feat: add acl_abuse LDAP module for ACE chain enumeration

[sup3rDav3]

Description

Adds a new LDAP module acl_abuse that enumerates abusable ACEs from a target
principal to other AD objects, surfacing attack paths with inline attack suggestions.

Detections include:

• WriteDACL, GenericAll, WriteOwner on users, groups, computers, and domain root
• ForceChangePassword via extended rights GUID
• WriteProperty on member (group abuse), servicePrincipalName (Kerberoast path),
  msDS-KeyCredentialLink (shadow credentials path)
• DS-Replication-Get-Changes + Get-Changes-All (DCSync path)

This module was developed with the assistance of Claude (Anthropic) via claude.ai.
Claude assisted with debugging LDAP/impacket attribute access and ACE mask value corrections. All code was reviewed, tested, and verified by the author against a live Windows Server 2022 domain controller.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)
• This PR was created with the assistance of AI (Claude via claude.ai — see description above)

Setup guide for the review

Environment:

• Kali Linux (attacker machine)
• Python 3.13
• NetExec installed via poetry in dev mode

Target:

• Windows Server 2022 domain controller
• Domain: ad.local

Test setup — run on DC as Domain Admin:

# Create test accounts
New-ADUser -Name "attacker" -SamAccountName "attacker" -AccountPassword (ConvertTo-SecureString "YourPassword123!!" -AsPlainText -Force) -Enabled $true
New-ADUser -Name "victim" -SamAccountName "victim" -AccountPassword (ConvertTo-SecureString "YourPassword123!!" -AsPlainText -Force) -Enabled $true
New-ADUser -Name "svc_test" -SamAccountName "svc_test" -AccountPassword (ConvertTo-SecureString "YourPassword123!!" -AsPlainText -Force) -Enabled $true
New-ADGroup -Name "TestGroup" -SamAccountName "TestGroup" -GroupScope Global -GroupCategory Security

# Grant attacker WriteDACL on victim
$victim = Get-ADUser "victim"
$attacker = Get-ADUser "attacker"
$acl = Get-Acl "AD:$($victim.DistinguishedName)"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $attacker.SID, "WriteDacl", "Allow")))
Set-Acl "AD:$($victim.DistinguishedName)" $acl

# Grant attacker GenericAll on Domain Admins
$da = Get-ADGroup "Domain Admins"
$acl2 = Get-Acl "AD:$($da.DistinguishedName)"
$acl2.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $attacker.SID, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, "Allow")))
Set-Acl "AD:$($da.DistinguishedName)" $acl2

# Grant ForceChangePassword on svc_test
$svc = Get-ADUser "svc_test"
$acl3 = Get-Acl "AD:$($svc.DistinguishedName)"
$acl3.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $attacker.SID, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, "Allow",
    [GUID]"00299570-246d-11d0-a768-00aa006e0529")))
Set-Acl "AD:$($svc.DistinguishedName)" $acl3

Run the module:

nxc ldap <DC_IP> -u attacker -p <password> -d <domain> -M acl_abuse
nxc ldap <DC_IP> -u attacker -p <password> -d <domain> -M acl_abuse -o SHOW_ALL=true
nxc ldap <DC_IP> -u attacker -p <password> -d <domain> -M acl_abuse -o TARGET_USER=otheruser
nxc ldap <DC_IP> -u attacker -p <password> -d <domain> -M acl_abuse -o OUTPUT_FILE=/tmp/findings.json

Expected output:

ACL_ABUSE  [CRITICAL] WriteDACL on victim -> Modify DACL to grant yourself GenericAll, then escalate
ACL_ABUSE  [CRITICAL] GenericAll on Domain Admins -> Full object control...
ACL_ABUSE  [+] ForceChangePassword on svc_test -> Reset target password without knowing current...

Screenshot:

References

• SpecterOps - An ACE Up the Sleeve
• The Hacker Recipes - ACL Abuse
• Shadow Credentials - Elad Shamir
• DCSync Attack

## Checklist:
- [x] I have ran Ruff against my changes
- [x] I have added or updated the `tests/e2e_commands.txt` file if necessary
- [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [x] I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[azoxlpf]

Nice ! Could you replace ldap3 with ldaptypes from impacket ? You can take a look at #1163for reference

[NeffIsBack]

Thanks for the PR! Will test it when I have reviewed the rest of the PRs that have piled up, but I'll do a quick code review for now.

[NeffIsBack]

Quick code review, without diving too deep into the logic

[NeffIsBack]

As @azoxlpf said, please replace it with the impacket equivalent

[sup3rDav3]

Done.

[NeffIsBack]

Please do such logs in one line. That just wastes space.

[sup3rDav3]

Please do such logs in one line. That just wastes space.

Fixed. All multi-line log calls consolidated to single lines.

[NeffIsBack]

See above

[sup3rDav3]

I think I got all of the multi-line log calls.

[NeffIsBack]

See above

[sup3rDav3]

Got it.

[NeffIsBack]

Please use conn.search()

[sup3rDav3]

Fixed. Using conn.search() directly for user and group lookups in _resolve_principal_sids.

[NeffIsBack]

Logic please in one line, otherwise this is confusing

[sup3rDav3]

Fixed. Consolidated the object_classes ternary onto a single line.

[NeffIsBack]

One line please

[sup3rDav3]

Fixed, thank you.

[NeffIsBack]

Can both be removed after reworking the rest.

[sup3rDav3]

Done. Removed both _ldap_search and _parse_attributes. Now using conn.search() directly and parse_result_attributes from nxc.parsers.ldap_results throughout.

[NeffIsBack]

One line please

[sup3rDav3]

Consolidated to single line.

[NeffIsBack]

That's at the wrong position. Please sort it into its category

[NeffIsBack]

In general, this has the wrong syntax

[sup3rDav3]

Fixed. Removed the incorrectly placed entry and added it to the LDAP Modules section in alphabetical order with the correct syntax.

[sup3rDav3]

Nice ! Could you replace ldap3 with ldaptypes from impacket ? You can take a look at #1163for reference

Done. Replaced security_descriptor_control from ldap3 with SDFlagsControl from impacket.ldap.ldapasn1. All detections verified working against Windows Server 2022.

[sup3rDav3]

All feedback has been addressed, thank you for the review.

• Replaced ldap3 security_descriptor_control with impacket SDFlagsControl
• Consolidated all multi-line log calls to single lines
• Using conn.search() directly throughout
• Removed _ldap_search and _parse_attributes helpers, replaced with parse_result_attributes
• Fixed e2e test syntax and position
• All changes verified working against Windows Server 2022