windapsearch Cheatsheet

Python tool for enumerating Active Directory via LDAP queries. Simplifies common AD enumeration tasks.

GitHub: https://github.com/ropnop/windapsearch

Basic Syntax

./windapsearch.py [options]

Connection Options

Option	Description	Example
`--dc-ip IP`	Domain Controller IP	`--dc-ip 172.16.5.5`
`-d DOMAIN`	Domain name	`-d domain.local`
`-u USER`	Username (blank for anonymous)	`-u "admin"` or `-u ""`
`-p PASS`	Password	`-p Password123`
`--full`	Return full LDAP attributes
`-o FILE`	Output to file	`-o results.txt`

Enumeration Flags

Flag	Description
`-U`	Enumerate all users
`-G`	Enumerate all groups
`-C`	Enumerate all computers
`-m GROUP`	Enumerate members of a group
`--da`	Enumerate Domain Admins group members
`--admin-objects`	Enumerate objects with admin count > 0
`-PU`	Enumerate privileged users
`--functionality`	Enumerate domain functionality level
`--user-spns`	Find users with SPNs (Kerberoastable)
`--unconstrained-users`	Users with unconstrained delegation
`--unconstrained-computers`	Computers with unconstrained delegation
`--gpos`	Enumerate GPOs
`-s SEARCH`	Custom LDAP search term
`--custom FILTER`	Custom LDAP filter
`--attrs ATTRS`	Attributes to return (comma-separated)

Anonymous Bind Examples

Enumerate All Users (Anonymous)

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

Enumerate All Groups (Anonymous)

./windapsearch.py --dc-ip 172.16.5.5 -u "" -G

Enumerate Computers (Anonymous)

./windapsearch.py --dc-ip 172.16.5.5 -u "" -C

Authenticated Examples

Enumerate Domain Admins

./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 --da

Enumerate Privileged Users

./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 -PU

Enumerate Members of Specific Group

./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 -m "IT Admins"

Full Output with All Attributes

./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 -U --full

Custom Search

./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 -s "admin"

Additional Enumeration

Kerberoastable Users

./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 --user-spns

Unconstrained Delegation

./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 --unconstrained-users
./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 --unconstrained-computers

GPO Enumeration

./windapsearch.py --dc-ip 172.16.5.5 -d domain.local -u user@domain.local -p Password123 --gpos

Tips

Blank -u "" triggers anonymous bind (only works if LDAP anonymous bind is enabled)
Use --full to get all attributes for deeper analysis
-PU performs recursive lookups for nested group membership — reveals users with excess privileges through group nesting (useful for reporting)
Simpler than raw ldapsearch for common AD enumeration tasks
Output can be saved with -o for post-processing

Keyboard shortcuts

notebook