-
Notifications
You must be signed in to change notification settings - Fork 0
Configuration
The Configuration menu (Main → [1]) sets the four values every other module reads: target, domain, credentials and output directory. The current values are shown in the menu header.
[1] Set Target (IP / Hostname)
[2] Set Domain
[3] Set Credentials
[4] Set Output Directory
[0] Back to Main Menu
All values live in memory for the duration of the session only, nothing is persisted to disk, so credentials never touch a config file.
The IP address or hostname of the machine you are enumerating, usually the Domain Controller.
Target IP/hostname: 192.168.56.10
Used by every module. If you launch a module without a target set, it prompts you for one inline.
The Active Directory domain in dotted form, for example corp.local.
Domain name: corp.local
Required by the LDAP, DNS, BloodHound, adidnsdump, GetNPUsers and secretsdump modules. Ghostline converts the dotted domain into an LDAP base DN automatically (corp.local → dc=corp,dc=local) for the LDAP queries.
Username and password for authenticated (Active) enumeration.
Username: john.doe
Password: ******** (typed silently, not echoed)
The password prompt does not echo characters. Credentials are needed for the whole Active Enumeration menu and for secretsdump. Passive modules ignore them.
Process-list exposure. Tools like CrackMapExec, secretsdump and adidnsdump receive the password as a command-line argument, so it is briefly visible to other local users via
ps//procwhile the tool runs. Only run Ghostline on hosts you trust. See Legal & Safe Use.
Where results are written. Defaults to a timestamped name generated at launch:
ad_enum_YYYYMMDD_HHMMSS
You can override it:
Directory name [ad_enum_20231220_143022]: engagement-acme
The directory is created automatically the first time any module writes to it (you do not need to mkdir it). Paths are relative to where you launched ghostline.sh, so run Ghostline from your engagement workspace. See Output & Results for the file layout.
| Module group | Needs target | Needs domain | Needs credentials |
|---|---|---|---|
| Nmap, SMB vuln scan | ✅ | — | — |
| enum4linux-ng, rpcclient | ✅ | — | — |
| LDAP search | ✅ | ✅ | — |
| DNS enumeration | ✅ | ✅ | — |
| BloodHound, adidnsdump | ✅ | ✅ | ✅ |
| CrackMapExec | ✅ | — | ✅ |
| GetNPUsers | ✅ | ✅ | — (uses -no-pass) |
| RID enumeration | ✅ | — | — |
| secretsdump | ✅ | ✅ | ✅ |
Any missing required value is requested on the spot when you start the module, so you can also configure values lazily as you go.
Ghostline — Active Directory enumeration toolkit by Melvin PETIT · MIT License ·
Getting set up
Enumeration
Reference