# Credential Reuse Leading to Domain Controller Compromise in an Active Directory Environment

## Overview

During an internal Active Directory penetration test, I achieved Domain Controller compromise through credential abuse and lateral movement. The attack relied entirely on well-known tooling and common post-authentication techniques. This matters because it demonstrates how basic credential hygiene failures can lead directly to full domain compromise.

## Objective

The objective of the engagement was to assess the security posture of a corporate Active Directory environment. Testing was conducted in an authenticated, black-box context using a single set of domain credentials. No administrative privileges were assumed at the start of testing.

## Discovery

After validating the provided credentials, I performed light enumeration to understand the level of access available and identify potential opportunities for further access. During this step, I identified the presence of a local administrator account on a system accessible with the supplied credentials.

Based on this observation, I attempted to extract local account password hashes. Using Impacket’s [`secretsdump.py`](http://secretsdump.py), I dumped the local user password hashes from the system.

Example command used:

```plaintext
secretsdump.py domain/user@10.x.x.x
```

I initially attempted to crack the extracted hashes offline. This, however, was unsuccessful; I pivoted to testing whether the extracted hash could be reused across other systems in the environment.

After extracting the local administrator hash, I tested whether it could be reused to authenticate to other systems. Using a pass-the-hash attack, the same credential was accepted by multiple hosts, including the Domain Controller.

Example command used:

```plaintext
crackmapexec smb 10.x.x.x/24 -u admin -d domain -H <HASH>
```

This demonstrated that the local administrator password was reused across multiple machines. Most importantly, the hash successfully authenticated against the Domain Controller, resulting in administrative-level access.

With authentication established, I moved on to command execution. After evaluating available execution options, I obtained a semi-interactive shell on the Domain Controller using Impacket’s [`smbexec.py`](http://smbexec.py).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1768323934035/8d147f6b-b0ca-4935-8ae1-968c1e9dea6f.avif align="center")

At this stage, command execution on the Domain Controller was confirmed, and the compromise was considered complete. The relevant stakeholders were notified so that remediation could begin.

## Takeaway

Reusing local administrator passwords can turn a single compromised host into full domain compromise. Defenders should enforce unique local administrator credentials, for example, through LAPS, and continuously monitor for lateral authentication activity.
