feat: add acl_abuse LDAP module for ACE chain enumeration

[sup3rDav3]

Description

Adds a new LDAP module acl_abuse that enumerates abusable ACEs from a target
principal to other AD objects, surfacing attack paths with inline attack suggestions.

Detections include:

• WriteDACL, GenericAll, WriteOwner on users, groups, computers, and domain root
• ForceChangePassword via extended rights GUID
• WriteProperty on member (group abuse), servicePrincipalName (Kerberoast path),
  msDS-KeyCredentialLink (shadow credentials path)
• DS-Replication-Get-Changes + Get-Changes-All (DCSync path)

This module was developed with the assistance of Claude (Anthropic) via claude.ai.
Claude assisted with debugging LDAP/impacket attribute access and ACE mask value corrections. All code was reviewed, tested, and verified by the author against a live Windows Server 2022 domain controller.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)
• This PR was created with the assistance of AI (Claude via claude.ai — see description above)

Setup guide for the review

Environment:

• Kali Linux (attacker machine)
• Python 3.13
• NetExec installed via poetry in dev mode

Target:

• Windows Server 2022 domain controller
• Domain: ad.local

Test setup — run on DC as Domain Admin:

# Create test accounts New-ADUser -Name "attacker" -SamAccountName "attacker" -AccountPassword (ConvertTo-SecureString "YourPassword123!!" -AsPlainText -Force) -Enabled $true New-ADUser -Name "victim" -SamAccountName "victim" -AccountPassword (ConvertTo-SecureString "YourPassword123!!" -AsPlainText -Force) -Enabled $true New-ADUser -Name "svc_test" -SamAccountName "svc_test" -AccountPassword (ConvertTo-SecureString "YourPassword123!!" -AsPlainText -Force) -Enabled $true New-ADGroup -Name "TestGroup" -SamAccountName "TestGroup" -GroupScope Global -GroupCategory Security # Grant attacker WriteDACL on victim $victim = Get-ADUser "victim" $attacker = Get-ADUser "attacker" $acl = Get-Acl "AD:$($victim.DistinguishedName)" $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule( $attacker.SID, "WriteDacl", "Allow"))) Set-Acl "AD:$($victim.DistinguishedName)" $acl # Grant attacker GenericAll on Domain Admins $da = Get-ADGroup "Domain Admins" $acl2 = Get-Acl "AD:$($da.DistinguishedName)" $acl2.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule( $attacker.SID, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, "Allow"))) Set-Acl "AD:$($da.DistinguishedName)" $acl2 # Grant ForceChangePassword on svc_test $svc = Get-ADUser "svc_test" $acl3 = Get-Acl "AD:$($svc.DistinguishedName)" $acl3.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule( $attacker.SID, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, "Allow", [GUID]"00299570-246d-11d0-a768-00aa006e0529"))) Set-Acl "AD:$($svc.DistinguishedName)" $acl3

Run the module:

nxc ldap <DC_IP> -u attacker -p <password> -d <domain> -M acl_abuse nxc ldap <DC_IP> -u attacker -p <password> -d <domain> -M acl_abuse -o SHOW_ALL=true nxc ldap <DC_IP> -u attacker -p <password> -d <domain> -M acl_abuse -o TARGET_USER=otheruser nxc ldap <DC_IP> -u attacker -p <password> -d <domain> -M acl_abuse -o OUTPUT_FILE=/tmp/findings.json

Expected output:

ACL_ABUSE [CRITICAL] WriteDACL on victim -> Modify DACL to grant yourself GenericAll, then escalate ACL_ABUSE [CRITICAL] GenericAll on Domain Admins -> Full object control... ACL_ABUSE [+] ForceChangePassword on svc_test -> Reset target password without knowing current... 

Screenshot:

Checklist:

• I have ran Ruff against my changes
• I have added or updated the tests/e2e_commands.txt file if necessary
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[azoxlpf]

Nice ! Could you replace ldap3 with ldaptypes from impacket ? You can take a look at #1163for reference

[NeffIsBack]

Thanks for the PR! Will test it when I have reviewed the rest of the PRs that have piled up, but I'll do a quick code review for now.

[NeffIsBack]

Quick code review, without diving too deep into the logic

[NeffIsBack]

As @azoxlpf said, please replace it with the impacket equivalent

[NeffIsBack]

Please do such logs in one line. That just wastes space.

[NeffIsBack]

See above

[NeffIsBack]

See above

[NeffIsBack]

Please use conn.search()

[NeffIsBack]

Logic please in one line, otherwise this is confusing

[NeffIsBack]

One line please

[NeffIsBack]

Can both be removed after reworking the rest.

[NeffIsBack]

One line please

[NeffIsBack]

That's at the wrong position. Please sort it into its category

[NeffIsBack]

In general, this has the wrong syntax