SkillAgentSearch skills...

Adar

Active Directory reconnaissance & attack tool for authorized pentesting — LDAP, Kerberos, user enum, Kerberoasting, AS-REP Roasting, risk scoring. T1–T4 techniques.

GenerateConvertImprove

Install / Use

/learn @cumakurt/Adar
About this skill

Quality Score

0/100

Supported Platforms

Zed

README

ADAR — Active Directory Attack & Reconnaissance Tool

License: AGPL v3 Python 3.10+

For authorized penetration testing use only. Unauthorized use against systems you do not own or have permission to test may be illegal.
Turkish documentation: README.tr.md

Architecture Overview

adar/
├── core/
│   ├── engine.py              # Main orchestration engine (ScanEngine)
│   ├── result_store.py        # Async-safe user aggregation & dedup
│   └── noise_controller.py   # Adaptive rate limiting & jitter
├── techniques/
│   ├── base.py                # Abstract BaseTechnique
│   ├── dns_enum.py            # [T1] DNS SRV record queries
│   ├── ldap_enum.py           # [T1] LDAP anonymous bind + paged dump
│   ├── kerberos_enum.py       # [T1] Kerberos AS-REQ user probing (wordlist or built-in)
│   ├── smb_enum.py            # [T1] SMB null session probe
│   ├── samr_enum.py           # [T2] MS-SAMR user enumeration
│   ├── rid_cycling.py         # [T2] SID+RID brute-force (500-2000)
│   ├── oxid_resolver.py       # [T2] OXID ServerAlive2 interface enum
│   ├── ldap_auth_enum.py      # [T3] Authenticated LDAP full attribute dump
│   ├── asreproast_enum.py     # [T3] AS-REP Roasting — hashcat hash dump
│   ├── kerberoast_enum.py     # [T3] Kerberoasting SPN accounts
│   ├── sysvol_enum.py         # [T3] SYSVOL/GPO script & Groups.xml parse
│   ├── adcs_enum.py           # [T4] ADCS cert template enum + ESC1/2/3/4 vuln detection
│   ├── azure_enum.py          # [T4] Azure AD GetCredentialType user enum
│   ├── smtp_enum.py           # [T4] SMTP VRFY/EXPN user validation
│   ├── owa_timing.py          # [T4] OWA/EWS HTTP timing side-channel
│   ├── printer_spooler.py     # [T4] MS-RPRN job owner enum + PrinterBug detection
│   └── ldap_referral.py       # [T2] Forest/trust referral chase
├── intelligence/
│   ├── dc_fingerprint.py      # DC service & capability detection
│   └── technique_selector.py  # Tier-aware technique pipeline builder
├── output/
│   └── reporter.py            # Rich terminal + JSON + CSV + HTML
├── types_/
│   └── models.py              # Pydantic v2 models & enums
└── adar.py                    # Click CLI entry point

Installation

From GitHub (recommended):

git clone https://github.com/cumakurt/adar.git
cd adar
python3 -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate
pip install -e .
adar --help

From source (requirements only):

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python adar.py --help

Requires Python 3.10+. See requirements.txt for dependencies.

Usage

Basic scan (no credentials)

Domain is auto-discovered if omitted (LDAP/SMB/Kerberos/rDNS).

python adar.py -t 192.168.1.10
python adar.py -t 192.168.1.10 -d corp.local

Without credentials, all unauthenticated tactics run: Tier 1–2 and credential-free Tier 4 (DNS, LDAP anon, Kerberos AS-REQ, SMB null, LLMNR/passive listener, OXID, SAMR, RID cycling, DNS LDAP dump, Global Catalog, SCCM, MS-RPRN). With default --noise high, techniques run at maximum speed unless you explicitly lower the noise budget.

Kerberos, Azure and OWA user enumeration

If no wordlist (-w) is given, Kerberos uses the embedded smart list (administrator, guest, krbtgt, etc.); Azure enum and OWA timing also use the embedded list when no wordlist is provided (see Tier 4 details below).

python adar.py -t 192.168.1.10 -d corp.local -w /path/to/users.txt

Authenticated scan

python adar.py -t dc01.corp.local -d corp.local \
  -u admin -p 'Password1!' \
  -f json -f html -o ./reports/

Note: Tier 3 techniques (ldap_auth, kerberoast, etc.) are required for full user discovery. They run only with --profile default or --profile full. --profile stealth uses only Tier 1–2; no user enum even when credentials are provided.

Stealth mode (IDS evasion)

python adar.py -t 10.0.0.5 -d lab.test \
  --noise very_low --timeout 15 -w users.txt

Pass-the-Hash (NT hash)

python adar.py -t 10.0.0.5 -d corp.local \
  -u admin --hash aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

CLI Parameters

| Parameter | Short | Default | Description | |-----------|-------|---------|-------------| | --target | -t | required | DC IP or hostname | | --domain | -d | — | AD domain (auto-discovered if omitted) | | --username | -u | — | Username | | --password | -p | — | Password | | --hash | — | — | NTLM hash | | --wordlist | -w | — | User list for Kerberos, Azure AD, OWA timing, SMTP VRFY | | --profile | — | default | default (all tiers), stealth (T1–2 only), full, soc-full | | --noise | — | high | very_low / low / medium / high | | --timeout | — | 10 | Connection timeout (seconds) | | --output-dir | -o | . | Report output directory | | --format | -f | terminal,json,html | Output format (repeatable) | | --concurrent | — | 3 | Concurrent techniques per tier | | --listen-time | — | 60 (stealth: 300) | Passive listener duration (seconds) | | --verbose | -v | false | Debug logging |

