The Breach That Never Happened, Issue #005
Domain Admin Without Knowing a Password
How intercepted authentication traffic handed an attacker the keys to an entire corporate network in twenty minutes.
Severity: Critical
Time to Exploit: 20 minutes
Cost if Breached: $3 to $9 million
What Happened
During an internal network assessment, we discovered that authentication traffic between workstations and the domain controller was flowing unprotected across the network.
This is something many organizations take for granted. Windows machines constantly communicate with Active Directory, exchanging credentials in the background during routine operations.
We positioned ourselves between two systems and silently captured that authentication traffic. Then we relayed it directly to the domain controller, convincing it that we were a trusted machine with legitimate credentials.
Within twenty minutes of starting the test, we had domain administrator access. We never cracked a password. We never stole a hash. The network simply handed us the keys.
The issue was caught in time. No breach occurred.
TL;DR
Active Directory is the backbone of most corporate networks. Every Windows machine constantly talks to it.
When those conversations are not protected, an attacker positioned inside the network can listen in.
Not to steal the password itself, but to borrow the authentication handshake while it is happening.
Think of it like copying someone’s signature mid-air as they sign, then using that signature yourself before the ink dries.
The domain controller sees a valid authentication and opens the door. It never knows the difference.
The Impact
An attacker exploiting this could:
• Take full control of the Active Directory domain
• Create new administrator accounts silently
• Access every system, file share, and database in the organization
• Read and exfiltrate sensitive data without triggering alerts
• Disable security tools across the entire network
• Persist indefinitely using legitimate-looking credentials
Real-world precedent: LDAP and NTLM relay attacks have been used in major ransomware campaigns to escalate privileges and spread laterally across enterprise networks within hours of initial access.

How To Fix It
• Require LDAP signing (not merely negotiate it) and enforce channel binding on all domain controllers
• Require SMB signing on every machine in the network, on both the server and the client side
• Disable NTLM where Kerberos can be used instead
• Implement network segmentation to limit lateral movement
• Monitor for unusual authentication patterns from unexpected sources
Protecting authentication traffic at the network level eliminates the foundation that relay attacks depend on.
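As an added check that is not part of the newsletter or Penti's own tooling, the following PowerShell audit reads the Microsoft-documented registry settings behind each fix above and flags any still at a relay-permissive value, then counts Event 2889 unsigned-bind entries, which is how you find the clients that would break before you flip signing to "require". It assumes an elevated session on a domain controller; the setting names and values are the documented ones, the labels and output format are mine.

```powershell
# Added audit example (not from the original newsletter). Run elevated on a
# domain controller. Registry paths/values are Microsoft's documented settings
# for LDAP signing, LDAP channel binding and SMB signing.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the platform default applies
}

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Each check: setting, current value, the value that actually blocks relay.
# Note the LDAP default ("negotiate", value 1 or absent) does NOT stop relay.
$checks = @(
    @{ Name = 'LDAP server signing (LDAPServerIntegrity)'
       Value = Get-RegValue $ntds 'LDAPServerIntegrity'; Required = 2
       Note = '1/absent = negotiate only (relay works); 2 = require signing' },
    @{ Name = 'LDAP channel binding (LdapEnforceChannelBinding)'
       Value = Get-RegValue $ntds 'LdapEnforceChannelBinding'; Required = 2
       Note = '0/absent = never; 1 = when supported; 2 = always' },
    @{ Name = 'SMB server signing (RequireSecuritySignature)'
       Value = Get-RegValue $srv 'RequireSecuritySignature'; Required = 1
       Note = '0/absent = optional; 1 = required' },
    @{ Name = 'SMB client signing (RequireSecuritySignature)'
       Value = Get-RegValue $wks 'RequireSecuritySignature'; Required = 1
       Note = '0/absent = optional; 1 = required' }
)

foreach ($c in $checks) {
    $state   = if ($c.Value -eq $c.Required) { 'HARDENED' } else { 'WEAK' }
    $current = if ($null -eq $c.Value) { 'absent' } else { $c.Value }
    '{0,-8} {1,-50} current={2} required={3}  [{4}]' -f $state, $c.Name, $current, $c.Required, $c.Note
}

# Detection side: with "16 LDAP Interface Events" diagnostics set to 2, the DC
# writes Event 2889 to the Directory Service log for every unsigned LDAP bind.
# Counting them over 24h shows which clients would break once signing is required.
$diag = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' '16 LDAP Interface Events'
if ($diag -ge 2) {
    $since    = (Get-Date).AddDays(-1)
    $unsigned = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue
    'Unsigned LDAP binds logged in the last 24h: {0}' -f @($unsigned).Count
} else {
    'Event 2889 logging is off; set "16 LDAP Interface Events" to 2 to surface unsigned binds before enforcing.'
}
```

Run it on each domain controller before and after the change; a clean run shows every row HARDENED and a 2889 count that has dropped to zero.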
Key Takeaways
If you’re a business leader:
An attacker inside your network can become a domain administrator without ever stealing a password if authentication traffic is left unprotected.
If you’re technical:
Enable LDAP signing, channel binding, and SMB signing. These are configuration changes that close this attack vector entirely.
The bottom line:
The most dangerous attacks are often the quietest. This one never triggered a single alarm because it used your own infrastructure against you.
What You Can Do
[ ] Enable LDAP signing and channel binding on domain controllers
[ ] Enforce SMB signing across all endpoints
[ ] Audit NTLM usage and restrict it where Kerberos is available
[ ] Test your internal network for relay attack exposure
This vulnerability was discovered during real penetration testing and remediated before publication.
About The Breach That Never Happened
Monthly insights from real penetration testing engagements, real vulnerabilities, real fixes, zero breaches.
Discovered by Penti’s Agent and Penetration Testing Team.
#CyberSecurity #PenetrationTesting #ActiveDirectory #LDAPRelay #PreventedBreach