Python3 script to perform LDAP queries and enumerate users, groups, and computers from Windows Domains. Ldap_Search can also perform brute force/password spraying to identify valid accounts via LDAP.
Latest commit 495e8d4 May 6, 2019



LDAP_Search can be used to enumerate Users, Groups, Computers, Domain Policies, and Domain Trusts within a Windows environment. Authentication can be performed using traditional username and password, or NTLM hash. In addition, this tool has been modified to allow brute force/password-spraying via LDAP.

Ldap_Search is compatible with Python 2.7 / 3.6+ and makes use of the Impacket library to perform the main operations.


git clone --recursive
cd ldap_search
sudo python3 install


Password spray with LDAP:

ldap_search -U users.txt -P 'Summer2019!' -d demo.local

Enumerate all active users on a domain:

ldap_search users -u user1 -p Password1 -d demo.local

Lookup a single user and display attributes:

ldap_search users -q AdminUser -u user1 -p Password1 -d demo.local

Enumerate all computers on a domain and resolve IP addresses:

ldap_search computers -r -u user1 -p Password1 -d demo.local

Search for end of life systems on the domain:

ldap_search computers -q eol -u user1 -p Password1 -d demo.local -s DC01.demo.local

Query group members:

ldap_search groups -q "Domain Admins" -u user1 -p Password1 -d demo.local

Domain password policy:

ldap_search domain -u user1 -p Password1 -d demo.local

Write a custom query:

ldap_search custom -q '(objectClass=*)' -a 'objectName' -u user1 -p Password1 -d demo.local

Query Types

  Users
    active / [None] - All active users (Default)
    all - All users, even disabled
    [specific account or email] - lookup user, ex. "m8r0wn"

  Groups
    [None] - All domain groups
    [Specific group name] - lookup group members, ex. "Domain Admins"

  Computers
    [None] - All Domain Computers
    eol - look for all end of life systems on domain

  Domain
    [None] - Domain's password policy

  Trusts
    [None] - Domain Trust information


  -q QUERY          Specify user or group to query
  -a ATTRS          Specify attrs to query
  -u USER           Single username
  -U USER           Users.txt file
  -p PASSWD         Single password
  -P PASSWD         Password.txt file
  -H HASH           Use Hash for Authentication
  -d DOMAIN         Domain (Ex. demo.local)
  -s SRV, -srv SRV  LDAP Server (optional)
  -r                Use DNS to resolve records
  -t TIMEOUT        Connection Timeout (Default: 4)
  -v                Show attribute fields and values
  -vv               Show connection attempts and errors
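
Detection side of the password spray usage shown above (a user list with a single password), as an added example that is not part of ldap_search: one source failing binds against many distinct accounts in a short window. The record layout, thresholds, addresses and function names are assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample bind records: (timestamp, source, username, succeeded).
# The field layout is an assumption, not a real directory-server log format.
SAMPLE_EVENTS = [
    ("2019-05-06T09:00:01", "10.0.0.50", "alice", False),
    ("2019-05-06T09:00:02", "10.0.0.50", "bob", False),
    ("2019-05-06T09:00:03", "10.0.0.50", "carol", False),
    ("2019-05-06T09:00:04", "10.0.0.50", "dave", True),
    ("2019-05-06T09:00:05", "10.0.0.50", "erin", False),
    # One user mistyping a password repeatedly: many failures, one account.
    ("2019-05-06T09:10:00", "10.0.0.77", "frank", False),
    ("2019-05-06T09:10:20", "10.0.0.77", "frank", False),
    ("2019-05-06T09:10:40", "10.0.0.77", "frank", False),
    ("2019-05-06T09:11:00", "10.0.0.77", "frank", False),
    ("2019-05-06T09:11:30", "10.0.0.77", "frank", True),
]

def find_spray_sources(events, window=timedelta(minutes=5), min_users=4):
    """Return {source: sorted usernames} for sources whose failed binds hit
    at least `min_users` distinct accounts inside one sliding time window."""
    failures = defaultdict(list)
    for ts, source, user, succeeded in events:
        if not succeeded:
            failures[source].append((datetime.fromisoformat(ts), user.lower()))
    flagged = {}
    for source, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the left edge until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_users:
                flagged[source] = sorted(set(flagged.get(source, [])) | users)
    return flagged

def accounts_to_review(events, flagged):
    """Accounts that authenticated successfully from a flagged source."""
    return sorted({u.lower() for _, s, u, ok in events if ok and s in flagged})

if __name__ == "__main__":
    hits = find_spray_sources(SAMPLE_EVENTS)
    print(hits, accounts_to_review(SAMPLE_EVENTS, hits))
```

Counting distinct accounts rather than raw failures keeps a single user's repeated typos from being flagged, and the successful bind from a flagged source is the account to reset first.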