ITSEC Newsletter 2025-02-27

When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous secretsdump.py script from the impacket suite is a well-known tool to extract various sensitive secrets from a machine, including user hashes, the base secret for the DPAPI encryption mechanism, service accounts cleartext credentials, and more. As years passed, security products began to effectively detect and block the execution of this script, which led us to have a closer look at the inner workings of secretsdump and devise a new version that is currently less prone to detection.

Active Directory Web Services, or ADWS, has been a default-enabled service on Domain Controllers since Windows Server 2008, and it allows us to interact with LDAP, making queries on our behalf and proxying our queries. We noticed interaction with ADWS was previously not possible through a Linux host, which motivated us to create SoaPy. SoaPy came with its own difficulties during development, requiring us to create custom protocol implementations with little assistance from Microsoft specifications. SoaPy also has its own accompanying detection considerations, being a significantly stealthier method of LDAP enumeration instead of interacting directly with the LDAP service.