Logan Goins edited this page May 9, 2026 · 7 revisions

Welcome to the SOAPy wiki! If you have any questions about using this tooling or the tradecraft possible, feel free to message me in the Red Team channel of the BloodHoundGang slack. If you have any trouble using this tooling, please submit an issue so I can improve SOAPy.

About

SOAPy is a Proof of Concept (PoC) utility for conducting offensive interaction with Active Directory Web Services (ADWS) through a SOCKS5 proxy.

SOAPy includes original Python implementations, none of which existed before this project, of the collection of Microsoft protocols required to interact with the ADWS service. These include, but are not limited to: NNS (.NET NegotiateStream Protocol), NMF (.NET Message Framing Protocol), and NBFSE (.NET Binary Format: SOAP Extension).

SOAPy started as a research project at IBM X-Force Red with Jackson Leverett to rewrite the proprietary Microsoft .NET mechanisms/library that FalconForce’s SOAPHound uses to interact with ADWS, so recon and post-exploitation operations would be possible through a SOCKS5 proxy from Linux on Red Team assessments. After joining SpecterOps, I decided to continue development on the project to bring it up to operational speed.

SOAPy is used for interacting with ADWS over a proxy for stealthy recon of an internal Active Directory environment. It is intended to be used as an ADWS ingestor for Active Directory; the resulting data can then be transformed into BloodHound-compatible JSON using Matt Creel’s BOFHound project. The JSON produced by BOFHound can then be uploaded into BloodHound for post-processing and visualization of attack paths.

SOAPy can also perform targeted post-exploitation operations in Active Directory, useful in many assessments when evasive LDAP write operations are required.

At the time of writing, this includes the following tradecraft:

  • servicePrincipalName writing for targeted Kerberoasting
  • userAccountControl writing for targeted AS-REP roasting
  • msDS-AllowedToActOnBehalfOfOtherIdentity writing for Resource-Based Constrained Delegation (RBCD) attacks
  • msDS-KeyCredentialLink writing for Shadow Credentials attacks
  • DNS record additions for authentication coercion primitives
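As an added, defender-side example (not part of SOAPy or of the blog posts linked on this page), the following Python audits exported directory objects for the attribute states that the first four items above leave behind: an SPN on a user account, the DONT_REQ_PREAUTH bit in userAccountControl, a populated msDS-AllowedToActOnBehalfOfOtherIdentity, and a populated msDS-KeyCredentialLink. The object shape (one attribute dict per object, as an LDAP or ADWS export would give after parsing), the sample values and the helper names are assumptions; the userAccountControl bit values are Microsoft's documented ones. DNS record additions are not covered, since they live on dnsNode objects rather than on the account being targeted.

```python
# Added example, not SOAPy's own code: audit exported AD objects for the
# attribute states produced by the attribute-writing tradecraft listed above.
# Runs offline over constructed sample objects; no directory is contacted.
from typing import Iterable

# userAccountControl flag bits (Microsoft's documented values)
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000   # computer account
UAC_DONT_REQ_PREAUTH = 0x400000          # Kerberos pre-authentication not required

# Attributes written by the tradecraft above, with the finding each implies
WATCHED_ATTRIBUTES = {
    "servicePrincipalName": "SPN set on a user account (Kerberoastable)",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD descriptor set (inbound delegation allowed)",
    "msDS-KeyCredentialLink": "KeyCredentialLink populated (Shadow Credentials possible)",
}


def _attr(obj: dict, name: str):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    want = name.lower()
    for key, value in obj.items():
        if key.lower() == want:
            return value
    return None


def is_user_object(obj: dict) -> bool:
    """True for user accounts; computer objects also carry objectClass 'user',
    so the WORKSTATION_TRUST_ACCOUNT bit is used to exclude them."""
    classes = [c.lower() for c in (_attr(obj, "objectClass") or [])]
    uac = int(_attr(obj, "userAccountControl") or 0)
    return "user" in classes and not uac & UAC_WORKSTATION_TRUST_ACCOUNT


def audit_object(obj: dict) -> list:
    """Return one finding string per suspicious attribute state on this object."""
    findings = []
    dn = _attr(obj, "distinguishedName") or "<no DN>"
    uac = int(_attr(obj, "userAccountControl") or 0)

    # Targeted AS-REP roasting sets DONT_REQ_PREAUTH on the victim account
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append(f"{dn}: DONT_REQ_PREAUTH set in userAccountControl (AS-REP roastable)")

    # Targeted Kerberoasting adds an SPN to a user; SPNs on computers are normal
    spns = _attr(obj, "servicePrincipalName") or []
    if spns and is_user_object(obj):
        findings.append(f"{dn}: {WATCHED_ATTRIBUTES['servicePrincipalName']}: {', '.join(spns)}")

    # RBCD and Shadow Credentials both populate an attribute that is empty by default
    for name in ("msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink"):
        if _attr(obj, name):
            findings.append(f"{dn}: {WATCHED_ATTRIBUTES[name]}")
    return findings


def audit(objects: Iterable[dict]) -> list:
    """Audit a whole export and return all findings."""
    out = []
    for obj in objects:
        out.extend(audit_object(obj))
    return out


# Constructed sample objects (not real data); attribute values are placeholders
SAMPLE_OBJECTS = [
    {"distinguishedName": "CN=alice,CN=Users,DC=corp,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512},
    {"distinguishedName": "CN=svc-backup,CN=Users,DC=corp,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512 | UAC_DONT_REQ_PREAUTH,
     "servicePrincipalName": ["HTTP/backup.corp.local"]},
    {"distinguishedName": "CN=FS01,CN=Computers,DC=corp,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": 4096,
     "servicePrincipalName": ["HOST/FS01", "HOST/fs01.corp.local"],
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"SECURITY-DESCRIPTOR-PLACEHOLDER"},
    {"distinguishedName": "CN=bob,CN=Users,DC=corp,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512,
     "msDS-KeyCredentialLink": ["KEYCREDENTIALLINK-PLACEHOLDER"]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_OBJECTS):
        print(line)
```

Run against the sample set, the audit reports nothing for alice, two findings for svc-backup (pre-auth disabled and an SPN on a user), one for FS01 (the RBCD descriptor; its SPNs are expected on a computer) and one for bob (the populated KeyCredentialLink). Feeding it a real export and diffing successive runs turns the list above into a change-detection baseline.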

The protocol structure for interacting with ADWS is shown in the diagram below (figure: ADWS protocol diagram).

The blog detailing the original research largely from an engineering perspective can be found here:

SOAPy: Stealthy enumeration of Active Directory environments through ADWS - IBM X-Force Red

A SpecterOps blog detailing new and modern operational guidance for ADWS tradecraft with SOAPy can be found here:

Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS - SpecterOps

Installation

Install SOAPy via pipx (recommended):

┌──(kali㉿LG-kali)-[~]
└─$ pipx install git+https://github.com/logangoins/SOAPy
  installed package SOAPy 0.1.0, installed using Python 3.13.9
  These apps are now globally available
    - SOAPy
done! ✨ 🌟 ✨

┌──(kali㉿LG-kali)-[~]
└─$ SOAPy   

███████╗ ██████╗  █████╗ ██████╗ ██╗   ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║   ██║███████║██████╔╝ ╚████╔╝ 
╚════██║██║   ██║██╔══██║██╔═══╝   ╚██╔╝  
███████║╚██████╔╝██║  ██║██║        ██║   
╚══════╝ ╚═════╝ ╚═╝  ╚═╝╚═╝        ╚═╝  

v1.0.0
@_logangoins
github.com/jlevere

usage: SOAPy [-h] [--debug] [-ts] [-nt nthash] [-k] [--users] [--computers] [--groups] [--constrained]
             [--unconstrained] [--spns] [--asreproastable] [--admins] [--rbcds] [-q query] [-f attr,attr,...]
             [-dn distinguishedname] [-p] [--rbcd source] [--spn value] [--asrep] [--account account] [--remove]
             [--addcomputer [MACHINE]] [--computer-pass pass] [--ou ou] [--delete-computer MACHINE]
             [--disable-account MACHINE] [--shadow-creds ACTION] [--shadow-target TARGET] [--device-id ID]
             [--cert-filename NAME] [--cert-export TYPE] [--cert-password PASS] [--dns-add FQDN] [--dns-modify FQDN]
             [--dns-remove FQDN] [--dns-tombstone FQDN] [--dns-resurrect FQDN] [--dns-ip IP] [--ldapdelete]
             [--allow-multiple] [--ttl TTL] [--tcp]
             [connection]

Perform AD reconnaissance and post-exploitation through ADWS over SOCKS5

positional arguments:
  connection            domain/username[:password]@<targetName or address>

...[snip]...

Install SOAPy via poetry:

┌──(kali㉿LG-kali)-[~/SOAPy]
└─$ poetry install
Creating virtualenv soapy-wEkVNhkE-py3.13 in /home/kali/.cache/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies... (3.9s)

Package operations: 31 installs, 0 updates, 0 removals

  - Installing pycparser (3.0)

  ...[snip]...

  - Installing ruff (0.7.4)

Writing lock file

Installing the current project: SOAPy (0.1.0)

┌──(kali㉿LG-kali)-[~/SOAPy]
└─$ poetry run SOAPy

███████╗ ██████╗  █████╗ ██████╗ ██╗   ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║   ██║███████║██████╔╝ ╚████╔╝ 
╚════██║██║   ██║██╔══██║██╔═══╝   ╚██╔╝  
███████║╚██████╔╝██║  ██║██║        ██║   
╚══════╝ ╚═════╝ ╚═╝  ╚═╝╚═╝        ╚═╝  

v1.0.0
@_logangoins
github.com/jlevere

usage: SOAPy [-h] [--debug] [-ts] [-nt nthash] [-k] [--users] [--computers] [--groups] [--constrained]
             [--unconstrained] [--spns] [--asreproastable] [--admins] [--rbcds] [-q query] [-f attr,attr,...]
             [-dn distinguishedname] [-p] [--rbcd source] [--spn value] [--asrep] [--account account] [--remove]
             [--addcomputer [MACHINE]] [--computer-pass pass] [--ou ou] [--delete-computer MACHINE]
             [--disable-account MACHINE] [--shadow-creds ACTION] [--shadow-target TARGET] [--device-id ID]
             [--cert-filename NAME] [--cert-export TYPE] [--cert-password PASS] [--dns-add FQDN] [--dns-modify FQDN]
             [--dns-remove FQDN] [--dns-tombstone FQDN] [--dns-resurrect FQDN] [--dns-ip IP] [--ldapdelete]
             [--allow-multiple] [--ttl TTL] [--tcp]
             [connection]

Perform AD reconnaissance and post-exploitation through ADWS over SOCKS5

positional arguments:
  connection            domain/username[:password]@<targetName or address>

...[snip]...
