BadSuccessor Script Improvements for Active Directory Enumeration

Listen to this Post

Featured Image
Daniel Scheidt from Offensive Security @Vorwerk/@Cerberus-Security shared an improved version of Akamai Research’s BadSuccessor script for Active Directory enumeration. The enhanced version includes:
– Execution from non-domain joined systems
– Forest-wide functionality
– Detailed output of permissions each entity has on Organizational Units (OUs)
– Pre-flight check for 2025 Domain Controllers (DCs)
– General code optimizations

Original Script URL: https://lnkd.in/estAWGJr

You Should Know:

Key Commands & Usage

1. Pre-Flight Check for 2025 DCs

 Check for Domain Controllers running Windows Server 2025 
Get-ADDomainController -Filter  | Where-Object { $_.OperatingSystem -like "2025" } | Select-Object Name, IPv4Address 

2. Enumerate OU Permissions

 Get all OUs and their security descriptors 
Get-ADOrganizationalUnit -Filter  -Properties ntSecurityDescriptor | ForEach-Object { 
$ou = $_ 
$acl = $ou.ntSecurityDescriptor 
$acl.Access | ForEach-Object { 
[bash]@{ 
OU = $ou.Name 
Trustee = $<em>.IdentityReference 
Rights = $</em>.ActiveDirectoryRights 
Inheritance = $_.InheritanceType 
} 
} 
} 

3. Running from Non-Domain Joined Systems

 Use explicit credentials for LDAP queries 
$cred = Get-Credential 
$search = [System.DirectoryServices.DirectorySearcher]::new() 
$search.SearchRoot = "LDAP://DC=domain,DC=com" 
$search.Filter = "(objectClass=organizationalUnit)" 
$search.FindAll() | ForEach-Object { $_.Properties.name } 

4. Forest-Wide Enumeration

 Get all domains in the forest 
(Get-ADForest).Domains | ForEach-Object { 
Get-ADDomain -Server $_ | Select-Object Name, DomainMode 
} 

5. Exporting Results for Analysis

 Export OU permissions to CSV 
$results | Export-Csv -Path "OU_Permissions.csv" -NoTypeInformation 

What Undercode Say

This script is a powerful tool for red teamers and penetration testers assessing Active Directory security. The improvements allow for broader reconnaissance, especially in multi-domain forests, while maintaining stealth by working from non-domain-joined systems.

Additional Useful Commands:

Linux Alternative (Using ldapsearch)

ldapsearch -x -H ldap://DOMAIN_CONTROLLER -b "DC=domain,DC=com" "(objectClass=organizationalUnit)" 

Windows Command Line (Using dsquery)

dsquery ou -limit 0 

Check for Sensitive Permissions (PowerShell)

Get-ADObject -Filter  -Properties nTSecurityDescriptor | Where-Object { 
$<em>.nTSecurityDescriptor.Access | Where-Object { 
$</em>.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner" 
} 
} 

Expected Output:

A detailed CSV containing:

  • OU Names
  • Trustees (Users/Groups)
  • Assigned Permissions
  • Inheritance Settings

For offensive security assessments, this script helps identify misconfigured OUs that could lead to privilege escalation or lateral movement.

Prediction

As Active Directory attacks evolve, expect more automated tools leveraging cross-forest enumeration and non-domain-joined techniques to bypass detection. Microsoft may introduce new security controls in Windows Server 2025 to mitigate such reconnaissance.

References:

Reported By: Daniel Scheidt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram