windapsearch is a Python script that helps enumerate users, groups and computers from a Windows domain through LDAP queries. By default, Windows Domain Controllers support basic LDAP operations through port 389/tcp. With any valid domain account (regardless of privileges), it is possible to perform LDAP queries against a domain controller for any AD-related information.

https://github.com/ropnop/windapsearch

Installation

Requirements

windapsearch requires the python-ldap module. Run the following commands to install the dependencies and execute the script:

  • git clone https://github.com/ropnop/windapsearch.git
  • cd windapsearch
  • sudo apt-get install -y libldap2-dev libsasl2-dev libssl-dev
  • sudo apt-get install python3-dev
  • pip install --upgrade pip setuptools
  • pip install python-ldap
  • python3 windapsearch.py

How to use

1. Display the help menu

  • python3 windapsearch.py -h
  • python3 windapsearch.py --help

2. Basic query, to verify that the credentials are valid

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123

3. Query users and save the output to a file (just specify the destination folder)

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -U -o ~/Desktop

4. Query groups

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -G -o ~/Desktop

5. Get the members of a group

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -m <group_name>
  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -m IR-gra-distlist1

6. Find computers with unconstrained delegation (usually the Domain Controller is unconstrained)

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --unconstrained-computers

7. Find users with unconstrained delegation

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --unconstrained-users

8. Get computers

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -C

9. Get privileged users

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -PU

10. Get users that are members of Domain Admins

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --da

11. Enumerate all objects with protected ACLs (admins)

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --admin-objects

12. Enumerate all user objects with Service Principal Names (for Kerberoasting)

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --user-spns

13. Enumerate Group Policy Objects

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --gpos

14. Fuzzy search for all matching LDAP entries

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -s administrator

15. Get full attribute data

  • python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -G -o ~/Desktop --full
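What the --unconstrained-computers, --unconstrained-users and --user-spns queries actually inspect, as an added example that is not windapsearch's own code: a decoder for the userAccountControl bitmask and the servicePrincipalName attribute, run offline over results shaped the way python-ldap returns them, which is also what a defender audits to find machine or user accounts that should not be trusted for delegation or should not carry SPNs. The DNs, account names and SPNs below are constructed sample data for the vk9-sec.com domain from the post; the UF_* bit values are the documented Windows constants.

```python
# Added example, not windapsearch's own code: decode the attributes behind the
# --unconstrained-computers, --unconstrained-users and --user-spns checks, offline.
from typing import Dict, List, Tuple

# userAccountControl bits (documented Windows UF_* constants), ascending order.
UAC_BITS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT",
            0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
            0x10000: "DONT_EXPIRE_PASSWD", 0x80000: "TRUSTED_FOR_DELEGATION",
            0x400000: "DONT_REQUIRE_PREAUTH"}
UF_TRUSTED_FOR_DELEGATION = 0x80000      # "unconstrained delegation"
UF_COMPUTER = 0x1000 | 0x2000            # workstation or DC machine account

# python-ldap returns search results as [(dn, {attribute: [bytes, ...]}), ...]
Entry = Tuple[str, Dict[str, List[bytes]]]
# Constructed sample results (not real data) for the vk9-sec.com lab domain.
SAMPLE_RESULTS: List[Entry] = [
    ("CN=DC01,OU=Domain Controllers,DC=vk9-sec,DC=com",
     {"sAMAccountName": [b"DC01$"], "userAccountControl": [b"532480"],
      "servicePrincipalName": [b"ldap/DC01.vk9-sec.com"]}),
    ("CN=WS01,CN=Computers,DC=vk9-sec,DC=com",
     {"sAMAccountName": [b"WS01$"], "userAccountControl": [b"4096"]}),
    ("CN=svc_sql,CN=Users,DC=vk9-sec,DC=com",
     {"sAMAccountName": [b"svc_sql"], "userAccountControl": [b"66048"],
      "servicePrincipalName": [b"MSSQLSvc/sql01.vk9-sec.com:1433"]}),
    ("CN=admin1,CN=Users,DC=vk9-sec,DC=com",
     {"sAMAccountName": [b"admin1"], "userAccountControl": [b"512"]}),
]

def name(entry: Entry) -> str:
    return entry[1]["sAMAccountName"][0].decode()

def uac(entry: Entry) -> int:
    """userAccountControl arrives as a decimal string; treat absent as 0."""
    return int(entry[1].get("userAccountControl", [b"0"])[0])

def describe_uac(value: int) -> List[str]:
    """Name every known flag set in a userAccountControl value."""
    return [flag for bit, flag in UAC_BITS.items() if value & bit]

def unconstrained(results: List[Entry], computers: bool) -> List[str]:
    """Accounts flagged TRUSTED_FOR_DELEGATION, split into computers or users;
    the same test the LDAP bitwise-AND filter
    (userAccountControl:1.2.840.113556.1.4.803:=524288) performs server-side."""
    return [name(e) for e in results if uac(e) & UF_TRUSTED_FOR_DELEGATION
            and bool(uac(e) & UF_COMPUTER) == computers]

def user_spns(results: List[Entry]) -> Dict[str, List[str]]:
    """Non-computer accounts that carry a servicePrincipalName."""
    return {name(e): [s.decode() for s in e[1]["servicePrincipalName"]]
            for e in results
            if "servicePrincipalName" in e[1] and not uac(e) & UF_COMPUTER}
```

On the sample data only the DC01$ machine account is unconstrained, and svc_sql is the only user account with an SPN; the DC's own ldap/ SPN is excluded because it belongs to a machine account.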