Check out the new and improved windapsearch - rewritten in Go with some new features (including JSON support)!
https://github.com/ropnop/go-windapsearch
windapsearch
windapsearch is a Python script to help enumerate users, groups and computers from a Windows domain through LDAP queries.
By default, Windows Domain Controllers support basic LDAP operations through port 389/tcp. With any valid domain account (regardless of privileges), it is possible to perform LDAP queries against a domain controller for any AD related information.
You can always use a tool like ldapsearch to perform custom LDAP queries against a Domain Controller. I found myself running different LDAP commands over and over again, and it was difficult to memorize all the custom LDAP queries. So this tool was born to help automate some of the most useful LDAP queries a pentester would want to perform in an AD environment.
Requirements
windapsearch requires the python-ldap module. You should be able to get up and running with two commands:
$ git clone https://github.com/ropnop/windapsearch.git
$ pip install python-ldap #or apt-get install python-ldap
$ ./windapsearch.py
The latest version is designed to be used with Python 3, but if you are stuck with Python 2, you can use the windapsearch_py2.py script.
Usage
$ python windapsearch.py -h
usage: windapsearch.py [-h] [-d DOMAIN] [--dc-ip DC_IP] [-u USER]
[-p PASSWORD] [--functionality] [-G] [-U] [-C]
[-m GROUP_NAME] [--da] [--admin-objects] [--user-spns]
[--unconstrained-users] [--unconstrained-computers]
[--gpos] [-s SEARCH_TERM] [-l DN]
[--custom CUSTOM_FILTER] [-r] [--attrs ATTRS] [--full]
[-o output_dir]
Script to perform Windows domain enumeration through LDAP queries to a Domain
Controller
optional arguments:
-h, --help show this help message and exit
Domain Options:
-d DOMAIN, --domain DOMAIN
The FQDN of the domain (e.g. 'lab.example.com'). Only
needed if DC-IP not provided
--dc-ip DC_IP The IP address of a domain controller
Bind Options:
Specify bind account. If not specified, anonymous bind will be attempted
-u USER, --user USER The full username with domain to bind with (e.g.
'ropnop@lab.example.com' or 'LAB\ropnop'
-p PASSWORD, --password PASSWORD
Password to use. If not specified, will be prompted
for
Enumeration Options:
Data to enumerate from LDAP
--functionality Enumerate Domain Functionality level. Possible through
anonymous bind
-G, --groups Enumerate all AD Groups
-U, --users Enumerate all AD Users
-PU, --privileged-users
Enumerate All privileged AD Users. Performs recursive
lookups for nested members.
-C, --computers Enumerate all AD Computers
-m GROUP_NAME, --members GROUP_NAME
Enumerate all members of a group
--da Shortcut for enumerate all members of group 'Domain
Admins'. Performs recursive lookups for nested
members.
--admin-objects Enumerate all objects with protected ACLs (i.e.
admins)
--user-spns Enumerate all users objects with Service Principal
Names (for kerberoasting)
--unconstrained-users
Enumerate all user objects with unconstrained
delegation
--unconstrained-computers
Enumerate all computer objects with unconstrained
delegation
--gpos Enumerate Group Policy Objects
-s SEARCH_TERM, --search SEARCH_TERM
Fuzzy search for all matching LDAP entries
-l DN, --lookup DN Search through LDAP and lookup entry. Works with fuzzy
search. Defaults to printing all attributes, but
honors '--attrs'
--custom CUSTOM_FILTER
Perform a search with a custom object filter. Must be
valid LDAP filter syntax
Output Options:
Display and output options for results
-r, --resolve Resolve IP addresses for enumerated computer names.
Will make DNS queries against system NS
--attrs ATTRS Comma separated custom atrribute names to search for
(e.g. 'badPwdCount,lastLogon')
--full Dump all atrributes from LDAP.
-o output_dir, --output output_dir
Save results to TSV files in <OUTPUT_DIR>
Specifying Domain and Account
To begin you need to specify a Domain Controller to connect to with --dc-ip, or a domain with -d.
If no Domain Controller IP address is specified, the script will attempt to do a DNS host lookup on the domain and take the top result.
A valid domain username and password are required for most lookups. If none are specified the script will attempt an anonymous bind and enumerate the default namingContext, but most additional queries will fail.
The username needs to include the full domain, e.g. ropnop@lab.example.com or EXAMPLE\ropnop
The password can be specified on the command line with -p or if left out it will be prompted for.
Enumerate Users
The -U option performs an LDAP search for all entries where objectCategory=user. By default, it will only display the commonName and the userPrincipalName.
The --attrs option can be used to specify custom or additional attributes to display, or the --full option will display everything for all users.
WARNING: in a large domain this can get very big, very fast
Example:
$ ./windapsearch.py -d lab.ropnop.com -u ropnop\\ldapbind -p GoCubs16 -U
[+] No DC IP provided. Will try to discover via DNS lookup.
[+] Using Domain Controller at: 172.16.13.10
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=lab,DC=ropnop,DC=com
[+] Attempting bind
[+] ...success! Binded as:
[+] u:ROPNOP\ldapbind
[+] Enumerating all AD users
[+] Found 2754 users:
cn: Administrator
cn: Guest
cn: krbtgt
cn: Andy Green
userPrincipalName: agreen@lab.ropnop.com
<snipped...>
To save the results to a tab-separated file, use the -o option and specify a directory.
Enumerate Groups and Group Memberships
Use the -G option to enumerate all entries where objectCategory=group. This will output the DN and CN of all groups.
To query group membership, use the -m option with either the DN or CN of the group you wish to query. The tool supports fuzzy search matching so even a partial CN will work. If it matches more than one group, the tool will specify which group to query.
Example:
$ ./windapsearch.py -d lab.ropnop.com -u ropnop\\ldapbind -p GoCubs16 -m IT
[+] No DC IP provided. Will try to discover via DNS lookup.
[+] Using Domain Controller at: 172.16.13.10
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=lab,DC=ropnop,DC=com
[+] Attempting bind
[+] ...success! Binded as:
[+] u:ROPNOP\ldapbind
[+] Attempting to enumerate full DN for group: IT
[+] Found 2 results:
0: CN=IT Admins,OU=Groups,OU=Lab,DC=lab,DC=ropnop,DC=com
1: CN=Ismael Titus,OU=US,OU=Users,OU=Lab,DC=lab,DC=ropnop,DC=com
Which DN do you want to use? : 0
[+] Found 5 members:
CN=James Doyle,OU=US,OU=Users,OU=Lab,DC=lab,DC=ropnop,DC=com
CN=Edward Sotelo,OU=US,OU=Users,OU=Lab,DC=lab,DC=ropnop,DC=com
CN=Cheryl Perry,OU=US,OU=Users,OU=Lab,DC=lab,DC=ropnop,DC=com
CN=Anthony Gordon,OU=US,OU=Users,OU=Lab,DC=lab,DC=ropnop,DC=com
CN=Desktop Support,OU=Groups,OU=Lab,DC=lab,DC=ropnop,DC=com
[*] Bye!
Domain Admins
You can enumerate Domain Admins through two methods. One is to use -m with "Domain Admins". This will query LDAP for the "Domain Admins" entry and display all the members.
The more thorough way is to do a lookup of all users and determine if they or a group they
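As an added example (not windapsearch's own code), here are the LDAP filters behind the -U, -G, -m and recursive Domain Admins lookups described above, with the user-supplied term escaped per RFC 4515 so a partial name such as the -m IT lookup cannot alter the query. The `(cn=*term*)` shape of the fuzzy lookup is an assumption based on the README's output; the OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, and the group DN used in the test is the IT Admins group from the example output.

```python
# Added example (not windapsearch's own code): the LDAP filters behind the
# -U, -G, -m and recursive (--da) lookups, with user-supplied terms escaped
# per RFC 4515 so a partial name cannot change the shape of the query.

# Active Directory's extensible-match rule for transitive (nested) membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Static filters used by -U and -G (the caller restricts the attribute list).
USERS_FILTER = "(objectCategory=user)"
GROUPS_FILTER = "(objectCategory=group)"

def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def fuzzy_cn_filter(term: str) -> str:
    """Partial-CN lookup used to resolve a -m/-s term (assumed shape). The
    wildcards belong to the filter; the term is escaped, so it matches users as
    well as groups (as the 'IT' lookup does) but cannot inject extra clauses."""
    return f"(cn=*{escape_filter_value(term)}*)"

def nested_members_filter(group_dn: str) -> str:
    """Every object whose memberOf chain reaches group_dn: the server resolves
    nested groups in one query instead of the client walking them."""
    return f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"

def is_balanced_filter(flt: str) -> bool:
    """Cheap sanity check for --custom input: parenthesised and balanced. Not a
    full RFC 4515 parser; escaped parens are hex (\\28, \\29) so they don't count."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```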