ADWSDomainDump

July 9, 2026 · View on GitHub

Active Directory information dumper via ADWS (Active Directory Web Services).
image

Install

Recommended install:

pipx install git+https://github.com/mverschu/adwsdomaindump
# or
pipx install .

Usage

adwsdomaindump -u 'corp.local\jsmith' -p 'password' -n 10.0.0.1 dc01.corp.local
[*] Connecting to ADWS host...
[+] ADWS port 9389 is reachable
[*] Binding to ADWS host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Use --force to skip the ADWS port connectivity check.

Collection

Everything is queried over ADWS (port 9389), not LDAP.

DataDefaultWith --allBloodHound extras
Users, groups, computersYesYes--bloodhound
Domain policy, trustsYesYes--bloodhound
GPOs, OUs, containersNoYes--bloodhound --all
DACL / object-control edgesNoYes (with --bloodhound and/or --markdown)--bloodhound or --markdown --acl
AD CS (templates, enterprise CAs, …)NoYes*--bloodhound --all or --adcs

* AD CS requires --bloodhound. --all enables --adcs automatically.

Not collected (ADWS / directory data only — unlike SharpHound): logon sessions, local group membership, AdminTo, RDP/PSRemote, CA registry flags (ESC6/11/16), or HTTP enrollment checks (ESC8).

Output formats

FormatFlagUse for
HTMLdefaultBrowse users, groups, computers, policy, trusts in a browser
JSONdefaultScripting and automation on raw AD attributes
Greppabledefaultgrep / cut pipelines (-d sets delimiter)
Markdown--markdownNotes or docs from the same data as HTML
Markdown ACLs--markdown --allHuman-readable DACL / ACE tables (domain_*_aces.md)
BloodHound--bloodhoundImport into BloodHound CE (bloodhound_<domain>.zip)

Disable defaults with --no-html, --no-json, or --no-grep. Use --all for GPOs, OUs, containers, AD CS (with --bloodhound), and DACL parsing. Use --acl without --all for ACL-only collection on the default object set.

BloodHound example (ACLs + AD CS, all via ADWS):

adwsdomaindump -u 'corp.local\Administrator' -p 'password' dc01.corp.local \
  --all --bloodhound -o ./out

Markdown ACL example (no BloodHound):

adwsdomaindump -u 'corp.local\Administrator' -p 'password' dc01.corp.local \
  --markdown --all -o ./out

More detail (flags, file list, BloodHound/AD CS): wiki.

Full OS Build Numbers (--full-build)

Active Directory only stores the major build in operatingSystemVersion (e.g. 10.0 (14393)). Use --full-build to enrich each computer with the full cumulative-update build number (e.g. 14393.8246) by querying the Remote Registry over SMB.

adwsdomaindump -u 'corp.local\jsmith' -p 'password' dc01.corp.local --full-build

The operatingSystemBuildNumber column (labelled OS Build in HTML/Markdown) will then show values like:

OSoperatingSystemVersionoperatingSystemBuildNumber
Windows Server 201610.0 (14393)14393.8246
Windows Server 201910.0 (17763)17763.8644
Windows Server 202210.0 (20348)20348.5020
Windows Server 202510.0 (26100)26100.32690

No admin requiredHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion grants read access to all Authenticated Users by default. Any standard domain user account can perform this lookup.

Requirements:

  • RemoteRegistry service must be running on each target (default on Windows Server; often disabled on workstations)
  • SMB port 445 reachable from the scanning host
  • Included in HTML, JSON, greppable, and Markdown output — not in the BloodHound export

Hosts where the lookup fails (unreachable, RemoteRegistry stopped) are silently skipped; the operatingSystemBuildNumber column will simply be absent for those entries.

Evasion

Currently tested against:

EDRBypassed
Microsoft Defender for EndpointYes
CrowdStrike FalconYes

Credits

This project is a fork/adaptation of ldapdomaindump by Dirk-jan Mollema, converted to use ADWS instead of LDAP.

Original work: Copyright (c) 2017 Dirk-jan Mollema

License

MIT