Blog: How Tos
Top 10 stupidest ways we’ve got domain admin
We asked our crew for the stupidest ways they have ever got domain admin.
This is what they said:
- Simple discovery by trying available creds. Local admin was the same as domain admin for servers, some workstations, cisco access points, and more.
- It was ‘password’, despite all domain admins having unique, complex creds and granular permissions, the core domain admin password had been overlooked.
- Found a file share with blank password, containing a creds list, as well other juicy data; C-level staff’s digital signatures, HR files, and Finance spreadsheets including payroll.
- Password vault backup on the IT share was contained in the sysadmin’s old PST backup.
- IT service provider had used the same password for all the admin and domain admin accounts.
- Domain admin password was blank.
- Windows SQL server that is running with domain admin service account and the administrative database account “sa” has a blank password.
- Found a splunk interface (splunk == central log aggregation and
analysis) that did not require authentication, which exposed a domain account (user+pass) setup to integrate the product with the domain’s authentication server (AD/LDAP/Domain controller). Turns out that that account was a domain administrator.
- Every service user in the domain had the same (l33t speak) password. Some of these were in the domain admin group. (found the base password in the system documentation on a public drive.) Also, guessed the password as “Password1”.
- Password cached in a logon field for Splunk. I proxied the web page on submit and grabbed the admin password.
…but 10 doesn’t do it justice, so here are a few more that made us laugh or cry:
- Windows 2000 server vulnerable to MS08-067 and had full rights to add domain admins to the domain: “Oh, that’s being de-commissioned in a few weeks”. D’oh!
- HP Data Protector running on IT support desktops… Got root via a DP exploit and dumped Kerberos passwords using mimikatz. Bingo! The machine was in use by a domain admin and I now had their password.
- Found a .gitconfig file on c:\. It was configured to use the internal web proxy, which needed domain credentials. You can guess the rest.
- Backup of DC VM on open share on the network. You could download the backup and extract the password hashes which happened to be in LM format.