maelstrom -- AD enumeration engine

Maelstrom

35+ enumeration modules across SMB, LDAP, MSSQL,
RDP, FTP, and NFS in a single command

Comprehensive AD enumeration

A NetExec wrapper that replaces manual nxc commands with a single automated scan -- colored output, intelligent caching, and actionable recommendations.

35+ Modules

Users, groups, shares, LAPS, Kerberoastable, delegation, ADCS, gMSA, GPP, PSO, SCCM. Run all at once or pick specific modules.

Multi-Protocol

SMB, LDAP, MSSQL, RDP, FTP, NFS, and VNC in a single scan. Port availability is auto-detected before each module runs.

Multi-Target

CIDR ranges, IP ranges, and target files. Parallel host discovery scans /24 networks in seconds with an aggregate summary.

Multi-Credential

Test multiple credentials with -C creds.txt. Visual share access matrix, admin detection, and access comparison.

Next Steps

Findings generate ready-to-run commands with your credentials auto-filled. Priority-ranked with auto-exploit warnings.

Copy-Paste Output

Clean line-by-line lists of usernames, SPNs, shares, computers. Pipe directly to other tools or save to files.

Zero Dependencies

Only requires Python 3.10+ and NetExec on your PATH. No pip packages, no virtual environments, no build steps.

Proxy Mode

Full proxychains/SOCKS support. Auto-reduces concurrency, increases timeouts, skips incompatible modules.

Findings at a glance

Colored indicators, organized sections, and actionable recommendations -- all from a single command.

============================================
| LDAP Security Configuration for 10.0.0.1 |
============================================

[!] LDAP Signing: NOT REQUIRED
Vulnerable to LDAP relay attacks
[!] Channel Binding: NOT ENFORCED

============================================
| LAPS Deployment Check for 10.0.0.1 |
============================================

[+] Found 15 computer(s) with LAPS configured
[!] Current user CAN read LAPS passwords!

============================================
| Next Steps |
============================================

HIGH PRIORITY (2)
------------------------------------------------------------
LAPS readable on 15 computers
Retrieve LAPS passwords for local admin access
$ nxc ldap 10.0.0.1 -u 'admin' -p 'pass' -M laps

Kerberoastable accounts: svc_sql, svc_backup
Request TGS tickets for offline cracking
$ nxc ldap 10.0.0.1 -u 'admin' -p 'pass' --kerberoasting hashes.txt

Security findings with actionable next steps -- credentials auto-filled from your input.

Pure Python. Zero dependencies.

No pip packages, no build step. Shells out to NetExec for network operations, parses the output, and presents findings with context.

system architecture
01

Parallel Execution

ThreadPoolExecutor runs 36 independent modules with 15 workers. Cache priming runs 7 queries in parallel. Multi-target scans use 5 concurrent workers.

02

Smart Caching

EnumCache stores parsed results from batch LDAP queries. Modules check the cache before making network calls -- 5-10x faster than individual queries.

03

Passive Recon Only

Uses LDAP queries, SMB enumeration, and RPC calls, and never executes commands on targets. Kerberoasting finds SPNs via LDAP only and doesn't request TGS tickets.

04

Credential Safety

Output files created with 0o600 permissions. Debug mode redacts passwords and hashes. Warns on overly permissive credential files.
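
The three behaviours under Credential Safety, sketched as an added example (not Maelstrom's own code). The function names, the set of masked flags, and the creds.txt line format are assumptions; it targets POSIX systems.

```python
import os
import stat
import tempfile

# Hypothetical helpers. -p and -H are the secret-bearing options this page lists.
SECRET_FLAGS = {"-p", "-H"}


def redact_argv(argv):
    """Copy argv for debug logs, masking the value after each secret flag."""
    out, mask_next = [], False
    for arg in argv:
        out.append("****" if mask_next else arg)
        mask_next = (not mask_next) and arg in SECRET_FLAGS
    return out


def write_private(path, text):
    """Write text to path with mode 0o600 set at creation, never world-readable."""
    # O_NOFOLLOW refuses a symlink planted at the output path (POSIX only).
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # tighten a pre-existing file; also corrects odd umasks
        fh.write(text)


def creds_file_warning(path):
    """Return a warning if group or other have any access to path, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return f"{path} has mode {mode:04o}; restrict it with chmod 600"
    return None


def demo():
    """Run against constructed files in a temp dir; returns (output mode, warning)."""
    with tempfile.TemporaryDirectory() as d:
        out = os.path.join(d, "users.txt")
        write_private(out, "svc_sql\nsvc_backup\n")
        creds = os.path.join(d, "creds.txt")
        with open(creds, "w") as fh:
            fh.write("admin:pass\n")  # constructed sample line; format is assumed
        os.chmod(creds, 0o644)
        return stat.S_IMODE(os.stat(out).st_mode), creds_file_warning(creds)


if __name__ == "__main__":
    print(redact_argv(["nxc", "ldap", "10.0.0.1", "-u", "admin", "-p", "pass", "-M", "laps"]))
    print(demo())
```

Setting the mode in the os.open call matters: creating the file first and running chmod afterwards leaves a window in which other local users can read it.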


Python 3.10+, NetExec, ThreadPoolExecutor, subprocess, Catppuccin Mocha, pytest, Black

Running in 30 seconds

Clone, install, scan. No Docker, no build step, no config files. Just Python and NetExec.

bash
# Clone and install
$ git clone https://github.com/Real-Fruit-Snacks/maelstrom.git
$ cd maelstrom
$ pip install -e .
# Anonymous enumeration
$ maelstrom 10.0.0.1
# Full enumeration with credentials
$ maelstrom 10.0.0.1 -u admin -p 'Password123' -d CORP
# Scan a whole subnet
$ maelstrom 10.0.0.0/24 -u admin -p pass

With no credentials, Maelstrom auto-probes for null sessions, guest access, and LDAP anonymous binds. If any succeed, enumeration continues automatically.

Supports -H for pass-the-hash, -k for Kerberos, --pfx-cert for certificate auth, and -C creds.txt for multi-credential mode with share access matrix.

Target type is auto-detected -- IPs, hostnames, CIDR notation, IP ranges, and target files all work without flags.