windapsearch is a fast LDAP recon wrapper for common AD queries. It is useful when we want clean lists of users, groups, computers, Domain Admins, SPN accounts, delegation targets, and AS-REP roastable users.
export DC=10.10.10.200
export DOMAIN=ootw.local
export USER='student'
export PASS='student'
Basic authenticated enumeration:
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --users
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --groups
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --computers
Privilege and attack surface:
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --da
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --spns
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --delegate
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --asreproast
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --trusted
Kerberos:
kinit $USER@OOTW.LOCAL
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --kerberos --users
Custom LDAP filter:
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --custom '(&(objectCategory=computer)(operatingSystem=*Server*))'
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --custom '(servicePrincipalName=MSSQLSvc*)'
Output:
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --users --json users.json
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --groups --csv groups.csv