ADSearch : A Tool To Help Query AD Via The LDAP Protocol

ADSearch is a tool written for Cobalt Strike's execute-assembly command that allows for more efficient querying of AD.

Key Features

  • List all Domain Admins
  • Custom LDAP Search
  • Connect to LDAPS Servers
  • Output JSON data from AD instances
  • Retrieve custom attributes from a generic query (e.g. all computers)

Usage

ADSearch 1.0.0.0
Copyright © 2020
USAGE:
Query Active Directory remotely or locally:
ADSearch --domain ldap.example.com --password AdminPass1 --username admin --users


-f, --full If set will show all attributes for the returned item.
-o, --output File path to output the results to.
--json (Default: false) Output results in json format.
--supress-banner When set banner will be disabled.
-G, --groups Enumerate and return all groups from AD.
-U, --users Enumerate and return all users from AD.
-C, --computers Enumerate and return all computers joined to the AD.
-S, --spns Enumerate and return all SPNS from AD.
--attributes (Default: cn) Attributes to be returned from the results in csv format.
-s, --search Perform a custom search on the AD server.
--domain-admins Attempt to retreive all Domain Admin accounts.
-u, --username Attempts to authenticate to AD with the given username.
-p, --password Attempts to authenticate to AD with the given password.
-h, --hostname If set will attempt a remote bind to the hostname. This option requires the domain option to be set to a valid DC on the hostname. Will allow an IP address to be used as well.
-p, --port (Default: 636) If set will attempt a remote bind to the port based on the IP.
-d, --domain The domain controller we are connecting to in the FQDN format. If left blank then all other connection options are ignored and the lookups are done locally.
--insecure (Default: false) If set will communicate over port 389 and not use SSL
--help Display this help screen.
--version Display version information.

Screenshots

  • Display all SPNs
  • Display all users
  • Get custom attributes back from custom search
R K
