nxc-ldap 命令

常用示例

说明

nxc ldap is the LDAP protocol module of NetExec (formerly CrackMapExec). It performs Active Directory enumeration and attacks via the LDAP protocol against domain controllers. The module supports authentication via passwords, NTLM hashes, and Kerberos tickets. It can enumerate users, groups, computers, policies, and delegation settings, as well as perform Kerberoasting and AS-REP roasting attacks.

参数

-u _USER_

Username for authentication.

-p _PASSWORD_

Password for authentication.

-H _HASH_

NTLM hash for pass-the-hash authentication.

-k

Use Kerberos authentication.

--use-kcache

Use Kerberos credential cache.

-d _DOMAIN_

Domain to authenticate to.

--port _PORT_

LDAP port (default: 389).

--users

Enumerate domain users.

--active-users

Enumerate active (non-disabled) domain users.

--groups

Enumerate domain groups.

--computers

Enumerate domain computers.

--dc-list

List domain controllers.

--get-sid

Get domain SID.

--pass-pol

Get password policy.

--gmsa

Enumerate Group Managed Service Accounts.

--kerberoasting _FILE_

Perform Kerberoasting and save hashes to file.

--asreproast _FILE_

Perform AS-REP roasting and save hashes to file.

--trusted-for-delegation

Find accounts trusted for delegation.

--password-not-required

Find accounts that do not require a password.

--admin-count

Find accounts with adminCount=1.

--bloodhound

Collect data for BloodHound.

--query _FILTER_

Custom LDAP query filter.

--base-dn _DN_

Base DN for LDAP queries.

-M _MODULE_

Run a specific LDAP module.