LDAP Enumeration
Utility to enumerate users, groups and computers from a Windows domain through LDAP queries.
Getting computer information
Intro
The computers module can be used to enumerate all AD computers and the results can be saved as JSON with --json.
Parsing results
Of course the text or JSON results can be used as is, but:
- Having the DNS hostname (dNSHostName) is nice, but having the IP address is what matters, and windapsearch doesn't offer it because it isn't LDAP information: it has to be retrieved from the DNS server. Having the IP address is useful to quickly understand which VLAN the machine is in.
- The AD is often bloated with old objects, like computers that don't exist anymore, so windapsearch will return a lot of computers that either have no DNS hostname or have one that can't be resolved because the DNS entry was removed. As an auditor/pentester we mostly care about computers that exist and are reachable; old entries are noise to us.
So here is a Ruby script that can:
- display the same output as windapsearch (dns hostname, cn, dn, OS info) but with the IP address(es) on top (full command)
- display only cn and IP address(es) (cnip command)
- display only computers with a resolvable DNS host name
<dns_1> and <dns_2> need to be replaced with the DNS servers' IP addresses (often the DC) and <domain> with the search domain.
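The author's script is not reproduced on this page, so here is an added example of my own that implements the behaviour described above: read the JSON produced by the computers module, resolve every dNSHostName against the DNS servers you name, drop the objects that no longer resolve, and print either the full block (IP address(es) first) or just cn and IP (cnip). The JSON layout it parses (an array of objects with a dn key and an attributes key whose values are lists) is an assumption about windapsearch's --json output; adjust computer_record if your version differs. The StubResolver, the sample JSON and the corp.local host names are constructed so the script runs offline; against real output pass the DNS servers and search domain as arguments, i.e. the same <dns_1>,<dns_2> and <domain> values mentioned above.

```ruby
#!/usr/bin/env ruby
# frozen_string_literal: true
#
# Added example (not the page author's script): post-process the JSON written by
# `windapsearch -m computers --json`, resolve each dNSHostName against the DNS
# servers you choose (usually the DCs) and drop AD computer objects whose name no
# longer resolves (stale entries). Two output modes: `full` and `cnip`.
#
# ASSUMPTION: the JSON is an array of objects shaped like
#   {"dn": "...", "attributes": {"cn": [...], "dNSHostName": [...], ...}}
require 'json'
require 'resolv'

# Resolver bound to explicit nameservers; the search domain completes short names.
def build_resolver(servers, domain)
  Resolv::DNS.new(nameserver: servers, search: [domain], ndots: 1)
end

# All A/AAAA records for a host, or [] when it cannot be resolved. NXDOMAIN already
# yields an empty list; a timeout surfaces as Resolv::ResolvError and is treated the
# same way, since an unreachable name is noise to us either way.
def resolve_ips(resolver, hostname)
  return [] if hostname.nil? || hostname.empty?
  resolver.getaddresses(hostname).map(&:to_s).sort
rescue Resolv::ResolvError, Resolv::ResolvTimeout
  []
end

# Flatten one windapsearch entry into the fields the `full` mode prints.
def computer_record(entry)
  attrs = entry.fetch('attributes', {})
  first = ->(key) { Array(attrs[key]).first.to_s }
  {
    dn: entry['dn'].to_s,
    cn: first.call('cn'),
    dns_hostname: first.call('dNSHostName'),
    os: [first.call('operatingSystem'), first.call('operatingSystemVersion')].reject(&:empty?).join(' ')
  }
end

# Parse the document and keep only computers with at least one resolvable address.
def live_computers(json_text, resolver)
  JSON.parse(json_text).map do |entry|
    rec = computer_record(entry)
    ips = resolve_ips(resolver, rec[:dns_hostname])
    ips.empty? ? nil : rec.merge(ips: ips)
  end.compact
end

# `full`: windapsearch-like block with the IP address(es) on top.
def format_full(rec)
  ["IP(s): #{rec[:ips].join(', ')}", "dNSHostName: #{rec[:dns_hostname]}",
   "cn: #{rec[:cn]}", "dn: #{rec[:dn]}", "OS: #{rec[:os]}"].join("\n")
end

# `cnip`: one line per computer, easy to feed into other tools.
def format_cnip(rec)
  "#{rec[:cn]} #{rec[:ips].join(',')}"
end

def render(json_text, resolver, mode)
  live_computers(json_text, resolver).map { |rec| mode == 'cnip' ? format_cnip(rec) : format_full(rec) }
end

# Constructed sample, not real data: two live hosts, one whose DNS record is gone,
# one object that never had a dNSHostName.
SAMPLE_JSON = <<~SAMPLE
  [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
     "attributes": {"cn": ["DC01"], "dNSHostName": ["dc01.corp.local"],
                    "operatingSystem": ["Windows Server 2019 Standard"], "operatingSystemVersion": ["10.0 (17763)"]}},
    {"dn": "CN=WS01,OU=Workstations,DC=corp,DC=local",
     "attributes": {"cn": ["WS01"], "dNSHostName": ["ws01.corp.local"],
                    "operatingSystem": ["Windows 10 Enterprise"], "operatingSystemVersion": ["10.0 (19045)"]}},
    {"dn": "CN=OLD-PC,CN=Computers,DC=corp,DC=local",
     "attributes": {"cn": ["OLD-PC"], "dNSHostName": ["old-pc.corp.local"],
                    "operatingSystem": ["Windows 7 Professional"]}},
    {"dn": "CN=GHOST,CN=Computers,DC=corp,DC=local", "attributes": {"cn": ["GHOST"]}}
  ]
SAMPLE

# Offline stand-in for the DNS server (constructed) so the example runs without a lab.
class StubResolver
  TABLE = { 'dc01.corp.local' => ['10.10.0.5'],
            'ws01.corp.local' => ['10.10.20.32', '10.10.20.31'] }.freeze
  def getaddresses(name)
    Array(TABLE[name.downcase])
  end
end

if $PROGRAM_NAME == __FILE__
  if ARGV.empty?
    # Demo run on the constructed sample; stale OLD-PC and GHOST are filtered out.
    puts render(SAMPLE_JSON, StubResolver.new, 'full').join("\n\n")
  else
    mode, file, servers, domain = ARGV
    abort "usage: #{$PROGRAM_NAME} full|cnip computers.json <dns_1>,<dns_2> <domain>" unless
      %w[full cnip].include?(mode) && file && servers && domain
    out = render(File.read(file), build_resolver(servers.split(','), domain), mode)
    puts out.join(mode == 'cnip' ? "\n" : "\n\n")
  end
end
```

Run it with no arguments to see the offline demo, or as `ruby computers.rb cnip computers.json <dns_1>,<dns_2> <domain>` against real windapsearch output. Pointing the resolver at the DC rather than your own resolver matters: the AD-integrated DNS zone is usually only served by the DCs, so host names that look dead through a public resolver may be alive there.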
Example of output for one computer with the full command: