Refactor Badsucessor : Replace ldap3 with impacket and add dMSA exploitation

[azoxlpf]

Description

This PR refactors the badsuccessor module to remove the ldap3 dependency and add full BadSuccessor exploitation support, using impacket for LDAP and Kerberos.

Previously, the module only enumerated OUs vulnerable to BadSuccessor and relied on ldap3 for the security descriptor control. It now uses impacket’s SDFlagsControl and LDAP CRUD operations.

When TARGET_OU is provided, the module creates a dMSA, retrieves current and previous keys via S4U2Self, and saves the service ticket to a .ccache file.

A DELETE=True option (with DMSA_NAME and TARGET_OU) allows removing a created dMSA. Without options, the module keeps its original enumeration behavior.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)
• This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)

Setup guide for the review

Install a Windows Server 2025 that doesn't have the patch included in the ISO.

You can verify that the server is vulnerable by running nxc smb DC_IP -u user -p password -M enum_cve -o CVE=CVE-2025-53779 :

Screenshots (if appropriate):

Check for vulnerable OUs :

Create a dMSA and exploit the attack :

Delete the dMSA :

dMSA creation when the DC has the patch :

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
• I have performed a self-review of my own code (not an AI review)
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Thanks for the PR, definitely a cool addition!