ADReaper: fast enumeration tool for Windows Active Directory Pentesting
ADReaper
ADReaper is a tool written in Golang which enumerates an Active Directory environment with LDAP queries within a few seconds.
Use
To query the properties of the Domain Controller of the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command dc
To query the Trust Attributes of the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command domain-trust
To list all Users from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command users
To list all Users with attributes from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command users -filter full-data
To list the attributes of a specific user from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command users -name <user>
To list the membership of a specific user,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command users -name <user> -filter membership
To list all available Computers from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command computers
To list all Computers with attributes from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command computers -filter full-data
To list the attributes of a specific computer from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command computers -name <computer name>
To list all available Groups from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command groups
To list all Groups with attributes from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command groups -filter full-data
To list the attributes of a specific group from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command groups -name <group name>
To list the members of a specific group from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command groups -name <group name> -filter membership
To list users in the domain who have never logged on,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command never-loggedon
To list GPOs from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command gpo
To list OUs from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command ou
To list AD objects with higher privileges,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command admin-priv
To list MS-SQL Servers from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command ms-sql
To list all attributes of MS-SQL Servers from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command ms-sql -filter full-data
To list all attributes of a specific MS-SQL Server from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command ms-sql -name <computer name>
To list SPNs available in the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command spn
To list all attributes of a specific SPN from the domain,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command spn -name <sam of spn>
To list AD objects with Unconstrained Delegation enabled,
.\ADReaper.exe -dc <dc.domain> -user <username> -password <password> -command unconstrained
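For reviewing your own directory against the unconstrained, admin-priv and never-loggedon categories above, the following added example (not ADReaper's code; the page does not show the tool's LDAP filters) classifies exported entries using the standard Active Directory attributes userAccountControl, adminCount and lastLogonTimestamp. The Entry type, the Findings function, the label names and the sample entries are assumptions constructed for illustration.

```go
package main

import "fmt"

// userAccountControl bits as documented by Microsoft for Active Directory.
const (
	uacAccountDisable       = 0x2     // ACCOUNTDISABLE
	uacServerTrustAccount   = 0x2000  // SERVER_TRUST_ACCOUNT (domain controller)
	uacTrustedForDelegation = 0x80000 // TRUSTED_FOR_DELEGATION (unconstrained)
)

// Entry holds the few attributes this review needs (hypothetical type).
type Entry struct {
	SAM        string // sAMAccountName
	UAC        uint32 // userAccountControl
	AdminCount int    // adminCount; 1 = protected by AdminSDHolder
	LastLogon  int64  // lastLogonTimestamp (FILETIME); 0 = never set
}

// Findings returns the review labels that apply to one entry.
func Findings(e Entry) []string {
	var out []string
	enabled := e.UAC&uacAccountDisable == 0
	// Domain controllers carry this flag by design, so they are not reported.
	if e.UAC&uacTrustedForDelegation != 0 && e.UAC&uacServerTrustAccount == 0 {
		out = append(out, "unconstrained-delegation")
	}
	if e.AdminCount == 1 && enabled {
		out = append(out, "privileged")
	}
	if e.LastLogon == 0 && enabled {
		out = append(out, "never-logged-on")
	}
	return out
}

func main() {
	// Constructed sample entries, not output from a real domain.
	sample := []Entry{
		{SAM: "DC01$", UAC: 0x82000, LastLogon: 133500000000000000},
		{SAM: "WEB01$", UAC: 0x81000, LastLogon: 133500000000000000},
		{SAM: "svc-backup", UAC: 0x10200, AdminCount: 1},
		{SAM: "old-admin", UAC: 0x202, AdminCount: 1},
	}
	for _, e := range sample {
		fmt.Println(e.SAM, Findings(e))
	}
}
```

An enabled account that is both privileged and never used, like the constructed svc-backup entry, is a candidate for disabling or removal from privileged groups.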