Active Directory (AD) remains a critical component in enterprise IT environments, and security professionals are constantly seeking better tools for enumeration and assessment. Enter SoaPy, a powerful new tool developed by IBM X-Force Red that leverages Active Directory Web Services (ADWS) to revolutionize AD enumeration.

What Is SoaPy?

SoaPy is an open-source Python tool designed to interact with Active Directory via ADWS, Microsoft's SOAP-based web service interface. Unlike traditional LDAP-based tools, SoaPy provides a more efficient and stealthy way to query AD environments, making it invaluable for penetration testers and red teamers.

Why ADWS Matters

Active Directory Web Services (ADWS) is a lesser-known protocol that enables remote management of AD using SOAP (Simple Object Access Protocol). While LDAP has been the go-to for AD queries, ADWS offers several advantages:

  • Reduced network noise: ADWS operates over HTTP/HTTPS, blending in with normal web traffic.
  • Bypasses common detections: Many security tools focus on LDAP anomalies, leaving ADWS queries less monitored.
  • Supports modern authentication: Works seamlessly with Kerberos and NTLM.

Key Features of SoaPy

SoaPy stands out with its unique capabilities:

  • SOAP-based enumeration: Queries AD without relying on LDAP, reducing detection risks.
  • Flexible authentication: Supports both Kerberos and NTLM authentication methods.
  • Comprehensive data extraction: Retrieves users, groups, computers, and trust relationships.
  • Stealthy operations: Mimics legitimate ADWS traffic to avoid triggering alerts.

How SoaPy Works

SoaPy interacts with ADWS by sending SOAP requests to the ADWS endpoint (typically https://<domain>/adws). Here’s a simplified breakdown of its workflow:

  1. Authentication: Uses Kerberos or NTLM to authenticate to the ADWS service.
  2. SOAP request crafting: Constructs SOAP messages to query AD objects.
  3. Response parsing: Extracts and formats the returned data for analysis.

Use Cases for Security Professionals

SoaPy is particularly useful for:

  • Red team engagements: Enumerate AD without triggering LDAP-based detections.
  • Penetration testing: Identify misconfigurations and weak points in AD environments.
  • Incident response: Quickly assess AD exposure during security breaches.

Installation and Usage

Getting started with SoaPy is straightforward:

git clone https://github.com/IBM/SoaPy
cd SoaPy
pip install -r requirements.txt
python SoaPy.py -d <domain> -u <username> -p <password>

Comparing SoaPy to Traditional Tools

Unlike tools like BloodHound or PowerView, which rely on LDAP, SoaPy’s ADWS approach offers:

  • Lower detection rates: Many SIEMs don’t monitor ADWS traffic as closely as LDAP.
  • Better compatibility: Works in environments where LDAP ports are restricted.
  • Efficiency: SOAP-based queries can be faster in certain scenarios.
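The detection gap this comparison (and the "Why ADWS Matters" list above) points to can be closed on the defender's side with a flow-log rule. The following is an added example, not SoaPy's or X-Force Red's code: it assumes domain controllers serve ADWS on TCP 9389 (the port the service listens on), and the log format, host names, addresses and thresholds are constructed for the example.

```python
# Added example, not SoaPy's code: flag ADWS sessions from hosts that have no
# business using it. Domain controllers serve ADWS on TCP 9389; the flow-log
# format, host names and addresses below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}        # assumed DC addresses
ADWS_ALLOWED_SOURCES = {"ADMIN-WS01", "MGMT-SRV02"}  # hosts expected to run RSAT / AD PowerShell
ADWS_PORT = 9389
BURST_THRESHOLD, BURST_WINDOW = 5, timedelta(minutes=5)   # heuristic, tune per environment

# Constructed flow records, one connection per line: TIMESTAMP src=HOST dst=IP dport=PORT
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 src=ADMIN-WS01 dst=10.0.0.5 dport=9389
2024-05-01T09:15:10 src=FINANCE-PC07 dst=10.0.0.5 dport=9389
2024-05-01T09:15:11 src=FINANCE-PC07 dst=10.0.0.5 dport=9389
2024-05-01T09:15:12 src=FINANCE-PC07 dst=10.0.0.5 dport=9389
2024-05-01T09:15:14 src=FINANCE-PC07 dst=10.0.0.5 dport=9389
2024-05-01T09:15:15 src=FINANCE-PC07 dst=10.0.0.5 dport=9389
2024-05-01T10:30:00 src=HR-LAPTOP03 dst=10.0.0.5 dport=9389
"""

def parse_flow(line):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"])}

def detect_adws_anomalies(log_text):
    # Returns (rule, source_host, timestamp) tuples for suspicious ADWS use.
    alerts, flagged, per_source = [], set(), defaultdict(list)
    for line in log_text.strip().splitlines():
        f = parse_flow(line)
        if f["dport"] != ADWS_PORT or f["dst"] not in DOMAIN_CONTROLLERS:
            continue                      # only ADWS sessions to a DC matter here
        per_source[f["src"]].append(f["ts"])
        if f["src"] not in ADWS_ALLOWED_SOURCES and f["src"] not in flagged:
            flagged.add(f["src"])         # one alert per unexpected host
            alerts.append(("unexpected_adws_source", f["src"], f["ts"]))
    # Bulk enumeration, even from an allowed host: many ADWS sessions in a short window
    for src, times in per_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window over sorted timestamps
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append(("adws_burst", src, t))
                break
    return alerts
```

Feeding real flow data (firewall, NetFlow or Zeek conn records) into `parse_flow` is the only adaptation needed; the allow-list should match whichever hosts legitimately run the AD PowerShell module or ADAC.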

Limitations and Considerations

While SoaPy is powerful, it has some limitations:

  • ADWS dependency: Only works if ADWS is enabled (common in modern AD setups).
  • Python requirements: Needs specific libraries (requests-ntlm, requests-kerberos).
  • Not a full replacement: Best used alongside LDAP-based tools for comprehensive assessments.

The Future of AD Enumeration

SoaPy represents a shift toward leveraging lesser-known protocols like ADWS for security testing. As defenders improve LDAP monitoring, tools like SoaPy will become essential for offensive security professionals.

Getting Involved

SoaPy is open-source and available on GitHub. Contributions and feedback from the community are encouraged to enhance its capabilities.

Final Thoughts

For cybersecurity professionals, SoaPy is a game-changer in Active Directory enumeration. Its innovative use of ADWS provides a stealthier, more efficient way to assess AD environments, making it a must-have tool in modern penetration testing and red teaming arsenals.