
โŒ Secure Planet Training Courses Updated For 2019 - Click Here
There are new available articles, click to refresh the page.
โ˜ โ˜† โœ‡ KitPloit - PenTest Tools!

LDAPWordlistHarvester - A Tool To Generate A Wordlist From The Information Present In LDAP, In Order To Crack Passwords Of Domain Accounts

By: Zion3R โ€” May 29th 2024 at 12:30

A tool to generate a wordlist from the information present in LDAP, in order to crack non-random passwords of domain accounts.



The bigger the domain is, the better the wordlist will be.

  • [x] Creates a wordlist based on the following information found in the LDAP:
  • [x] User: name and sAMAccountName
  • [x] Computer: name and sAMAccountName
  • [x] Groups: name
  • [x] Organizational Units: name
  • [x] Active Directory Sites: name and descriptions
  • [x] All LDAP objects: descriptions
  • [x] Choose wordlist output file name with option --outputfile


To generate a wordlist from the LDAP of the domain domain.local you can use this command:

./ -d 'domain.local' -u 'Administrator' -p 'P@ssw0rd123!' --dc-ip

You will get the following output if using the Python version:

You will get the following output if using the Powershell version:

Cracking passwords

Once you have this wordlist, you should crack your NTDS using hashcat, --loopback and the rule clem9669_large.rule.

./hashcat --hash-type 1000 --potfile-path ./client.potfile ./client.ntds ./wordlist.txt --rules ./clem9669_large.rule --loopback


$ ./ -h v1.1 - by @podalirius_

usage: [-h] [-v] [-o OUTPUTFILE] --dc-ip ip address [-d DOMAIN] [-u USER] [--ldaps] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]

-h, --help show this help message and exit
-v, --verbose Verbose mode. (default: False)
Path to output file of wordlist.

Authentication & connection:
--dc-ip ip address IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
-d DOMAIN, --domain DOMAIN
(FQDN) domain to authenticate to
-u USER, --user USER user to authenticate with
--ldaps Use LDAPS instead of LDAP

--no- pass Don't ask for password (useful for -k)
-p PASSWORD, --password PASSWORD
Password to authenticate with
NT/LM hashes, format is LMhash:NThash
--aes-key hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-k, --kerberos Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
