By Staff Writer at LMG Security   /   Jun 12th, 2025

Penetration Tester Secrets: How Hackers Really Get In

Think your network is secure? Think again. Even organizations with mature cybersecurity programs are falling victim to the same simple misconfigurations that allow penetration testers—and potentially real attackers—to gain full domain admin access. At LMG Security, our penetration testing team gains full control in over 90% of internal tests. If that surprises you, it shouldn’t. In this blog, we’ll share real-world examples of how penetration testers exploit common network vulnerabilities—and more importantly, how you can stop attackers before they get in.

The UPS That Took Down a Bank

In one internal assessment, LMG’s team compromised a regional bank, starting with nothing more than a network-connected uninterruptible power supply (UPS). The UPS was configured to send email alerts when switching to battery power. To do that, it needed network credentials.

“We didn’t know the password, but we didn’t have to,” Tom Pohl, LMG Security’s Penetration Testing Manager, explained. “We just redirected the UPS to talk to our fake email server. When it tried to authenticate, it gave us valid domain credentials.” That foothold opened the door to file shares, internal services, and eventually domain control.

Takeaway: Every internet-connected device—whether it’s a UPS, camera, or printer—is a potential entry point. Default credentials and weak segmentation are among the most common network vulnerabilities that experienced penetration testers look for first.

Hidden Dangers in Active Directory Certificate Services (AD CS)

Once LMG had user-level credentials, the next stop was AD CS. This Microsoft feature is widely used for internal PKI, but frequently misconfigured. “Even with a non-privileged account, we could trick AD CS into issuing us a certificate for the domain controller,” said Tom. That allowed the team to impersonate the controller, sync password hashes across the domain, and ultimately crack them offline.

This exploit works because of common defaults in AD CS web enrollment services—defaults that many organizations have never reviewed or updated. In fact, this vulnerability was only recently addressed by Microsoft, so older deployments are especially at risk.

Man-in-the-Middle at a Law Firm: Legacy Protocols Strike Again

At a mid-sized law firm, LMG’s team uncovered one of the most insidious—and preventable—common network vulnerabilities: legacy broadcast protocols like LLMNR and NetBIOS, still enabled by default.

By using a tool like Responder, Tom’s team intercepted these broadcasts and responded as the “legitimate” file server. The result? They captured authentication attempts and relayed them to real servers, effectively becoming the man-in-the-middle.

“This wouldn’t be possible if SMB signing was enforced,” Tom noted. SMB signing cryptographically verifies message integrity and authenticity between clients and servers—but it’s often not enabled, except on domain controllers.

Once inside, the team discovered a hidden file share (with a dollar sign at the end) that included a deployment script with plaintext domain admin credentials. “Dollar signs mean dollar signs,” joked Tom. “If an admin is hiding a file share, we’re going to look.”

Why These Attacks Work: A Pentester’s Perspective

What do all these examples have in common? Default settings, weak access controls, and forgotten configurations that fly under the radar until it’s too late. “These are the low-hanging fruit,” says Tom. “If you’ve never had an internal pen test, I can almost write the report before I show up.”

A penetration tester knows how to chain together these issues. A misconfigured UPS gives you credentials. Those credentials unlock file shares. In one share, a script includes admin credentials. From there, it’s game over.

Real-World Implications

The vulnerabilities discussed here are not theoretical. Russian GRU cyber actors have been targeting Western logistics and tech companies using similar Active Directory misconfigurations, according to a recent CISA alert.

In another example, a critical Windows Server 2025 vulnerability revealed how default settings in enterprise networks expose systems to total compromise. The reality is stark: If you’re not proactively seeking out and fixing these issues, attackers—and even low-skilled ones—will find and exploit these security gaps.

Key Takeaways: How to Protect Your Organization

Whether you’re a CISO or a seasoned IT pro, here’s how to start eliminating the common network vulnerabilities that penetration testers love to exploit:

• Audit and Replace Default Credentials

  • Why it matters: Default logins are one of the first things attackers try, and they’re still shockingly effective.
  • Action steps: Inventory every network-connected device (including printers, UPS systems, and cameras), remove factory credentials, and replace them with strong, unique passwords.
  • Bonus tips: Disable guest accounts and check for hardcoded credentials in scripts and config files.

• Harden Active Directory Certificate Services (AD CS)

  • Why it matters: Misconfigured AD CS can allow attackers to request certificates and impersonate critical infrastructure.
  • Action steps: Audit certificate template permissions and enrollment agent roles, and disable unnecessary web interfaces.
  • Bonus tip: Use tools like Microsoft’s PKI Health Check or third-party scanners to catch vulnerabilities in your current deployment, and schedule a penetration test that includes AD CS checks for common network vulnerabilities.

• Enforce SMB Signing

  • Why it matters: Without SMB signing, attackers can intercept or relay communications across your network using man-in-the-middle attacks.
  • Action steps: Require SMB signing for both clients and servers via Group Policy.
  • Bonus tip: Where legacy apps can’t support signing, isolate them on a restricted subnet with limited access.

• Disable Legacy Protocols

  • Why it matters: Protocols like LLMNR and NetBIOS were designed for ease of use, not security, and are easily exploited for spoofing.
  • Action steps: Disable them via Group Policy to prevent name service poisoning attacks.
  • Bonus tip: Educate your IT staff on safer DNS configurations and monitor for fallback behaviors that could reintroduce risk.

• Segment the Network

  • Why it matters: Flat networks make lateral movement easy for attackers once they’re in.
  • Action steps: Separate critical assets (like domain controllers and management interfaces) from general user traffic using VLANs and firewall rules.
  • Bonus tip: Pair segmentation with strong monitoring to detect and contain intrusions before they escalate.

• Clean Up File Shares and Enforce Role-Based Access Control (RBAC)

  • Why it matters: Over-permissioned file shares are a treasure trove for attackers, especially when they contain scripts with credentials.
  • Action steps: Regularly scan and audit shares, remove sensitive data, and implement RBAC so only those with a true need can access critical resources.
  • Bonus tip: Don’t assume hidden shares (e.g., ending in $) are safe—experienced attackers are actively looking for them. Read our blog on Identity and Access Management or watch our video for more tips.
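As an added example (not LMG Security’s script or tooling), the PowerShell below audits a single Windows host for the settings the takeaways above cover: whether SMB signing is required on both the server and client side, whether LLMNR and NetBIOS over TCP/IP are disabled, and whether custom hidden ($) shares contain scripts or config files that assign a password in plaintext. The -Harden switch and the credential regex are assumptions of this example, not Microsoft-defined names. In production the settings belong in Group Policy, as the action steps say; the script is most useful for verifying that the policy actually landed on a given host.

```powershell
<#
  Added example, not LMG Security's script: audit one Windows host for the
  misconfigurations in the takeaways above and optionally correct them.
  Run from an elevated PowerShell session. -Harden and $credPattern are
  assumptions of this example, not Microsoft-defined names.
#>
[CmdletBinding()]
param(
    [switch]$Harden   # apply fixes on this host instead of only reporting
)

$findings = @()

# 1. SMB signing. The Smb* cmdlets read and write the same RequireSecuritySignature
#    values that live under LanmanServer\Parameters and LanmanWorkstation\Parameters.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
if (-not $srv.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing (host is a relay target)'
    if ($Harden) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
if (-not $cli.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing (outbound sessions are relayable)'
    if ($Harden) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 2. LLMNR. Policy value EnableMulticast = 0 disables it; a missing value means
#    the Windows default (enabled) is in effect.
$dnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr  = (Get-ItemProperty -Path $dnsPol -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($null -eq $llmnr -or $llmnr -ne 0) {
    $findings += "LLMNR is enabled (EnableMulticast=$llmnr)"
    if ($Harden) {
        if (-not (Test-Path $dnsPol)) { New-Item -Path $dnsPol -Force | Out-Null }
        Set-ItemProperty -Path $dnsPol -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 3. NetBIOS over TCP/IP, per interface. NetbiosOptions: 0 = follow DHCP (default),
#    1 = enabled, 2 = disabled. A change takes effect after an adapter reset or reboot.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifRoot) {
    $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -ne 2) {
        $findings += "NetBIOS over TCP/IP not disabled on $($iface.PSChildName) (NetbiosOptions=$opt)"
        if ($Harden) { Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
    }
}

# 4. Hidden shares. Skip the built-in administrative shares, flag custom '$' shares,
#    then look inside them for script/config files that assign a password in plaintext.
$credPattern = '(?i)\b(password|passwd|pwd)\b\s*[=:]\s*\S+'   # assumed heuristic; expect false positives
foreach ($share in Get-SmbShare) {
    if ($share.Name -notmatch '\$$' -or $share.Name -match '^(ADMIN|IPC|[A-Z])\$$') { continue }
    $findings += "Hidden share '$($share.Name)' at $($share.Path): review contents and ACL"
    if (-not (Test-Path -Path $share.Path)) { continue }
    $hits = Get-ChildItem -Path $share.Path -Recurse -File -ErrorAction SilentlyContinue `
                -Include *.ps1,*.bat,*.cmd,*.vbs,*.xml,*.config,*.ini |
            Select-String -Pattern $credPattern -List
    foreach ($hit in $hits) {
        $findings += "Possible plaintext credential in $($hit.Path) (line $($hit.LineNumber))"
    }
}

# 5. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: SMB signing required, LLMNR and NetBIOS disabled, no custom hidden shares.'
} else {
    foreach ($f in $findings) { Write-Output "FINDING: $f" }
    if (-not $Harden) { Write-Output 'Re-run with -Harden to enforce signing and disable LLMNR/NetBIOS on this host.' }
}
```

Run it without arguments first and review the findings; the credential regex is deliberately broad and will flag variable names and comments as well as real secrets, so every hit needs a human look. Requiring client-side signing can break devices that cannot sign, which is exactly the case the SMB signing bonus tip addresses with a restricted subnet.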

Final Thoughts: Time to Think Like a Penetration Tester

Great security starts with knowing how attackers think and act. As Tom put it, “We start as if we’re just plugged into a conference room. No usernames, no passwords. And from there, we find a way in.” It’s crucial to find these security gaps before the attackers do! To hear more details about these 5 common network vulnerabilities, watch our Cyberside Chats podcast or video on how hackers can get in.

Want to level the playing field? Contact us to schedule a penetration test. Our experts simulate real-world threats to uncover vulnerabilities before they’re exploited. Let’s work together to turn your crunchy outer shell and ooey-gooey center into a hardened, defense-in-depth infrastructure.
