automato should help with automating some of the user-focused enumeration tasks during an internal penetration test.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


automato uses native LDAP libraries to automate the collection and enumeration of various directory objects. This is incredibly useful during an internal penetration test.

automato can also conduct password spraying attacks, and identify if a user is a local administrator against any number of systems.

Output files are automatically created for evidence preservation.


$ ruby automato.rb
automato v2.0
Written by: Sanjiv Kawa
Twitter: @kawabungah

  automato.rb all                                          # Run the most popular features. (computers, users, groups, priv, attributes)
  automato.rb attr                                         # Get the account attributes for all domain users.
  automato.rb bad                                          # Get the bad password count for all domain users.
  automato.rb computers                                    # Get all domain computers.
  automato.rb groups                                       # Get all domain groups.
  automato.rb help [COMMAND]                               # Describe available commands or one specific command
  automato.rb laps                                         # Get the laps password for systems in the network
  automato.rb localadmin DOMAIN USERNAME PASSWORD IP_FILE  # Identify if a user is a local admin against a list of IP's with SMB open
  automato.rb member GROUP                                 # List all users in a supplied domain GROUP.
  automato.rb priv                                         # Recurse through administrative groups and get users from all nested groups.
  automato.rb spray USER_FILE PASSWORD                     # Conduct a password spraying attack against the domain using a USER_FILE and common PASSWORD
  automato.rb user USER                                    # Get the group memberships for a supplied USER
  automato.rb users                                        # Get all domain users.


I usually use the following command once domain user credentials have been obtained:

$ ruby automato.rb all

General Use


Retrieve LAPS passwords


Password Spraying


Local Administrator Enumeration