[-] Users with Password Not Expire
[-] LDAPError: {'msgtype': 100, 'msgid': 6, 'result': 4, 'desc': 'Size limit exceeded', 'ctrls': []}

Some kind of LDAP pagging may be needed for large results

ADenum requires a very old version:

https://github.com/SecuProject/ADenum/blob/fbbe14d85cc0fb9e65ac6e4ad8896ad3c8449ff4/requirements.txt#L1C1-L1C4

the pypi package pwn is a very old version (1.0) and abandonned package of pwntools.

The official pypi package is pwntools https://pypi.org/project/pwntools/ and the last version available is 4.10.0.

Hello, this morning I tried to install your tool on my kalilinux (version 2021.4), but I got some errors with the following depedancie :

• python-ldap

So I found a solution :

link : https://www.python-ldap.org/en/python-ldap-3.3.0/installing.html#installing-from-source

apt-get install build-essential python3-dev python2.7-dev libldap2-dev libsasl2-dev slapd ldap-utils tox lcov valgrind

afterthat :

pip3 install -r Requirement.txt

On ubuntu, your little tutorial work perfectly, so maybe update your README for kali linux distro.

Best regards,

Hello, i tried to run the script, but I received this error message:

[-] OPERATIONS_ERROR: {'msgtype': 100, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090A7D, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'}

Please, could you help me.

Regards

When auditing active directory on languages other than english some filters are rarely useful, for example the filter on the description is looking for pwd and password but in french 🇫🇷 it will more likely be mdp or mot? de passe .

It results in false negative where juicy description are missed:

[-] Users with an interesting description                                                                                                                                                                            
[!] No entry found !

It would be nice to have an option --description-regexp where one can pass a custom LDAP regexp to filter for, eg. *mdp* that would be added in addition to the default one.

after run and install all requirements, when i run the script the system give error:

Hi, here have some suggect for the ADenum.py

$python3 ADenum.py -d htb.local -ip 10.129.95.210

<------ Omitted  ------>
[*] Domain name: htb.local
[*] Username:    Anonymous
[*] IP Address:  10.129.95.210
[*] SSL connect: FALSE

[-] Domain Controllers
[*] Computer: FOREST$                  CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
    [V] Windows Server 2016 Standard 10.0 (14393)
<------ Omitted  ------>
[-] Users with Password Not Expire
[*] Username: Guest                    CN=Guest,CN=Users,DC=htb,DC=local
<------ Omitted  ------>
[*] Username: andy                     CN=Andy Hislip,OU=Helpdesk,OU=Information Technology,OU=Employees,DC=htb,DC=local
[*] Username: mark                     CN=Mark Brandt,OU=Sysadmins,OU=Information Technology,OU=Employees,DC=htb,DC=local
[*] Username: santi                    CN=Santi Rodriguez,OU=Developers,OU=Information Technology,OU=Employees,DC=htb,DC=local

====================================================
==================== Attack AD =====================
====================================================


[-] AS-REP Roastable Users
[!] No entry found !

[-] Kerberoastable Users
[!] No entry found !

In the Attack AD sesstion, Would you like to Add user which is Do not require Kerberos preauthentication in AD? This is a good script, also this information is important for attack AD?

GetNPUsers.py -dc-ip xxx.xxx.xxx.xxx htb.local/
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2022-07-11 14:17:30.619145  2019-09-23 12:09:47.931194  0x410200

You can test in the HTB machine: Forest.

Thank you for your ADenum.

Users who have AdminCount=1 are not necessarily domain admins (DA).

So this section should probably be renamed Privileged domain accounts.

The following table lists Active Directory’s default protected object sets, including the groups that may induce an update of the AdminCount attribute on its members:

I would be nice to do another query to find DA only. You can filter the DA group with (&(objectclass=group)(CN=Domain Admins)) and then get all users (&(objectclass=user)(MemberOf=$($_.DistinguishedName))) from that group.

Ref.

• https://learn.microsoft.com/en-us/windows/win32/adschema/a-admincount
• https://blog.netwrix.com/2022/09/30/admincount_attribute/