diff --git a/SUMMARY.md b/SUMMARY.md index a4ec6f6..ab91a65 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -93,6 +93,7 @@ ## LDAP protocol * [Authentication](ldap-protocol/authentication.md) +* [Scan For Vulns and Informations](ldap-protocol/scan-for-vulns-and-infos.md) * [Enumerate Domain Users](ldap-protocol/enumerate-users.md) * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md) * [🆕 Query LDAP](ldap-protocol/query-ldap.md) diff --git a/ldap-protocol/scan-for-vulns-and-infos.md b/ldap-protocol/scan-for-vulns-and-infos.md new file mode 100644 index 0000000..9487ca9 --- /dev/null +++ b/ldap-protocol/scan-for-vulns-and-infos.md 
@@ -0,0 +1,75 @@ +--- +description: Check if host some vulnerabilities or important things. +--- + +# Scan for Vulnerabilities and Important Things. + +## Scan for Vulnerabilities and Important Things. + +When you start your internal pentest, these are the first modules you should try: + +#### Badsuccessor +This LDAP module checks if a user has "Create all child objects" on any OU. +Based on https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory#credentials + +```bash +nxc ldap -u username -p password -M badsuccessor +``` + +#### Check LDAP Signing + +Using the module `ldap-checker` you can verify if LDAP require channel binding or not. + +```bash +nxc ldap -u username -p password -M ldap-checker +``` + +#### userPassword Attribute +Get userPassword Attribute from all users for potentially credentials in plaintext. + +```bash +nxc ldap -u username -p password -M get-userPassword +``` + +#### unixUserPassword Attribute +Get unixUserPassword Attribute from all users for potentially credentials in plaintext. + +```bash +nxc ldap -u username -p password -M get-unixUserPassword +``` + +#### Network +Extract subnet over an active directory environment. + +```bash +nxc ldap -u username -p password -M get-network +nxc ldap -u username -p password -M get-network -o ONLY_HOSTS=true +nxc ldap -u username -p password -M get-network -o ALL=true +``` + +#### User Descriptions +This LDAP module to look for password inside the user's description. + +```bash +nxc ldap -u username -p password -M get-desc-users +``` +Three options are available: + +* **FILTER**: To look for a string inside the description +* **PASSWORDPOLICY**: To look for password according to the complexity requirements of windows +* **MINLENGTH**: Choose the minimum length of the password (may be obtained from `--pass-pol`) + +#### Find Computers +Find Computers in the domain. 
+ +```bash +nxc ldap -u username -p password -M find-computer +``` + +#### Machine Account Quota + +This module retrieves the MachineAccountQuota domain-level attribute. It's useful to check this value because by default it permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain. + +```bash +nxc ldap -u username -p password -M maq +```
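Review bot: In the SUMMARY.md hunk, the new entry is titled `Scan For Vulns and Informations` while the page it links to is headed `Scan for Vulnerabilities and Important Things.`, so the sidebar and the page disagree, and "Informations" is not a valid English plural. Suggest picking one title, for example "Scan for Vulnerabilities and Information", and using it in SUMMARY.md, in the page's H1 and in the front-matter description.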
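Review bot: In ldap-protocol/scan-for-vulns-and-infos.md, every command block omits the target, e.g. `nxc ldap -u username -p password -M badsuccessor`, so none of the examples runs as pasted; add a target placeholder after `ldap` in each block, e.g. `nxc ldap <ip> -u username -p password -M badsuccessor`. Under "Check LDAP Signing" the text says the module verifies whether LDAP requires channel binding, which does not match the heading; state whether `ldap-checker` reports signing, channel binding or both, and name the section accordingly. The "User Descriptions" section lists FILTER, PASSWORDPOLICY and MINLENGTH but shows no command that passes them; an example in the same `-o KEY=value` form used by the get-network lines would make the options usable. Smaller points: the H1 and H2 are identical and both end in a period, the front-matter description "Check if host some vulnerabilities" is missing a verb, and "This LDAP module to look for password" in the User Descriptions section is not a complete sentence.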