For internal pentesting
Unsupported operating systems
Hosts with SMB Signing not required
Use of LLMNR/NetBIOS/mDNS name-resolution protocols
Presence of SMBv1 protocol
Highly privileged accounts not in the "Protected Users" group
Insufficient password rotation for the "krbtgt" account
Least privilege violation
Weak password requirements
Password reuse
Print Spooler Service enabled
Windows Credentials stored in LSASS
Windows Credentials stored in Windows Authentication Cache
WPAD support
Unconstrained Delegation
Internal services with no password or default credentials
Kerberoastable Domain Admin account
Cleartext passwords in files on network shares
ADCS misconfigurations (e.g. ESC8, Web Enrollment web service)
Passwords stored in the Local Security Authority (LSA)
Anonymous FTP
SNMP with a common or default community string
Presence of LanMan hashes in AD
Anonymous SMB/RPC connection
RDP with Network Level Authentication (NLA) not enabled
Machine account quota (ms-DS-MachineAccountQuota) not set to 0