SilentHound - Quietly Enumerate An Active Directory Domain Via LDAP Parsing Users, Admins, Groups, Etc.

Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc. Created by Nick Swink from Layer 8 Security.


Using pipenv (recommended method)

sudo python3 -m pip install --user pipenv
git clone https://github.com/layer8secure/SilentHound.git
cd SilentHound
pipenv install

This will create an isolated virtual environment with dependencies needed for the project. To use the project you can either open a shell in the virtualenv with pipenv shell or run commands directly with pipenv run.

From requirements.txt (legacy)

This method is not recommended because python-ldap can cause many dependency errors.

Install dependencies with pip:

python3 -m pip install -r requirements.txt
python3 silenthound.py -h


$ pipenv run python silenthound.py -h
usage: silenthound.py [-h] [-u USERNAME] [-p PASSWORD] [-o OUTPUT] [-g] [-n] [-k] TARGET domain

Quietly enumerate an Active Directory environment.

positional arguments:
  TARGET                Domain Controller IP
  domain                Dot (.) separated Domain name including both contexts e.g. ACME.com / HOME.local / htb.net

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        LDAP username - not the same as user principal name. E.g. Username: bob.dole might be 'bob
                        dole'
  -p PASSWORD, --password PASSWORD
                        LDAP password - use single quotes 'password'
  -o OUTPUT, --output OUTPUT
                        Name for output files. Creates output files for hosts, users, domain admins, and descriptions
                        in the current working directory.
  -g, --groups          Display Group names with user members.
  -n, --org-unit        Display Organizational Units.
  -k, --keywords        Search for key words in LDAP objects.


A lightweight tool to quickly and quietly enumerate an Active Directory environment. The goal of this tool is to get a Lay of the Land whilst making as little noise on the network as possible. The tool will make one LDAP query that is used for parsing, and create a cache file to prevent further queries/noise on the network. If no credentials are passed it will attempt anonymous BIND.
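Seen from the directory service, the behaviour described above would look like one large search from a client that then goes silent, possibly over an anonymous bind. The following detection sketch is an added example, not part of SilentHound. It assumes the single query is a broad subtree search at the domain root, and the record fields, thresholds and sample events are constructed for illustration rather than taken from a real log schema.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions for this example,
# not a real directory-service log schema.
EVENTS = [
    {"client": "10.0.0.23", "bind": "anonymous", "base": "DC=acme,DC=com",
     "scope": "subtree", "returned": 4812},
    {"client": "10.0.0.40", "bind": "ACME\\svc-app", "base": "OU=Apps,DC=acme,DC=com",
     "scope": "subtree", "returned": 1},
    {"client": "10.0.0.40", "bind": "ACME\\svc-app", "base": "DC=acme,DC=com",
     "scope": "base", "returned": 1},
    {"client": "10.0.0.51", "bind": "ACME\\backup", "base": "dc=ACME,dc=com",
     "scope": "subtree", "returned": 5020},
] + [
    {"client": "10.0.0.51", "bind": "ACME\\backup", "base": "OU=Users,DC=acme,DC=com",
     "scope": "onelevel", "returned": 40} for _ in range(6)
]


def domain_to_base_dn(domain):
    """ACME.com -> dc=acme,dc=com (lower-cased for comparison)."""
    return ",".join(f"dc={part}" for part in domain.lower().split("."))


def find_bulk_reads(events, domain, min_returned=1000, quiet_max=3):
    """Flag clients that pulled the directory in one root-level subtree search."""
    root = domain_to_base_dn(domain)
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    findings = []
    for client, evs in sorted(by_client.items()):
        bulk = [e for e in evs
                if e["scope"] == "subtree"
                and e["base"].replace(" ", "").lower() == root
                and e["returned"] >= min_returned]
        if not bulk:
            continue
        reasons = ["bulk subtree search at domain root"]
        if any(e["bind"] == "anonymous" for e in bulk):
            reasons.append("anonymous bind")
        if len(evs) <= quiet_max:
            reasons.append("few other queries")
        findings.append({"client": client, "returned": max(e["returned"] for e in bulk),
                         "reasons": reasons})
    # Most indicators first, so a quiet anonymous bulk read sorts to the top.
    return sorted(findings, key=lambda f: -len(f["reasons"]))
```

A client such as the constructed backup account, which reads in bulk but keeps querying, is still reported, with fewer indicators than the anonymous one-shot read.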

Using the -o flag writes an output file for each section that is normally printed to stdout. The files created using all flags will be:

-rw-r--r--  1 kali  kali   122 Jun 30 11:37 BASENAME-descriptions.txt
-rw-r--r--  1 kali  kali    60 Jun 30 11:37 BASENAME-domain_admins.txt
-rw-r--r--  1 kali  kali  2620 Jun 30 11:37 BASENAME-groups.txt
-rw-r--r--  1 kali  kali    89 Jun 30 11:37 BASENAME-hosts.txt
-rw-r--r--  1 kali  kali  1940 Jun 30 11:37 BASENAME-keywords.txt
-rw-r--r--  1 kali  kali    66 Jun 30 11:37 BASENAME-org.txt
-rw-r--r--  1 kali  kali   529 Jun 30 11:37 BASENAME-users.txt



  • Parse users belonging to specific OUs
  • Refine output
  • Continuously cleanup code
  • Move towards OOP

For additional feature requests please submit an issue and add the enhancement tag.
