Skip to main content

The Vilkas Wire

Top 10 Internal Penetration Test Findings of 2024

Jul 18, 2025 · By Ben Rollin

Active DirectoryField NotesInfoSecPentest
Top 10 Internal Penetation Test Findings of 2025 Cover Image

This post aims to shed light on the internal network flaws plaguing companies of various sizes across multiple industries. We hope to educate readers on common issues that organizations can fix proactively to shore up "quick win"-type attack vectors used for obtaining a domain foothold or domain compromise. These are not flashy zero-day attacks or complex attack chains; they are just a reminder that the basics must be taken care of and can be leveraged for an attack even with enterprise-grade EDR and other security tools in place.

We will briefly discuss these findings, including the potential impact and general remediation guidelines. Many of these findings are due to legacy/default configurations left in place, often for a decade or more. Below are the top 10 most common findings across all internal network penetration tests, with many reports containing three or more of these findings.

Top 10 Internal Network findings of 2024

Rank  Finding Name                                                Overview                                        Remediation                                   
1   LLMNR/NBT-NS Response Spoofing                              This attack allows for intercepting network traffic with the goal of credential theft due to how these protocols work by default. The technique was first publicly demonstrated around 15 years ago. However, it is still a widespread method of gaining a foothold in Active Directory or even directly from unauthenticated access to domain compromise.This issue can be fixed by disabling LLMNR via Group Policy (the setting Turn Off Multicast Name Resolution. NetBIOS Name Service (NBT-NS) must be disabled via the Registry on each host, but this can be done remotely with PowerShell or scripted via Group Policy.
2   Default ms-DS-MachineAccountQuota                                 This issue is so prevalent that we did a separate blog post on it. This default attribute allows any Active Directory user to add up to 10 computers to the domain. It can be combined with NTLM relaying attacks to obtain a domain foothold. It is a precursor for various other attacks that can be used for lateral movement or domain privilege escalation.The default can be set to 0 using the Set-ADDomain PowerShell cmdlet only to allow privileged users to add computers to the domain.
3   Administrative Password Reuse               This may apply to local administrator passwords, privileged accounts within a domain, or privileged accounts across domain trusts. Administrative password reuse often facilitates lateral movement and further compromise.Utilize a tool such as the Local Administrator Password Solution (LAPS) for local account passwords and ensure that privileged accounts within the domain and across domain trusts are not sharing passwords.
4   Active Directory Certificate Services (AD CS) - ESC1 AttackAD CS misconfigurations can allow domain privilege escalation. Researchers introduced the "ESC" numbering schema to delineate between different possible abuse scenarios. To date, there are 16 possible techniques. ESC1 can be leveraged when a certificate template allows a low-privileged user to enroll using a certificate template and specify a Subject Alternate Name (SAN) to allow other accounts to use this certificate to prove their identity. This can be abused to impersonate any domain user, leading to domain compromise.Remove unused certificate templates, review all unused certificate templates, and require management approval for certificate requests, especially those that allow for specifying a SAN.
5   Weak Active Directory Passwords Allowed                     Weak domain passwords may facilitate a foothold through a password spraying attack or by cracking a hash obtained via a response spoofing attack. Weak passwords are also often leveraged for lateral movement and domain privilege escalation.Set a strong password policy per NIST and Microsoft best practice guidelines. Implement a password filter and an enterprise password management tool to encourage strong passwords.
6SMB Signing Not EnabledWhen SMB Signing is disabled, it may be possible to leverage a response spoofing attack to "relay" credentials to a target host, resulting in host compromise and a domain foothold or further access.

