This script will gather data about the domain’s users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes. You can enable or disable the attributes shown in the final table by changing the values in line 184 and headers in line 190.

https://github.com/fortra/impacket/tree/master

https://github.com/fortra/impacket/blob/master/examples/GetADUsers.py

Password Authentication

1. Download the tool

  • wget https://raw.githubusercontent.com/fortra/impacket/master/examples/GetADUsers.py

2. Run the tool help menu

  • python3 GetADUsers.py -h

3. Get all users from the domain controller

  • python3 GetADUsers.py -all -dc-ip domain-controller-ip ‘vk9-sec/vry4n:Admin.123’
  • python3 GetADUsers.py -all vk9-sec/admin1 -dc-ip 192.168.0.110

4. Post-compromise through a proxy host

  • proxychains -q GetADUsers.py -all -dc-ip domain-controller-ip ‘domain.tld/username:password’

Pass the Hash

If you’ve dumped the SAM or LSASS on host post-compromise, you can pass the hash to dump users.

1. Get all users from the domain controller

  • GetADUsers.py -all -dc-ip domain-controller-ip -hashes lm-hash:nt-hash ‘domain.tld/username’

2. Post-compromise through a proxy host

  • proxychains -q GetADUsers.py -all -dc-ip domain-controller-ip -hashes lm-hash:nt-hash ‘domain.tld/username’

Sources

https://notes.benheater.com/books/active-directory/page/getaduserspy

https://www.hackingarticles.in/abusing-kerberos-using-impacket/

https://wadcoms.github.io/wadcoms/Impacket-GetADUsers/