ad-ldap-enum

May 1, 2026

ad-ldap-enum is a Python script developed to collect users/computers and their group membership from Active Directory. In large Active Directory environments, tools such as NBTEnum were not quick enough. By executing LDAP queries against a domain controller, ad-ldap-enum is able to target specific Active Directory attributes and quickly build out group membership.

Output Files

  • Domain_Group_Membership.csv
  • Extended_Domain_User_Information.csv
  • Extended_Domain_Computer_Information.csv
  • Optional: a single Excel workbook when -x/--excel is used

Installation

This tool has been built and tested with Python 3.10+ on Windows and Linux. It uses the msldap Python package for LDAP connections and queries. To install ad-ldap-enum as a command line tool with uv:

uv tool install git+https://github.com/CroweCybersecurity/ad-ldap-enum

After installation, run ad-ldap-enum with:

ad-ldap-enum --help

As an alternative to uv, you can clone the repository and install or upgrade the requirements with pip:

git clone https://github.com/CroweCybersecurity/ad-ldap-enum && cd ./ad-ldap-enum
python -m pip install -r 'requirements.txt'

Usage

usage: ad-ldap-enum [-h] (-n | -u USERNAME | -dn DISTINGUISHED_NAME) [-k] [-p PASSWORD] [-P] [--ccache CCACHE_FILE] 
                       [--kirbi KIRBI_FILE] [--method {ldap,ldaps}] [--channel-binding {none,tls-server-end-point,tls-unique}] 
                       [-t TIMEOUT] [-ql QUERY_LIMIT] [--debug] [--legacy] 
                       [-x] [-o FILENAME_PREPEND] [--delay DELAY] [--jitter JITTER] [--page-size PAGE_SIZE] 
                       -l LDAP_SERVER [--port PORT] -d DOMAIN [-a ALT_DOMAIN] [-e] [-4] [-6]

Active Directory LDAP Enumerator

optional arguments:
  -h, --help            show this help message and exit
  -n, --null            Use anonymous/null authentication
  -u USERNAME, --username USERNAME
                        Username for authentication
  -dn DISTINGUISHED_NAME, --distinguished_name DISTINGUISHED_NAME
                        Distinguished name for simple bind authentication
  -k, --kerberos        Use Kerberos authentication
  -p PASSWORD, --password PASSWORD
                        Password, "LM:NT" hash, AES-128 key (32 hex), or AES-256 key (64 hex)
  -P, --prompt          Prompt for password
  --ccache CCACHE_FILE  Path to Kerberos credential cache file (.ccache)
  --kirbi KIRBI_FILE    Path to Kerberos ticket file (.kirbi)
  --method {ldap,ldaps}
                        Connection method: ldap (port 389) or ldaps (port 636)
  --channel-binding {none,tls-server-end-point,tls-unique}
                        Channel binding for secure connections (default: tls-server-end-point)
  -t TIMEOUT, --timeout TIMEOUT
                        Connection timeout in seconds (default: 10)
  -ql QUERY_LIMIT, --query_limit QUERY_LIMIT
                        Query timeout in seconds (default: 30)
  --debug               Enable debug logging (shows detailed msldap internal operations)
  --legacy              Use legacy TSV format (fewer attributes)
  -x, --excel           Output Excel file with all worksheets
  -o FILENAME_PREPEND, --prepend FILENAME_PREPEND
                        Prepend string to output filenames (default: ad-ldap-enum_)

OPSEC Parameters:
  --delay DELAY         Delay in seconds between LDAP queries (default: 0.0)
  --jitter JITTER       Random jitter percentage for delays (0.0-1.0, e.g., 0.3 = ±30%)
  --page-size PAGE_SIZE
                        LDAP page size (default: 1000)

Server Parameters:
  -l LDAP_SERVER, --server LDAP_SERVER
                        LDAP server FQDN or IP address
  --port PORT           Custom TCP port
  -d DOMAIN, --domain DOMAIN
                        Domain name (also used as Base DN)
  -a ALT_DOMAIN, --alt-domain ALT_DOMAIN
                        Alternative Base DN for LDAP searches
  -e, --nested          Expand nested groups
  -4, --inet            Use IPv4 only
  -6, --inet6           Use IPv6 only
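
What expanding nested groups (-e/--nested) involves, shown as an added example for auditing where indirect membership of a privileged group comes from. This is not ad-ldap-enum's own code; the function names, group names, DNs and the in-memory mapping are constructed sample data.

```python
from collections import deque

# Constructed sample data (not real tool output): group DN -> direct member DNs,
# as would be read from each group's `member` attribute. Empty groups must still
# appear as keys (with an empty list) so they are recognised as groups.
DIRECT_MEMBERS = {
    "CN=Domain Admins,CN=Users,DC=domain,DC=tld": [
        "CN=alice,CN=Users,DC=domain,DC=tld",
        "CN=Tier0 Ops,OU=Groups,DC=domain,DC=tld",
    ],
    "CN=Tier0 Ops,OU=Groups,DC=domain,DC=tld": [
        "CN=bob,CN=Users,DC=domain,DC=tld",
        "CN=Helpdesk,OU=Groups,DC=domain,DC=tld",
    ],
    "CN=Helpdesk,OU=Groups,DC=domain,DC=tld": [
        "CN=carol,CN=Users,DC=domain,DC=tld",
        # Circular nesting: AD permits it, so expansion must not loop forever.
        "CN=Tier0 Ops,OU=Groups,DC=domain,DC=tld",
    ],
}

def expand_group(group_dn, direct_members):
    """Return {principal_dn: path} for every non-group member reachable from group_dn.

    `path` is the chain of groups that grants the membership, which is what an
    auditor needs in order to see where an indirect privilege comes from.
    """
    effective = {}
    seen = {group_dn}                      # groups already queued (cycle guard)
    queue = deque([(group_dn, [group_dn])])
    while queue:
        current, path = queue.popleft()
        for member in direct_members.get(current, []):
            if member in direct_members:   # member is itself a group
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:
                # Breadth-first search reaches the shortest path first; keep it.
                effective.setdefault(member, path)
    return effective

def indirect_members(group_dn, direct_members):
    """Principals whose membership comes only through nesting (path longer than 1)."""
    expanded = expand_group(group_dn, direct_members)
    return sorted(dn for dn, path in expanded.items() if len(path) > 1)

if __name__ == "__main__":
    da = "CN=Domain Admins,CN=Users,DC=domain,DC=tld"
    for dn, path in expand_group(da, DIRECT_MEMBERS).items():
        print(dn, "via", " -> ".join(p.split(",")[0] for p in path))
```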

Quick examples:

# NTLM with inline password
ad-ldap-enum domain.tld/username:Password123!@dc.domain.tld

# NTLM with password prompt (omit password, do not use -no-pass)
ad-ldap-enum domain.tld/username@dc.domain.tld -p 'Password123!'

# Kerberos with password
ad-ldap-enum domain.tld/username:Password123!@dc.domain.tld -k

# Kerberos with NT hash (LM:NT)
ad-ldap-enum domain.tld/username@dc.domain.tld -k -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

# LDAPS + channel binding
ad-ldap-enum domain.tld/username:Password123!@dc.domain.tld --method ldaps --channel-binding tls-server-end-point

Version History

v3.0 - msldap

  • New Authentication Methods: Added full Kerberos support alongside existing NTLM
  • AES Key Support: AES-128 (32 hex) and AES-256 (64 hex) key authentication for Kerberos
  • Advanced Kerberos: Password, NT hash, AES-128, and AES-256 key authentication via -k, -hashes, and -aesKey
  • Windows Cached Credentials: Support for Kerberos credential cache (via KRB5CCNAME when available)
  • Security Identifier (SID) Support: Automatic retrieval and display of SIDs for users and computers
  • Enhanced Computer Attributes: Added lastLogon and pwdLastSet timestamp support for computers
  • OPSEC Features: Network-level operational security controls for stealth operations
    • Timing Controls: --delay parameter for introducing pauses between LDAP queries
    • Randomization: --jitter parameter for adding randomness to timing patterns
    • Query Optimization: --page-size parameter for controlling LDAP result batching
  • Simplified Interface: Impacket-style TARGET format for credentials and optional DC host
  • Enhanced Security: FQDN validation for Kerberos, preventing SPN resolution issues
  • Channel Binding: Enhanced security for encrypted connections (RFC 5929)
  • Unified Interface: Dedicated auth flags for password, LM:NT hashes, and AES keys
  • Improved Reliability: Better error handling and Windows asyncio compatibility
  • Library Migration: Migrated from ldap3 to msldap for enhanced functionality

v2.X - ldap3

  • Migrated to ldap3
  • Added argcomplete
  • Added IPv6 support
  • Expanded LDAP attributes
  • Added CSV and XLSX outputs
  • Added PtH and DN authentication

v1.X - Python-LDAP

  • Initial commit
  • Basic NTLM authentication and anonymous connections
  • Used python-ldap
