windapsearch is a fast, Go-based LDAP enumeration tool for Active Directory reconnaissance. It provides modular queries for discovering users, groups, computers, privilege escalation vectors, and domain structure without requiring domain membership or special tools.
```bash
# Option 1: download the latest prebuilt release
wget https://github.com/ropnop/go-windapsearch/releases/download/v0.4.0/windapsearch-0.4.0-linux-amd64.zip
unzip windapsearch-0.4.0-linux-amd64.zip
chmod +x windapsearch

# Option 2: install with the Go toolchain
go install github.com/ropnop/go-windapsearch@latest

# Option 3: build from source
git clone https://github.com/ropnop/go-windapsearch.git
cd go-windapsearch
go build -o windapsearch
```
```bash
# Basic enumeration of domain users
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users
# List all domain admins
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m domain-admins
# Search for computers, writing output to a file
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers -o results.txt
# JSON output for further processing
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users -j > users.json
```
| Flag | Description |
|---|---|
| `--dc` | Domain Controller IP or hostname |
| `-d, --domain` | Domain name (e.g., domain.local) |
| `-u, --user` | Username for authentication |
| `-p, --password` | Password for authentication |
| `--hash` | NTLM hash instead of password (format: LM:NTLM) |
| `--secure` | Use LDAPS (LDAP over SSL/TLS, port 636) |
| `--port` | Custom LDAP port (default: 389) |
| `-D, --dn` | Full Distinguished Name for binding |
```bash
# List all domain users
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users
# Get full attributes for all users
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users --full
# Specify custom attributes to retrieve
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users --attrs sAMAccountName,mail,userAccountControl

# List all groups
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m groups
# Get members of a specific group
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m members --group "Domain Admins"
# Groups with all attributes, including their member lists
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m groups --full

# Find all domain admins
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m domain-admins
# Find privileged users (members of the built-in admin groups)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m privileged-users
# Privileged users with all attributes
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m privileged-users --full
```
```bash
# List all domain computers
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers
# Get OS and delegation information
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers --full
# Export to JSON for further analysis
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers -j > computers.json

# Find machines configured for unconstrained delegation
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m unconstrained
# Same query with all attributes (the module only covers unconstrained delegation)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m unconstrained --full

# List all Group Policy Objects
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m gpos
# List Organizational Units
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m ous
# Get full OU details with paths
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m ous --full

# List DNS hosts
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m dns-names
# Enumerate DNS zones
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m dns-zones

# Get domain information (functional level, etc.)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m metadata
```
```bash
# Search with a raw LDAP filter for all users that have a mail attribute
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(mail=*))"
# Find disabled accounts (userAccountControl bit 2, via the LDAP_MATCHING_RULE_BIT_AND rule)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
# Find accounts whose password never expires (bit 65536)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
# Combine a filter with custom attributes
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(pwdLastSet=0))" --attrs sAMAccountName,userAccountControl,pwdLastSet
```
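As an added example (not part of windapsearch or this page), the helper below builds the bitwise `userAccountControl` filters shown above from named flags and decodes the attribute back into flag names from the tool's `-j` output, so an audit can report which accounts are disabled, never expire their password, or skip Kerberos pre-authentication. The flat JSON record shape (attribute names as top-level keys, as the jq examples on this page assume) is an assumption, and the sample records are constructed.

```python
import json

# userAccountControl bits (Windows ADS_USER_FLAG values) behind the filters above:
# 2 = disabled, 65536 = password never expires, 4194304 = no Kerberos pre-auth.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,  # unconstrained delegation
    "DONT_REQUIRE_PREAUTH": 0x400000,
}
# LDAP_MATCHING_RULE_BIT_AND, the extensible-match OID used in the custom filters above
BIT_AND = "1.2.840.113556.1.4.803"

def uac_filter(*flags: str, object_class: str = "user") -> str:
    """Build an LDAP filter matching objects that have ALL the named UAC bits set."""
    clauses = "".join(f"(userAccountControl:{BIT_AND}:={UAC_FLAGS[f]})" for f in flags)
    return f"(&(objectClass={object_class}){clauses})"

def decode_uac(value: int) -> list[str]:
    """Name every known flag set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def audit(entries: list[dict], watch: tuple[str, ...]) -> dict[str, list[str]]:
    """Map each watched flag to the sAMAccountNames that carry it."""
    # Assumes flat records keyed by attribute name (the shape the jq examples on
    # this page filter on); attribute values may arrive as strings or as lists.
    findings: dict[str, list[str]] = {f: [] for f in watch}
    for e in entries:
        raw = e.get("userAccountControl", 0)
        uac = int(raw[0] if isinstance(raw, list) else raw)
        for f in decode_uac(uac):
            if f in watch:
                findings[f].append(e["sAMAccountName"])
    return findings

# Constructed stand-in for: windapsearch ... -m users -j --attrs sAMAccountName,userAccountControl
SAMPLE_JSON = """[
 {"sAMAccountName": "alice", "userAccountControl": "512"},
 {"sAMAccountName": "svc_backup", "userAccountControl": "66048"},
 {"sAMAccountName": "old_contractor", "userAccountControl": "514"},
 {"sAMAccountName": "legacy_app", "userAccountControl": "4260352"}
]"""

if __name__ == "__main__":
    watch = ("ACCOUNTDISABLE", "DONT_EXPIRE_PASSWORD", "DONT_REQUIRE_PREAUTH")
    for flag, names in audit(json.loads(SAMPLE_JSON), watch).items():
        print(f"{flag:22} {len(names)}  {', '.join(names)}")
```

`uac_filter("ACCOUNTDISABLE")` reproduces the disabled-accounts filter above byte for byte, which is a quick way to check a hand-written filter before running it against a large domain.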
| Flag | Description |
|---|---|
| `-o, --output` | Write results to file instead of stdout |
| `-j, --json` | Output in JSON format |
| `--full` | Include all available attributes |
| `--attrs` | Comma-separated list of specific attributes to retrieve |
| `--no-color` | Disable colored output |
```bash
# Write results to a file
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users -o users.txt
# JSON output with specific attributes
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers --attrs sAMAccountName,operatingSystem,dNSHostName -j > computers.json
# Full output with no color (for piping)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m domain-admins --full --no-color | tee admins.txt
```
```bash
# Workflow 1: initial domain reconnaissance
# Step 1: Get domain metadata
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m metadata
# Step 2: Enumerate all users
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users -o users.txt
# Step 3: List all computers
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m computers -o computers.txt
```

```bash
# Workflow 2: privileged accounts and Kerberos exposure review
# Step 1: Find domain admins
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m domain-admins
# Step 2: Find privileged users across multiple groups
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m privileged-users --full
# Step 3: Identify unconstrained delegation targets
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m unconstrained
# Step 4: Find kerberoastable accounts (user objects with an SPN)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(servicePrincipalName=*))" --attrs sAMAccountName,servicePrincipalName
# Step 5: Find AS-REP roastable accounts (pre-authentication not required, bit 4194304)
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attrs sAMAccountName
```

```bash
# Workflow 3: group structure and resource-based constrained delegation
# Get group structure
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m groups --full -o groups.txt
# Extract members of the target group
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m members --group "Domain Admins"
# Analyze resource-based constrained delegation
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m custom --filter "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" --attrs sAMAccountName,msDS-AllowedToActOnBehalfOfOtherIdentity
```
```bash
# Connectivity problems
# Test connectivity to the DC
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m metadata
# Verify LDAPS support
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass --secure -m metadata
# Use the FQDN instead of the IP
windapsearch --dc dc1.domain.local -d domain.local -u user -p pass -m users

# Authentication problems
# Verify credentials with the simplest query
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m metadata
# Use an NTLM hash instead of a password
windapsearch --dc 192.168.1.10 -d domain.local -u domain\\user --hash LM:NTLM -m users
# Specify the full bind DN
windapsearch --dc 192.168.1.10 -d domain.local -D "CN=user,CN=Users,DC=domain,DC=local" -p pass -m users

# Large result sets
# For large domains, use JSON output and pipe it through jq
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users -j | jq '.[] | select(.mail != null)'
# Write to a file to manage output
windapsearch --dc 192.168.1.10 -d domain.local -u user -p pass -m users --full -o large_results.txt
```
- Use service accounts: Run windapsearch with dedicated service account credentials for auditing.
- Log all queries: Redirect output to files (`-o`) for documentation and evidence.
- Minimize attributes: Use `--attrs` to request only the attributes you need, for faster queries on large domains.
- Combine with JSON: Use the `-j` flag with jq for complex filtering and analysis.
- Use LDAPS: Employ `--secure` for encrypted communications in sensitive environments.
- Test connectivity first: Always verify DC connectivity with `-m metadata` before running complex queries.
- Document your LDAP filters: Include filter explanations in your reports for reproducibility.
| Tool | Purpose |
|---|---|
| ldapsearch | Native LDAP query tool (cross-platform) |
| ldapdomaindump | LDAP domain dumping with HTML report generation |
| AdFind | Windows-native AD enumeration tool |
| BloodHound | Graph-based AD attack path analysis |
| PowerView | PowerShell Active Directory enumeration |
| Impacket | Python AD exploitation framework |
| ADCSTemplate | ADCS certificate template enumeration |