Install
# Python version
pip install windapsearch
# Go version (faster)
# https://github.com/ropnop/go-windapsearch/releases
Basic Usage
Enumerate Users
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' -U
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' -U --full
Enumerate Groups
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' -G
Enumerate Computers
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' -C
Privileged Users
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' --da # Domain Admins
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' --admin # All admin accounts
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' -PU # Privileged users
Unconstrained Delegation
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' --unconstrained
Custom LDAP Filter
windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user' -p 'pass' --custom "(servicePrincipalName=*)"
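A defender-side view of what the Unconstrained Delegation and Custom LDAP Filter queries above surface, as an added example (not part of windapsearch or the original page): it audits exported directory entries for the `userAccountControl` delegation bit and for user accounts carrying an SPN. The function names and the sample entries are constructed for illustration.

```python
# Added example: audit exported directory entries for risky delegation settings.
# The entries in SAMPLE are constructed data, not output from a real domain.

# userAccountControl bit values documented by Microsoft
ACCOUNTDISABLE = 0x2
SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation

# Bitwise-AND matching rule OID for LDAP filters against Active Directory
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def uac_filter(bit):
    """Build the LDAP filter matching entries that have the given UAC bit set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit})"


def audit(entries):
    """Return (sAMAccountName, issue) tuples; disabled accounts are skipped."""
    findings = []
    for entry in entries:
        name = entry["sAMAccountName"]
        uac = int(entry.get("userAccountControl", 0))
        if uac & ACCOUNTDISABLE:
            continue
        # Domain controllers carry the flag by design; anything else needs review.
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            findings.append((name, "unconstrained delegation"))
        # User (non-computer) objects with an SPN: review the password policy
        # for the account or move the service to a managed service account.
        if entry.get("servicePrincipalName") and not name.endswith("$"):
            findings.append((name, "user account with SPN"))
    return findings


SAMPLE = [  # constructed entries
    {"sAMAccountName": "DC01$", "userAccountControl": 532480,
     "servicePrincipalName": ["ldap/dc01.example.local"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": 528384},
    {"sAMAccountName": "svc_sql", "userAccountControl": 512,
     "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"]},
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "old_svc", "userAccountControl": 524802},  # disabled
]

if __name__ == "__main__":
    print(uac_filter(TRUSTED_FOR_DELEGATION))
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```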
Anonymous Bind
windapsearch --dc DC_IP -d DOMAIN.LOCAL
Go Version (go-windapsearch)
./windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user@DOMAIN.LOCAL' -p 'pass' -m users
./windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user@DOMAIN.LOCAL' -p 'pass' -m computers
./windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user@DOMAIN.LOCAL' -p 'pass' -m groups
./windapsearch -d DOMAIN.LOCAL --dc DC_IP -u 'user@DOMAIN.LOCAL' -p 'pass' -m privileged-users
Quick Reference
| Task | Flag |
|---|---|
| Users | -U |
| Groups | -G |
| Computers | -C |
| Domain Admins | --da |
| Privileged | -PU |
| Unconstrained | --unconstrained |