ADSprayGen a command-line utility written in Go that leverages LDAP (Lightweight Directory Access Protocol) to retrieve user attributes. These attributes can then be used to generate possible passwords for the users. A mask is required to generate the passwords, which can contain user attribute placeholders and modifiers for them.

• Installation
  • Option 1: Prebuilt Binary
  • Option 2: Install Using Go
• Usage
  • Mask Placeholders
  • Modifiers
• TODOs
• Common LDAP Errors

Prebuilt binaries of ADSprayGen are provided on the releases page.

Requirements: go1.23 or higher

go install -v github.com/m10x/adspraygen@latest

Example: adspraygen -d domain.local -u m10x -p m10x -s 10.10.10.10 -m 'Foobar{givenName#Reverse}{MonthGerman}{YYYY}!'

• {cn} : Full Name
• {givenName} : First Name
• {sn} : Last Name
• {sAMAccountName} : Logon Name (Pre Windows 2000)
• {rPrincipalName} : Logon Name
• {description} : Description
• {info} : Notes
• {department} : Department
• {I} : City
• {postcalCode} : Postal Code
• Last password change
  • {YYYY} : e.g. 2024
  • {YY} : e.g. 24
  • {MM} : e.g. 01
  • {M} : e.g. 1
  • {SeasonGerman} : e.g. Herbst
  • {SeasonAmerican} : e.g. Fall
  • {SeasonBritish} : e.g. Autumn
  • {MonthGerman} : e.g. Januar
  • {MonthEnglish} : e.g. January

Modifiers can be used to transform attribute values. Multiple modifiers can be chained using #.

• #Upper - Converts text to uppercase
  • Example: {firstName#Upper} → "JOHN"
• #Lower - Converts text to lowercase
  • Example: {firstName#Lower} → "john"
• #Title - Capitalizes first letter of each word
  • Example: {firstName#Title} → "John Smith"
• #Capitalize - Capitalizes only the first letter
  • Example: {firstName#Capitalize} → "John"

• #AlternateLower - Alternates case starting with lowercase
  • Example: {firstName#Alternate} → "jOhN"
• #AlternateUpper - Alternates case starting with uppercase
  • Example: {firstName#AlternateUpper} → "JoHn"

• #Reverse - Reverses the text
  • Example: {firstName#Reverse} → "nhoJ"
• #Pattern(from>to) - Replaces characters according to pattern rules
  • Example: {firstName#Pattern(a>4)} → Replaces all 'a' with '4'
  • Example: {lastName#Pattern(e>3;a>4;i>1)} → Leetspeak conversion
  • Example: {department#Pattern(IT>tech)} → Replaces whole strings
  • Example: {givenName#Pattern(ll>1)} → Replaces multiple characters
  • Example: {userName#Pattern(a>)} → Removes all 'a' characters

• #LeetBasic - Basic leetspeak conversion (A->4, E->3, I->1, O->0)
  • Example: {firstName#LeetBasic} → "J0hn"
• #LeetBasicPlus - Extended leetspeak (Basic + A->@, T->7)
  • Example: {firstName#LeetBasicPlus} → "J0hn"

You can combine multiple modifiers to achieve complex transformations:

{firstName#Upper#Reverse}              // "JOHN" → "NHOJ"
{department#Lower#Pattern(it>tech)}    // "IT Support" → "tech support"
{userName#Camel#LeetBasic}            // "john doe" → "j0hnD03"
{text#AlternateUpper#Pattern(O>0)}    // "hello" → "H3Ll0"

Note: When using special characters in patterns (;, >, (, ), #), you need to escape them with a backslash:

{text#Pattern(a\;b>c)}     // Replaces "a;b" with "c"
{text#Pattern(a\>b>c)}     // Replaces "a>b" with "c"
{text#Pattern(\(x\)>y)}    // Replaces "(x)" with "y"
{text#Pattern(a\#b>c)}     // Replaces "a#b" with "c"

• filter disabled users
• query PDC, so only domain is required
• PSO
• handling of givenName with multiple names

• LDAP Result Code 1 "Operations Error": 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection. - Anonymous/Unauthenticated bind is not possible. Specify a password or NTLM hash.
• LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error - The specified credentials are invalid
• LDAP Result Code 49 "Invalid Credentials": 8009030C: LdapErr: DSID-0C0906B5, comment: AcceptSecurityContext error - Unauthenticated NTLM bind is not possible or specified credentials are not valid.