Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP). Looks for enabled normal user accounts.
Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).
- LDAP Ping (Microsoft)
- LDAP Nom Nom (GitHub)
No Windows audit logs generated! High speed ~ up to 10K/sec – go beyond 25K/sec with multiple servers!
Installation
sudo apt updatesudo apt install golanggo install github.com/lkarlslund/ldapnomnom@latestHelp
~/go/bin/ldapnomnom -hldapnomnom [--server dc1.domain.suffix[,dc2.domain.suffix] | --dnsdomain domain.suffix] [--port number] [--tlsmode notls|tls|starttls] [--input filename] [--output filename [--progressbar]] [--parallel number-of-connections] [--maxservers number-of-servers] [--maxstrategy fastest|random] [--throttle n] [--maxrequests n]Bruteforce AD usernames
Download wordlists of usernames
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/Names/names.txtwget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/xato-net-10-million-usernames.txtwget https://raw.githubusercontent.com/lisandre-com/Wordlists/main/xato-net-10-million-usernames-10000.txtBruteforce
~/go/bin/ldapnomnom -server dc01.example.com -dnsdomain example.com -input names.txt~/go/bin/ldapnomnom --input xato-top10000 --output nomnom-results.txt --server dc01.example.com -dnsdomain example.com --parallel 4~/go/bin/ldapnomnom --input xato-top10000 --output nomnom-results.txt --server dc01.example.com,dc02.example.com -dnsdomain example.com --parallel 16