Skip to main content

GetADUsers.py

When to Use

Helpful in post-compromise enumeration. If you've compromised a domain-joined host, and you've dumped the hashes from SAM or LSASS, you can pass the hash to the domain controller (even as a low-level domain user) to list users in the directory.



Usage Examples

Password Authentication

# Get all users from the domain controller
GetADUsers.py -all -dc-ip domain-controller-ip 'domain.tld/username:password'

# Post-compromise through a proxy host
proxychains -q GetADUsers.py -all -dc-ip domain-controller-ip 'domain.tld/username:password'


Pass the Hash

If you've dumped the SAM or LSASS on host post-compromise, you can pass the hash to dump users

# Get all users from the domain controller
GetADUsers.py -all -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'

# Post-compromise through a proxy host
proxychains -q GetADUsers.py -all -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'
Back to top