Ghostline is an interactive bash toolkit that automates Active Directory enumeration by integrating 10+ professional security tools into a single, easy-to-use menu. It supports both passive reconnaissance (no credentials) and active enumeration (with credentials).
- Persistent target configuration (IP / hostname, domain, credentials).
- Custom output directory naming.
- Configuration displayed in every menu header.
- Network scanning (Nmap).
- SMB enumeration (enum4linux-ng).
- RPC null session attacks (rpcclient).
- Anonymous LDAP queries (ldapsearch).
- DNS enumeration (dnsrecon).
- BloodHound data collection.
- Comprehensive SMB enumeration (CrackMapExec).
- AD-integrated DNS dumping (adidnsdump).
- Kerberos pre-auth attacks (GetNPUsers).
- RID cycling enumeration (ridenum).
- Automated full workflow.
- SMB vulnerability scanning.
- Domain secrets extraction (secretsdump).
- Results viewer.
Ghostline targets Debian / Ubuntu / Kali and bundles an installer for every supported tool:
sudo ./install.shOr install manually:
# Debian / Ubuntu / Kali
sudo apt update
sudo apt install -y \
nmap \
samba-common-bin \
ldap-utils \
dnsrecon \
python3 \
python3-pip \
pipx
# Python tools
pipx install crackmapexec
pipx install bloodhound
pipx install impacket
# GitHub-hosted tools
git clone https://github.com/cddmp/enum4linux-ng.git /opt/enum4linux-ng
git clone https://github.com/dirkjanm/adidnsdump.git /opt/adidnsdump
git clone https://github.com/trustedsec/ridenum.git /opt/ridenumgit clone https://github.com/WhiteMuush/Ghostline.git
cd Ghostline
chmod +x ghostline.sh
./ghostline.sh./ghostline.sh
# 1. Configure your target
Main Menu → [1] Configuration Menu
→ [1] Set Target: 192.168.1.10
→ [2] Set Domain: corp.local
→ [0] Back
# 2. Run automated reconnaissance
Main Menu → [4] Special Actions
→ [1] Auto Workflow
# 3. View results
Main Menu → [4] Special Actions
→ [4] View Results# 1. Configure credentials
Main Menu → [1] Configuration Menu
→ [3] Set Credentials
Username: john.doe
Password: ********
# 2. Run BloodHound collection
Main Menu → [3] Active Enumeration
→ [1] BloodHound Collection
# Results saved in: ad_enum_YYYYMMDD_HHMMSS/ghostline.sh Entry point (~50 lines).
install.sh Installs every supported tool.
lib/
├── core.sh Colors (TTY-aware), palette, globals.
├── ui.sh ASCII art and menu rendering.
├── installer.sh Logging, prompting, install primitives.
└── modules/
├── config.sh Target / domain / credentials / output.
├── passive.sh Unauthenticated reconnaissance.
├── active.sh Authenticated enumeration.
└── special.sh Workflows, vuln scans, secrets dump.
docs/
├── ARCHITECTURE.md Layout, boot sequence, helpers, CI.
└── ADDING_A_TOOL.md Recipe for plugging in a new tool.
.github/
├── workflows/ci.yml shellcheck + bash -n + smoke test.
├── ISSUE_TEMPLATE/ Structured bug and tool-request forms.
└── PULL_REQUEST_TEMPLATE.md
See docs/ARCHITECTURE.md for details and CONTRIBUTING.md for the contribution workflow.
All results are saved in a timestamped directory:
ad_enum_20231220_143022/
├── nmap_ad.nmap Nmap normal output
├── nmap_ad.xml Nmap XML (importable)
├── nmap_ad.gnmap Nmap greppable
├── enum4linux-ng.txt Full SMB enumeration
├── rpcclient.txt RPC enumeration results
├── ldap.txt LDAP query results
├── dnsrecon.txt DNS records
├── cme_shares.txt CrackMapExec shares
├── cme_users.txt CrackMapExec users
├── dns.csv AD-integrated DNS dump
├── asreproast.txt AS-REP roastable accounts
├── ridenum.txt RID enumeration
├── smb_vulns.nmap SMB vulnerability scan
├── secrets.txt Domain secrets (NTLM hashes)
└── *.json BloodHound data files
BloodHound:
neo4j console
# Then in BloodHound GUI: Upload Data → select the .json filesNmap XML:
xsltproc nmap_ad.xml -o report.html
nmap -iL nmap_ad.xml --resumeContributions are welcome. See CONTRIBUTING.md for the local setup, the conventions and the PR checklist. To plug in a new tool, docs/ADDING_A_TOOL.md walks through the recipe in under a page.
- Bug reports and tool requests use the templates in .github/ISSUE_TEMPLATE/.
- Security issues should be reported privately — see SECURITY.md.
- Nmap — by Gordon Lyon Network discovery and security auditing tool. Used with NSE scripts for SMB, LDAP, Kerberos and AD enumeration.
- enum4linux-ng — by cddmp Modern SMB enumeration tool (users, groups, shares, policies).
- ldapsearch (OpenLDAP) Native LDAP query utility for extracting domain objects and attributes.
- rpcclient (Samba) RPC interaction tool for querying domain users, groups and SIDs via SMB.
- CrackMapExec — by byt3bl33d3r Swiss army knife for Active Directory: SMB, LDAP, WinRM, MSSQL, and more.
- Impacket — by SecureAuth
Collection of Python scripts for low-level network protocol interaction.
Includes
GetUserSPNs.pyandsecretsdump.py. - BloodHound — by SpecterOps Graph-based Active Directory attack path analysis. Uses bloodhound-python as the data ingestor.
- bloodhound-python — data ingestor CLI collector used by BloodHound.
- adidnsdump — by dirkjanm Enumerates Active Directory–integrated DNS records via LDAP.
- ridenum — by TrustedSec RID cycling tool for enumerating domain users.
- dnsrecon — by DarkOperator DNS reconnaissance tool (alternative: dnsenum).
- Kerbrute — by ropnop Kerberos-based user enumeration and password spraying tool.
- ldapdomaindump — by dirkjanm Dumps LDAP domain information into human-readable reports.
Ghostline is released under the MIT License. Use only against systems you own or have explicit written permission to test.