This project is a fork of ldap_shell from Impacket. It provides an interactive shell for Active Directory enumeration and manipulation via LDAP/LDAPS protocols, making it useful for both system administrators and security professionals.
These tools are only compatible with Python 3.5+. Clone the repository from GitHub, install the dependencies and you should be good to go.

Installation with pip:

    git clone https://github.com/PShlyundin/ldap_shell.git
    cd ldap_shell
    python3 -m pip install .

Installation with uv:

    uv venv
    uv pip install .

    # Basic authentication with password
    ldap_shell domain.local/user:password

    # Specify domain controller IP address
    ldap_shell domain.local/user:password -dc-ip 192.168.1.2

    # Authentication using NTLM hashes
    ldap_shell domain.local/user -hashes aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404e1

    # Kerberos authentication using TGT
    export KRB5CCNAME=/home/user/ticket.ccache
    ldap_shell -k -no-pass domain.local/user

Get Info

    dump [output_dir] - Dumps the domain
    get_group_users group - Get all users in a group
    get_laps_gmsa [target] - Retrieves LAPS and GMSA passwords associated with a given account (sAMAccountName) or for all. Supported LAPS 2.0
    get_maq [user] - Get Machine Account Quota and allowed users
    get_user_groups user - Retrieves all groups recursively this user is a member of
    search ldap_filter [attributes] - Search AD objects

Abuse ACL

    add_user_to_group user group - Add a user to a group
    change_password user [password] - Attempt to change a given user's password. Requires LDAPS.
    clear_rbcd target [grantee] - Clear RBCD permissions for a target computer
    dacl_modify target grantee action mask - Modify DACL entries for target object
    del_dcsync target - Remove DCSync rights from user/computer by deleting ACEs in domain DACL
    del_user_from_group user group - Delete a user from a group
    get_ntlm target - Get NTLM hash using Shadow Credentials attack (requires write access to msDS-KeyCredentialLink)
    set_dcsync target - If you have write access to the domain object, assign the DS-Replication right to the selected user
    set_dontreqpreauth target flag - Targeted AsRepRoast attack. Set or unset DONT_REQUIRE_PREAUTH flag for a target user.
    set_genericall target [grantee] - Set GenericAll permissions for a target object
    set_owner target [grantee] - Set new owner for target object
    set_rbcd target grantee - Configure RBCD permissions for a target computer
    set_spn target action [spn] - List, add or delete SPN for a target object

Misc

    add_computer computer_name [password] [target_dn] - Add a new computer account to the domain
    add_group group_name [target_dn] - Add new group to Active Directory
    add_user username [password] [target_dn] - Add a new user account to the domain
    del_computer computer_name - Delete a computer account from the domain
    del_group group_name - Delete group from Active Directory
    del_user username - Delete a user account from the domain
    disable_account username - Disable a user account in the domain
    enable_account username - Enable a user account in the domain
    start_tls - Start TLS connection with LDAP server
    switch_user username [password] - Switch current user to another

Other

    help [command] - Show help
    exit - exit from shell

Apache License 2.0
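
For defenders, an added example (not part of ldap_shell or this README): a triage pass over Directory Service Changes events (Windows event ID 5136) that flags writes to the attributes the Abuse ACL commands listed above modify. It assumes directory-change auditing is enabled and events are already parsed into dicts keyed by the 5136 field names; the attribute-to-command mapping reflects where Active Directory stores these settings, and the sample events are constructed.

```python
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit for DONT_REQUIRE_PREAUTH
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # 5136 OperationType codes
# Attribute (lower-cased) -> commands from the list above that write it.
WATCHED = {
    "msds-keycredentiallink": "get_ntlm",
    "msds-allowedtoactonbehalfofotheridentity": "set_rbcd, clear_rbcd",
    "ntsecuritydescriptor": "dacl_modify, set_genericall, set_owner, set_dcsync",
    "serviceprincipalname": "set_spn",
    "useraccountcontrol": "set_dontreqpreauth",
}

def _finding(e, attr):
    return {"object": e["ObjectDN"], "actor": e["SubjectUserName"],
            "attribute": attr, "commands": WATCHED[attr]}

def _preauth_bit(e):
    return int(e["AttributeValue"]) & DONT_REQ_PREAUTH if e else 0

def findings(events):
    """Return findings for 5136 events that touch the watched attributes."""
    out, uac = [], defaultdict(dict)
    for e in events:
        attr = e.get("AttributeLDAPDisplayName", "").lower()
        if e.get("EventID") != 5136 or attr not in WATCHED:
            continue
        if attr == "useraccountcontrol":
            # Old and new values are separate events sharing OpCorrelationID.
            uac[(e["OpCorrelationID"], e["ObjectDN"])][e["OperationType"]] = e
        else:
            out.append(_finding(e, attr))
    for pair in uac.values():
        new, old = pair.get(VALUE_ADDED), pair.get(VALUE_DELETED)
        # Report only when the pre-auth bit itself flips, not every UAC edit.
        if new and _preauth_bit(new) != _preauth_bit(old):
            out.append(_finding(new, "useraccountcontrol"))
    return out

def _ev(cid, dn, attr, value, op=VALUE_ADDED, actor="jdoe"):  # sample builder
    return {"EventID": 5136, "OpCorrelationID": cid, "ObjectDN": dn, "SubjectUserName": actor,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}

ALICE, BOB = "CN=alice,CN=Users,DC=domain,DC=local", "CN=bob,CN=Users,DC=domain,DC=local"
SAMPLE = [  # constructed events, not real logs
    _ev("c1", "CN=WEB01,CN=Computers,DC=domain,DC=local", "msDS-KeyCredentialLink", "<constructed>"),
    _ev("c2", ALICE, "userAccountControl", "512", VALUE_DELETED),  # account disabled only
    _ev("c2", ALICE, "userAccountControl", "514"),
    _ev("c3", BOB, "userAccountControl", "512", VALUE_DELETED),  # pre-auth bit set
    _ev("c3", BOB, "userAccountControl", "4194816"),
    _ev("c4", BOB, "description", "temp"),  # unwatched attribute
]
```

Calling `findings(SAMPLE)` reports the msDS-KeyCredentialLink write and the pre-authentication change on bob, and ignores the routine account disable on alice.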