A tool written for cobalt-strike’s execute-assembly command that allows for more efficent querying of AD
ADSearch.exe [OPTIONS]
___ ____ _____ __
/ | / __ \/ ___/___ ____ ______/ /_
/ /| | / / / /\__ \/ _ \/ __ `/ ___/ __ \
/ ___ |/ /_/ /___/ / __/ /_/ / /__/ / / /
/_/ |_/_____//____/\___/\__,_/\___/_/ /_/
Twitter: @tomcarver_
GitHub: @tomcarver16
Query Active Directory remotely or locally:
ADSearch --domain ldap.example.com --password AdminPass1 --username admin --users
-f, --full If set will show all attributes for the returned item.
-o, --output File path to output the results to.
--json (Default: false) Output results in json format.
--supress-banner When set banner will be disabled.
-G, --groups Enumerate and return all groups from AD.
-U, --users Enumerate and return all users from AD.
-C, --computers Enumerate and return all computers joined to the AD.
-S, --spns Enumerate and return all SPNS from AD.
--attributes (Default: cn) Attributes to be returned from the results in csv format.
-s, --search Perform a custom search on the AD server.
--domain-admins Attempt to retreive all Domain Admin accounts.
-u, --username Attempts to authenticate to AD with the given username.
-p, --password Attempts to authenticate to AD with the given password.
-h, --hostname If set will attempt a remote bind to the hostname. This option requires the domain option to be
set to a valid DC on the hostname. Will allow an IP address to be used as well.
-p, --port (Default: 636) If set will attempt a remote bind to the port based on the IP.
-d, --domain The domain controller we are connecting to in the FQDN format. If left blank then all other
connection options are ignored and the lookups are done locally.
--insecure (Default: false) If set will communicate over port 389 and not use SSL
--help Display this help screen.
--version Display version information.
.\ADSearch.exe --domain-admins -d offsec.nl
___ ____ _____ __
/ | / __ \/ ___/___ ____ ______/ /_
/ /| | / / / /\__ \/ _ \/ __ `/ ___/ __ \
/ ___ |/ /_/ /___/ / __/ /_/ / /__/ / / /
/_/ |_/_____//____/\___/\__,_/\___/_/ /_/
Twitter: @tomcarver_
GitHub: @tomcarver16
[*] LDAP://DC=offsec,DC=nl
[*] ALL DOMAIN ADMINS:
[*] TOTAL NUMBER OF DOMAIN ADMINS: 4
[+] cn : SQL Server DB
[+] cn : SCCM
[+] cn : sa_backup
[+] cn : JohnDo_adm