Active Directory Security Assessment & Attack Surface Analysis
An open-source penetration testing tool to evaluate AD security, identify misconfigurations, and map exploitation paths before attackers do.
π The Hidden Risks of Active Directory
Over time, every Active Directory environment accumulates operational and security debt.
What often begins as a well structured and controlled infrastructure gradually degrades through years of:
- π« Orphaned test and temporary accounts
- π« Service accounts that are never reviewed or decommissioned
- π« Excessive or misconfigured delegations
- π« Weak or inconsistent password policies
- π« Privileged group memberships left unchanged for extended periods
This lack of continuous governance often amplified by team turnover and insufficient visibility significantly expands the attack surface.
The result is an environment that appears compliant and secure on paper, yet conceals critical weaknesses that enable lateral movement, persistence, and privilege escalation for both internal and external attackers.
While PingCastle, PurpleKnight, and ORADAD are excellent tools, they have fundamental limitations:
| Aspect | PingCastle / PurpleKnight | ORADAD | ADcheck |
|---|---|---|---|
| Open Source | Licensed | Yes | Yes |
| Focus | Compliance & Maturity Scoring | Data Collection Only | Attack Surface |
| Actionable Results | Maturity Reports | Manual Analysis Required | Direct Interpretation |
| Platform | Windows Only | Windows Only | Cross-Platform |
| Pentest-Oriented | Limited | Limited | Built for Pentesters |
ADcheck doesn't measure domain "maturity" it analyzes your attack surface:
β What are the administrative flaws?
β Which delegations can be abused?
β What accounts pose real compromise risk?
β What lateral movement paths exist?
The output provides direct interpretation, not raw data answers you can act on immediately.
Detect account-level vulnerabilities and misconfigurations:
Click to expand/collapse
- Admin accounts that can be delegated
- Admin accounts not in "Protected Users" group
- Accounts which can use DES authentication
- Accounts vulnerable to ASRepRoasting attack
- Accounts with
altSecurityIdentitiesattributes - Accounts with
userPasswordattributes - Accounts with
unixUserPasswordattributes - Accounts with
unicodePwdattributes - Accounts with
msDS-HostServiceAccountattribute - Accounts with blank password
- Accounts vulnerable to KerbeRoasting attack
- Locked accounts
- Number of accounts which have never expiring passwords
- Number of accounts with identical passwords
- Number of inactive accounts
- Number of accounts in "Schema Admins" group
- Accounts which have reversible passwords
- Accounts vulnerable to timeroasting attack
- Accounts that had admin rights in the past
- Accounts with password not required
- Name of Pre-Windows 2000 Compatible Access group members
- Get List of users in Privesc group
- Get Users with description
- Verify if The native administrator account has been used recently
- Get Group Managed Service Accounts
Verify security policy compliance and endpoint hardening:
Click to expand/collapse
- Get Audit Policy
- Get Default password policy
- Get Group Policy Object by Organizational Unit
- Name of Group Policy containing a password
- Verify if Force logoff when logon hours expire
- Verify if MSI packages are always installed with elevated privileges
- Verify if CredentialGuard is enabled
- Verify if LM hash storage disabled
- Verify if Authentication limited to NTLMv2 mechanism only
- Verify if AppLocker rules defined
- Verify if gpp_autologon is enabled
- Verify if Bitlocker is enabled
- Verify if Firewall is disabled
- Verify if IPv4 preferred over IPv6
- Verify if LLMNR, NetBIOS or mDNS is enabled
- Verify if Too many logons are kept in the LSA cache
- Verify if Lsass runs as a protected process
- Verify if Powershell v2 is enabled
- Verify if Powershell events are logged
- Verify if Powershell is configured in Restricted mode
- Verify if RDP use NLA
- Verify if RDP is secured over pass the hash attack
- Verify if RDP session timeout is too short
- Verify if UAC configuration is secure
- Verify if WDigest authentication enabled
- Verify if WPAD is disabled
- Verify if Windows Script Host is disabled
- Verify if WSUS server is not used
- Get Name of AMSI installed
- Trusted Root Certification Authorities status
Assess domain-wide architecture and security posture:
Click to expand/collapse
- Computers with bitlocker keys
- Get Domain Controllers
- Get Functional level of domain
- Get Kerberos config
- Verify if Non-admin users can add up to 10 computer(s) to a domain
- Get Supported Kerberos encryption algorithms
- Verify if Kerberos password last changed < 40 days
- Verify if LAPS is installed
- Get Password Settings Object
- Verify if Recycle Bin is enabled
- Verify if The computer was recently backed up
- Verify if The computer is up to date
- Get Supported encryption by Domain Controllers
- Verify if SMB signing is required
- Verify if Spooler service is enabled on remote target
- Verify if LDAP signature was required on target
- Verify if Channel binding is enforced
- Ldap anonymous bind
- DFSR SYSVOL
Uncover privilege abuse vectors and delegation chains:
Click to expand/collapse
- Registry access rights
- Get Control delegations by container
- Get Privilege Rights (SeDebugPrivilege, SeBackupPrivilege, ...)
- Get Authentication policy silos
- Name of Trust accounts for the delegation
- Name of Computers with rbac
- Verify if User can create dns record
- Computers with constrained delegation
- Get Group policy folder/file rights
- WinRM authorization
- Share accessible in read/write by everyone
ADcheck provides readable, structured results with intuitive color-coding:
- π΄ Red β Critical vulnerability or dangerous misconfiguration requiring immediate remediation
- π’ Green β Secure configuration or compliant setting
- βͺ White β Informational reference data
Each finding is directly interpretableβno manual analysis required.
π View a sample HTML report
# 1. Install UV (fastest Python package manager)
pip install uv
# 2. Install ADcheck
uv tool install git+https://github.com/CobblePot59/ADcheck.git
# 3. Run your assessment
ADcheck -d 'example.com' -u 'Administrator' -p 'Password1' --dc-ip '192.168.1.1'# 1. Clone the repository
git clone https://github.com/CobblePot59/ADcheck.git
cd ADcheck
# 2. Install dependencies with UV
uv sync
# 3. Run your assessment
uv run adcheck -d 'example.com' -u 'Administrator' -p 'Password1' --dc-ip '192.168.1.1'
Planned enhancements:
- Trusts
- Azure (Entra ID)
- Persistent attack trace (mimikatz, certipy, ticket, dsrm, acl)
- List of Named pipes
- Verify if Spooler service is enabled on remote target
- Outputs a human readable summary of acls
Before running :
- Use a dedicated testing machine when possible
- Verify authorization for Active Directory auditing
- Notify security/infrastructure teams before running assessments
Best Practices:
- Archive reports for historical trend analysis
- Share findings with infrastructure and security teams for prioritized remediation
- Use results to reconstruct real-world attack scenarios and improve defenses