Listen to this Post

Daniel Scheidt from Offensive Security @Vorwerk/@Cerberus-Security shared an improved version of Akamai Research’s BadSuccessor script for Active Directory enumeration. The enhanced version includes:
– Execution from non-domain joined systems
– Forest-wide functionality
– Detailed output of permissions each entity has on Organizational Units (OUs)
– Pre-flight check for 2025 Domain Controllers (DCs)
– General code optimizations
Original Script URL: https://lnkd.in/estAWGJr
You Should Know:
Key Commands & Usage
1. Pre-Flight Check for 2025 DCs
Check for Domain Controllers running Windows Server 2025
Get-ADDomainController -Filter | Where-Object { $_.OperatingSystem -like "2025" } | Select-Object Name, IPv4Address
2. Enumerate OU Permissions
Get all OUs and their security descriptors
Get-ADOrganizationalUnit -Filter -Properties ntSecurityDescriptor | ForEach-Object {
$ou = $_
$acl = $ou.ntSecurityDescriptor
$acl.Access | ForEach-Object {
[bash]@{
OU = $ou.Name
Trustee = $<em>.IdentityReference
Rights = $</em>.ActiveDirectoryRights
Inheritance = $_.InheritanceType
}
}
}
3. Running from Non-Domain Joined Systems
Use explicit credentials for LDAP queries
$cred = Get-Credential
$search = [System.DirectoryServices.DirectorySearcher]::new()
$search.SearchRoot = "LDAP://DC=domain,DC=com"
$search.Filter = "(objectClass=organizationalUnit)"
$search.FindAll() | ForEach-Object { $_.Properties.name }
4. Forest-Wide Enumeration
Get all domains in the forest
(Get-ADForest).Domains | ForEach-Object {
Get-ADDomain -Server $_ | Select-Object Name, DomainMode
}
5. Exporting Results for Analysis
Export OU permissions to CSV $results | Export-Csv -Path "OU_Permissions.csv" -NoTypeInformation
What Undercode Say
This script is a powerful tool for red teamers and penetration testers assessing Active Directory security. The improvements allow for broader reconnaissance, especially in multi-domain forests, while maintaining stealth by working from non-domain-joined systems.
Additional Useful Commands:
Linux Alternative (Using ldapsearch)
ldapsearch -x -H ldap://DOMAIN_CONTROLLER -b "DC=domain,DC=com" "(objectClass=organizationalUnit)"
Windows Command Line (Using dsquery)
dsquery ou -limit 0
Check for Sensitive Permissions (PowerShell)
Get-ADObject -Filter -Properties nTSecurityDescriptor | Where-Object {
$<em>.nTSecurityDescriptor.Access | Where-Object {
$</em>.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"
}
}
Expected Output:
A detailed CSV containing:
- OU Names
- Trustees (Users/Groups)
- Assigned Permissions
- Inheritance Settings
For offensive security assessments, this script helps identify misconfigured OUs that could lead to privilege escalation or lateral movement.
Prediction
As Active Directory attacks evolve, expect more automated tools leveraging cross-forest enumeration and non-domain-joined techniques to bypass detection. Microsoft may introduce new security controls in Windows Server 2025 to mitigate such reconnaissance.
References:
Reported By: Daniel Scheidt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


