `88..8'
oo .d8P 888 888 d8( 888 888 888 888 888 888 888 888 888 888 888 888 888 .o. 888 888 `888'
8""88888P' `Y8bod8P' `Y888""8o 888bod8P' o888o o888o `Y8bod8P' `V88V"V8P' o888o o888o `Y8bod88P" Y8P 888bod8P' .8'
888 888 .o..P'
o888o o888o `Y8P'
(made by @belettet1m0ree)
usage: soaphound [-h] [-c COLLECTIONMETHOD] -d DOMAIN [-v] [--ts] -u USERNAME
[-p PASSWORD] [--hashes HASHES] [-k] [-aesKey HEXKEY]
[-dc-ip HOST] -dc HOST [--zip] [-op PREFIX_NAME]
[-wk NUM_WORKERS] [--output-dir OUTPUT_DIR]
[--cert-find] [--cert-find-force-epa {auto,enabled,disabled}]
[--cert-find-skip-web-probe] [--cert-find-ca-rpc]
Python based ingestor for BloodHound using ADWS
options:
-h, --help show this help message and exit
-c, --collectionmethod COLLECTIONMETHOD
Which information to collect: Default or ADWSOnly
(no computer connections).
-d, --domain DOMAIN Domain to query.
-v Enable verbose output.
--ts Add timestamp to logs.
authentication options:
NTLM authentication is supported using a username/password or NT hash.
Kerberos authentication is supported through -k using the ccache pointed to
by KRB5CCNAME.
-u, --username USERNAME
Username. Format: username[@domain].
If the domain is unspecified, the current domain is used.
-p, --password PASSWORD
Password.
--hashes HASHES LM:NTLM hashes.
-k, --kerberos Use Kerberos authentication through the ticket available
in the ccache pointed to by KRB5CCNAME.
-aesKey, --aes-key HEXKEY
AES key, 128 or 256 bits, for Kerberos authentication.
Used for SMB collection in Default mode.
-dc-ip, --kdc-ip HOST
KDC IP address or hostname. Useful when the ADWS DC and
the KDC differ. Defaults to the value provided with -dc.
collection options:
-dc, --domain-controller HOST
DC to query, hostname or FQDN.
--zip Compress the JSON output files into a zip archive.
-op, --outputprefix PREFIX_NAME
String to prepend to output file names.
-wk, --worker_num NUM_WORKERS
Number of workers, default 100.
--output-dir OUTPUT_DIR
Output folder, default current directory.
--cert-find Enumerate AD CS certificate templates and CAs like certipy find.
--cert-find-force-epa {auto,enabled,disabled}
Override HTTPS EPA detection for AD CS Web Enrollment: auto, enabled, or disabled.
--cert-find-skip-web-probe
Do not probe HTTP/HTTPS /certsrv/ endpoints AD CS Web Enrollment and ESC8 will not be evaluated.
--cert-find-ca-rpc Enrich CA configuration through Remote Registry/RPC:
User Specified SAN, Request Disposition, Enforce
Encryption, Active Policy.
Installation
With pipx (recommended)
pipx install git+https://github.com/j4s0nmo0n/Soaphound.py
soaphound --help
With Shadow Credentials support (optional dsinternals dependency):
pipx install "soaphound[shadowcred] @ git+https://github.com/j4s0nmo0n/Soaphound.py"
To upgrade later:
pipx upgrade soaphound
With poetry (development)
git clone https://github.com/j4s0nmo0n/Soaphound.py
cd Soaphound.py
poetry install
poetry run soaphound --help
With pip in a virtualenv
python3 -m venv ~/venvs/soaphound
source ~/venvs/soaphound/bin/activate
pip install git+https://github.com/j4s0nmo0n/Soaphound.py
Example Usage
Perform ADWS collection with session enumeration
soaphound -d jjk.local -u yuji -p SukunaIsAbitch -dc dc-curse --output-dir output
Perform ADWS-only collection (no SMB session enumeration)
soaphound -d jjk.local -u yuji -p SukunaIsAbitch -dc dc-curse --output-dir output -c ADWSOnly
Perform ADCS information collection
soaphound -d jjk.local -u yuji -p SukunaIsAbitch -dc dc-curse --cert-find --cert-find-force-epa auto
Kerberos authentication (-k)
Soaphound supports Kerberos authentication through the -k option and the KRB5CCNAME environment variable.
The ccache may contain a valid TGT or a usable service ticket, depending on the collection mode and the operations being performed.
# Load a Kerberos ticket
export KRB5CCNAME=/tmp/yuji.ccache
# Run Soaphound with Kerberos
soaphound -d jjk.local -u yuji -dc dc-curse.jjk.local -k
# Run ADWS-only collection with Kerberos
soaphound -d jjk.local -u yuji -dc dc-curse.jjk.local -k -c ADWSOnly
# Let Soaphound extract the username and domain from the ccache
soaphound -dc dc-curse.jjk.local -k -c ADWSOnly
# Use a different KDC
soaphound -d jjk.local -u yuji -dc adws.jjk.local -dc-ip kdc.jjk.local -k
References
- Falcon Force Team for the initial inspiration.
- BloodHound.py, for this amazing implementation of BloodHound ingestor.
- SOAPy by @_logangoins, whose Kerberos NNS implementation is the basis of the
-ksupport. - Microsoft for the official protocol documentation.
- ERNW for the initial boost.
- X-Force Red for their brilliant implementation of NBFX and research insights.
- Rabobank Red Team for sharing valuable resources and operational insights.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file soaphound_py-1.1.0.tar.gz.
File metadata
- Download URL: soaphound_py-1.1.0.tar.gz
- Upload date:
- Size: 165.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
aa7a6b9cc282ffd758e573eff802ce094bde449658ed4491905f234b62fe8e0b
|
|
| MD5 |
718267f157899e07cfad6d57afed36b8
|
|
| BLAKE2b-256 |
1dcf69a81c36bb6250d7ce184e47a6d4c94be6d7a0961e322fdb2b245f172551
|
File details
Details for the file soaphound_py-1.1.0-py3-none-any.whl.
File metadata
- Download URL: soaphound_py-1.1.0-py3-none-any.whl
- Upload date:
- Size: 189.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c27a40cd8c5d1a30489ef6891258adfb59fe69b683d15c9877c1347b0c2fd00a
|
|
| MD5 |
c110065f137c5e7f10e3dde0a1561b67
|
|
| BLAKE2b-256 |
56904f4c32c25dfb3a3fa1ca51c1c04dfba7e3ded94892084aa3428870216e8c
|