Example JSON Output

{
  "username": "admin",
  "confidence": "confirmed",
  "found_by": ["kerberos_enum", "ldap_anon"],
  "attributes": {
    "email": "admin@corp.local",
    "display_name": "Admin",
    "groups": ["Domain Users", "IT Staff"],
    "enabled": true
  },
  "timestamp": "2024-01-15T10:23:41Z"
}

Technique Details

Unauthenticated techniques (Tier summary)

| Tier | Technique | Description | |------|-----------|-------------| | T1 | DNS enum | SRV records, zone transfer attempt | | T1 | LDAP anon | Anonymous bind + user search | | T1 | Kerberos enum | AS-REQ user existence check (wordlist or built-in) | | T1 | SMB null | Null session, OS/domain info | | T1 | LLMNR/NBT-NS listener | Passive; name queries and NTLM capture | | T1 | Passive traffic | mDNS/NBNS passive listen | | T2 | LDAP referral | Forest/trust referral chase | | T2 | OXID resolver | RPC endpoint list | | T2 | SAMR | MS-SAMR user list (null/auth) | | T2 | RID cycling | SID+RID account name resolution | | T2 | DNS LDAP dump | ADIDNSdump-style DNS record dump | | T2 | Global Catalog | GC bind + user search | | T2 | SCCM enum | SCCM/MDT MP and NAA discovery | | T4 | Printer Spooler | MS-RPRN job owner enum, PrinterBug check |

Tier 3 (LDAP auth, AS-REP Roasting, Kerberoasting, SYSVOL, vulnerable accounts) requires credentials (-u/-p or --hash). ADCS in T4 requires credentials; Azure enum and OWA timing do not require credentials and use the embedded smart list when no wordlist is given (see “Azure and OWA details” below).

Enumeration Techniques — Detailed

Each technique is described with method (how it works) and rationale (why it is used).

Tier 1 — Unauthenticated, minimal noise

| Technique | Method | Rationale | |-----------|--------|-----------| | dns_enum | Queries standard AD DNS SRV records (_kerberos._tcp, _ldap._tcp, _ldap._tcp.dc._msdcs, _gc._tcp, etc.) via the target as DNS server. Optionally probes TXT and zone transfer. | Confirms DC presence and discovers additional DCs/forest members without any authentication. Purely passive from an AD auth perspective; only DNS traffic. | | ldap_anon | Binds to LDAP (port 389) with anonymous authentication. Tries multiple strategies: (1) paged user search with full attributes, (2) minimal attributes (sAMAccountName) with alternate filters, (3) well-known accounts (Administrator, Guest, krbtgt) by DN, (4) CN=Users subtree. | Many misconfigured or legacy DCs allow anonymous LDAP bind; this yields a direct list of user objects when ACLs permit. Very low noise. | | kerberos_enum | Sends Kerberos AS-REQ (Authentication Service Request) for each candidate username (wordlist or embedded smart list). Interprets KDC response: KDC_ERR_PREAUTH_REQUIRED (25) → user exists; KDC_ERR_C_PRINCIPAL_UNKNOWN (6) → user does not exist. | The KDC reveals user existence without requiring a password. Industry-standard user enumeration method; wordlist-driven and throttleable. | | smb_null | Establishes an unauthenticated (null) SMB session to port 445 (empty username/password). Retrieves NetBIOS domain name, DNS hostname, and OS version via SMB calls. | Confirms that null session is allowed, which is a prerequisite for SAMR/RID cycling on older DCs. Does not enumerate users itself but enriches DC fingerprint. | | llmnr_listener | Passive only (no packet injection). Binds to LLMNR (UDP 5355, multicast 224.0.0.252), NBT-NS (UDP 137), and mDNS (UDP 5353). Captures hostname queries and, when present, NTLM Type-1/2/3 messages (usernames and optionally NTLMv2 hashes). | Equivalent to Responder “analysis” mode: observes what names hosts request and any NTLM traffic on the wire. Zero risk of poisoning; useful for user/hash discovery in shared segments. | | passive_traffic | Fully passive — sends no packets. Sniffs mDNS (UDP 5353) and NBNS (UDP 137) on the local segment. Extracts machine names and infers computer accounts (HOSTNAME$) and possible usernames from naming conventions. | Complements LLMNR listener with multicast/broadcast-only capture. Reveals hostnames and naming patterns that often map to AD users; requires CAP_NET_RAW. |

Tier 2 — Passive / side-channel / low auth

| Technique | Method | Rationale | |-----------|--------|-----------| | ldap_referral | Queries the domain’s trustedDomain objects via LDAP to list forest and external trusts. For INBOUND/BIDIRECTIONAL trusts, follows LDAP referrals to the trusted DC and at

cumakurt

View profile

View on GitHub
GitHub Stars10
CategoryDevelopment
Updated20d ago
Forks1
cumakurt/adar

Languages

Python

Security Score

80/100

Audited on Mar 10, 2026

No findings