{"id":43795466,"url":"https://github.com/l4rm4nd/pyadrecon","last_synced_at":"2026-02-21T05:01:35.702Z","repository":{"id":336688022,"uuid":"1150759942","full_name":"l4rm4nd/PyADRecon","owner":"l4rm4nd","description":"Python3 implementation of ADRecon with support for NTLM and Kerberos authentication. Generates individual CSV files and a single XSLX report about your AD domain.","archived":false,"fork":false,"pushed_at":"2026-02-12T10:51:00.000Z","size":1420,"stargazers_count":37,"open_issues_count":0,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-12T11:43:09.927Z","etag":null,"topics":["active-directory","active-directory-audit","active-directory-security","ad-computers","ad-users","adrecon","auditing","blue-teaming","domain-enumeration","enumeration","ethical-hacking","information-gathering","ldap","ldap3","pentesting","post-exploitation","python3","reconnaissance","red-teaming"],"latest_commit_sha":null,"homepage":"https://github.com/l4rm4nd/PyADRecon","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/l4rm4nd.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["l4rm4nd"],"buy_me_a_coffee":"lrvt"}},"created_at":"2026-02-05T16:53:49.000Z","updated_at":"2026-02-12T10:51:04.000Z","dependencies_parsed_at":"2026-02-11T02:01:16.271Z","dependency_job_id":"5dd59e66-2fe3-4ce2-afbb-f0fcd5e10273","html_url":"https://github.com/l4rm4nd/PyADRecon","commit_stats":null,"previous_names":["l4rm4nd/pyadrecon"],"tags_count":49,"template":false,"template_full_name":null,"purl":"pkg:github/l4rm4nd/PyADRecon","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FPyADRecon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FPyADRecon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FPyADRecon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FPyADRecon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/l4rm4nd","download_url":"https://codeload.github.com/l4rm4nd/PyADRecon/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l4rm4nd%2FPyADRecon/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29604095,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T04:38:07.383Z","status":"ssl_error","status_checked_at":"2026-02-19T04:35:50.016Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","active-directory-audit","active-directory-security","ad-computers","ad-users","adrecon","auditing","blue-teaming","domain-enumeration","enumeration","ethical-hacking","information-gathering","ldap","ldap3","pentesting","post-exploitation","python3","reconnaissance","red-teaming"],"created_at":"2026-02-05T21:03:30.421Z","updated_at":"2026-02-19T05:00:57.775Z","avatar_url":"https://github.com/l4rm4nd.png","language":"Python","funding_links":["https://github.com/sponsors/l4rm4nd","https://buymeacoffee.com/lrvt"],"categories":[],"sub_categories":[],"readme":"\u003cimg src=\"https://raw.githubusercontent.com/l4rm4nd/PyADRecon/refs/heads/main/.github/pyadrecon.png\" alt=\"pyadrecon\" width=\"300\"/\u003e\n\nPython3 implementation of an improved [ADRecon](https://github.com/sense-of-security/ADRecon) for Pentesters and Blue Teams. \n\n\u003e ADRecon is a tool which gathers information about MS Active Directory and generates an XSLX report to provide a holistic picture of the current state of the target AD environment.\n\n\u003e [!TIP]\n\u003e If you are a Red Team, may check out [ADRecon-ADWS](https://github.com/l4rm4nd/PyADRecon-ADWS) instead.\n\n## Table of Contents\n\n- [Installation](#installation)\n- [Usage](#usage)\n- [Docker](#docker)\n- [Collection Modules](#collection-modules)\n- [Acknowledgements](#acknowledgements)\n- [License](#license)\n\n## Installation\n\n````bash\n# stable release from pypi\npipx install pyadrecon\n\n# latest commit from github\npipx install git+https://github.com/l4rm4nd/PyADRecon\n````\n\nThen verify installation:\n\n````bash\npyadrecon --version\n````\n\n\u003e [!TIP]\n\u003e For Windows, a standalone executable is provided. Look [here](https://github.com/l4rm4nd/PyADRecon/tree/main/windows).