1 change: 1 addition & 0 deletions SUMMARY.md
@@ -93,6 +93,7 @@
## LDAP protocol

* [Authentication](ldap-protocol/authentication.md)
* [Scan For Vulns and Informations](ldap-protocol/scan-for-vulns-and-infos.md)
* [Enumerate Domain Users](ldap-protocol/enumerate-users.md)
* [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md)
* [🆕 Query LDAP](ldap-protocol/query-ldap.md)
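Review bot: the new entry's title on the added line, "Scan For Vulns and Informations", does not match the page it links to, whose H1 is "Scan for Vulnerabilities and Important Things", and "Informations" is not standard English (the noun is uncountable). Suggest `* [Scan for Vulnerabilities and Important Things](ldap-protocol/scan-for-vulns-and-infos.md)` so the sidebar label, the page title and the capitalisation style of the neighbouring entries ("Enumerate Domain Users", "Enumerate Domain Groups") agree.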
75 changes: 75 additions & 0 deletions ldap-protocol/scan-for-vulns-and-infos.md
@@ -0,0 +1,75 @@
---
description: Check if host some vulnerabilities or important things.
---

# Scan for Vulnerabilities and Important Things.

## Scan for Vulnerabilities and Important Things.

When you start your internal pentest, these are the first modules you should try:

#### Badsuccessor
This LDAP module checks if a user has "Create all child objects" on any OU.
Based on https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory#credentials

```bash
nxc ldap <ip> -u username -p password -M badsuccessor
```

#### Check LDAP Signing

Using the module `ldap-checker` you can verify if LDAP require channel binding or not.

```bash
nxc ldap <ip> -u username -p password -M ldap-checker
```

#### userPassword Attribute
Get userPassword Attribute from all users for potentially credentials in plaintext.

```bash
nxc ldap <ip> -u username -p password -M get-userPassword
```

#### unixUserPassword Attribute
Get unixUserPassword Attribute from all users for potentially credentials in plaintext.

```bash
nxc ldap <ip> -u username -p password -M get-unixUserPassword
```

#### Network
Extract subnet over an active directory environment.

```bash
nxc ldap <ip> -u username -p password -M get-network
nxc ldap <ip> -u username -p password -M get-network -o ONLY_HOSTS=true
nxc ldap <ip> -u username -p password -M get-network -o ALL=true
```

#### User Descriptions
This LDAP module to look for password inside the user's description.

```bash
nxc ldap <ip> -u username -p password -M get-desc-users
```
Three options are available:

* **FILTER**: To look for a string inside the description
* **PASSWORDPOLICY**: To look for password according to the complexity requirements of windows
* **MINLENGTH**: Choose the minimum length of the password (may be obtained from `--pass-pol`)

#### Find Computers
Find Computers in the domain.

```bash
nxc ldap <ip> -u username -p password -M find-computer
```

#### Machine Account Quota

This module retrieves the MachineAccountQuota domain-level attribute. It's useful to check this value because by default it permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain.

```bash
nxc ldap <ip> -u username -p password -M maq
```
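Review bot: the front-matter `description` on the first lines of this file is missing a verb ("Check if host some vulnerabilities or important things.") and the H1 and H2 directly below it repeat the same title, both with a trailing period; suggest `description: Check whether the host has known vulnerabilities or notable settings.` and dropping the duplicate "## Scan for Vulnerabilities and Important Things." heading. Further down, the "Check LDAP Signing" subsection is internally inconsistent: the heading speaks of signing while the sentence under it says `ldap-checker` verifies whether channel binding is required, so the text should state which of the two (or both) the module actually reports. A few sentences also need grammar fixes before merge: "for potentially credentials in plaintext" (twice) reads better as "for credentials potentially stored in plaintext", "This LDAP module to look for password inside the user's description" has no main verb ("This LDAP module looks for passwords in user descriptions"), "windows" in the PASSWORDPOLICY option should be "Windows", and the "Find Computers" subsection could say what the module returns beyond restating its heading.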