Create scan-for-vulns-and-infos.md for LDAP

SUMMARY.md

@@ -103,28 +103,31 @@
 * [Enumerate Domain Users](ldap-protocol/enumerate-users.md)
 * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md)
 * [🆕 Query LDAP](ldap-protocol/query-ldap.md)
-* [ASREPRoast](ldap-protocol/asreproast.md)
 * [Find Domain SID](ldap-protocol/find-domain-sid.md)
-* [Kerberoasting](ldap-protocol/kerberoasting.md)
-* [🆕 Find Misconfigured Delegation](ldap-protocol/find-misconfigured-delegation.md)
-* [Unconstrained Delegation](ldap-protocol/unconstrained-delegation.md)
 * [Admin Count](ldap-protocol/admin-count.md)
 * [Machine Account Quota](ldap-protocol/machine-account-quota.md)
 * [Get User Descriptions](ldap-protocol/get-user-descriptions.md)
-* [Dump gMSA](ldap-protocol/dump-gmsa.md)
-* [Pre2k Computer Account Abuse](ldap-protocol/pre2k.md)
-* [Exploit ESC8 (ADCS)](ldap-protocol/exploit-esc8-adcs.md)
+* [🆕 Find Computer](ldap-protocol/find-computer.md)
 * [Extract Subnet](ldap-protocol/extract-subnet.md)
-* [Check LDAP Signing](ldap-protocol/check-ldap-signing.md)
-* [Read DACL Rights](ldap-protocol/read-dacl-right.md)
-* [Extract gMSA Secrets](ldap-protocol/extract-gmsa-secrets.md)
 * [Bloodhound Ingestor](ldap-protocol/bloodhound-ingestor.md)
 * [🆕 List DC IP / Enum Trust](ldap-protocol/dc-list.md)
-* [🆕 Abuse Domain Trust: Raisechild](ldap-protocol/raisechild.md)
 * [Enumerate Domain Trusts](ldap-protocol/enumerate-trusts.md)
 * [🆕 Enumerate SCCM](ldap-protocol/enumerate-sccm.md)
 * [🆕 Enumerate Entra ID](ldap-protocol/enumerate-entra-id.md)
+* [ASREPRoast](ldap-protocol/asreproast.md)
+* [Kerberoasting](ldap-protocol/kerberoasting.md)
+* [Dump gMSA](ldap-protocol/dump-gmsa.md)
+* [Extract gMSA Secrets](ldap-protocol/extract-gmsa-secrets.md)
+* [🆕 Get User Passwords from LDAP Attributes](ldap-protocol/get-user-passwords.md)
+* [Pre2k Computer Account Abuse](ldap-protocol/pre2k.md)
+* [Exploit ESC8 (ADCS)](ldap-protocol/exploit-esc8-adcs.md)
+* [Read DACL Rights](ldap-protocol/read-dacl-right.md)
 * [🆕 Dump PSO](dump-pso.md)
+* [Check LDAP Signing](ldap-protocol/check-ldap-signing.md)
+* [🆕 Find Misconfigured Delegation](ldap-protocol/find-misconfigured-delegation.md)
+* [Unconstrained Delegation](ldap-protocol/unconstrained-delegation.md)
+* [🆕 Abuse Domain Trust: Raisechild](ldap-protocol/raisechild.md)
+* [🆕 BadSuccessor](ldap-protocol/badsuccessor.md)
 
 ## WINRM protocol
 

ldap-protocol/badsuccessor.md

@@ -0,0 +1,27 @@
+---
+description: Detect the BadSuccessor privilege escalation vulnerability in Active Directory
+---
+
+# BadSuccessor
+
+The `badsuccessor` module checks if any user or group has dangerous permissions (such as `CreateChild`) over an Organizational Unit (OU) in Active Directory. This can be abused via Delegated Managed Service Accounts (DMSA) to escalate privileges.
+
+Based on the research: [Abusing dMSA for Privilege Escalation in Active Directory](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory)
+
+{% hint style="warning" %}
+This vulnerability requires at least one Windows Server 2025 Domain Controller in the domain.
+{% endhint %}
+
+```bash
+nxc ldap <ip> -u <user> -p <pass> -M badsuccessor
+```
+
+The module enumerates OUs and analyzes their DACLs for the following dangerous rights:
+
+* **GenericAll** / **GenericWrite**
+* **CreateChild**
+* **WriteProperties**
+* **WriteDACL** / **WriteOwner**
+* **AllExtendedRights**
+
+Built-in administrative accounts (Domain Admins, Enterprise Admins, Builtin Administrators, SYSTEM) are excluded from results automatically.

ldap-protocol/find-computer.md

@@ -0,0 +1,25 @@
+---
+description: Search for computers in the domain by name or operating system
+---
+
+# Find Computer
+
+The `find-computer` module searches for computer objects in Active Directory matching a given text string against computer names or operating system fields. It also attempts DNS resolution to retrieve the IP address of each result.
+
+```bash
+nxc ldap <ip> -u <user> -p <pass> -M find-computer -o TEXT=<search_string>
+```
+
+| Option | Description | Required |
+|--------|-------------|----------|
+| TEXT   | String to match against computer name or operating system | Yes |
+
+**Examples:**
+
+```bash
+# Find computers running Windows Server 2019
+nxc ldap <ip> -u <user> -p <pass> -M find-computer -o TEXT="Server 2019"
+
+# Find computers with a specific name pattern
+nxc ldap <ip> -u <user> -p <pass> -M find-computer -o TEXT="DC"
+```

ldap-protocol/get-user-passwords.md

@@ -0,0 +1,23 @@
+---
+description: Retrieve plaintext or hashed passwords stored in LDAP user attributes
+---
+
+# Get User Passwords from LDAP Attributes
+
+Some Active Directory environments store passwords in legacy LDAP attributes. The following modules check for credentials left in these fields.
+
+## userPassword Attribute
+
+Retrieves the `userPassword` attribute from all user objects. This attribute may contain plaintext passwords in non-standard or legacy configurations.
+
+```bash
+nxc ldap <ip> -u <user> -p <pass> -M get-userPassword
+```
+
+## unixUserPassword Attribute
+
+Retrieves the `unixUserPassword` attribute from all user objects. Common in Unix-integrated Active Directory environments, this attribute may contain password hashes.
+
+```bash
+nxc ldap <ip> -u <user> -p <pass> -M get-unixUserPassword
+```