\n\n## Usage\n\n````py\nusage: pyadrecon.py [-h] [--version] [--generate-excel-from CSV_DIR] [-dc DOMAIN_CONTROLLER] [-u USERNAME] [-p [PASSWORD]] [-d DOMAIN] [--auth {ntlm,kerberos}] [--tgt-file TGT_FILE] [--tgt-base64 TGT_BASE64]\n                    [--ssl] [--port PORT] [-o OUTPUT] [--page-size PAGE_SIZE] [--threads THREADS] [--dormant-days DORMANT_DAYS] [--password-age PASSWORD_AGE] [--only-enabled] [--collect COLLECT]\n                    [--no-excel] [-v]\n\nPyADRecon - Python Active Directory Reconnaissance Tool\n\noptions:\n  -h, --help            show this help message and exit\n  --version             show program's version number and exit  \n  --generate-excel-from CSV_DIR\n                        Generate Excel report from CSV directory (standalone mode, no AD connection needed)\n  -dc, --domain-controller DOMAIN_CONTROLLER\n                        Domain Controller IP or hostname\n  -u, --username USERNAME\n                        Username for authentication\n  -p, --password [PASSWORD]\n                        Password for authentication (optional if using TGT)\n  -d, --domain DOMAIN   Domain name (e.g., DOMAIN.LOCAL) - Required for Kerberos auth\n  --auth {ntlm,kerberos}\n                        Authentication method (default: ntlm)\n  --tgt-file TGT_FILE   Path to Kerberos TGT ccache file (for Kerberos auth)\n  --tgt-base64 TGT_BASE64\n                        Base64-encoded Kerberos TGT ccache (for Kerberos auth)\n  --ssl                 Force SSL/TLS (LDAPS). No LDAP fallback allowed.\n  --port PORT           LDAP port (default: 389, use 636 for LDAPS)\n  -o, --output OUTPUT   Output directory (default: PyADRecon-Report-\u003ctimestamp\u003e)\n  --page-size PAGE_SIZE\n                        LDAP page size (default: 500)\n  --dormant-days DORMANT_DAYS\n                        Days for dormant account threshold (default: 90)\n  --password-age PASSWORD_AGE\n                        Days for password age threshold (default: 180)\n  --only-enabled        Only collect enabled objects\n  --collect COLLECT     Comma-separated modules to collect (default: all)\n  --workstation WORKSTATION\n                        Explicitly spoof workstation name for NTLM authentication (default: empty string, bypasses userWorkstations restrictions)  \n  --no-excel            Skip Excel report generation\n  -v, --verbose         Verbose output\n\nExamples:\n  # Basic usage with NTLM authentication\n  pyadrecon.py -dc 192.168.1.1 -u admin -p password123 -d DOMAIN.LOCAL\n\n  # With Kerberos authentication (bypasses channel binding)\n  pyadrecon.py -dc dc01.domain.local -u admin -p password123 -d DOMAIN.LOCAL --auth kerberos\n\n  # With Kerberos using TGT from file (bypasses channel binding)\n  pyadrecon.py -dc dc01.domain.local -u admin -d DOMAIN.LOCAL --auth kerberos --tgt-file /tmp/admin.ccache\n\n  # With Kerberos using TGT from base64 string (bypasses channel binding)\n  pyadrecon.py -dc dc01.domain.local -u admin -d DOMAIN.LOCAL --auth kerberos --tgt-base64 BQQAAAw...\n\n  # Only collect specific modules\n  pyadrecon.py -dc 192.168.1.1 -u admin -p pass -d DOMAIN.LOCAL --collect users,groups,computers\n\n  # Output to specific directory\n  pyadrecon.py -dc 192.168.1.1 -u admin -p pass -d DOMAIN.LOCAL -o /tmp/adrecon_output\n\n  # Generate Excel report from existing CSV files (standalone mode)\n  pyadrecon.py --generate-excel-from /path/to/CSV-Files -o report.xlsx\n````\n\n\u003e[!TIP]\n\u003ePyADRecon always tries LDAPS on TCP/636 first.\n\u003e\n\u003eIf flag `--ssl` is not used, LDAP on TCP/389 may be tried as fallback.