It is useful here to step back and summarize which operational practices we have exploited to take over the two domain controllers:
- The firewall had a port open that was not actually used on an internal host. Using a port redirection tool, we were able to get a GUI shell through that port. For more information on how to mitigate this type of attack, turn to Chapter 7.
- Next we used the extremely common administrative practice of using high-level accounts to log on to untrusted servers. Using high-security credentials on low-security machines compromises high-security machines. This practice, known as an administrative dependency, is discussed in detail in Chapter 8.
- After we took over the data center DC, it was a simple task to dump out the password hashes and crack those. Although password hashes theoretically do not represent a vulnerability in and of themselves—the vulnerability is allowing untrusted users access to them—several users had passwords that were easy to crack. For more information on why, and how to avoid it, refer to Chapter 11.
- We then found a flawed network segmentation that allowed us unrestricted access from the DMZ DC to the corporate network. This allows us to exploit any dependencies between systems in the DMZ and those on the corporate network. Information on how to design a proper logical segmentation is available in Chapter 9.
- Finally, we used another form of administrative dependencies by exploiting the fact that at least one user had administrative accounts on both the DMZ network and the corporate network; and used the same password for both accounts. More information on these kinds of administrative dependencies and how to detect them is available in Chapter 8.