
ldap

The ldap command is R4t’s primary interface for interacting with Active Directory via the Lightweight Directory Access Protocol. It supports enumeration, modification, object creation and deletion, vulnerability scanning, DACL manipulation, GPO management, and LAPS interaction. All ldap subcommands use the global authentication and connection flags.

Usage

r4t ldap <subcommand> [flags]

Subcommands

ldap get

Query and retrieve AD objects.
r4t ldap get <object-type> [flags]

Object Types

Type        Description
user        Single user by samAccountName, DN, or UPN
users       All domain user accounts
computer    Single computer account
computers   All computer accounts
group       Single group by name or DN
groups      All security and distribution groups
ou          Single Organizational Unit
ous         All Organizational Units
maq         Machine Account Quota for the domain
spn         All accounts with Service Principal Names
desc        Accounts with interesting strings in the description field

Common Flags

Flag            Description
--name          Filter by samAccountName, CN, or DN
--output, -o    Write results to file
--raw           Output raw LDAP attributes

Examples

# List all users
r4t ldap get users

# Get a single user
r4t ldap get user --name jsmith

# List all computers
r4t ldap get computers

# Find accounts with SPNs (Kerberoastable)
r4t ldap get spn

# Find accounts with interesting description strings
r4t ldap get desc

ldap create

Create new AD objects.
r4t ldap create <object-type> [flags]

Object Types

Type            Description
user            Create a new user account
computer        Create a new computer account
group           Create a new security group
group-member    Add a member to an existing group
ou              Create a new Organizational Unit

Examples

# Create a user
r4t ldap create user --name backdoor --password 'P@ssword1' --ou "CN=Users,DC=corp,DC=example,DC=com"

# Create a computer account
r4t ldap create computer --name FAKEPC

# Add user to group
r4t ldap create group-member --group "Domain Admins" --member "CN=backdoor,CN=Users,DC=corp,DC=example,DC=com"

# Create an OU
r4t ldap create ou --name "Staging" --parent "DC=corp,DC=example,DC=com"

ldap delete

Delete AD objects.
r4t ldap delete <object-type> [flags]

Object Types

Type            Description
user            Delete a user account
computer        Delete a computer account
group-member    Remove a member from a group
ou              Delete an Organizational Unit

ldap modify

Modify attributes on an existing AD object.
r4t ldap modify [flags]

Flag            Description
--dn            Distinguished Name of the object to modify
--attribute     LDAP attribute name to change
--value         New value for the attribute
--add           Add the attribute value (rather than replace)
--delete        Delete the attribute value

Examples

# Set an arbitrary attribute
r4t ldap modify --dn "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com" --attribute description --value "Test account"

# Add an SPN
r4t ldap modify --dn "CN=svcApp,CN=Users,DC=corp,DC=example,DC=com" --attribute servicePrincipalName --value "HTTP/app.corp.example.com" --add

ldap enable

Re-enable a disabled AD object.
r4t ldap enable <object-type> [flags]

Object Types

Type        Description
user        Enable a disabled user account
computer    Enable a disabled computer account

ldap password

Reset or change an account password.
r4t ldap password [flags]

Flag                Description
--target-user       The user whose password to change
--new-password      The new password to set
--old-password      Current password (required for self-service change)

Examples

# Force reset (requires write permission on the target account)
r4t ldap password --target-user jsmith --new-password 'NewP@ss!'

# Self-service change (requires old password)
r4t ldap password --target-user jsmith --old-password 'OldP@ss' --new-password 'NewP@ss!'

ldap query

Execute a raw LDAP search query.
r4t ldap query [flags]

Flag            Description
--filter        LDAP search filter (e.g., (objectClass=user))
--attributes    Comma-separated list of attributes to return
--base          Search base DN (defaults to domain root)
--scope         Search scope: base, one, sub (default: sub)
--output, -o    Write results to file

Examples

# Find all enabled users with passwords that never expire
r4t ldap query --filter "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(userAccountControl:1.2.840.113556.1.4.803:=65536))"

# Get specific attributes for all computers
r4t ldap query --filter "(objectClass=computer)" --attributes "name,operatingSystem,dnshostname,lastlogontimestamp"

# Search within a specific OU
r4t ldap query --filter "(objectClass=user)" --base "OU=Employees,DC=corp,DC=example,DC=com"
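The first example above relies on the Active Directory extensible-match rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND), which tests whether every bit of the supplied value is set in the attribute. The following offline evaluator is an added example, not code from R4t: it parses filters of the shape shown above, implements the bitwise rules, and runs the page's filter (plus the no-pre-authentication condition that `ldap scan` reports) against a constructed set of directory entries. The entries, the sAMAccountType restriction and the account names are all constructed for illustration; the userAccountControl bit values and rule OIDs are the documented AD values.

```python
"""Offline evaluator for LDAP search filters, including the Active Directory
bitwise matching rules used in the userAccountControl filter above.

Added example; not part of R4t. The entries below are constructed sample data.
"""

# Well-known userAccountControl bits (documented AD values)
UAC_ACCOUNTDISABLE = 0x0002          # 2
UAC_DONT_EXPIRE_PASSWORD = 0x10000   # 65536
UAC_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304

# AD extensible-match rule OIDs for bitwise tests
RULE_BIT_AND = "1.2.840.113556.1.4.803"
RULE_BIT_OR = "1.2.840.113556.1.4.804"


def parse_filter(text):
    """Parse an RFC 4515 filter string into a small tuple tree.

    Supports (&...), (|...), (!...), equality, presence (attr=*) and the
    attr:OID:=value extensible-match form. Escaped values are not handled.
    """
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        attr, _, rule = attr.partition(":")  # "attr:OID:" carries a matching rule
        return ("=", attr.lower(), rule.rstrip(":") or None, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry: {lowercase attr: [values]}."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, rule, value = tree
    values = entry.get(attr, [])
    if rule is None and value == "*":  # presence test
        return bool(values)
    if rule == RULE_BIT_AND:           # every bit of value must be set
        return any(int(v) & int(value) == int(value) for v in values)
    if rule == RULE_BIT_OR:            # any bit of value set
        return any(int(v) & int(value) for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return any(str(v).lower() == value.lower() for v in values)  # AD compares case-insensitively


def search(filter_text, entries):
    """Return the sAMAccountName of every entry matching the filter, in directory order."""
    tree = parse_filter(filter_text)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]


# Constructed sample directory: four users and one computer account.
# Computer objects also carry objectClass=user, so the page's filter matches
# WS01$ too; sAMAccountType=805306368 restricts results to normal user accounts.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"samaccountname": ["jsmith"], "objectclass": USER_CLASSES,
     "samaccounttype": [805306368], "useraccountcontrol": [512]},
    {"samaccountname": ["svc_backup"], "objectclass": USER_CLASSES,
     "samaccounttype": [805306368], "useraccountcontrol": [512 | UAC_DONT_EXPIRE_PASSWORD]},
    {"samaccountname": ["old_admin"], "objectclass": USER_CLASSES, "samaccounttype": [805306368],
     "useraccountcontrol": [512 | UAC_DONT_EXPIRE_PASSWORD | UAC_ACCOUNTDISABLE]},
    {"samaccountname": ["legacy_app"], "objectclass": USER_CLASSES,
     "samaccounttype": [805306368], "useraccountcontrol": [512 | UAC_DONT_REQUIRE_PREAUTH]},
    {"samaccountname": ["WS01$"], "objectclass": USER_CLASSES + ["computer"],
     "samaccounttype": [805306369], "useraccountcontrol": [4096 | UAC_DONT_EXPIRE_PASSWORD]},
]

# The filter from the `ldap query` example above
PAGE_FILTER = ("(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
               "(userAccountControl:1.2.840.113556.1.4.803:=65536))")
# Same check restricted to normal user accounts (constructed variant)
USERS_ONLY_FILTER = ("(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
                     "(userAccountControl:1.2.840.113556.1.4.803:=65536))")
# The AS-REP roastable condition that `ldap scan` reports
NO_PREAUTH_FILTER = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

if __name__ == "__main__":
    for name, flt in [("page filter", PAGE_FILTER), ("users only", USERS_ONLY_FILTER),
                      ("no preauth", NO_PREAUTH_FILTER)]:
        print(f"{name}: {search(flt, SAMPLE_ENTRIES)}")
```

Run stand-alone, the page's filter returns both `svc_backup` and `WS01$`, because computer objects are also of objectClass user; the sAMAccountType variant returns only `svc_backup`, and the pre-authentication filter returns `legacy_app`. When auditing with `ldap query`, adding the sAMAccountType term is the usual way to keep computer accounts out of user-focused results.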

ldap scan

Scan for AD vulnerabilities and misconfigurations.
r4t ldap scan [flags]
This subcommand performs a broad vulnerability scan of the AD environment and populates the database with findings. It checks for:
  • Accounts with no pre-authentication (AS-REP Roastable)
  • Accounts with kerberoastable SPNs
  • DCSync-capable accounts (Replicating Directory Changes All)
  • Accounts with shadow credential opportunities
  • Coercible hosts
  • Password policy weaknesses
  • Domain functional level issues
  • Delegation misconfigurations (unconstrained, constrained, resource-based)
  • Pre-Windows 2000 compatible access
  • NOPAC-vulnerable accounts

Flag            Description
--output, -o    Write scan results to file

ldap recon

Full domain reconnaissance — enumerates users, computers, groups, OUs, GPOs, trusts, domain controllers, and password policies, storing everything in the database.
r4t ldap recon [flags]

Flag            Description
--output, -o    Output directory for results

This is typically the first command run after gaining credentials. It populates the full local database for offline analysis.

ldap dacl

Enumerate and modify Discretionary Access Control Lists (DACLs) on AD objects.
r4t ldap dacl <subcommand> [flags]

Subcommands

Subcommand    Description
get           Enumerate DACL ACEs on an object
add           Add an ACE to an object’s DACL
remove        Remove an ACE from an object’s DACL

Flag          Description
--dn          Target object DN
--trustee     Account to grant/revoke rights to
--right       AD right (e.g., GenericAll, WriteProperty, ResetPassword)

Examples

# View ACL on an object
r4t ldap dacl get --dn "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com"

# Grant GenericAll to a controlled account
r4t ldap dacl add --dn "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com" \
  --trustee "CN=backdoor,CN=Users,DC=corp,DC=example,DC=com" --right GenericAll
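An ACE like the one `ldap dacl add` writes above is what a defender needs to spot in a DACL review. The following audit routine is an added example, not R4t code: it decodes the access-mask bits and object GUIDs that distinguish GenericAll, WriteDacl, WriteOwner, ResetPassword, DCSync and group-membership writes, then reports allow-ACEs that grant any of those to a trustee outside an expected set. The ACE records, trustee names and the expected-trustee set are constructed for illustration; the mask bits are the documented ADS_RIGHT_* values and the GUIDs are the well-known schema identifiers.

```python
"""Audit AD DACL entries for rights that grant control over an object, the
kind of ACE `ldap dacl add` writes. Added example; not part of R4t. The ACEs
below are constructed sample data, not output of the tool.
"""

# Access-mask bits from the Windows ACE format (documented ADS_RIGHT_* values)
ADS_RIGHT_DS_WRITE_PROP = 0x00000020
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100
ADS_RIGHT_WRITE_DAC = 0x00040000
ADS_RIGHT_WRITE_OWNER = 0x00080000
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_RIGHT_GENERIC_WRITE = 0x40000000

# Well-known schema GUIDs that scope object-specific ACEs
GUID_USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"    # ResetPassword right
GUID_DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DCSync right
GUID_MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d1-a285-00aa003049e2"              # group 'member' attribute


def classify_ace(ace):
    """Map one ACE's access mask and object GUID to named rights worth reviewing."""
    mask = ace["mask"]
    obj = (ace.get("object_type") or "").lower()
    rights = []
    if mask & ADS_RIGHT_GENERIC_ALL:
        rights.append("GenericAll")
    if mask & ADS_RIGHT_GENERIC_WRITE:
        rights.append("GenericWrite")
    if mask & ADS_RIGHT_WRITE_DAC:
        rights.append("WriteDacl")
    if mask & ADS_RIGHT_WRITE_OWNER:
        rights.append("WriteOwner")
    if mask & ADS_RIGHT_DS_CONTROL_ACCESS:  # extended rights; the GUID says which one
        if obj == GUID_USER_FORCE_CHANGE_PASSWORD:
            rights.append("ResetPassword")
        elif obj == GUID_DS_REPLICATION_GET_CHANGES_ALL:
            rights.append("DCSync")
        elif obj == "":                      # no GUID: every extended right
            rights.append("AllExtendedRights")
    if mask & ADS_RIGHT_DS_WRITE_PROP:
        if obj == GUID_MEMBER_ATTRIBUTE:
            rights.append("AddMember")
        elif obj == "":
            rights.append("WriteAllProperties")
    return rights


def audit_dacls(aces, expected_trustees):
    """Return allow-ACEs that grant control rights to trustees outside the expected set."""
    findings = []
    for ace in aces:
        if ace["type"] != "ALLOW" or ace["trustee"] in expected_trustees:
            continue
        rights = classify_ace(ace)
        if rights:
            findings.append({"object": ace["object"], "trustee": ace["trustee"], "rights": rights})
    return findings


# Constructed sample DACL snapshot (mirrors the `ldap dacl add` example above)
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"
JSMITH = "CN=jsmith,CN=Users,DC=corp,DC=example,DC=com"
SAMPLE_ACES = [
    {"object": DOMAIN_ADMINS, "trustee": "CORP\\Domain Admins", "type": "ALLOW",
     "mask": ADS_RIGHT_GENERIC_ALL, "object_type": None},
    {"object": DOMAIN_ADMINS, "trustee": "CORP\\backdoor", "type": "ALLOW",
     "mask": ADS_RIGHT_GENERIC_ALL, "object_type": None},
    {"object": JSMITH, "trustee": "CORP\\svc_helpdesk", "type": "ALLOW",
     "mask": ADS_RIGHT_DS_CONTROL_ACCESS, "object_type": GUID_USER_FORCE_CHANGE_PASSWORD},
    {"object": "DC=corp,DC=example,DC=com", "trustee": "CORP\\svc_sync", "type": "ALLOW",
     "mask": ADS_RIGHT_DS_CONTROL_ACCESS, "object_type": GUID_DS_REPLICATION_GET_CHANGES_ALL},
    {"object": JSMITH, "trustee": "CORP\\Authenticated Users", "type": "ALLOW",
     "mask": 0x00000010, "object_type": None},   # read-property only: benign
    {"object": DOMAIN_ADMINS, "trustee": "CORP\\contractor", "type": "DENY",
     "mask": ADS_RIGHT_GENERIC_ALL, "object_type": None},  # deny ACE: not a grant
]

EXPECTED_TRUSTEES = {"CORP\\Domain Admins", "CORP\\Enterprise Admins", "NT AUTHORITY\\SYSTEM"}

if __name__ == "__main__":
    for f in audit_dacls(SAMPLE_ACES, EXPECTED_TRUSTEES):
        print(f"{f['trustee']:<26} {', '.join(f['rights']):<16} on {f['object']}")
```

Against the constructed snapshot the audit reports three grants: GenericAll for `backdoor` on Domain Admins, ResetPassword for `svc_helpdesk` on jsmith, and DCSync for `svc_sync` on the domain root. The read-only ACE and the deny ACE are ignored, which is the distinction a reviewer wants: only allow-ACEs that confer control matter.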

ldap gplink

Manage Group Policy Object links to containers (OUs, domains, sites).
r4t ldap gplink <subcommand> [flags]

Subcommands

Subcommand    Description
add           Link a GPO to a container
remove        Unlink a GPO from a container
list          List all GPO links

ldap laps

Interact with LAPS (Local Administrator Password Solution).
r4t ldap laps [flags]

Flag            Description
--computer      Target computer name
--all           Retrieve LAPS passwords for all computers
--output, -o    Write results to file

Reads ms-Mcs-AdmPwd (LAPS v1) and msLAPS-Password (LAPS v2) attributes from computer objects.

Examples

# Get LAPS password for a specific computer
r4t ldap laps --computer WS01

# Dump LAPS passwords for all computers you can read
r4t ldap laps --all

ldap gpo

Enumerate Group Policy Objects.
r4t ldap gpo [flags]

Flag            Description
--output, -o    Write results to file
--links         Include GPO link information

ldap gpo — GPO Enumeration Notes

GPO data is stored in the gpos and gp_link_entries tables in the SQLite database after enumeration.

LDAP Obfuscation

R4t uses the el-dap library, which supports LDAP query obfuscation to evade signature-based detection of LDAP queries. Obfuscation is applied transparently for all ldap subcommand operations when configured.
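The detection-side counterpart to query obfuscation is normalisation: a monitoring pipeline canonicalises each observed filter before comparing it with signatures, so that rewrites of the same query still match. The following normaliser is an added example, not code from R4t or el-dap. This page does not document which transformations el-dap applies, so the ones undone here (hex-escaped value bytes, attribute-name case, attribute OIDs in place of names, and padding whitespace around operators) are assumptions about common LDAP filter obfuscation; the OID map is partial, the signatures and sample queries are constructed, and values are assumed to carry no leading or trailing whitespace.

```python
"""Normalise LDAP search filters before matching detection signatures, so that
rewrites of the same query are not missed. Added example; not part of R4t or
el-dap. The transformations undone here are assumptions about common LDAP
filter obfuscation, not a description of what el-dap does.
"""
import re

# Partial map of attribute OIDs (AD schema attributeID values) to names
OID_TO_ATTR = {
    "2.5.4.0": "objectclass",
    "2.5.4.3": "cn",
    "1.2.840.113556.1.4.221": "samaccountname",
    "1.2.840.113556.1.4.8": "useraccountcontrol",
}

_WS_AROUND_TOKENS = re.compile(r"\s*([()&|!=])\s*")
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")
_ATTR_NAME = re.compile(r"\(([^()=:]+)(:[^=]*:)?=")


def _unescape(match):
    """Decode a \\XX escape, but keep RFC 4515 structural characters escaped."""
    char = chr(int(match.group(1), 16))
    if char in "()*\\" or ord(char) < 0x20:
        return "\\" + match.group(1).lower()
    return char


def _canonical_attr(match):
    """Lower-case the attribute name, resolve a known OID, keep any matching rule."""
    name = match.group(1).lower()
    rule = match.group(2) or ""
    return "(" + OID_TO_ATTR.get(name, name) + rule.lower() + "="


def normalize(filter_text):
    """Return a canonical form of the filter (assumes values have no padding whitespace)."""
    text = _WS_AROUND_TOKENS.sub(r"\1", filter_text.strip())
    text = _HEX_ESCAPE.sub(_unescape, text)
    return _ATTR_NAME.sub(_canonical_attr, text)


# Constructed signatures, written against the canonical form only
SIGNATURES = {
    "spn-sweep": "(serviceprincipalname=*)",
    "no-preauth-sweep": "(useraccountcontrol:1.2.840.113556.1.4.803:=4194304)",
    "never-expire-passwords": "(useraccountcontrol:1.2.840.113556.1.4.803:=65536)",
}


def match_signatures(filter_text):
    """Return the names of all signatures whose canonical needle appears in the filter."""
    canon = normalize(filter_text)
    return sorted(name for name, needle in SIGNATURES.items() if needle in canon)


# Constructed inputs: one query written plainly and with padding, case, OID and hex rewrites
PLAIN = "(&(objectClass=user)(servicePrincipalName=*))"
REWRITTEN = r"( & ( 2.5.4.0=\75\73\65\72 ) ( SERVICEPRINCIPALNAME=* ) )"
# The filter from the `ldap query` example earlier on this page
PAGE_FILTER = ("(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
               "(userAccountControl:1.2.840.113556.1.4.803:=65536))")

if __name__ == "__main__":
    for query in (PLAIN, REWRITTEN, PAGE_FILTER):
        print(normalize(query), match_signatures(query))
```

Both spellings of the SPN query reduce to `(&(objectclass=user)(serviceprincipalname=*))` and fire the same signature, while a literal-substring rule on the raw text would have matched only the plain form. Matching on the canonical form rather than on raw bytes is the cheapest defence against this class of evasion; escaped structural characters such as `\28` are deliberately left escaped so that normalisation cannot change a filter's meaning.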