diff --git a/src/windows-hardening/active-directory-methodology/adws-enumeration.md b/src/windows-hardening/active-directory-methodology/adws-enumeration.md index 1551ace6e90..9c4ebf36aeb 100644 --- a/src/windows-hardening/active-directory-methodology/adws-enumeration.md +++ b/src/windows-hardening/active-directory-methodology/adws-enumeration.md 
@@ -49,6 +49,35 @@ Use the same host/credentials to immediately weaponise findings: dump RBCD-capab python3 -m pip install soapy-adws # or git clone && pip install -r requirements.txt ``` +## ADWSDomainDump – LDAPDomainDump over ADWS (Linux/Windows) + +* Fork of `ldapdomaindump` that swaps LDAP queries for ADWS calls on TCP/9389 to reduce LDAP-signature hits. +* Performs an initial reachability check to 9389 unless `--force` is passed (skips the probe if port scans are noisy/filtered). +* Tested against Microsoft Defender for Endpoint and CrowdStrike Falcon with successful bypass in the README. + +### Installation + +```bash +pipx install . +``` + +### Usage + +```bash +adwsdomaindump -u 'thewoods.local\mathijs.verschuuren' -p 'password' -n 10.10.10.1 dc01.thewoods.local +``` + +Typical output logs the 9389 reachability check, ADWS bind, and dump start/finish: + +```text +[*] Connecting to ADWS host... +[+] ADWS port 9389 is reachable +[*] Binding to ADWS host +[+] Bind OK +[*] Starting domain dump +[+] Domain dump finished +``` + ## SOAPHound – High-Volume ADWS Collection (Windows) [FalconForce SOAPHound](https://github.com/FalconForceTeam/SOAPHound) is a .NET collector that keeps all LDAP interactions inside ADWS and emits BloodHound v4-compatible JSON. It builds a complete cache of `objectSid`, `objectGUID`, `distinguishedName` and `objectClass` once (`--buildcache`), then re-uses it for high-volume `--bhdump`, `--certdump` (ADCS), or `--dnsdump` (AD-integrated DNS) passes so only ~35 critical attributes ever leave the DC. AutoSplit (`--autosplit --threshold `) automatically shards queries by CN prefix to stay under the 30-minute EnumerationContext timeout in large forests. 
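Review bot: the third bullet of the new ADWSDomainDump section states the EDR bypass ("Tested against Microsoft Defender for Endpoint and CrowdStrike Falcon with successful bypass") as fact, but the only source given is the tool's README; reword it as the README's claim (e.g. "The README reports successful bypass of ...") so the page does not vouch for detection coverage it has not verified and that can change with sensor updates. The `--force` bullet is also ambiguous as written; say plainly that `--force` skips the TCP/9389 reachability probe, which is useful when the port is filtered or probes are undesirable. Two documentation gaps: the Installation block `pipx install .` only works from inside a cloned checkout, so add the clone step (or the equivalent `pipx install` of the GitHub URL) the way the SoaPy block above shows `git clone && pip install -r requirements.txt`, and the Usage example hardcodes a realistic-looking username, password and hostnames; replace them with placeholders such as `-u '<domain>\<user>' -p '<password>' -n <dc-ip> <dc-fqdn>` to match the rest of the page. Finally, the section shows only the progress log but never says what the dump produces or where it is written; one sentence on the output files would let readers find their results.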
@@ -127,6 +156,7 @@ Combine this with `s4u2proxy`/`Rubeus /getticket` for a full **Resource-Based Co * [SpecterOps – Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS](https://specterops.io/blog/2025/07/25/make-sure-to-use-soapy-an-operators-guide-to-stealthy-ad-collection-using-adws/) * [SoaPy GitHub](https://github.com/logangoins/soapy) * [BOFHound GitHub](https://github.com/bohops/BOFHound) +* [ADWSDomainDump GitHub](https://github.com/mverschu/adwsdomaindump) * [Microsoft – MC-NBFX, MC-NBFSE, MS-NNS, MC-NMF specifications](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nbfx/) * [IBM X-Force Red – Stealthy Enumeration of Active Directory Environments Through ADWS](https://logan-goins.com/2025-02-21-stealthy-enum-adws/) * [FalconForce – SOAPHound tool to collect Active Directory data via ADWS](https://falconforce.nl/soaphound-tool-to-collect-active-directory-data-via-adws/)