LinuxCommandLibrary

impacket-getadusers

Enumerate user information from Active Directory

TLDR

View documentation for the original command

$ tldr GetADUsers.py

SYNOPSIS

impacket-getadusers [[domain/]username[:password]@]target [-h] [-target-ip IP] [-port PORT] [-k] [-no-sspi] [-hashes LMHASH:NTHASH] [-dc-ip IP] [-outputfile FILE] [-users] [-groups] [-all]

PARAMETERS

target
    Specifies the target host (IP or hostname) and optional authentication credentials. Format: [[domain/]username[:password]@]target

-target-ip IP
    IP address of the target machine, useful when DNS resolution is not available or for direct targeting.

-port PORT
    Port number to connect to on the target (default is 389 for LDAP).

-k
    Use Kerberos authentication instead of NTLM. Requires a Kerberos ticket in the credential cache.

-no-sspi
    Disable SSPI (Security Support Provider Interface) authentication mechanisms.

-hashes LMHASH:NTHASH
    Provide LM and NT hashes for NTLM authentication instead of a plaintext password. Format: LMHASH:NTHASH.

-dc-ip IP
    IP address of the Domain Controller to query. If not specified, the tool attempts to resolve it via DNS.

-outputfile FILE
    Save the gathered information to the specified file.

-users
    Enumerate Active Directory user accounts. This is the default behavior.

-groups
    Enumerate Active Directory groups and their members.

-all
    Enumerate both Active Directory users and groups.

DESCRIPTION

impacket-getadusers is a powerful Python-based utility from the Impacket library, designed for security professionals and penetration testers to enumerate user and group information from Active Directory domains. It leverages LDAP (Lightweight Directory Access Protocol) queries against a specified Domain Controller to gather details such as usernames, user properties, group memberships, and other crucial Active Directory attributes. This tool is invaluable for reconnaissance phases, helping to identify valid user accounts, find privileged users, and build a comprehensive understanding of the target's Active Directory environment before attempting further attacks. It supports various authentication methods, including password-based, NTLM hash-based, and Kerberos.

CAVEATS

Using impacket-getadusers can generate network traffic and logs on the Domain Controller, potentially alerting defenders. It requires network connectivity to the target DC and appropriate credentials (or anonymous LDAP access, which is rare in secure environments). Overly aggressive usage or queries for non-existent accounts can lead to account lockouts or detection. Results are dependent on the permissions of the provided credentials.
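
The logging caveat above, seen from the defender's side: this is an added example, not part of the original page or of Impacket, that flags clients pulling large user or group result sets through broad LDAP searches at the domain root. The record format, field names, addresses, threshold and the function names are constructed for illustration; adapt the parser to the LDAP query telemetry your Domain Controllers actually produce.

```python
import re
from collections import defaultdict

# Constructed sample records (not real Domain Controller output): one LDAP
# search per line with client, search base, scope, filter and entries returned.
SAMPLE_LOG = """\
client=10.0.5.23 base=DC=domain,DC=local scope=subtree filter=(&(sAMAccountName=*)(objectCategory=user)) returned=1842
client=10.0.5.40 base=DC=domain,DC=local scope=subtree filter=(sAMAccountName=jsmith) returned=1
client=10.0.5.23 base=DC=domain,DC=local scope=subtree filter=(objectCategory=group) returned=96
client=10.0.5.77 base=OU=Sales,DC=domain,DC=local scope=onelevel filter=(&(objectClass=user)(mail=*)) returned=12
client=10.0.5.9 base=DC=domain,DC=local scope=subtree filter=(objectClass=user) returned=1850
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) base=(?P<base>\S+) scope=(?P<scope>\S+) "
    r"filter=(?P<filter>\S+) returned=(?P<returned>\d+)"
)
# Filter clauses that select every user or group instead of one named object.
BROAD_RE = re.compile(
    r"\((?:sAMAccountName=\*|objectCategory=(?:user|person|group)"
    r"|objectClass=(?:user|group))\)",
    re.IGNORECASE,
)

def parse(log_text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            rec = m.groupdict()
            rec["returned"] = int(rec["returned"])
            yield rec

def find_enumeration(log_text, domain_root, min_returned=500, allowlist=()):
    """Map client -> entries returned by broad subtree searches at the domain
    root, keeping clients at or above min_returned and not in allowlist."""
    totals = defaultdict(int)
    for rec in parse(log_text):
        if rec["client"] in allowlist:
            continue  # e.g. sanctioned directory-sync hosts
        if (rec["scope"].lower() == "subtree"
                and rec["base"].lower() == domain_root.lower()
                and BROAD_RE.search(rec["filter"])):
            totals[rec["client"]] += rec["returned"]
    return {c: n for c, n in totals.items() if n >= min_returned}

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG, "DC=domain,DC=local", allowlist={"10.0.5.9"}))
```

Summing per client catches an enumeration split across several searches (users first, then groups), while the allowlist keeps known bulk readers from drowning out the alert.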

COMMON USAGE

Typically used in the reconnaissance phase of a penetration test or red team engagement to gather information about users and groups within an Active Directory domain. It helps identify potential targets for credential stuffing or password spraying and locate privileged accounts.

Example:
$ impacket-getadusers 'domain.local/adminuser:Password123@dc01.domain.local' -all -outputfile all_ad_users_groups.txt

HISTORY

impacket-getadusers is part of the widely recognized Impacket library, a collection of Python classes developed by Core Security for programmatic access to network protocols. Impacket originated in the early 2000s and has evolved into a staple tool in offensive security and red teaming for Windows network exploitation and reconnaissance. getadusers specifically provides a specialized interface for Active Directory enumeration, building upon Impacket's robust LDAP and SMB capabilities.

SEE ALSO

ldapsearch(1), impacket-lookupsid(1), impacket-samrdump(1), impacket-secretsdump(1)