We see this frequently, even in environments where SMB signing is enabled. A deeper breakdown of how this misconfiguration is abused in practice is covered here → The Real-World Risk of Not Enforcing SMB Signing in Internal Networks
Ensure that SMB Signing is enabled and enforced on all Windows hosts in the domain.
7   Default Credentials                                         Default credentials plague even the most hardened environments. When present, they can allow for unauthorized system access that could result in remote code execution, credential theft, or denial of service. This is a prevalent attack vector of ours for gaining a foothold in an internal network.Ensure that web administrative portals and remote access services have had the default credentials set to a strong, not easily guessable password.
8   Weak Kerberos Authentication Configuration (Kerberoasting)  When an Active Directory account has a Service Principal Name (SPN) set, any domain user, regardless of privilege, can perform a Kerberoasting attack to obtain a password hash that can be subjected to offline password cracking. This technique has existed for over a decade but is still commonly used for lateral movement and domain privilege escalation.If possible, replace SPNs with Group Management Service Accounts (gMSA). If SPNs are required, only assign them to service accounts and set a complex, randomized password.
9    DNS Spoofing via IPv6                                       IPv6 is enabled by default on Windows systems, but is rarely used. When in use, an attacker can start a malicious DHCPv6 service to provide responses to IPv6 requests and modify settings such as the DNS server used by a target host. This can be used to send poisoned DNS responses to DNS queries and result in credential theft. The resultant password hashes can be subjected to offline password cracking or be used in NTLM relaying attacks to gain a foothold, move laterally, or escalate privileges in the domain.Disable IPv6 on all Windows hosts in the domain, remotely or via Group Policy, if it is not in use.
10  SMB Null Session                                            An SMB Null session on a domain controller allows for retrieving Active Directory data, such as a list of users and the password policy. These can be used for inputs into a calculated password spraying attack without fear of locking out accounts.This can be fixed by removing the Everyone group from the Pre-Windows 2000 Compatible Access group. A secondary step is ensuring that Network access: Let Everyone permissions apply to anonymous users is disabled within the Default Domain Controllers Policy in Group Policy.

Honorable Mentions

We would be remiss in not briefly covering a few impactful, honorable mentions.

1. Active Directory ACL Misconfiguration

Overview: Misconfigured Active Directory ACLs can lead to a myriad of attacks, including—but not limited to—forced password changes, user additions to groups, accounts, or computer takeovers, and attacks leading to domain compromise.

Remediation: Periodically review ACLs in Active Directory to look for ACL misconfigurations, especially those that can be leveraged by otherwise low-privileged users. Tools such as BloodHound can facilitate this process. Vilkas' Active Directory Security Assessment service uses various custom tools to dive deeply into Active Directory, including ACLs, to expose flaws and opportunities for further hardening.

2. Reset Password on KRBTGT Account

Overview: The KRBTGT account signs and encrypts all Kerberos tickets in the domain. A compromised KRBTGT account NTLM password hash is a requirement for performing a "Golden Ticket" attack, allowing an attacker to create a Kerberos Ticket Granting Ticket (TGT) for any domain account, allowing persistence within an organization because the issued ticket may be valid for up to 10 years. Many organizations have not changed the KRBTGT account password since the creation of the domain. It is a good practice to change this password periodically, or at least after a breach (i.e., a penetration test that resulted in domain compromise) to invalidate all existing TGT tickets, removing any possible persistence in the domain.

Remediation: Microsoft recommends changing the KRBTGT account periodically. The password must be changed twice, ideally with a 24-hour delay, to ensure the change replicates to all domain controllers. The password must be changed twice because the last two passwords are stored in the account's password history. Once the password is set, Active Directory will automatically change it to a strong randomized value in the background.

3. LDAP Signing/Channel Binding Disabled

Overview: When LDAP Signing and Channel Binding are disabled, it is often possible to relay credentials obtained through a response spoofing attack or authentication coercion attack to the LDAP service on a domain controller. This may lead to a foothold, such as creating an attacker-controlled computer account or even a direct domain compromise if the relay account holds high privileges in the domain.

This condition often serves as a critical component in broader attack chains, rather than as an isolated issue. For a detailed analysis of common LDAP signing attack paths identified during internal assessments, see Common Attack Paths Enabled by Missing LDAP Signing.

Remediation: LDAP Signing can be enabled via the Registry, but ideally by modifying the setting Domain controller: LDAP server signing requirements within the Default Domain Controllers Policy in Group Policy to Require Signing. LDAP Channel binding can be enabled by setting Domain controller: LDAP server channel binding token requirements to Always within the same GPO. LDAP Channel Binding is only required if LDAPS is enabled. We often see organizations enable LDAP Signing on LDAP but overlook LDAP Channel Bindings on LDAPS, so we can still obtain a foothold via credential relaying to the LDAPS service.

Final Thoughts

Even in 2025, with increased awareness of common attacks and cybersecurity programs becoming increasingly mature, we still uncover one or more of these "easy win" type issues on most of our internal penetration tests. If your penetration tester is not digging deep into all areas of Active Directory, these issues may linger for years.

Our Active Directory Security Hardening & Hygiene Checklist covers many of the common identity and Active Directory issues we consistently identify during internal assessments, along with guidance on how to properly address them.


Want to test your environment for risks like this?

Vilkas Cybersecurity helps organizations uncover and fix real-world exposures, not just theoretical ones.

Have a question about this article or a security challenge of your own? Fill out the form and we’ll get back to you shortly.

Loading form…