Security Risk Advisors

Top 5 Simple Ways I Became Domain Administrator on your Internal Network and How to Prevent them from Happening (Part 2 of 5)

May 12, 2011 | Posted in Red Teams by Chris Salerno

2. The local administrator password is blank or easily guessable

Once again, this one isn’t rocket science, but we still see this issue all too often. Whether it’s that third-party vendor system that no one can change the password on or an Administrator that was just “testing” some new functionality, blank or easily guessable local admin passwords are one of the fastest ways to get unauthorized access to your internal network.

How the attack works:

  1. Find out what servers and workstations are listening on the internal network by doing a NetBIOS sweep of the network.
  2. Once the list is compiled, perform a simple scan of these servers and workstations to check for blank passwords, passwords that are “password”, and accounts where the username is equal to the password.
  3. When one or more are identified, connect to the server or workstation to extract password hashes and sensitive information, then attempt to further propagate access throughout the network.

Sample of open source tools used:

Nmap, Nbtenum, MBSA

How to mitigate it:

  1. Again, use your existing vulnerability scan process to proactively scan for blank or weak local administrative passwords on your network.  Once identified, notify the business owner and work with them to change the account to use a more complex password defined in your corporate standards.
  2. Rename the local administrator account from “Administrator” and use a script to make that password unique on each server. Even though an attacker may still be able to enumerate your renamed account, it is a useful obfuscation technique.
  3. Verify that local Windows security policies are consistent with domain-level GPOs. This can go a long way in preventing systematic issues throughout the Windows environment such as local users with weak passwords.
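
One way to check mitigations 2 and 3 across many hosts is to collect each machine's `secedit /export /cfg` output and compare its `[System Access]` settings against your standard. The script below is an added example, not code from the original post; the baseline thresholds and the sample export are constructed placeholders to be replaced with your own corporate values.

```python
import configparser

# Assumed corporate baseline (placeholder values, not from the article):
# setting -> (predicate on the local integer value, requirement text)
BASELINE = {
    "MinimumPasswordLength": (lambda v: v >= 14, ">= 14"),
    "PasswordComplexity": (lambda v: v == 1, "= 1 (enabled)"),
    "PasswordHistorySize": (lambda v: v >= 24, ">= 24"),
    "LockoutBadCount": (lambda v: 1 <= v <= 10, "1..10 (0 disables lockout)"),
}

def audit_secedit(inf_text):
    """Return a list of findings for one host's `secedit /export` text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the key case that secedit writes
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return ["no [System Access] section: export incomplete or not a secedit file"]
    sa = cp["System Access"]
    findings = []
    for key, (ok, want) in BASELINE.items():
        raw = sa.get(key)
        if raw is None:
            findings.append(f"{key}: not set locally (baseline {want})")
        elif not raw.strip().lstrip("-").isdigit():
            findings.append(f"{key}: unparseable value {raw!r}")
        elif not ok(int(raw)):
            findings.append(f"{key}: local value {int(raw)} violates baseline {want}")
    # Mitigation 2: built-in account is enabled and still carries its default name.
    name = sa.get("NewAdministratorName", "").strip().strip('"')
    if name.lower() == "administrator" and sa.get("EnableAdminAccount", "0").strip() == "1":
        findings.append('built-in administrator is enabled and still named "Administrator"')
    return findings

# Constructed sample export from a drifted host (not real data).
SAMPLE = """[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
NewAdministratorName = "Administrator"
EnableAdminAccount = 1
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for finding in audit_secedit(SAMPLE):
        print("FINDING:", finding)
```

secedit normally writes its export as UTF-16, so open collected files with `encoding="utf-16"` before passing the text to `audit_secedit`.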