How to Use the Command 'nxc ldap' (with Examples)

The nxc ldap command is a tool for assessing Windows Active Directory domains over the Lightweight Directory Access Protocol (LDAP). It lets security professionals analyse a domain, identify weaknesses, test domain security, and gather information about the domain environment. It also automates common assessment tasks, such as credential checking, user enumeration, data collection, and techniques like ASREPRoasting and retrieval of managed service account passwords.

Use Case 1: Search for Valid Domain Credentials

Code:

nxc ldap 192.168.178.2 -u path/to/usernames.txt -p path/to/passwords.txt

Motivation:

This use case is essential for security professionals who aim to identify weak or commonly used domain credentials. By automating the process of trying multiple combinations of usernames and passwords, the command helps in determining if there are default, poorly chosen, or reused credentials within the domain, which can be a major security vulnerability.

Explanation:

  • 192.168.178.2: This specifies the IP address of the target domain controller that an attempt is being made to access.
  • -u path/to/usernames.txt: This argument indicates the file path to the list of potential usernames to be tried.
  • -p path/to/passwords.txt: This specifies the file path to the list of potential passwords.

Example Output:

[+] Valid credentials found: john.doe@domain.com:SuperSecretPassword123
[+] Valid credentials found: jane.smith@domain.com:Welcome2023
[-] No valid credentials found for user: james.taylor

Use Case 2: Enumerate Active Domain Users

Code:

nxc ldap 192.168.178.2 -u username -p password --active-users

Motivation:

This use case is important for understanding and mapping the domain's active users. Enumerating active domain users gives security professionals insight into which accounts are currently enabled and could potentially be used for unauthorized access or malicious activity.

Explanation:

  • 192.168.178.2: The IP address of the targeted domain controller.
  • -u username: Specifies the username with sufficient privileges to query the domain.
  • -p password: Corresponding password for the specified user.
  • --active-users: This flag instructs the command to focus on retrieving information about users currently marked as active.

Example Output:

[+] Active Domain Users:
    - alice.j@domain.com
    - bob.k@domain.com
    - carol.l@domain.com

Use Case 3: Collect Data and Import into BloodHound

Code:

nxc ldap 192.168.178.2 -u username -p password --bloodhound --collection All

Motivation:

This use case leverages the command’s capability to gather comprehensive data about a domain, which is crucial for analyzing the security posture and identifying potential attack paths using BloodHound. Automating data collection and import into BloodHound makes it more efficient for security analysts to visualize and interpret complex domain relationships.

Explanation:

  • 192.168.178.2: IP address of the target domain controller.
  • -u username: Command uses this domain user to authenticate against LDAP.
  • -p password: Password for the specified user to allow access.
  • --bloodhound: Triggers the collection of data compatible with BloodHound.
  • --collection All: Specifies that all data types should be collected for a comprehensive analysis.

Example Output:

[+] Gathered data successfully
[+] Data imported to BloodHound: Nodes - 152, Relationships - 326

Use Case 4: Perform an ASREPRoasting Attack

Code:

nxc ldap 192.168.178.2 -u username -p '' --asreproast path/to/output.txt

Motivation:

ASREPRoasting is a technique used during security assessments against accounts configured not to require Kerberos pre-authentication. The KDC's reply for such an account contains material encrypted with a key derived from the account's password, so the captured response can be subjected to offline brute-force attacks to recover the credential.

Explanation:

  • 192.168.178.2: Target’s domain controller IP.
  • -u username: Username of the account to be tested.
  • -p '': An empty password, as pre-authentication is not required.
  • --asreproast: Specifies the intention to perform ASREPRoasting.
  • path/to/output.txt: Path to the output file where captured messages will be stored.

Example Output:

[+] AS-REP Roasting for user alice.j@domain.com
[+] Written to file: path/to/output.txt
[!] No AS-REP responses found for other accounts
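Both --active-users and --asreproast ultimately depend on bits of the LDAP userAccountControl attribute: ACCOUNTDISABLE (0x2) and DONT_REQUIRE_PREAUTH (0x400000). The following is an added example, not NetExec code, that evaluates those bits over a constructed set of directory entries so an auditor can verify which enabled accounts have pre-authentication disabled and need remediation.

```python
# Audit helper for the userAccountControl bits behind the use cases above:
# which accounts are enabled, and which of those do not require Kerberos
# pre-authentication (the condition ASREPRoasting relies on).
# Added example, not NetExec code; the directory entries below are constructed.

# Documented userAccountControl flag values (MS-ADTS / MS-SAMR).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample of what an LDAP search for (objectClass=user) returns,
# reduced to the two attributes this check needs. LDAP returns the integer as
# a decimal string, so one entry keeps that form deliberately.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice.j", "userAccountControl": 512},              # enabled, normal
    {"sAMAccountName": "bob.k", "userAccountControl": "4194816"},          # enabled, 512 | 0x400000
    {"sAMAccountName": "carol.l", "userAccountControl": 514},              # disabled (512 | 0x2)
    {"sAMAccountName": "svc_old", "userAccountControl": 514 | 0x400000},   # disabled, no pre-auth
    {"sAMAccountName": "krbtgt", "userAccountControl": 514},               # disabled by design
]


def is_active(entry):
    """True when the ACCOUNTDISABLE bit is clear, i.e. what --active-users lists."""
    return not int(entry["userAccountControl"]) & UF_ACCOUNTDISABLE


def active_users(entries):
    """Sorted sAMAccountNames of all enabled accounts."""
    return sorted(e["sAMAccountName"] for e in entries if is_active(e))


def preauth_not_required(entries, include_disabled=False):
    """Accounts with DONT_REQUIRE_PREAUTH set.

    Enabled accounts are the immediate finding; pass include_disabled=True to
    also list disabled accounts carrying the flag, which are worth cleaning up
    before someone re-enables them.
    """
    found = []
    for e in entries:
        uac = int(e["userAccountControl"])
        if uac & UF_DONT_REQUIRE_PREAUTH and (include_disabled or not uac & UF_ACCOUNTDISABLE):
            found.append(e["sAMAccountName"])
    return sorted(found)


if __name__ == "__main__":
    print("enabled accounts:", active_users(SAMPLE_ENTRIES))
    print("pre-auth not required (enabled):", preauth_not_required(SAMPLE_ENTRIES))
    print("pre-auth not required (all):", preauth_not_required(SAMPLE_ENTRIES, include_disabled=True))
```

Against a live directory, the same functions would run over the result of an LDAP search returning sAMAccountName and userAccountControl; only the entry list changes.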

Use Case 5: Extract Passwords of Group Managed Service Accounts

Code:

nxc ldap 192.168.178.2 -u username -p password --gmsa

Motivation:

Extracting passwords for Group Managed Service Accounts (GMSAs) is an advanced operation that can reveal critical insights into domain configurations and potential misconfigurations. These accounts often have elevated privileges, making them attractive targets during a security test.

Explanation:

  • 192.168.178.2: IP address of the domain controller being interrogated.
  • -u username: Indicates the account used for executing the query.
  • -p password: Password for the specified user, ensuring valid entry.
  • --gmsa: This flag directs the command to attempt extraction of GMSA passwords.

Example Output:

[!] Insufficient privileges to access GMSA information
or
[+] GMSA Password for account serviceAccountA: ComplexPassword#

Conclusion:

The nxc ldap command is an indispensable tool in the arsenal of security professionals conducting penetration tests and audits of Windows Active Directory environments. Each use case provides unique functionality to uncover potential weaknesses and gather valuable intelligence on the security posture of a domain, facilitating threat mitigation efforts and enhancing overall cybersecurity measures.