\n\n\u003e[!WARNING]\n\u003eIf LDAP channel binding is enabled, this script will fail with `automatic bind not successful - strongerAuthRequired`, as ldap3 does not support it (see [here](https://github.com/cannatag/ldap3/issues/1049#issuecomment-1222826803)). You must use Kerberos authentication instead.\n\u003e\n\u003eIf you use Kerberos auth under Linux, please create a valid `/etc/krb5.conf` and DC hostname entry in `/etc/hosts`. May read [this](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=32628#KerberosClientConfiguration-*NIX/etc/krb5.confConfiguration). If you are on Windows, please make sure you have valid Kerberos tickets. May read [this](https://github.com/l4rm4nd/PyADRecon/tree/main/windows#kerberos-authentication). Note that you can provide an already existing TGT ticket to the script via `--tgt-file` or `--tgt-base64`. For example, obtained by Netexec via `netexec smb \u003cTARGET\u003e \u003cARGS\u003e --generate-tgt \u003cFILEMAME\u003e`.\n\n## Docker\n\nThere is also a Docker image available on GHCR.IO.\n\n````\ndocker run --rm -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/hosts:/etc/hosts:ro -v ./:/tmp/pyadrecon_output ghcr.io/l4rm4nd/pyadrecon:latest -dc dc01.domain.local -u admin -p password123 -d DOMAIN.LOCAL -o /tmp/pyadrecon_output\n````\n\n## Collection Modules\n\nAs default, PyADRecon runs all collection modules. They are referenced to as `default` or `all`.\n\nThough, you can freely select your own collection of modules to run:\n\n| Icon | Meaning |\n|------|---------|\n| 🛑 | Requires administrative domain privileges (e.g. Domain Admins) |\n| ✅ | Requires regular domain privileges (e.g. Authenticated Users) |\n| 💥 | New collection modul in beta state. Results may be incorrect. |\n\n**Forest \u0026 Domain**\n- `forest` ✅\n- `domain` ✅\n- `trusts` ✅\n- `sites` ✅\n- `subnets` ✅\n- `schema` or `schemahistory` ✅\n\n**Domain Controllers**\n- `dcs` or `domaincontrollers` ✅\n\n**Users \u0026 Groups**\n- `users` ✅\n- `userspns` ✅\n- `groups` ✅\n- `groupmembers` ✅\n- `protectedgroups` ✅💥\n- `krbtgt` ✅\n- `asreproastable` ✅\n- `kerberoastable` ✅\n\n**Computers \u0026 Printers**\n- `computers` ✅\n- `computerspns` ✅\n- `printers` ✅\n\n**OUs \u0026 Group Policy**\n- `ous` ✅\n- `gpos` ✅\n- `gplinks` ✅\n\n**Passwords \u0026 Credentials**\n- `passwordpolicy` ✅\n- `fgpp` or `finegrainedpasswordpolicy` 🛑\n- `laps` 🛑\n- `bitlocker` 🛑💥\n\n**Managed Service Accounts**\n- `gmsa` or `groupmanagedserviceaccounts` ✅💥\n- `dmsa` or `delegatedmanagedserviceaccounts` ✅💥\n  - Only works for Windows Server 2025+ AD schema\n\n**Certificates**\n- `adcs` or `certificates` ✅💥\n  - Detects ESC1, ESC2, ESC3, ESC4 and ESC9\n\n**DNS**\n- `dnszones` ✅\n- `dnsrecords` ✅\n\n## Acknowledgements\n\nMany thanks to the following folks:\n - [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t) for a first Claude draft of this Python3 port \n- [Sense-of-Security](https://github.com/sense-of-security) for the original ADRecon script in PowerShell\n- [cannatag](https://github.com/cannatag) for the awesome ldap3 Python client\n- [Forta](https://github.com/fortra) for the awesome impacket suite\n- [Anthropic](https://github.com/anthropics) for Claude LLMs\n\n## License\n\n**PyADRecon** is released under the **MIT License**.\n\nThe following third-party libraries are used:\n\n| Library     | License        |\n|-------------|----------------|\n| ldap3       | LGPL v3        |\n| openpyxl    | MIT            |\n| gssapi      | MIT            |\n| impacket    | Apache 2.0     |\n| winkerberos | Apache 2.0     |\n\nPlease refer to the respective licenses of these libraries when using or redistributing this software.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl4rm4nd%2Fpyadrecon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fl4rm4nd%2Fpyadrecon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl4rm4nd%2Fpyadrecon/lists"}