LDAPRecon-AI

Active Directory LDAP Security Auditor with AI-Powered Analysis

Enumerate, assess, and score the security posture of your AD environment

English | French

  _     ____    _    ____  ____                          _    ___
 | |   |  _ \  / \  |  _ \|  _ \ ___  ___ ___  _ __    / \  |_ _|
 | |   | | | |/ _ \ | |_) | |_) / _ \/ __/ _ \| '_ \  / _ \  | |
 | |___| |_| / ___ \|  __/|  _ <  __/ (_| (_) | | | |/ ___ \ | |
 |_____|____/_/   \_\_|   |_| \_\___|\___\___/|_| |_/_/   \_\___|

DISCLAIMER / WARNING

This tool is intended for authorized security auditing only. Unauthorized access to computer systems is illegal. Always obtain proper written authorization before performing any security assessment.

This tool is intended solely for authorized security audits. Unauthorized access to computer systems is illegal. Always obtain written authorization before carrying out a security audit.


English

Overview

LDAPRecon-AI is a comprehensive Active Directory LDAP security auditing tool that enumerates users, groups, computers, delegations, GPOs, and trust relationships to assess the security posture of an AD domain. It provides a PingCastle-style score (0-100) with detailed findings mapped to the CIS Benchmark, ANSSI AD Recommendations, and MITRE ATT&CK techniques.

Features

  • User Audit: Kerberoastable accounts, AS-REP roastable, stale passwords, disabled accounts, AdminSDHolder orphans
  • Group Analysis: Privileged group membership, nested membership resolution, large group detection
  • Computer Inventory: Obsolete OS detection, stale computers, LAPS deployment status
  • Delegation Discovery: Unconstrained, constrained, RBCD, protocol transition (T2A4D)
  • Trust Assessment: SID filtering, selective authentication, transitive trust risks
  • Password Policy: CIS compliance check, lockout policy, fine-grained policies
  • Security Scoring: Global 0-100 score with per-category breakdown
  • AI Analysis: Optional OpenAI-powered executive summary with remediation plan
  • Multi-Format Reports: HTML (interactive), JSON, Markdown, CSV

Architecture

LDAPRecon-AI/
  src/ldaprecon_ai/
    __init__.py        # Package initialization
    cli.py             # Rich CLI with subcommands
    enumerator.py      # Core LDAP enumeration engine
    filters.py         # Security-focused LDAP filter library
    models.py          # Pydantic data models
    reporter.py        # Multi-format report generator
    scorer.py          # Security posture scoring engine
  tests/
    conftest.py        # Shared test fixtures
    test_enumerator.py # Enumerator unit tests
    test_filters.py    # Filter unit tests
    test_scorer.py     # Scorer unit tests

Installation

git clone https://github.com/ayinedjimi/LDAPRecon-AI.git
cd LDAPRecon-AI
pip install -e ".[dev]"

Usage

Full Audit

ldaprecon-ai -s dc01.corp.example.com -d corp.example.com \
  -u "CORP\\auditor" -p "P@ssw0rd" audit -o ./reports

User Enumeration (risk accounts only)

ldaprecon-ai -s dc01 -d corp.example.com -u user@corp.example.com \
  -p "P@ssw0rd" users --risk-only --min-score 25

Kerberos Delegation Discovery

ldaprecon-ai -s dc01 -d corp.example.com -u "CORP\\auditor" \
  -p "P@ssw0rd" delegation

Security Score

ldaprecon-ai -s dc01 -d corp.example.com -u "CORP\\auditor" \
  -p "P@ssw0rd" score --json

With AI Analysis

ldaprecon-ai -s dc01 -d corp.example.com -u "CORP\\auditor" \
  -p "P@ssw0rd" --openai-key sk-... audit -o ./reports

Security Checks Performed

| Check | Category | Risk Level | MITRE | CIS | ANSSI |
|---|---|---|---|---|---|
| Kerberoastable accounts | Kerberos | High | T1558.003 | 1.1.4 | AD-R29 |
| AS-REP roastable | Kerberos | High | T1558.004 | - | AD-R29 |
| Unconstrained delegation | Delegation | Critical | T1550.003 | 2.3.10.7 | AD-R26 |
| Password never expires | Passwords | Medium | T1110 | 1.1.5 | AD-R36 |
| Password not required | Passwords | Critical | T1078 | 1.1.3 | AD-R36 |
| DES-only encryption | Kerberos | Critical | T1558 | 2.3.6.1 | AD-R30 |
| Obsolete OS | Computers | High | T1210 | 18.10.43.1 | - |
| SID filtering disabled | Trusts | Critical | T1134.005 | - | AD-R15 |
| Weak password policy | Passwords | Medium | T1110.001 | 1.1.1 | AD-R36 |
| AdminSDHolder orphans | Privileged | Medium | T1078.002 | - | AD-R14 |
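
Several checks in the table above come down to bits in `userAccountControl` plus the presence of an SPN. The following is an added example, not LDAPRecon-AI's own code: it builds the bitwise LDAP filter for one flag and classifies entries offline, using the check names, risk levels and MITRE IDs from the table. `UAC_CHECKS`, `uac_filter`, `findings` and the sample entries are hypothetical names and constructed data; the flag bits and the matching-rule OID are the standard Active Directory values.

```python
# Added example (not LDAPRecon-AI code); sample entries are constructed.
UAC_DISABLED, UAC_DC = 0x0002, 0x2000   # ACCOUNTDISABLE, SERVER_TRUST_ACCOUNT
UAC_UNCONSTRAINED = 0x80000             # TRUSTED_FOR_DELEGATION
BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND

# (check name from the table, userAccountControl bit, risk level, MITRE)
UAC_CHECKS = [
    ("Password not required",    0x0000020, "Critical", "T1078"),
    ("Password never expires",   0x0010000, "Medium",   "T1110"),
    ("Unconstrained delegation", UAC_UNCONSTRAINED, "Critical", "T1550.003"),
    ("DES-only encryption",      0x0200000, "Critical", "T1558"),
    ("AS-REP roastable",         0x0400000, "High",     "T1558.004"),
]

def uac_filter(bit):
    """LDAP filter for enabled user objects that have `bit` set."""
    return (f"(&(objectClass=user)(userAccountControl:{BIT_AND}:={bit})"
            f"(!(userAccountControl:{BIT_AND}:={UAC_DISABLED})))")

def findings(entry):
    """Return [(check, risk, mitre)] for one directory entry (a dict)."""
    uac = int(entry["userAccountControl"])
    if uac & UAC_DISABLED:
        return []                       # disabled accounts are skipped here
    out = []
    for name, bit, risk, mitre in UAC_CHECKS:
        # Domain controllers carry TRUSTED_FOR_DELEGATION by design.
        if bit == UAC_UNCONSTRAINED and uac & UAC_DC:
            continue
        if uac & bit:
            out.append((name, risk, mitre))
    # Kerberoastable: SPN on a user account; "$" names and krbtgt excluded.
    sam = entry["sAMAccountName"].lower()
    if entry.get("servicePrincipalName") and not sam.endswith("$") \
            and sam != "krbtgt":
        out.append(("Kerberoastable accounts", "High", "T1558.003"))
    return out

SAMPLE = [  # constructed entries, not from any real directory
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example.com:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400220},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["ldap/dc01.corp.example.com"]},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["sAMAccountName"], findings(e) or "no findings")
```

The domain controller entry produces no findings because the delegation flag is expected there; treating every name ending in `$` as a machine account is a simplification of checking `sAMAccountType`.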

Running Tests

pytest tests/ -v --tb=short

French

Overview

LDAPRecon-AI is a complete LDAP security auditing tool for Active Directory. It enumerates users, groups, computers, delegations, GPOs and trust relationships to assess the security posture of an AD domain. It provides a PingCastle-style score (0-100) with findings mapped to the CIS Benchmark, ANSSI AD Recommendations and MITRE ATT&CK.

Features

  • User Audit: Kerberoastable accounts, AS-REP roastable, stale passwords, disabled accounts, AdminSDHolder orphans
  • Group Analysis: Privileged group membership, nested resolution, large group detection
  • Computer Inventory: Obsolete OS detection, inactive computers, LAPS deployment
  • Delegation Discovery: Unconstrained, constrained, RBCD, protocol transition
  • Trust Assessment: SID filtering, selective authentication, transitive risks
  • Password Policy: CIS compliance, lockout policy, fine-grained policies
  • Security Scoring: Global 0-100 score with per-category detail
  • AI Analysis: Optional executive summary via OpenAI with remediation plan
  • Multi-Format Reports: HTML (interactive), JSON, Markdown, CSV

Usage

# Full audit
ldaprecon-ai -s dc01.corp.example.com -d corp.example.com \
  -u "CORP\\auditeur" -p "MotDePasse" audit -o ./rapports

# At-risk users only
ldaprecon-ai -s dc01 -d corp.example.com -u auditeur@corp.example.com \
  -p "MotDePasse" users --risk-only

# Security score as JSON
ldaprecon-ai -s dc01 -d corp.example.com -u "CORP\\auditeur" \
  -p "MotDePasse" score --json

Tests

pytest tests/ -v --tb=short

Author

Ayi NEDJIMI

License

MIT License - See LICENSE for details.
