Top 5 Simple Ways I Became Domain Administrator on your Internal Network and How to Prevent them from Happening (Part 2 of 5)

by Chris Salerno | May 12, 2011

How to Become a Domain Administrator on an Internal Network
2. The local administrator password is blank or easily guessable

Once again, this one isn’t rocket science, but we still see this issue all too often. Whether it’s that third-party vendor system that no one can change the password on or an administrator who was just “testing” some new functionality, blank or easily guessable local admin passwords are one of the fastest ways to get unauthorized access to your internal network.


How the attack works:

  1. Find out what servers and workstations are listening on the internal network by doing a NetBIOS sweep of the network.
  2. Once the list is compiled, perform a simple scan of these servers and workstations to check for blank passwords, passwords that are “password” and where the username is equal to the password.
  3. When one or more are identified, connect to the server or workstation to extract password hashes and sensitive information then attempt to further propagate access throughout the network.


Sample of open source tools used:

Nmap, Nbtenum, MBSA


How to mitigate it:

  1. Again, use your existing vulnerability scan process to proactively scan for blank or weak local administrative passwords on your network.  Once identified, notify the business owner and work with them to change the account to use a more complex password defined in your corporate standards.
  2. Rename the local administrator account from “Administrator” and use a script to make that password unique on each server. Even though an attacker may still be able to enumerate your renamed account, it is a useful obfuscation technique.
  3. Verify that local Windows security policies are consistent with domain-level GPOs. This can go a long way in preventing systematic issues throughout the Windows environment, such as local users with weak passwords.
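An added example of mitigation 2 (not code from the original post): a PowerShell script that finds the built-in Administrator account by its well-known RID 500 rather than by name, renames it, and sets a unique, cryptographically random password on the host it runs on. The target name "svc-localadm" and the 24-character length are assumptions; it requires the LocalAccounts module (Windows 10 / Server 2016 and later), and on current Windows versions Microsoft LAPS does the same job with secure password escrow and should be preferred where available.

```powershell
# Added example: rename the built-in local Administrator and give it a
# per-host random password. Run elevated on each server, e.g. from your
# configuration-management tool. Name and length below are assumptions.
param(
    [string]$NewName = "svc-localadm",
    [int]$Length = 24
)

function New-RandomPassword {
    param([int]$Length)
    # Character set that satisfies a typical complexity policy; ambiguous
    # glyphs (0/O, 1/l/I) are left out so the value can be read back safely.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $out   = New-Object char[] $Length
    # Rejection sampling: discard bytes >= limit so "% count" has no modulo bias.
    $limit = 256 - (256 % $chars.Length)
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $out[$i] = $chars[$buf[0] % $chars.Length]
            $i++
        }
    }
    $rng.Dispose()
    -join $out
}

# The built-in Administrator is the account whose SID ends in -500; matching on
# the RID means this still works if someone already renamed it.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw "Built-in Administrator account (RID 500) not found" }

$plain  = New-RandomPassword -Length $Length
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

if ($admin.Name -ne $NewName) {
    Rename-LocalUser -Name $admin.Name -NewName $NewName
}
Set-LocalUser -Name $NewName -Password $secure -PasswordNeverExpires $false

# Hand $plain to your privileged-access vault here; never write it to a file
# or log. It is cleared from the session afterwards.
Write-Output "Renamed built-in Administrator to '$NewName' on $env:COMPUTERNAME and set a unique $Length-character password."
$plain = $null
```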

Chris Salerno
Managing Director

Chris leads SRA’s 24x7 CyberSOC services. His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications.

Prior to shifting his focus to defense and secops, he led hundreds of penetration tests and security assessments and brings that deep expertise to the blue team.

Chris has been a distinguished speaker at BlackHat Arsenal, RSA, B-Sides and SecureWorld.

Prior to Security Risk Advisors, Chris was the lead penetration tester for a Big4 security practice.