#2 Low Hanging Credentials

A story about weak password policies

Last updated 7 months ago
Intro

Picture this: you’ve spent millions on firewalls and endpoint security, and you’ve even completely cut off the Internet connection of the entire organization. Your network is locked down tighter than Fort Knox—or so you think. Then someone strolls in like they own the place, armed with nothing but the password “123456” and a mischievous grin.

Yup, it’s the classic tale of strong security undermined by the world's weakest link—bad passwords. As a red teamer, I’ve seen it all: passwords so simple that even your grandmother could guess them, and policies so lax that they are practically an invitation to an open house.

In this post, I’m taking you on a wild ride through the magical land of weak password policies, where owning the network is even easier than pwning an Active Directory lab environment in easy mode. Let’s dive into the (not-so) secret sauce that lets bad guys walk right in, and why it’s time to say goodbye to the “Qwerty” security strategy!


User Enumeration

As always, I began with domain enumeration, starting with user enumeration using Kerbrute, which leverages the Kerberos pre-authentication mechanism to identify valid domain users. By sending Kerberos AS-REQ requests for a list of candidate usernames and checking how the KDC (Domain Controller) responds, I was able to gather a bunch of valid usernames. This gave me a starting point for further attack vectors, such as password spraying or brute-forcing weak credentials.

User enumeration with Kerbrute is a quick win if you don't have any domain credentials for authenticated user enumeration. But if it's done at a high rate, chances are the SOC team will spot it through hunt queries or the AS-REQ traffic volume on the domain controllers.


Password Spraying

After gathering the valid usernames, I moved on to password spraying. I tested a few commonly used passwords, like 123456, across all the identified accounts, making sure I stayed within a presumed lockout threshold (3 tries per 5 minutes) to avoid detection, since I did not know the password policy at the time.

This method allowed me to attempt multiple logins without locking any users out. It didn’t take long before a few accounts with weak passwords were compromised, granting me initial access to the network.

After successfully compromising a few accounts (thanks to the classic 123456 password), I used these credentials to enumerate the full list of domain users. With access to these accounts, I could query Active Directory directly and retrieve a complete list of users within the domain.

A fun fact is that the domain actually had an account lockout policy.

Anyway, I didn't continue with the spray because I didn't want to lock out any users. So I moved on to domain enumeration.


Authenticated Domain Recon

Running BloodHound using one of the compromised accounts returned a lot of information about the domain and opened a few more attack paths.

Now I could use this to find privilege escalation paths.


Kerberoasting

Since I've seen many cases where the default Active Directory password policy is disabled by system administrators, I knew that cracking Kerberos tickets (of all kinds) would be a reasonable way to escalate privileges in the domain. An AS-REP roasting attempt did not return any results, but BloodHound listed a few Kerberoastable accounts.

Again, using the same compromised low-privilege accounts, I grabbed a couple of Kerberos tickets from 5 different SPNs.

Cracking the TGS tickets revealed the clear-text passwords.

OK, another weak password. This one is a 6-letter password from the rockyou wordlist, and it gets even worse: this account was a domain admin!?
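Each of the three techniques above (Kerbrute-style user enumeration, password spraying and Kerberoasting) leaves a distinctive footprint in the domain controller's Kerberos events, and the sections on enumeration and spraying both mention that a SOC can spot them. The following is an added detection example written for this post; it is not the author's code nor part of any tool named here. The event records are constructed in-line and only modelled on the fields of Windows Security events 4768, 4771 and 4769; the thresholds and window sizes are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) modelled on the Windows Security
# events a domain controller logs for Kerberos:
#   4768 = AS-REQ (TGT request), 4771 = pre-authentication failed,
#   4769 = TGS-REQ (service ticket request).
# Result codes follow RFC 4120: 0x0 success, 0x6 client principal unknown,
# 0x18 pre-authentication failed. enc_type 0x17 is RC4-HMAC, 0x12 is AES256.
def _ev(ts, event_id, user, src_ip, status="0x0", service=None, enc_type=None):
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id, "user": user,
            "src_ip": src_ip, "status": status, "service": service, "enc_type": enc_type}

SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00", 4768, "alice", "10.0.0.5"),
    # 25 AS-REQs for names that do not exist, from one host in 25 seconds: enumeration.
    *[_ev(f"2024-05-01T09:01:{s:02d}", 4768, f"guess{s}", "10.0.0.99", "0x6") for s in range(25)],
    # One failed pre-auth per real account, 12 accounts in 12 seconds: spraying.
    *[_ev(f"2024-05-01T09:10:{s:02d}", 4771, f"user{s}", "10.0.0.99", "0x18") for s in range(12)],
    # bob mistyping his own password three times is not a spray.
    *[_ev(f"2024-05-01T09:20:{s:02d}", 4771, "bob", "10.0.0.7", "0x18") for s in range(3)],
    # One low-privilege account pulling RC4 service tickets for five SPNs in under a minute.
    *[_ev(f"2024-05-01T09:30:{s * 10:02d}", 4769, "user3", "10.0.0.99", "0x0",
          service=f"svc-app{s}", enc_type="0x17") for s in range(5)],
    # Normal AES service-ticket use by alice.
    _ev("2024-05-01T09:31:00", 4769, "alice", "10.0.0.5", "0x0",
        service="cifs-fileserver", enc_type="0x12"),
]

def _max_distinct_in_window(pairs, window):
    """pairs: list of (timestamp, value). Largest number of distinct values
    observed inside any sliding window of length `window`."""
    pairs = sorted(pairs)
    best, start = 0, 0
    for end in range(len(pairs)):
        while pairs[end][0] - pairs[start][0] > window:
            start += 1
        best = max(best, len({v for _, v in pairs[start:end + 1]}))
    return best

def _flag(events, group_key, value_key, keep, threshold, window):
    """Group the events that pass `keep` by `group_key` and return the groups whose
    distinct `value_key` count within one window reaches `threshold`."""
    groups = defaultdict(list)
    for e in events:
        if keep(e):
            groups[e[group_key]].append((e["ts"], e[value_key]))
    return sorted(g for g, pairs in groups.items()
                  if _max_distinct_in_window(pairs, window) >= threshold)

def detect_user_enumeration(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs producing 'principal unknown' AS-REQ failures for >= threshold
    distinct names inside one window (the Kerbrute enumeration pattern)."""
    return _flag(events, "src_ip", "user",
                 lambda e: e["event_id"] == 4768 and e["status"] == "0x6",
                 threshold, window)

def detect_password_spray(events, threshold=10, window=timedelta(minutes=10)):
    """Source IPs with pre-auth failures for >= threshold distinct existing accounts
    inside one window. Counting distinct accounts rather than attempts is what
    separates a low-and-slow spray from one user mistyping a password."""
    return _flag(events, "src_ip", "user",
                 lambda e: e["event_id"] == 4771 and e["status"] == "0x18",
                 threshold, window)

def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=10), rc4_only=True):
    """Accounts that obtained service tickets for >= threshold distinct SPNs inside
    one window. RC4 (0x17) tickets are the usual tell, because that hash is far
    cheaper to crack than AES; krbtgt tickets are TGT traffic and are ignored."""
    return _flag(events, "user", "service",
                 lambda e: e["event_id"] == 4769 and e["status"] == "0x0"
                 and e["service"] and not e["service"].lower().startswith("krbtgt")
                 and (not rc4_only or e["enc_type"] == "0x17"),
                 threshold, window)

if __name__ == "__main__":
    print("enumeration sources:", detect_user_enumeration(SAMPLE_EVENTS))
    print("spraying sources:   ", detect_password_spray(SAMPLE_EVENTS))
    print("roasting accounts:  ", detect_kerberoasting(SAMPLE_EVENTS))
```

Run against the constructed sample, host 10.0.0.99 is flagged for both enumeration and spraying, and user3 for Kerberoasting, while bob's three failed logins and alice's AES service ticket stay quiet. The spray detector is deliberately rate-insensitive: a spray that respects the lockout threshold (as described in this post) still touches many distinct accounts, which is the dimension the rule counts.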


Pwning the Domain

Long story short, I got the clear-text creds of a DA member; the rest is history:


Just for Fun

To see how bad the situation really was, I tried cracking (brute-forcing) all the hashes I had dumped during the engagement using only CPU power. Here is a picture to give you an idea:

Successfully cracked 124 out of 175 NTLM hashes with passwords shorter than 7 characters!?

At this point, I think this picture is the best way to describe this AD environment:
