diff --git a/SUMMARY.md b/SUMMARY.md index c8455d7..b32df70 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -103,28 +103,31 @@ * [Enumerate Domain Users](ldap-protocol/enumerate-users.md) * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md) * [🆕 Query LDAP](ldap-protocol/query-ldap.md) -* [ASREPRoast](ldap-protocol/asreproast.md) * [Find Domain SID](ldap-protocol/find-domain-sid.md) -* [Kerberoasting](ldap-protocol/kerberoasting.md) -* [🆕 Find Misconfigured Delegation](ldap-protocol/find-misconfigured-delegation.md) -* [Unconstrained Delegation](ldap-protocol/unconstrained-delegation.md) * [Admin Count](ldap-protocol/admin-count.md) * [Machine Account Quota](ldap-protocol/machine-account-quota.md) * [Get User Descriptions](ldap-protocol/get-user-descriptions.md) -* [Dump gMSA](ldap-protocol/dump-gmsa.md) -* [Pre2k Computer Account Abuse](ldap-protocol/pre2k.md) -* [Exploit ESC8 (ADCS)](ldap-protocol/exploit-esc8-adcs.md) +* [🆕 Find Computer](ldap-protocol/find-computer.md) * [Extract Subnet](ldap-protocol/extract-subnet.md) -* [Check LDAP Signing](ldap-protocol/check-ldap-signing.md) -* [Read DACL Rights](ldap-protocol/read-dacl-right.md) -* [Extract gMSA Secrets](ldap-protocol/extract-gmsa-secrets.md) * [Bloodhound Ingestor](ldap-protocol/bloodhound-ingestor.md) * [🆕 List DC IP / Enum Trust](ldap-protocol/dc-list.md) -* [🆕 Abuse Domain Trust: Raisechild](ldap-protocol/raisechild.md) * [Enumerate Domain Trusts](ldap-protocol/enumerate-trusts.md) * [🆕 Enumerate SCCM](ldap-protocol/enumerate-sccm.md) * [🆕 Enumerate Entra ID](ldap-protocol/enumerate-entra-id.md) +* [ASREPRoast](ldap-protocol/asreproast.md) +* [Kerberoasting](ldap-protocol/kerberoasting.md) +* [Dump gMSA](ldap-protocol/dump-gmsa.md) +* [Extract gMSA Secrets](ldap-protocol/extract-gmsa-secrets.md) +* [🆕 Get User Passwords from LDAP Attributes](ldap-protocol/get-user-passwords.md) +* [Pre2k Computer Account Abuse](ldap-protocol/pre2k.md) +* [Exploit ESC8 (ADCS)](ldap-protocol/exploit-esc8-adcs.md) +* [Read DACL Rights](ldap-protocol/read-dacl-right.md) * [🆕 Dump PSO](dump-pso.md) +* [Check 
LDAP Signing](ldap-protocol/check-ldap-signing.md) +* [🆕 Find Misconfigured Delegation](ldap-protocol/find-misconfigured-delegation.md) +* [Unconstrained Delegation](ldap-protocol/unconstrained-delegation.md) +* [🆕 Abuse Domain Trust: Raisechild](ldap-protocol/raisechild.md) +* [🆕 BadSuccessor](ldap-protocol/badsuccessor.md) ## WINRM protocol diff --git a/ldap-protocol/badsuccessor.md b/ldap-protocol/badsuccessor.md new file mode 100644 index 0000000..c3601f3 --- /dev/null +++ b/ldap-protocol/badsuccessor.md @@ -0,0 +1,27 @@ +--- +description: Detect the BadSuccessor privilege escalation vulnerability in Active Directory +--- + +# BadSuccessor + +The `badsuccessor` module checks if any user or group has dangerous permissions (such as `CreateChild`) over an Organizational Unit (OU) in Active Directory. This can be abused via Delegated Managed Service Accounts (DMSA) to escalate privileges. + +Based on the research: [Abusing dMSA for Privilege Escalation in Active Directory](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory) + +{% hint style="warning" %} +This vulnerability requires at least one Windows Server 2025 Domain Controller in the domain. +{% endhint %} + +```bash +nxc ldap -u -p -M badsuccessor +``` + +The module enumerates OUs and analyzes their DACLs for the following dangerous rights: + +* **GenericAll** / **GenericWrite** +* **CreateChild** +* **WriteProperties** +* **WriteDACL** / **WriteOwner** +* **AllExtendedRights** + +Built-in administrative accounts (Domain Admins, Enterprise Admins, Builtin Administrators, SYSTEM) are excluded from results automatically. diff --git a/ldap-protocol/find-computer.md b/ldap-protocol/find-computer.md new file mode 100644 index 0000000..41a95bf --- /dev/null +++ b/ldap-protocol/find-computer.md 
@@ -0,0 +1,25 @@ +--- +description: Search for computers in the domain by name or operating system +--- + +# Find Computer + +The `find-computer` module searches for computer objects in Active Directory matching a given text string against computer names or operating system fields. It also attempts DNS resolution to retrieve the IP address of each result. + +```bash +nxc ldap -u -p -M find-computer -o TEXT= +``` + +| Option | Description | Required | +|--------|-------------|----------| +| TEXT | String to match against computer name or operating system | Yes | + +**Examples:** + +```bash +# Find computers running Windows Server 2019 +nxc ldap -u -p -M find-computer -o TEXT="Server 2019" + +# Find computers with a specific name pattern +nxc ldap -u -p -M find-computer -o TEXT="DC" +``` diff --git a/ldap-protocol/get-user-passwords.md b/ldap-protocol/get-user-passwords.md new file mode 100644 index 0000000..ab472ba --- /dev/null +++ b/ldap-protocol/get-user-passwords.md @@ -0,0 +1,23 @@ +--- +description: Retrieve plaintext or hashed passwords stored in LDAP user attributes +--- + +# Get User Passwords from LDAP Attributes + +Some Active Directory environments store passwords in legacy LDAP attributes. The following modules check for credentials left in these fields. + +## userPassword Attribute + +Retrieves the `userPassword` attribute from all user objects. This attribute may contain plaintext passwords in non-standard or legacy configurations. + +```bash +nxc ldap -u -p -M get-userPassword +``` + +## unixUserPassword Attribute + +Retrieves the `unixUserPassword` attribute from all user objects. Common in Unix-integrated Active Directory environments, this attribute may contain password hashes. + +```bash +nxc ldap -u -p -M get-unixUserPassword +```
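Review bot: the `Dump PSO` entry in the SUMMARY.md hunk still links to `dump-pso.md` without the `ldap-protocol/` prefix that every neighbouring entry uses; since this hunk already rewrites the whole list, fix that path in the same change (`* [🆕 Dump PSO](ldap-protocol/dump-pso.md)`) or confirm the file really lives at the repository root. Separately, the reorder removes and re-adds roughly a dozen unchanged entries so that enumeration modules come first and ASREPRoast, Kerberoasting, gMSA, Pre2k, ESC8, DACL, delegation, Raisechild and BadSuccessor are grouped at the end, but nothing in the rendered list marks that grouping, so a reader only sees a changed order. Either add the sub-headings the grouping implies or keep the hunk to the three genuinely new lines (`BadSuccessor`, `Find Computer`, `Get User Passwords from LDAP Attributes`) so the diff stays reviewable.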
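Review bot: badsuccessor.md never says whether the module checks the Windows Server 2025 prerequisite its warning hint mentions, or only reports OU permissions; as written, a domain with no 2025 domain controller will still produce "dangerous rights" findings that cannot be abused through dMSA, so document that the operator (or the module itself) must verify the DC version before treating a hit as an escalation path. The rights list should also state whether inherited ACEs and OU ownership are evaluated, and whether `CreateChild` is reported for any child object class or only for the dMSA class, because an OU where a principal may create only, say, computer objects is a different finding. Finally, the exclusion of Domain Admins, Enterprise Admins, Builtin Administrators and SYSTEM is described as automatic with no way to turn it off; a defender auditing OU DACLs usually wants the complete list, so consider an option for it and an option table like the one in find-computer.md.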
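Review bot: find-computer.md says TEXT is matched "against computer names or operating system fields" but not how: substring or exact, case-sensitive or not, and whether LDAP wildcards in TEXT are honoured or escaped before the value is placed in the search filter. That last point matters because TEXT is operator input that ends up inside an LDAP filter; document that it is escaped per RFC 4515 (or that `*` is intentionally passed through), and name the attributes searched so that `TEXT="DC"` is understood to match any computer whose name or OS string contains "DC", not only domain controllers. The DNS resolution sentence should likewise state which resolver is used (the DC given on the command line or the host's default) and what is printed when a name does not resolve, since a computer object that no longer resolves is a useful signal for stale accounts.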
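Review bot: the two module names in get-user-passwords.md, `get-userPassword` and `get-unixUserPassword`, use camelCase while the other modules in this patch (`badsuccessor`, `find-computer`) are lowercase; confirm these are the exact names the `-M` loader expects and, if module lookup is case-sensitive, either rename them to the hyphenated style or call out the casing explicitly. The page should also say how retrieved values are displayed: `userPassword` may hold plaintext and `unixUserPassword` hashes, and both end up in console output and any nxc log file, so the description ought to tell operators to treat that output as credential material. A one-line remediation pointer (clear these attributes and stop populating them, since they are readable with the same ordinary credentials the module runs with) would make the page useful to defenders as well as to the auditor running the check.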