windapsearch is a fast, Go-based LDAP enumeration tool for Active Directory reconnaissance. It provides modular queries for discovering users, groups, computers, privilege escalation vectors, and domain structure without requiring domain membership or special tools.
Installation
From GitHub Releases
# Download latest release
wget https://github.com/ropnop/go-windapsearch/releases/download/v0.4.0/windapsearch-0.4.0-linux-amd64.zip
unzip windapsearch-0.4.0-linux-amd64.zip
chmod +x windapsearch
Using Go Install
go install github.com/ropnop/go-windapsearch@latest
Build from Source
git clone https://github.com/ropnop/go-windapsearch.git
cd go-windapsearch
go build -o windapsearch
Quick Start
# Basic enumeration of domain users
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users
# List all domain admins
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m domain-admins
# Search for computers with output to file
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers -o results.txt
# JSON output for processing
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users -j > users.json
Authentication Options
| Flag | Description |
|---|---|
| --dc | Domain Controller IP or hostname |
| -d, --domain | Domain name (e.g., domain.local) |
| -u, --user | Username for authentication |
| -p, --password | Password for authentication |
| --hash | NTLM hash instead of password (format: LM:NTLM) |
| --secure | Use LDAPS (LDAP over SSL/TLS, port 636) |
| --port | Custom LDAP port (default: 389) |
| -D, --dn | Full Distinguished Name for binding |
Module Reference
User Enumeration
# List all domain users
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users
# Get full attributes for all users
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users --full
# Specify custom attributes to retrieve
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users --attrs sAMAccountName,mail,userAccountControl
Group Enumeration
# List all groups with members
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m groups
# Get members of specific group
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m members --group "Domain Admins"
# Full group attributes, including each group's member list
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m groups --full
Privileged User Discovery
# Find all domain admins
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m domain-admins
# Find privileged users (multiple admin groups)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m privileged-users
# Full attributes for privileged users (Enterprise Admins and the other admin groups covered by the module)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m privileged-users --full
Computer Enumeration
# List all domain computers
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers
# Get OS and delegation information
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers --full
# Export to JSON for further analysis
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers -j > computers.json
Delegation Targets
# Find unconstrained delegation machines
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m unconstrained
# Full attributes for unconstrained delegation machines
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m unconstrained --full
GPO and OU Enumeration
# List all Group Policy Objects
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m gpos
# List Organizational Units
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m ous
# Get full OU details with paths
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m ous --full
# List DNS hosts
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m dns-names
# Enumerate DNS zones
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m dns-zones
Domain Metadata
# Get domain information (functional level, etc.)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m metadata
Custom LDAP Queries
Using Custom Filters
# Search with raw LDAP filter for all users with mail attribute
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(mail=*))"
# Find disabled accounts
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
# Find accounts without password expiration
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
# Combine filter with custom attributes
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(pwdLastSet=0))" --attrs sAMAccountName,userAccountControl,pwdLastSet
Output Options
| Flag | Description |
|---|---|
| -o, --output | Write results to file instead of stdout |
| -j, --json | Output in JSON format |
| --full | Include all available attributes |
| --attrs | Comma-separated list of specific attributes to retrieve |
| --no-color | Disable colored output |
Output Examples
# Write results to file
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users -o users.txt
# JSON output with specific attributes
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers --attrs sAMAccountName,operatingSystem,dNSHostName -j > computers.json
# Full output with no color (for piping)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m domain-admins --full --no-color | tee admins.txt
Common Reconnaissance Workflow
Phase 1: Initial Enumeration
# Step 1: Get domain metadata
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m metadata
# Step 2: Enumerate all users
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users -o users.txt
# Step 3: List all computers
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers -o computers.txt
Phase 2: Privilege Escalation Paths
# Step 1: Find domain admins
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m domain-admins
# Step 2: Find privileged users across multiple groups
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m privileged-users --full
# Step 3: Identify unconstrained delegation targets
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m unconstrained
# Step 4: Find kerberoastable accounts
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(servicePrincipalName=*))" --attrs sAMAccountName,servicePrincipalName
# Step 5: Find AS-REP roastable accounts (no pre-auth)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attrs sAMAccountName
Phase 3: Group and Delegation Analysis
# Get group structure
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m groups --full -o groups.txt
# Extract members of target group
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m members --group "Domain Admins"
# Analyze resource-based constrained delegation
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" --attrs sAMAccountName,msDS-AllowedToActOnBehalfOfOtherIdentity
Troubleshooting
Connection Issues
# Test connectivity to DC
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m metadata
# Verify LDAPS support
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass --secure -m metadata
# Use FQDN instead of IP
windapsearch --dc dc1.domain.local -d domain.local -u user -p pass -m users
Authentication Failures
# Verify credentials with simpler query
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m metadata
# Use NTLM hash instead of password
windapsearch --dc 192.168.1.10 -d domain.local -u domain\\user --hash LM:NTLM -m users
# Specify full DN
windapsearch --dc 192.168.1.10 -d domain.local -D "CN=user,CN=Users,DC=domain,DC=local" -p pass -m users
Large Result Sets
# For large domains, use JSON output and piping
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users -j | jq '.[] | select(.mail != null)'
# Write to file to manage output
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users --full -o large_results.txt
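The custom userAccountControl filters above and the JSON post-processing in this section can be tied together in one small audit script. This is an added example, not part of windapsearch; it assumes the `-j` output is a JSON array of flat objects keyed by attribute name (the shape the page's jq example implies) and uses a constructed sample instead of real output.

```python
"""Audit windapsearch -j output for risky account settings.

Added example (not windapsearch's own code). Assumes each entry is a flat
JSON object keyed by LDAP attribute name, as the jq example on this page
implies; adjust _first()/the loader if your version nests attributes.
"""
import json

# userAccountControl bits: the three values used in the page's custom
# filters plus TRUSTED_FOR_DELEGATION (unconstrained delegation).
UAC_BITS = {
    "ACCOUNTDISABLE": 2,
    "DONT_EXPIRE_PASSWORD": 65536,
    "TRUSTED_FOR_DELEGATION": 524288,
    "DONT_REQ_PREAUTH": 4194304,
}
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def uac_filter(flag):
    """Build the same bitwise filter the page passes to -m custom --filter."""
    return "(&(objectClass=user)(userAccountControl:%s:=%d))" % (
        BIT_AND_RULE, UAC_BITS[flag])


def _first(value):
    # Attribute values may arrive as scalars or single-element lists.
    if isinstance(value, list):
        return value[0] if value else None
    return value


def audit(entries):
    """Return {sAMAccountName: sorted findings} for enabled accounts."""
    findings = {}
    for e in entries:
        name = _first(e.get("sAMAccountName"))
        uac = int(_first(e.get("userAccountControl")) or 0)
        issues = [flag for flag, bit in UAC_BITS.items() if uac & bit]
        if e.get("servicePrincipalName"):
            issues.append("HAS_SPN")  # kerberoast exposure if enabled
        # Disabled accounts are skipped here; report them separately if needed.
        if issues and "ACCOUNTDISABLE" not in issues:
            findings[name] = sorted(issues)
    return findings


# Constructed sample in the assumed output shape (not real data).
SAMPLE = json.loads('''[
 {"sAMAccountName": "svc_sql", "userAccountControl": "66048",
  "servicePrincipalName": ["MSSQLSvc/sql01.domain.local:1433"]},
 {"sAMAccountName": "jdoe", "userAccountControl": "4194816"},
 {"sAMAccountName": "old_user", "userAccountControl": "514"}
]''')

if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(user, ",".join(issues))
```

Feed real output with `json.load(open("users.json"))` in place of `SAMPLE`; the script only reads the exported file and never touches the DC.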
Best Practices
- Use service accounts: Run windapsearch with dedicated service account credentials for auditing.
- Log all queries: Redirect output to files (-o) for documentation and evidence.
- Minimize attributes: Use --attrs to specify only needed attributes for faster queries on large domains.
- Combine with JSON: Use the -j flag with jq for complex filtering and analysis.
- Use LDAPS: Employ --secure for encrypted communications in sensitive environments.
- Test connectivity first: Always verify DC connectivity with -m metadata before running complex queries.
- Document your LDAP filters: Include filter explanations in your reports for reproducibility.
| Tool | Purpose |
|---|---|
| ldapsearch | Native LDAP query tool (cross-platform) |
| ldapdomaindump | LDAP domain dumping with HTML report generation |
| AdFind | Windows-native AD enumeration tool |
| BloodHound | Graph-based AD attack path analysis |
| PowerView | PowerShell Active Directory enumeration |
| Impacket | Python AD exploitation framework |
| ADCSTemplate | ADCS certificate template enumeration |