Skip to main content

Install

# Python version — no PyPI package; clone the repo
git clone https://github.com/ropnop/windapsearch.git && cd windapsearch
pip install python-ldap

# Go version (faster)
# https://github.com/ropnop/go-windapsearch/releases

Basic Usage

windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u '[email protected]' -p 'password'

Enumerate Users

windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' -U
windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' -U --full

Enumerate Groups

windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' -G

Enumerate Computers

windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' -C

Privileged Users

windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' --da        # Domain Admins
windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' --admin-objects  # Objects with protected ACLs
windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' -PU         # Privileged users

Unconstrained Delegation

windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' --unconstrained-users
windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' --unconstrained-computers

Custom LDAP Filter

windapsearch -d DOMAIN.LOCAL --dc-ip DC_IP -u 'user' -p 'pass' --custom "(servicePrincipalName=*)"

Anonymous Bind

windapsearch --dc-ip DC_IP -d DOMAIN.LOCAL

Go Version (go-windapsearch)

./windapsearch -d DOMAIN.LOCAL --dc DC_IP -u '[email protected]' -p 'pass' -m users
./windapsearch -d DOMAIN.LOCAL --dc DC_IP -u '[email protected]' -p 'pass' -m computers
./windapsearch -d DOMAIN.LOCAL --dc DC_IP -u '[email protected]' -p 'pass' -m groups
./windapsearch -d DOMAIN.LOCAL --dc DC_IP -u '[email protected]' -p 'pass' -m privileged-users

Quick Reference

TaskFlag
Users-U
Groups-G
Computers-C
Domain Admins--da
Privileged-PU
Unconstrained--unconstrained-users / --unconstrained-computers (Go: -m unconstrained)