Skip to content

l4rm4nd/PyADRecon

BranchesTags

Repository files navigation

PyADRecon

Python3 implementation of ADRecon

ADRecon is a tool which gathers information about MS Active Directory and generates an XSLX report to provide a holistic picture of the current state of the target AD environment.

Installation

# clone the repo
git clone https://github.com/l4rm4nd/PyADRecon && cd PyADRecon

# create virtual environment
virtualenv venv && source venv/bin/activate

# installd dependencies
pip install -r requirements.txt

Usage

usage: pyadrecon.py [-h] [--generate-excel-from CSV_DIR] [-dc DOMAIN_CONTROLLER] [-u USERNAME] [-p [PASSWORD]] [-d DOMAIN] [--auth {ntlm,kerberos}] [--tgt-file TGT_FILE] [--tgt-base64 TGT_BASE64]
                    [--ssl] [--port PORT] [-o OUTPUT] [--page-size PAGE_SIZE] [--threads THREADS] [--dormant-days DORMANT_DAYS] [--password-age PASSWORD_AGE] [--only-enabled] [--collect COLLECT]
                    [--no-excel] [-v]

PyADRecon - Python Active Directory Reconnaissance Tool

options:
  -h, --help            show this help message and exit
  --generate-excel-from CSV_DIR
                        Generate Excel report from CSV directory (standalone mode, no AD connection needed)
  -dc, --domain-controller DOMAIN_CONTROLLER
                        Domain Controller IP or hostname
  -u, --username USERNAME
                        Username for authentication
  -p, --password [PASSWORD]
                        Password for authentication (optional if using TGT)
  -d, --domain DOMAIN   Domain name (e.g., DOMAIN.LOCAL) - Required for Kerberos auth
  --auth {ntlm,kerberos}
                        Authentication method (default: ntlm)
  --tgt-file TGT_FILE   Path to Kerberos TGT ccache file (for Kerberos auth)
  --tgt-base64 TGT_BASE64
                        Base64-encoded Kerberos TGT ccache (for Kerberos auth)
  --ssl                 Force SSL/TLS (LDAPS). No LDAP fallback allowed.
  --port PORT           LDAP port (default: 389, use 636 for LDAPS)
  -o, --output OUTPUT   Output directory (default: PyADRecon-Report-<timestamp>)
  --page-size PAGE_SIZE
                        LDAP page size (default: 500)
  --threads THREADS     Number of threads (default: 10)
  --dormant-days DORMANT_DAYS
                        Days for dormant account threshold (default: 90)
  --password-age PASSWORD_AGE
                        Days for password age threshold (default: 180)
  --only-enabled        Only collect enabled objects
  --collect COLLECT     Comma-separated modules to collect (default: all)
  --no-excel            Skip Excel report generation
  -v, --verbose         Verbose output

Examples:
  # Basic usage with NTLM authentication
  pyadrecon.py -dc 192.168.1.1 -u admin -p password123 -d DOMAIN.LOCAL

  # With Kerberos authentication (bypasses channel binding)
  pyadrecon.py -dc dc01.domain.local -u admin -p password123 -d DOMAIN.LOCAL --auth kerberos

  # With Kerberos using TGT from file (bypasses channel binding)
  pyadrecon.py -dc dc01.domain.local -u admin -d DOMAIN.LOCAL --auth kerberos --tgt-file /tmp/admin.ccache

  # With Kerberos using TGT from base64 string (bypasses channel binding)
  pyadrecon.py -dc dc01.domain.local -u admin -d DOMAIN.LOCAL --auth kerberos --tgt-base64 BQQAAAw...

  # Only collect specific modules
  pyadrecon.py -dc 192.168.1.1 -u admin -p pass -d DOMAIN.LOCAL --collect users,groups,computers

  # Output to specific directory
  pyadrecon.py -dc 192.168.1.1 -u admin -p pass -d DOMAIN.LOCAL -o /tmp/adrecon_output

  # Generate Excel report from existing CSV files (standalone mode)
  pyadrecon.py --generate-excel-from /path/to/CSV-Files -o report.xlsx

Tip

PyADRecon always tries LDAPS on TCP/636 first.

If flag --ssl is not used, LDAP on TCP/389 may be tried as fallback.

Caution

If LDAP channel binding is enabled, this script will fail with automatic bind not successful - strongerAuthRequired as ldap3 does not support it. You would have to use Kerberos authentication instead.

If you use Kerberos auth, please create a valid /etc/krb5.conf and DC hostname entry in /etc/hosts. May read this. Note that you can provide an already existing TGT ticket to the script via --tgt-file or --tgt-base64. For example obtained via Netexec and netexec smb --generate-tgt my-tgt-file.

Docker

There is also a Docker image available on GHCR.IO.

docker run --rm -v ./:/tmp/pyadrecon_output ghcr.io/l4rm4nd/pyadrecon -dc 192.168.1.1 -u admin -p pass -d DOMAIN.LOCAL -o /tmp/pyadrecon_output

Collection Modules

  • default or all

Forest & Domain

  • forest
  • domain
  • trusts
  • sites
  • subnets
  • schema or schemahistory

Domain Controllers

  • dcs or domaincontrollers

Users & Groups

  • users
  • userspns
  • groups
  • groupmembers

Computers & Printers

  • computers
  • computerspns
  • printers

OUs & Group Policy

  • ous
  • gpos
  • gplinks

Security

  • passwordpolicy
  • fgpp or finegrainedpasswordpolicy
  • laps
  • bitlocker

DNS

  • dnszones
  • dnsrecords

Acknowledgements

Many thanks to S3cur3Th1sSh1t and Claude for a first version.

About

Python3 implementation of ADRecon

github.com/l4rm4nd/PyADRecon

Topics

auditing ldap active-directory python3 enumeration pentesting post-exploitation ethical-hacking information-gathering reconnaissance red-teaming ldap3 domain-enumeration blue-teaming active-directory-security active-directory-audit ad-users ad-computers adrecon

Resources

Readme
Activity

Stars

7 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 11

v0.4.0 Latest
Feb 6, 2026
+ 10 releases

Packages

 
 
 

Contributors 2

  •  
  •  

Languages