From 15916086af19ee7c662fc9b87af90e9e2375bf09 Mon Sep 17 00:00:00 2001 From: termanix <50464194+termanix@users.noreply.github.com> Date: Mon, 26 May 2025 21:02:47 +0300 Subject: [PATCH 1/3] Create scan-for-vulns-and-infos.md for LDAP --- ldap-protocol/scan-for-vulns-and-infos.md | 75 +++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 ldap-protocol/scan-for-vulns-and-infos.md diff --git a/ldap-protocol/scan-for-vulns-and-infos.md b/ldap-protocol/scan-for-vulns-and-infos.md new file mode 100644 index 0000000..9487ca9 --- /dev/null +++ b/ldap-protocol/scan-for-vulns-and-infos.md 
@@ -0,0 +1,75 @@ +--- +description: Check if host some vulnerabilities or important things. +--- + +# Scan for Vulnerabilities and Important Things. + +## Scan for Vulnerabilities and Important Things. + +When you start your internal pentest, these are the first modules you should try: + +#### Badsuccessor +This LDAP module checks if a user has "Create all child objects" on any OU. +Based on https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory#credentials + +```bash +nxc ldap -u username -p password -M badsuccessor +``` + +#### Check LDAP Signing + +Using the module `ldap-checker` you can verify if LDAP require channel binding or not. + +```bash +nxc ldap -u username -p password -M ldap-checker +``` + +#### userPassword Attribute +Get userPassword Attribute from all users for potentially credentials in plaintext. + +```bash +nxc ldap -u username -p password -M get-userPassword +``` + +#### unixUserPassword Attribute +Get unixUserPassword Attribute from all users for potentially credentials in plaintext. + +```bash +nxc ldap -u username -p password -M get-unixUserPassword +``` + +#### Network +Extract subnet over an active directory environment. + +```bash +nxc ldap -u username -p password -M get-network +nxc ldap -u username -p password -M get-network -o ONLY_HOSTS=true +nxc ldap -u username -p password -M get-network -o ALL=true +``` + +#### User Descriptions +This LDAP module to look for password inside the user's description. + +```bash +nxc ldap -u username -p password -M get-desc-users +``` +Three options are available: + +* **FILTER**: To look for a string inside the description +* **PASSWORDPOLICY**: To look for password according to the complexity requirements of windows +* **MINLENGTH**: Choose the minimum length of the password (may be obtained from `--pass-pol`) + +#### Find Computers +Find Computers in the domain. 
+ +```bash +nxc ldap -u username -p password -M find-computer +``` + +#### Machine Account Quota + +This module retrieves the MachineAccountQuota domain-level attribute. It's useful to check this value because by default it permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain. + +```bash +nxc ldap -u username -p password -M maq +``` From 76aa9d048f288332c22a50f68fbe04a165a0a3e8 Mon Sep 17 00:00:00 2001 From: termanix <50464194+termanix@users.noreply.github.com> Date: Mon, 26 May 2025 21:04:20 +0300 Subject: [PATCH 2/3] Update SUMMARY.md --- SUMMARY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SUMMARY.md b/SUMMARY.md index a4ec6f6..fbdf663 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -93,6 +93,7 @@ ## LDAP protocol * [Authentication](ldap-protocol/authentication.md) +* [Scan For Vulns and Informations](scan-for-vulns-and-infos.md) * [Enumerate Domain Users](ldap-protocol/enumerate-users.md) * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md) * [🆕 Query LDAP](ldap-protocol/query-ldap.md) From 3d1415fc1d2795010aaad1871a116fe5918fb2d7 Mon Sep 17 00:00:00 2001 From: termanix <50464194+termanix@users.noreply.github.com> Date: Mon, 26 May 2025 21:08:53 +0300 Subject: [PATCH 3/3] Update SUMMARY.md --- SUMMARY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SUMMARY.md b/SUMMARY.md index fbdf663..ab91a65 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -93,7 +93,7 @@ ## LDAP protocol * [Authentication](ldap-protocol/authentication.md) -* [Scan For Vulns and Informations](scan-for-vulns-and-infos.md) +* [Scan For Vulns and Informations](ldap-protocol/scan-for-vulns-and-infos.md) * [Enumerate Domain Users](ldap-protocol/enumerate-users.md) * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md) * [🆕 Query LDAP](ldap-protocol/query-ldap.md)
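Review bot: In the new ldap-protocol/scan-for-vulns-and-infos.md, every `nxc ldap` example omits the target, for instance `nxc ldap -u username -p password -M badsuccessor`. nxc takes the target host right after the protocol name, so each command needs a target placeholder before `-u`, written the way the other pages of this wiki write it. Also in this file: the "Check LDAP Signing" heading and its sentence ("verify if LDAP require channel binding or not") name two different controls, so say which one the module reports, or name both. The H1 and the H2 are the same line repeated with a trailing period, so drop one. The get-desc-users section lists FILTER, PASSWORDPOLICY and MINLENGTH but never shows one being passed with `-o`, as the get-network examples do.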
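Review bot: In patch 2/3, the added SUMMARY.md entry links to `scan-for-vulns-and-infos.md` without the `ldap-protocol/` directory that every neighbouring entry carries and where patch 1/3 created the file, so the link is dead at this commit. Patch 3/3 corrects the path; squash 2/3 and 3/3 so that no commit in the series ships a broken link.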
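Review bot: In patch 3/3, the corrected entry keeps the link text "Scan For Vulns and Informations", which does not match the page title "Scan for Vulnerabilities and Important Things" set in patch 1/3, and "Informations" should be "Information". Pick one title and use it in both the page and SUMMARY.md. The subject "Update SUMMARY.md" is identical to patch 2/3 and does not say what changed; state that it fixes the link path.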