¶ ADCollector
https://github.com/dev-2null/ADCollector
¶ About
ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors. It will give you a basic understanding of the configuration/deployment of the environment as a starting point.
¶ Usage
PS C:\> .\ADCollector.exe --help
_ ____ ____ _ _ _
/ \ | _ \ / ___|___ | | | ___ ___ _| |_ ___ _ __
/ _ \ | | | | | / _ \| | |/ _ \/ __|_ __/ _ \| '__|
/ ___ \| |_| | |__| (_) | | | __/ (__ | || (_) | |
/_/ \_\____/ \____\___/|_|_|\___|\___| |__/\___/|_|
v3.0.1 by dev2null
--Domain Domain to enumerate
--LDAPS (Default: false) LDAP over SSL/TLS
--DisableSigning (Default: false) Disable Kerberos Encryption (with -LDAPS flag)
--UserName Alternative UserName
--Password Alternative Credential
--DC Alternative Domain Controller (Hostname/IP) to connect to
--OU Perform the Search under a specific Organizational Unit
--LDAPONLY Only Enumearte Objects in LDAP
--ACLScan Perform ACL scan for an Identity
--ADCS (Default: false) Only Perform AD Certificate Service Check
--TEMPLATES (Default: false) Only Enumerate All Certificate Templates with their DACL
--SCHEMA (Default: false) Count Schema Attributes in the default naming context
--ADIDNS (Default: false) Only Collect ADIDNS Records
--NGAGP Only enumerate Nested Group Membership and Applied Group Policies on the target object
--DACL Enumerate DACL on the target object (with DistinguishedName)
--SessionEnum (Default: false) Enumerate session information on the target host
--UserEnum (Default: false) Enumerate user information on the target host
--LocalGMEnum (Default: false) Enumerate local group members on the target host
--Host (Default: Localhost) Hostname for Session/User/Groupmember Enumeration
--Group (Default: Administrators) Local Group Name for Local GroupMember Enumeration
--Debug (Default: false) Debug Mode
--help Display this help screen.
Example: .\ADCollector.exe
.\ADCollector.exe --LDAPs --DisableSigning
.\ADCollector.exe --OU IT
.\ADCollector.exe --OU OU=IT,DC=domain,DC=local
.\ADCollector.exe --ADCS
.\ADCollector.exe --TEMPLATES
.\ADCollector.exe --LDAPOnly
.\ADCollector.exe --SCHEMA
.\ADCollector.exe --ADIDNS
.\ADCollector.exe --NGAGP samaccountname
.\ADCollector.exe --DACL DC=domain,DC=net
.\ADCollector.exe --ACLScan user --OU OU=IT,DC=domain,DC=local
.\ADCollector.exe --SessionEnum --Host targetHost
.\ADCollector.exe --UserEnum --Host targetHost
.\ADCollector.exe --LocalGMEnum --Host targetHost --Group 'Remote Desktop Users'
.\ADCollector.exe --Domain domain.local --Username user --Password pass
.\ADCollector.exe --Domain domain.local --DC 10.10.10.1
¶ Screenshots of results
¶ Users
¶ Admins
¶ Groups
¶ Certificates
¶ Other
¶ Host
¶ How to start?
You can find this here.