From 15916086af19ee7c662fc9b87af90e9e2375bf09 Mon Sep 17 00:00:00 2001 From: termanix <50464194+termanix@users.noreply.github.com> Date: Mon, 26 May 2025 21:02:47 +0300 Subject: [PATCH 1/4] Create scan-for-vulns-and-infos.md for LDAP --- ldap-protocol/scan-for-vulns-and-infos.md | 75 +++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 ldap-protocol/scan-for-vulns-and-infos.md diff --git a/ldap-protocol/scan-for-vulns-and-infos.md b/ldap-protocol/scan-for-vulns-and-infos.md new file mode 100644 index 0000000..9487ca9 --- /dev/null +++ b/ldap-protocol/scan-for-vulns-and-infos.md 
@@ -0,0 +1,75 @@ +--- +description: Check if host some vulnerabilities or important things. +--- + +# Scan for Vulnerabilities and Important Things. + +## Scan for Vulnerabilities and Important Things. + +When you start your internal pentest, these are the first modules you should try: + +#### Badsuccessor +This LDAP module checks if a user has "Create all child objects" on any OU. +Based on https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory#credentials + +```bash +nxc ldap -u username -p password -M badsuccessor +``` + +#### Check LDAP Signing + +Using the module `ldap-checker` you can verify if LDAP require channel binding or not. + +```bash +nxc ldap -u username -p password -M ldap-checker +``` + +#### userPassword Attribute +Get userPassword Attribute from all users for potentially credentials in plaintext. + +```bash +nxc ldap -u username -p password -M get-userPassword +``` + +#### unixUserPassword Attribute +Get unixUserPassword Attribute from all users for potentially credentials in plaintext. + +```bash +nxc ldap -u username -p password -M get-unixUserPassword +``` + +#### Network +Extract subnet over an active directory environment. + +```bash +nxc ldap -u username -p password -M get-network +nxc ldap -u username -p password -M get-network -o ONLY_HOSTS=true +nxc ldap -u username -p password -M get-network -o ALL=true +``` + +#### User Descriptions +This LDAP module to look for password inside the user's description. + +```bash +nxc ldap -u username -p password -M get-desc-users +``` +Three options are available: + +* **FILTER**: To look for a string inside the description +* **PASSWORDPOLICY**: To look for password according to the complexity requirements of windows +* **MINLENGTH**: Choose the minimum length of the password (may be obtained from `--pass-pol`) + +#### Find Computers +Find Computers in the domain. 
+ +```bash +nxc ldap -u username -p password -M find-computer +``` + +#### Machine Account Quota + +This module retrieves the MachineAccountQuota domain-level attribute. It's useful to check this value because by default it permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain. + +```bash +nxc ldap -u username -p password -M maq +``` From 76aa9d048f288332c22a50f68fbe04a165a0a3e8 Mon Sep 17 00:00:00 2001 From: termanix <50464194+termanix@users.noreply.github.com> Date: Mon, 26 May 2025 21:04:20 +0300 Subject: [PATCH 2/4] Update SUMMARY.md --- SUMMARY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SUMMARY.md b/SUMMARY.md index a4ec6f6..fbdf663 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -93,6 +93,7 @@ ## LDAP protocol * [Authentication](ldap-protocol/authentication.md) +* [Scan For Vulns and Informations](scan-for-vulns-and-infos.md) * [Enumerate Domain Users](ldap-protocol/enumerate-users.md) * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md) * [🆕 Query LDAP](ldap-protocol/query-ldap.md) From 3d1415fc1d2795010aaad1871a116fe5918fb2d7 Mon Sep 17 00:00:00 2001 From: termanix <50464194+termanix@users.noreply.github.com> Date: Mon, 26 May 2025 21:08:53 +0300 Subject: [PATCH 3/4] Update SUMMARY.md --- SUMMARY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SUMMARY.md b/SUMMARY.md index fbdf663..ab91a65 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -93,7 +93,7 @@ ## LDAP protocol * [Authentication](ldap-protocol/authentication.md) -* [Scan For Vulns and Informations](scan-for-vulns-and-infos.md) +* [Scan For Vulns and Informations](ldap-protocol/scan-for-vulns-and-infos.md) * [Enumerate Domain Users](ldap-protocol/enumerate-users.md) * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md) * [🆕 Query LDAP](ldap-protocol/query-ldap.md) From 0b01d0fff6de6bfbfde97c8caaa4784779902382 Mon Sep 17 00:00:00 2001 
From: termanix Date: Sat, 4 Apr 2026 18:30:36 +0300 Subject: [PATCH 4/4] Revise LDAP docs: replace aggregate page with individual module pages. badsucc, find-comp, get-user-pass --- SUMMARY.md | 26 ++++---- ldap-protocol/badsuccessor.md | 27 ++++++++ ldap-protocol/find-computer.md | 25 ++++++++ ldap-protocol/get-user-passwords.md | 23 +++++++ ldap-protocol/scan-for-vulns-and-infos.md | 75 ----------------------- 5 files changed, 89 insertions(+), 87 deletions(-) create mode 100644 ldap-protocol/badsuccessor.md create mode 100644 ldap-protocol/find-computer.md create mode 100644 ldap-protocol/get-user-passwords.md delete mode 100644 ldap-protocol/scan-for-vulns-and-infos.md diff --git a/SUMMARY.md b/SUMMARY.md index e359106..b32df70 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -100,32 +100,34 @@ ## LDAP protocol * [Authentication](ldap-protocol/authentication.md) -* [Scan For Vulns and Informations](ldap-protocol/scan-for-vulns-and-infos.md) * [Enumerate Domain Users](ldap-protocol/enumerate-users.md) * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md) * [🆕 Query LDAP](ldap-protocol/query-ldap.md) -* [ASREPRoast](ldap-protocol/asreproast.md) * [Find Domain SID](ldap-protocol/find-domain-sid.md) -* [Kerberoasting](ldap-protocol/kerberoasting.md) -* [🆕 Find Misconfigured Delegation](ldap-protocol/find-misconfigured-delegation.md) -* [Unconstrained Delegation](ldap-protocol/unconstrained-delegation.md) * [Admin Count](ldap-protocol/admin-count.md) * [Machine Account Quota](ldap-protocol/machine-account-quota.md) * [Get User Descriptions](ldap-protocol/get-user-descriptions.md) -* [Dump gMSA](ldap-protocol/dump-gmsa.md) -* [Pre2k Computer Account Abuse](ldap-protocol/pre2k.md) -* [Exploit ESC8 (ADCS)](ldap-protocol/exploit-esc8-adcs.md) +* [🆕 Find Computer](ldap-protocol/find-computer.md) * [Extract Subnet](ldap-protocol/extract-subnet.md) -* [Check LDAP Signing](ldap-protocol/check-ldap-signing.md) -* [Read DACL Rights](ldap-protocol/read-dacl-right.md) -* [Extract gMSA Secrets](ldap-protocol/extract-gmsa-secrets.md) * [Bloodhound Ingestor](ldap-protocol/bloodhound-ingestor.md) * [🆕 List DC IP / Enum Trust](ldap-protocol/dc-list.md) -* [🆕 Abuse Domain Trust: Raisechild](ldap-protocol/raisechild.md) * [Enumerate Domain Trusts](ldap-protocol/enumerate-trusts.md) * [🆕 Enumerate SCCM](ldap-protocol/enumerate-sccm.md) * [🆕 Enumerate Entra ID](ldap-protocol/enumerate-entra-id.md) +* [ASREPRoast](ldap-protocol/asreproast.md) +* [Kerberoasting](ldap-protocol/kerberoasting.md) +* [Dump gMSA](ldap-protocol/dump-gmsa.md) +* [Extract gMSA Secrets](ldap-protocol/extract-gmsa-secrets.md) +* [🆕 Get User Passwords from LDAP Attributes](ldap-protocol/get-user-passwords.md) +* [Pre2k Computer Account Abuse](ldap-protocol/pre2k.md) +* 
[Exploit ESC8 (ADCS)](ldap-protocol/exploit-esc8-adcs.md) +* [Read DACL Rights](ldap-protocol/read-dacl-right.md) * [🆕 Dump PSO](dump-pso.md) +* [Check LDAP Signing](ldap-protocol/check-ldap-signing.md) +* [🆕 Find Misconfigured Delegation](ldap-protocol/find-misconfigured-delegation.md) +* [Unconstrained Delegation](ldap-protocol/unconstrained-delegation.md) +* [🆕 Abuse Domain Trust: Raisechild](ldap-protocol/raisechild.md) +* [🆕 BadSuccessor](ldap-protocol/badsuccessor.md) ## WINRM protocol diff --git a/ldap-protocol/badsuccessor.md b/ldap-protocol/badsuccessor.md new file mode 100644 index 0000000..c3601f3 --- /dev/null +++ b/ldap-protocol/badsuccessor.md @@ -0,0 +1,27 @@ +--- +description: Detect the BadSuccessor privilege escalation vulnerability in Active Directory +--- + +# BadSuccessor + +The `badsuccessor` module checks if any user or group has dangerous permissions (such as `CreateChild`) over an Organizational Unit (OU) in Active Directory. This can be abused via Delegated Managed Service Accounts (DMSA) to escalate privileges. + +Based on the research: [Abusing dMSA for Privilege Escalation in Active Directory](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory) + +{% hint style="warning" %} +This vulnerability requires at least one Windows Server 2025 Domain Controller in the domain. +{% endhint %} + +```bash +nxc ldap -u -p -M badsuccessor +``` + +The module enumerates OUs and analyzes their DACLs for the following dangerous rights: + +* **GenericAll** / **GenericWrite** +* **CreateChild** +* **WriteProperties** +* **WriteDACL** / **WriteOwner** +* **AllExtendedRights** + +Built-in administrative accounts (Domain Admins, Enterprise Admins, Builtin Administrators, SYSTEM) are excluded from results automatically. diff --git a/ldap-protocol/find-computer.md b/ldap-protocol/find-computer.md new file mode 100644 index 0000000..41a95bf --- /dev/null +++ b/ldap-protocol/find-computer.md 
@@ -0,0 +1,25 @@ +--- +description: Search for computers in the domain by name or operating system +--- + +# Find Computer + +The `find-computer` module searches for computer objects in Active Directory matching a given text string against computer names or operating system fields. It also attempts DNS resolution to retrieve the IP address of each result. + +```bash +nxc ldap -u -p -M find-computer -o TEXT= +``` + +| Option | Description | Required | +|--------|-------------|----------| +| TEXT | String to match against computer name or operating system | Yes | + +**Examples:** + +```bash +# Find computers running Windows Server 2019 +nxc ldap -u -p -M find-computer -o TEXT="Server 2019" + +# Find computers with a specific name pattern +nxc ldap -u -p -M find-computer -o TEXT="DC" +``` diff --git a/ldap-protocol/get-user-passwords.md b/ldap-protocol/get-user-passwords.md new file mode 100644 index 0000000..ab472ba --- /dev/null +++ b/ldap-protocol/get-user-passwords.md @@ -0,0 +1,23 @@ +--- +description: Retrieve plaintext or hashed passwords stored in LDAP user attributes +--- + +# Get User Passwords from LDAP Attributes + +Some Active Directory environments store passwords in legacy LDAP attributes. The following modules check for credentials left in these fields. + +## userPassword Attribute + +Retrieves the `userPassword` attribute from all user objects. This attribute may contain plaintext passwords in non-standard or legacy configurations. + +```bash +nxc ldap -u -p -M get-userPassword +``` + +## unixUserPassword Attribute + +Retrieves the `unixUserPassword` attribute from all user objects. Common in Unix-integrated Active Directory environments, this attribute may contain password hashes. + +```bash +nxc ldap -u -p -M get-unixUserPassword +``` diff --git a/ldap-protocol/scan-for-vulns-and-infos.md b/ldap-protocol/scan-for-vulns-and-infos.md deleted file mode 100644 index 9487ca9..0000000 --- a/ldap-protocol/scan-for-vulns-and-infos.md +++ /dev/null 
@@ -1,75 +0,0 @@ ---- -description: Check if host some vulnerabilities or important things. ---- - -# Scan for Vulnerabilities and Important Things. - -## Scan for Vulnerabilities and Important Things. - -When you start your internal pentest, these are the first modules you should try: - -#### Badsuccessor -This LDAP module checks if a user has "Create all child objects" on any OU. -Based on https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory#credentials - -```bash -nxc ldap -u username -p password -M badsuccessor -``` - -#### Check LDAP Signing - -Using the module `ldap-checker` you can verify if LDAP require channel binding or not. - -```bash -nxc ldap -u username -p password -M ldap-checker -``` - -#### userPassword Attribute -Get userPassword Attribute from all users for potentially credentials in plaintext. - -```bash -nxc ldap -u username -p password -M get-userPassword -``` - -#### unixUserPassword Attribute -Get unixUserPassword Attribute from all users for potentially credentials in plaintext. - -```bash -nxc ldap -u username -p password -M get-unixUserPassword -``` - -#### Network -Extract subnet over an active directory environment. - -```bash -nxc ldap -u username -p password -M get-network -nxc ldap -u username -p password -M get-network -o ONLY_HOSTS=true -nxc ldap -u username -p password -M get-network -o ALL=true -``` - -#### User Descriptions -This LDAP module to look for password inside the user's description. - -```bash -nxc ldap -u username -p password -M get-desc-users -``` -Three options are available: - -* **FILTER**: To look for a string inside the description -* **PASSWORDPOLICY**: To look for password according to the complexity requirements of windows -* **MINLENGTH**: Choose the minimum length of the password (may be obtained from `--pass-pol`) - -#### Find Computers -Find Computers in the domain. 
- -```bash -nxc ldap -u username -p password -M find-computer -``` - -#### Machine Account Quota - -This module retrieves the MachineAccountQuota domain-level attribute. It's useful to check this value because by default it permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain. - -```bash -nxc ldap -u username -p password -M maq -```
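Review bot: In the scan-for-vulns-and-infos.md hunk of patch 1, the "Find Computers" example `nxc ldap -u username -p password -M find-computer` omits the `TEXT` option that the later find-computer.md page documents as required, so as written the example does not run; add `-o TEXT=<string>`. The page also repeats its title as an identical H1 and H2 ("# Scan for Vulnerabilities and Important Things." / "## Scan for ...", both with a trailing period) and then jumps to `####` sections; drop the H2 and use `##` for the module sections. Smaller points: the frontmatter description "Check if host some vulnerabilities or important things." is ungrammatical; the "Check LDAP Signing" heading is paired with a body that talks about channel binding ("verify if LDAP require channel binding or not"), so the heading and text should agree on what `ldap-checker` reports; "This LDAP module to look for password inside the user's description." is missing its verb; and the Akamai link carries a `#credentials` fragment that the later badsuccessor.md drops.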
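Review bot: In the SUMMARY.md hunk of patch 2, the new entry links to `scan-for-vulns-and-infos.md` without the `ldap-protocol/` prefix that every sibling entry uses, so the summary link is broken at this commit; patch 3 exists only to repair it, so squash the two (both are titled "Update SUMMARY.md"). The entry title "Scan For Vulns and Informations" also does not match the page's own H1, and "Informations" is not standard English; suggest "Scan for Vulnerabilities and Information".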
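Review bot: Patch 3 only corrects the path introduced one commit earlier (`scan-for-vulns-and-infos.md` to `ldap-protocol/scan-for-vulns-and-infos.md`); fold it into patch 2 so the history never contains a commit with a broken summary link, which matters for anyone bisecting or cherry-picking.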
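Review bot: The SUMMARY.md hunk of patch 4 combines three reviewable changes (removing the aggregate page, adding find-computer, get-user-passwords and badsuccessor, and reshuffling roughly fifteen existing entries) into one diff; the reshuffle appears to group enumeration pages first and attack/check pages after, but nothing in the rendered list marks that boundary, so either add sub-headings in the file's existing `##` style or split the reorder into its own commit. While this list is being touched, the unchanged context line `* [🆕 Dump PSO](dump-pso.md)` has the same missing `ldap-protocol/` prefix that patch 2 had to fix.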
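Review bot: In the badsuccessor.md hunk, the usage line `nxc ldap -u -p -M badsuccessor` passes `-u` and `-p` with no values, which will not parse; the page this replaces used `username` and `password`, so restore placeholders such as `-u <username> -p <password>`. The rights list names `WriteProperties`, whereas the AD access right is WriteProperty; and since the description says the module "checks if any user or group has dangerous permissions", it should also state what a finding looks like (which principal, which OU, which right) so a reader knows what to act on.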
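Review bot: In the find-computer.md hunk, the synopsis `nxc ldap -u -p -M find-computer -o TEXT=` has empty values for `-u`, `-p` and `TEXT`, which contradicts the table marking TEXT as required; write it as `-u <username> -p <password> -M find-computer -o TEXT=<string>`. The page should also say how `TEXT` matches (substring, case sensitivity, wildcard) since "matching a given text string against computer names or operating system fields" is ambiguous, and what is shown for a host when the DNS resolution the text says it "attempts" fails.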
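Review bot: In the get-user-passwords.md hunk, both command lines (`nxc ldap -u -p -M get-userPassword` and `... -M get-unixUserPassword`) have empty `-u`/`-p` values, same as the other new pages; restore the placeholders. The module names here are the only mixed-case names in the series (`badsuccessor`, `find-computer`, `maq` are all lowercase), so verify they match the registered module names exactly, since the docs are what users will copy.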
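Review bot: The deletion hunk for ldap-protocol/scan-for-vulns-and-infos.md drops content that the three new pages do not carry: the `get-desc-users` options (FILTER, PASSWORDPOLICY, MINLENGTH with the `--pass-pol` hint) and the three `get-network` invocations (`ONLY_HOSTS=true`, `ALL=true`). SUMMARY.md already lists "Get User Descriptions" and "Extract Subnet" pages, so confirm those pages document these options before this version is removed, and consider moving the "first modules you should try" ordering into a short intro under the LDAP section rather than losing it.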