diff --git a/src/SUMMARY.md b/src/SUMMARY.md index e87c30665fe..017c0050960 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -373,6 +373,7 @@ - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md) + - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md) - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md) - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) diff --git a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md index 878d498c40e..8251e907770 100644 --- a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md @@ -81,3 +81,4 @@ adb shell ime help - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices. - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI). +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/adws-enumeration.md b/src/windows-hardening/active-directory-methodology/adws-enumeration.md index 08fbf6a9660..1551ace6e90 100644 --- a/src/windows-hardening/active-directory-methodology/adws-enumeration.md +++ b/src/windows-hardening/active-directory-methodology/adws-enumeration.md 
@@ -14,6 +14,8 @@ Because the traffic is encapsulated inside these binary SOAP frames and travels * Freedom to collect from **non-Windows hosts (Linux, macOS)** by tunnelling 9389/TCP through a SOCKS proxy. * The same data you would obtain via LDAP (users, groups, ACLs, schema, etc.) and the ability to perform **writes** (e.g. `msDs-AllowedToActOnBehalfOfOtherIdentity` for **RBCD**). +ADWS interactions are implemented over WS-Enumeration: every query starts with an `Enumerate` message that defines the LDAP filter/attributes and returns an `EnumerationContext` GUID, followed by one or more `Pull` messages that stream up to the server-defined result window. Contexts age out after ~30 minutes, so tooling either needs to page results or split filters (prefix queries per CN) to avoid losing state. When asking for security descriptors, specify the `LDAP_SERVER_SD_FLAGS_OID` control to omit SACLs, otherwise ADWS simply drops the `nTSecurityDescriptor` attribute from its SOAP response. + > NOTE: ADWS is also used by many RSAT GUI/PowerShell tools, so traffic may blend with legitimate admin activity. ## SoaPy – Native Python Client 
@@ -28,12 +30,47 @@ Because the traffic is encapsulated inside these binary SOAP frames and travels * **BOFHound output mode** for direct ingestion into BloodHound. * `--parse` flag to prettify timestamps / `userAccountControl` when human readability is required. +### Targeted collection flags & write operations + +SoaPy ships with curated switches that replicate the most common LDAP hunting tasks over ADWS: `--users`, `--computers`, `--groups`, `--spns`, `--asreproastable`, `--admins`, `--constrained`, `--unconstrained`, `--rbcds`, plus raw `--query` / `--filter` knobs for custom pulls. Pair those with write primitives such as `--rbcd ` (sets `msDs-AllowedToActOnBehalfOfOtherIdentity`), `--spn ` (SPN staging for targeted Kerberoasting) and `--asrep` (flip `DONT_REQ_PREAUTH` in `userAccountControl`). + +Example targeted SPN hunt that only returns `samAccountName` and `servicePrincipalName`: + +```bash +soapy corp.local/alice:'Winter2025!'@dc01.corp.local \ + --spns -f samAccountName,servicePrincipalName --parse +``` + +Use the same host/credentials to immediately weaponise findings: dump RBCD-capable objects with `--rbcds`, then apply `--rbcd 'WEBSRV01$' --account 'FILE01$'` to stage a Resource-Based Constrained Delegation chain (see [Resource-Based Constrained Delegation](resource-based-constrained-delegation.md) for the full abuse path). + ### Installation (operator host) ```bash python3 -m pip install soapy-adws # or git clone && pip install -r requirements.txt ``` +## SOAPHound – High-Volume ADWS Collection (Windows) + +[FalconForce SOAPHound](https://github.com/FalconForceTeam/SOAPHound) is a .NET collector that keeps all LDAP interactions inside ADWS and emits BloodHound v4-compatible JSON. 
It builds a complete cache of `objectSid`, `objectGUID`, `distinguishedName` and `objectClass` once (`--buildcache`), then re-uses it for high-volume `--bhdump`, `--certdump` (ADCS), or `--dnsdump` (AD-integrated DNS) passes so only ~35 critical attributes ever leave the DC. AutoSplit (`--autosplit --threshold `) automatically shards queries by CN prefix to stay under the 30-minute EnumerationContext timeout in large forests. + +Typical workflow on a domain-joined operator VM: + +```powershell +# Build cache (JSON map of every object SID/GUID) +SOAPHound.exe --buildcache -c C:\temp\corp-cache.json + +# BloodHound collection in autosplit mode, skipping LAPS noise +SOAPHound.exe -c C:\temp\corp-cache.json --bhdump \ + --autosplit --threshold 1200 --nolaps \ + -o C:\temp\BH-output + +# ADCS & DNS enrichment for ESC chains +SOAPHound.exe -c C:\temp\corp-cache.json --certdump -o C:\temp\BH-output +SOAPHound.exe --dnsdump -o C:\temp\dns-snapshot +``` + +Exported JSON slots directly into SharpHound/BloodHound workflows—see [BloodHound methodology](bloodhound.md) for downstream graphing ideas. AutoSplit makes SOAPHound resilient on multi-million object forests while keeping the query count lower than ADExplorer-style snapshots. + ## Stealth AD Collection Workflow The following workflow shows how to enumerate **domain & ADCS objects** over ADWS, convert them to BloodHound JSON and hunt for certificate-based attack paths – all from Linux: 
@@ -74,39 +111,14 @@ soapy ludus.domain/jdoe:'P@ssw0rd'@dc.ludus.domain \ msDs-AllowedToActOnBehalfOfOtherIdentity 'B:32:01....' ``` -Combine this with `s4u2proxy`/`Rubeus /getticket` for a full **Resource-Based Constrained Delegation** chain. - -## Detection & Hardening - -### Verbose ADDS Logging - -Enable the following registry keys on Domain Controllers to surface expensive / inefficient searches coming from ADWS (and LDAP): - -```powershell -New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value 5 -Type DWORD -New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'Expensive Search Results Threshold' -Value 1 -Type DWORD -New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'Search Time Threshold (msecs)' -Value 0 -Type DWORD -``` - -Events will appear under **Directory-Service** with the full LDAP filter, even when the query arrived via ADWS. - -### SACL Canary Objects - -1. Create a dummy object (e.g. disabled user `CanaryUser`). -2. Add an **Audit** ACE for the _Everyone_ principal, audited on **ReadProperty**. -3. Whenever an attacker performs `(servicePrincipalName=*)`, `(objectClass=user)` etc. the DC emits **Event 4662** which contains the real user SID – even when the request is proxied or originates from ADWS. - -Elastic pre-built rule example: - -```kql -(event.code:4662 and not user.id:"S-1-5-18") and winlog.event_data.AccessMask:"0x10" -``` +Combine this with `s4u2proxy`/`Rubeus /getticket` for a full **Resource-Based Constrained Delegation** chain (see [Resource-Based Constrained Delegation](resource-based-constrained-delegation.md)). 
## Tooling Summary | Purpose | Tool | Notes | |---------|------|-------| | ADWS enumeration | [SoaPy](https://github.com/logangoins/soapy) | Python, SOCKS, read/write | +| High-volume ADWS dump | [SOAPHound](https://github.com/FalconForceTeam/SOAPHound) | .NET, cache-first, BH/ADCS/DNS modes | | BloodHound ingest | [BOFHound](https://github.com/bohops/BOFHound) | Converts SoaPy/ldapsearch logs | | Cert compromise | [Certipy](https://github.com/ly4k/Certipy) | Can be proxied through same SOCKS | @@ -116,5 +128,7 @@ Elastic pre-built rule example: * [SoaPy GitHub](https://github.com/logangoins/soapy) * [BOFHound GitHub](https://github.com/bohops/BOFHound) * [Microsoft – MC-NBFX, MC-NBFSE, MS-NNS, MC-NMF specifications](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nbfx/) +* [IBM X-Force Red – Stealthy Enumeration of Active Directory Environments Through ADWS](https://logan-goins.com/2025-02-21-stealthy-enum-adws/) +* [FalconForce – SOAPHound tool to collect Active Directory data via ADWS](https://falconforce.nl/soaphound-tool-to-collect-active-directory-data-via-adws/) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}
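Review bot: in the `@@ -14,6 +14,8 @@` hunk of `adws-enumeration.md`, the sentence "specify the `LDAP_SERVER_SD_FLAGS_OID` control to omit SACLs, otherwise ADWS simply drops the `nTSecurityDescriptor` attribute" names the control but not how to use it or why it is needed, which is exactly what an operator needs to get security descriptors back. Suggest adding the OID (`1.2.840.113556.1.4.801`) and the flag value to send (OWNER | GROUP | DACL = 0x7, i.e. everything except SACL 0x8), plus the one-line reason: a non-privileged account cannot read the SACL portion of a security descriptor, so a default request that implicitly includes it fails and the whole attribute is dropped rather than partially returned. The "~30 minutes" context timeout claim is stated twice in this patch (here and in the SOAPHound AutoSplit paragraph); cite the FalconForce post it comes from at the first occurrence so the number is sourced.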
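Review bot: in the `@@ -28,12 +30,47 @@` hunk the placeholder arguments are missing after `--rbcd `, `--spn ` and `--autosplit --threshold ` (each ends in a trailing space before the closing backtick), which reads as if the switches take no value; most likely an angle-bracket token such as a target name was swallowed by the renderer, so escape it or use a concrete example like the `--rbcd 'WEBSRV01$' --account 'FILE01$'` that appears a few lines later. In the same hunk the SOAPHound `powershell` block uses `\` as a line-continuation character, which PowerShell does not understand (it needs a backtick at end of line, or the command on one line), so the three-line `--bhdump` invocation will fail as written. Also confirm that the short `-f samAccountName,servicePrincipalName` in the SoaPy example is the same switch the prose calls `--filter`; the two should use one spelling so readers can map them. Finally the `--rbcd`/`--account` example should say which side is the delegating account and which is the target, since the order matters for the resulting `msDs-AllowedToActOnBehalfOfOtherIdentity` value.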
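Review bot: the `@@ -74,39 +111,14 @@` hunk deletes the entire "Detection & Hardening" section (verbose NTDS diagnostics registry keys, the SACL canary object procedure and the Event 4662 Elastic rule) without a replacement or a cross-link, leaving the page with no defensive guidance at all even though the new text above explicitly argues ADWS traffic "may blend with legitimate admin activity". If the material is being moved to a dedicated detection page, add the link where the section was (and in the Tooling Summary); otherwise restore it, since the point that the Directory-Service events and 4662 still fire for queries that arrived via ADWS is the single most useful thing a blue-team reader takes from this page. The surviving line that replaces it (the RBCD cross-link) is fine on its own but should not be the only remnant of a 40-line removal.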
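Review bot: in the references hunk (`@@ -116,5 +128,7 @@`) the new entry is titled "IBM X-Force Red – Stealthy Enumeration of Active Directory Environments Through ADWS" but links to `logan-goins.com`, so the attribution and the URL disagree; pick one canonical location for the article (the publisher's page or the author's blog) and make the label match the domain, or list both explicitly. Since the SoaPy GitHub link is already present directly above, adding the blog as a second entry is fine, but the trailing-newline fix at the end of the file should be mentioned in the commit message rather than left as an unexplained diff line.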