SharpADWS is a tool designed for Red Team operations that focuses on reconnaissance and exploitation of Active Directory (AD) environments through the Active Directory Web Services (ADWS) protocol. Unlike traditional methods of interacting with Active Directory, which often use the Lightweight Directory Access Protocol (LDAP), SharpADWS leverages ADWS to perform its operations.
ADWS is a web service that is automatically enabled when Active Directory Domain Services (ADDS) is installed, making it universally available across domain environments. It operates on TCP port 9389 and uses the SOAP protocol for communication. One of the key advantages of using ADWS is that it is relatively unknown and underutilized for LDAP post-exploitation, which can make activities carried out through it less detectable by common monitoring tools.
SharpADWS can perform various actions without directly communicating with the LDAP server. Instead, LDAP queries are wrapped in SOAP messages and sent to the ADWS server, which then unpacks and forwards them to the LDAP server. This can result in LDAP queries appearing to originate from the local address 127.0.0.1 in logs, which might be overlooked by security systems.
The tool implements several protocols, including MS-ADDM, MS-WSTIM, and MS-WSDS, and allows for operations such as enumeration, pulling results, renewing, getting status, and releasing enumeration contexts. SharpADWS can also be used to modify Active Directory data, such as granting DCSync privileges to an account for domain persistence or enabling the ”Do not require kerberos preauthentication” option for an account to perform an AS-REP Roasting attack.
So, SharpADWS is a sophisticated tool for Red Teams that provides an alternative way to interact with Active Directory using ADWS, potentially allowing for stealthier reconnaissance and exploitation activities within a target domain environment