ADReaper is a tool written in Golang that enumerates an Active Directory environment with LDAP queries within a few seconds.
You can download precompiled executable binaries for Windows/Linux from the latest releases.
To build from source, clone the repo and build it with Go:
$ git clone https://github.com/AidenPearce369/ADReaper
$ cd ADReaper/
$ go build

ADReaper performs enumeration through various commands, each of which runs its corresponding LDAP queries.
PS C:\Users\redteamer\Desktop\shared> .\ADReaper.exe
  -command string
        Command to run
          dc - to list domain controllers
          domain-trust - to list domain trust
          users - to list all users
          computers - to list all computers
          groups - to list all groups with members
          spn - to list service principal objects
          never-loggedon - to list users never logged on
          gpo - to list group policy objects
          ou - to list organizational units
          ms-sql - to list MS-SQL servers
          asreproast - to list AS-REP roastable accounts
          unconstrained - to list Unconstrained Delegated accounts
          admin-priv - to list AD objects with admin privilege
  -dc string
        Enter the DC
  -filter string
        Filters to use for users/groups/computers
          list - lists all objects only
          full-data - list all objects with properties
          membership - lists all members from an object
        (default "list")
  -name string
        Pass object name of user/group/computer
  -password string
        Enter the Password
  -user string
        Enter the Username

To query the properties of Domain Controller of the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command dc

To query the Trust Attributes of the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command domain-trust

To list all Users from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command users

To list all Users with attributes from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command users -filter full-data

To list attributes of Specific Users from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command users -name <user>

To list the membership of the Specific User,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command users -name <user> -filter membership

To list all available Computers from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command computers

To list all Computers with attributes from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command computers -filter full-data

To list attributes of Specific Computer from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command computers -name <computer name>

To list all available Groups from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command groups

To list all Groups with attributes from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command groups -filter full-data

To list attributes of Specific Group from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command groups -name <group name>

To list members of Specific Group from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command groups -name <group name> -filter membership

To list users Never Logged On from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command never-loggedon

To list GPOs from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command gpo

To list OUs from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command ou

To list AD objects with higher privileges,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command admin-priv

To list MS-SQL Servers from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command ms-sql

To list all attributes of MS-SQL Servers from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command ms-sql -filter full-data

To list all attributes of specific MS-SQL Server from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command ms-sql -name <computer name>

To list SPNs available in the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command spn

To list all attributes of Specific SPN from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command spn -name <sam of spn>

To list AD objects with Unconstrained Delegation enabled,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command unconstrained

Looking forward to contributors to build the next version
Planned features,
- Custom LDAP querying
- Filters LDAP attributes with existing commands
- LAPS enumeration
- Kerberoasting SPNs
- AS-REP Roasting SPNs
- Local admin access hunting
- ACL enumeration
- Exporting JSON data for BloodHound
If interested, ping me :)
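
For defenders, an added example (not ADReaper's code and not from the project) that checks exported account records for the conditions the asreproast, unconstrained and never-loggedon commands report. The Account type, the sample records and the treatment of an unset lastLogonTimestamp as "never logged on" are assumptions; the page does not show which LDAP filters ADReaper itself uses.

```go
package main

import "fmt"

const ( // documented userAccountControl bit values
	uacAccountDisable       = 0x000002
	uacServerTrustAccount   = 0x002000 // domain controller computer account
	uacTrustedForDelegation = 0x080000 // unconstrained delegation
	uacDontReqPreauth       = 0x400000 // Kerberos pre-authentication not required
)

// Account holds the attributes this audit reads from a directory export (hypothetical type).
type Account struct {
	SAM                string
	UAC                uint32 // userAccountControl
	LastLogonTimestamp int64  // 0 when the attribute is unset (assumed: never logged on)
}

// Findings returns the hardening items to review for one account.
func Findings(a Account) []string {
	findings := []string{}
	if a.UAC&uacAccountDisable != 0 {
		return findings // disabled accounts are skipped in this example
	}
	if a.UAC&uacDontReqPreauth != 0 {
		findings = append(findings, "asreproast: require Kerberos pre-authentication")
	}
	// Domain controllers carry the delegation bit by design, so only other accounts count.
	if a.UAC&uacTrustedForDelegation != 0 && a.UAC&uacServerTrustAccount == 0 {
		findings = append(findings, "unconstrained: replace with constrained delegation")
	}
	if a.LastLogonTimestamp == 0 {
		findings = append(findings, "never-loggedon: disable or remove if unused")
	}
	return findings
}

func main() {
	// Constructed sample records, not real directory data.
	sample := []Account{
		{"svc-legacy", 0x400200, 132900000000000000},
		{"WEB01$", 0x081000, 132900000000000000},
		{"DC01$", 0x082000, 132900000000000000},
		{"new-hire", 0x000200, 0},
	}
	for _, a := range sample {
		fmt.Printf("%-12s %v\n", a.SAM, Findings(a))
	}
}
```

Only WEB01$ is reported for delegation: DC01$ has the same bit set, but it is a domain controller account, where that is expected.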