windapsearch is a Python script to help enumerate users, groups and computers from a Windows domain through LDAP queries. By default, Windows Domain Controllers support basic LDAP operations through port 389/tcp. With any valid domain account (regardless of privileges), it is possible to perform LDAP queries against a domain controller for any AD related information.
https://github.com/ropnop/windapsearch
Installation
Requirements
windapsearch requires the python-ldap module. Run the following commands to install the dependencies and execute the script:
- git clone https://github.com/ropnop/windapsearch.git
- cd windapsearch
- sudo apt-get install -y libldap2-dev libsasl2-dev libssl-dev
- sudo apt-get install python3-dev
- pip install --upgrade pip setuptools
- pip install python-ldap
- python3 windapsearch.py
How to use
1. Display menu
- python3 windapsearch.py -h
- python3 windapsearch.py --help
2. Basic query, to verify the credentials are valid
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123
3. Query users & save the output to a file (just specify the destination folder)
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -U -o ~/Desktop
4. Query groups
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -G -o ~/Desktop
5. Get the members of a group
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -m <group_name>
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -m IR-gra-distlist1
6. Find computers with unconstrained delegation (a Domain Controller is normally unconstrained)
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --unconstrained-computers
7. Find users with unconstrained delegation
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --unconstrained-users
8. Get computers
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -C
9. Get privileged users
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -PU
10. Get the users that are members of Domain Admins
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --da
11. Enumerate all objects with protected ACLs (admins)
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --admin-objects
12. Enumerate all user objects with Service Principal Names (for kerberoasting)
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --user-spns
13. Enumerate Group Policy Objects
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 --gpos
14. Fuzzy search for all matching LDAP entries
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -s administrator
15. Get full attribute data
- python3 windapsearch.py -d vk9-sec.com --dc-ip 192.168.0.110 -u vk9-sec\\admin1 -p Admin.123 -G -o ~/Desktop --full
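The unconstrained-delegation and SPN options above all come down to specific attribute values on the AD objects: unconstrained delegation is the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl, and kerberoastable users are user objects that carry a servicePrincipalName. The following script is an added example, not windapsearch's own code, that builds the LDAP filters of that shape (using the bitwise-AND matching rule 1.2.840.113556.1.4.803 that AD supports) and decodes the same attributes from LDAP entries represented as dicts, so a defender can audit an exported dump of their own domain offline and separate expected hits (domain controllers) from unexpected ones. The sample entries (hostnames, account names, SPNs) are constructed; only the vk9-sec.com domain comes from the page.

```python
"""Decode the AD attributes behind windapsearch's --unconstrained-computers,
--unconstrained-users and --user-spns queries (added example, not part of
windapsearch). Entries are dicts such as an LDAP export would yield."""

# userAccountControl bit flags (documented Active Directory values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000          # set on domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000       # "unconstrained delegation"

# AD extensible-match rule: bitwise AND on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def uac_filter(flag, object_class):
    """LDAP filter matching objects of object_class with `flag` set in userAccountControl."""
    return (f"(&(objectClass={object_class})"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag}))")


def user_spn_filter():
    """LDAP filter for non-computer user objects that have at least one SPN."""
    return "(&(objectClass=user)(!(objectClass=computer))(servicePrincipalName=*))"


def uac(entry):
    return int(entry.get("userAccountControl", 0))


def is_computer(entry):
    # AD computers carry objectClass user *and* computer, hence the list check.
    return "computer" in entry.get("objectClass", [])


def is_domain_controller(entry):
    return is_computer(entry) and bool(uac(entry) & UF_SERVER_TRUST_ACCOUNT)


def is_unconstrained(entry):
    return bool(uac(entry) & UF_TRUSTED_FOR_DELEGATION)


def is_disabled(entry):
    return bool(uac(entry) & UF_ACCOUNTDISABLE)


def has_user_spn(entry):
    return not is_computer(entry) and bool(entry.get("servicePrincipalName"))


def audit(entries):
    """Group the entries the way windapsearch's three options would report them."""
    report = {"unconstrained_computers": [], "unconstrained_users": [],
              "user_spns": [], "disabled_user_spns": []}
    for e in entries:
        name = e["sAMAccountName"]
        if is_unconstrained(e):
            key = "unconstrained_computers" if is_computer(e) else "unconstrained_users"
            report[key].append(name)
        if has_user_spn(e):
            report["user_spns"].append(name)
            if is_disabled(e):
                report["disabled_user_spns"].append(name)
    return report


def unexpected_unconstrained(entries):
    """Unconstrained objects that are not domain controllers: the ones worth reviewing."""
    return [e["sAMAccountName"] for e in entries
            if is_unconstrained(e) and not is_domain_controller(e)]


COMPUTER_CLASSES = ["top", "person", "organizationalPerson", "user", "computer"]
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample export (names and SPNs are hypothetical)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["ldap/dc01.vk9-sec.com"]},
    {"sAMAccountName": "WS07$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WS08$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "admin1", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_sql", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql01.vk9-sec.com:1433"]},
    {"sAMAccountName": "svc_backup", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "old_svc", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/old.vk9-sec.com"]},
]

if __name__ == "__main__":
    print(uac_filter(UF_TRUSTED_FOR_DELEGATION, "computer"))
    print(user_spn_filter())
    for key, names in audit(SAMPLE_ENTRIES).items():
        print(f"{key}: {names}")
    print("review:", unexpected_unconstrained(SAMPLE_ENTRIES))
```

Only DC01$ is an expected unconstrained host; the workstation WS07$ and the account svc_backup show up in unexpected_unconstrained and are the ones to review or move to constrained delegation. Disabled accounts with SPNs are listed separately because they still appear in a plain servicePrincipalName=* query but are not a live kerberoasting exposure until re-enabled.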