GetADUsers.py

When to Use

Helpful in post-compromise enumeration. If you've compromised a domain-joined host, and you've dumped and / or cracked hashes, you can pass the hashes or passwords to the domain controller (even as a low-level domain user) to list users in the directory.

Usage Examples

Password Authentication

The Kali Linux developers have created a series of wrappers around Impacket scripts. In this case, you can easily invoke GetADUsers.py by running impacket-GetADUsers

# Get all users from the domain controller
impacket-GetADUsers -all -dc-ip domain-controller-ip 'domain.tld/username:password'

# Post-compromise through a proxy host
proxychains -q impacket-GetADUsers -all -dc-ip domain-controller-ip 'domain.tld/username:password'

impacket-GetADUsers wrapper on Kali Linux invokes GetADUsers.py with user-supplied arguments

Pass the Hash

If you've dumped the SAM or LSASS on host post-compromise, you can pass the hash to dump users

# Get all users from the domain controller
impacket-GetADUsers -all -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'

# Post-compromise through a proxy host
proxychains -q impacket-GetADUsers -all -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'

impacket-GetADUsers wrapper on Kali Linux invokes GetADUsers.py with user-supplied arguments