by gtirloni 897 days ago
> As usual, we managed to get administrative access to the domain controller

As usual? Is that the state of Windows Server security these days? I never managed a Windows-based network so I have no idea. I heard about these things back in the 2000's but I'm surprised this is "usual".

4 comments

Yes. If you have LLMNR, NTLM enabled, unsigned SMB allowed, and nonencrypted LDAP bindings, then your domain controller can be popped with zero effort by Metasploit.

Legacy protocols can be very sticky, and on most repeat pentest engagements I am able to use the exact same method every time because they will never get addressed. Modern Windows (since like the Vista era) will use better stuff out of the box but will also allow downgrade attacks in the name of compatibility.

Hell, I still find SMBv1 in a lot of places.
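A defender's read-only audit of the settings this comment lists (LLMNR, NTLM level, SMB signing, SMBv1, LDAP signing), added here as an example and not code from the thread; the registry paths are the documented ones backing those policies, and an absent value is reported as a finding to verify rather than assumed safe.

```powershell
# Added example: audit the legacy-protocol settings named above on the local host.
# Read-only. Run in an elevated PowerShell session on the server or DC you audit.
# Expected values are the hardened settings; an absent value means the OS default
# applies and is flagged so the operator checks it rather than trusting it.

$checks = @(
    @{ Name = 'LLMNR disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Expect = 0 },
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expect = 1 },
    @{ Name = 'SMBv1 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'SMB1'; Expect = 0 },
    @{ Name = 'NTLMv2 only, LM/NTLMv1 refused (LmCompatibilityLevel 5)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expect = 5 },
    @{ Name = 'LDAP server signing required (meaningful on a DC)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Expect = 2 }
)

function Get-LegacyProtocolFindings {
    foreach ($c in $checks) {
        # Missing key or value is not an error here; it just means "default".
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = $null
        if ($item) { $actual = $item.$($c.Value) }

        $shown  = if ($null -eq $actual) { '(not set: OS default)' } else { $actual }
        $status = if ($actual -eq $c.Expect) { 'OK' } else { 'FINDING' }

        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $shown
            Expected = $c.Expect
            Status   = $status
        }
    }
}

Get-LegacyProtocolFindings | Format-Table -AutoSize
```

On Windows 8 / Server 2012 and later, `Get-SmbServerConfiguration` (its `EnableSMB1Protocol` and `RequireSecuritySignature` properties) gives the effective SMB state directly and is the better check for the SMB rows.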

>Hell, I still find SMBv1 in a lot of places.

It cost me thousands of dollars last year to get our MSP to disable SMBv1 and force correct policies. They "needed to audit for a week" to make sure this "didn't break older software". It was annoying that I even had to ask; they didn't come to me saying "We won't support you if you have SMBv1 enabled".

Why hasn't Microsoft at least sandboxed these protocols if they are so bad in regards to security?

It's not broken in terms of the implementation (e.g. buffer overflows). The protocol itself is fundamentally broken. Sandboxing HTTP isn't going to protect your credit card information, and sandboxing MD5 isn't going to prevent people from finding collisions.
Well, they're a pentesting company. Getting access to the DC is goal #1 for every engagement they do.

So, I read this to be "as usual for us during our engagements", not "as usual for everyone all the time".

I promise if you are using Windows AD and haven't had a pen test and remediation in the last few years - you would lose to a decent pentesting group.
It could be through social engineering which is the easiest way.