At Paramount Defenses, we know a thing or two about Active Directory Security, yet out of respect for organizations worldwide, we have NEVER directly demonstrated how a trusted insider could enact the #1 threat to Active Directory deployments today.
However, it appears that a recent inaccurate claim related to Active Directory security seems to be distracting organizations from arguably one of the world's top cyber security threats to not just 95% of the Fortune 1000 but to 85% of all organizations worldwide, so we felt it was necessary to demo just how easily a malicious insider could compromise an(y) Active Directory.
The Set Up
For the setup, lets consider a fictional multi-national organization that operates in multiple continents, and has 1000s of employees and contractors, as well as computers, and of course, millions of IT resources stored on these computers.
Let's assume that the accounts of 1000s of employees and contractors are all stored in Active Directory, and that a majority of the 1000s of computers are all domain-joined as well, and finally that there exist 1000s of domain security groups that collectively serve to protect the entirety of their IT assets.
An Active Directory Deployment Spanning 4 Continents |
Let's also assume that in order to manage all these resources, the organization has delegated administrative authority amongst its global IT team, which is comprised of numerous IT personnel.
Members of the IT Team that have been delegated varying levels of access in Active Directory |
Let us further assume that this organization has delegated administrative authority amongst its IT admins based on the principle of least privilege, and thus currently has only 1 Domain Admin account, other than the default Administrator's account.
To keep it simple, assume that account management tasks have been delegated to the Account Management Team, computer account management tasks to the Host Management Team, security group management tasks to the Access Management Team, and that help desk related tasks including Password Resets have been delegated to the global Help Desk Team.
Finally, let's assume that their Active Directory has been around for at least a few years, and that they've been delegating access in Active Directory for years now, as a result of which there's a fair bit of delegation done in the Active Directory.
Let us also keep in mind that although they've done their best to delegate authority based on the principle of least privilege, they have no way of verifying delegations, and thus can only hope that their delegations adhere to the principle of least privilege.
In summary -
- The Active Directory is spread across 4 continents - America, Europe, Asia Pacific and Australia
- There are 1000s of domain user accounts in Active Directory for employees and contractors
- There are 1000s of domain computer accounts in Active Directory, one for each machine (laptop, desktop, server)
- There are 1000s of domain security groups in Active Directory, and are used to provision access company-wide
- There is 1 Domain Admin (; realistically most organizations have 20+ Domain Admins)
- The Account Management Team is delegated all account management tasks
- The Access Management Team is delegated all security group management tasks
- The Host Management Team is delegated all computer management tasks in AD, and via GPOs
- The Help Desk Team is delegated password reset operations across the Active Directory
- Delegations are extensively done, but the organization does not have the means to audit/verify these delegations, so they do not know if delegations adhere to the principle of least privilege.
Objective - Obtain Domain Admin Credentials
The objective is to obtain Domain Admin credentials, because if you can do so, you can in effect, control the entire Active Directory, and by extension the entire IT infrastructure (using GPOs, Security Groups, etc.).
As you may know, in addition to obtaining access to any IT resource in the organization, there are some other things you can do once you're a Domain Admin - immediately lock everyone else (including all admins) out before you start to wreak havoc, disable auditing, prevent everyone else from logging on, etc (The list is long.)
In this fictional demo deployment, there is only 1 Domain Admin account, apart from the Administrator account -
As you'll hopefully agree, most organizations have many more Domain Admins than 1, so we're being very kind to this fictional organization in this demo. (With each additional Domain Admin, the attack surface increases exponentially.)
Attacker and Starting Point - An Ordinary Domain User Account
Assume that the attacker is a temporary contractor who happens to be on a 3-month contract with the organization. His fictional name is Kevin. All he has is a domain-joined laptop given to him to by the company and a regular domain-user account.
He has NO administrative rights whatsoever anywhere in the Active Directory, or on any domain joined or non domain joined machine, except the ability to install software on his assigned laptop.
He also has NO knowledge of security concepts like Kerberos, NTLM, Hashes, Firewalls etc. Consequently, of course, he does not have the skill to use advanced techniques like PtH.
[A Side Note to PtH Users ]
Unlike you, our attacker is a complete non-techie. He has no hacking skills, has no clue what a hash is, so of course, has no idea as to how to use Pass-the-Hash etc. He technical skills are limited to using MS Office.
Oh, just one more thing. The Domain Admin does understand how PtH works, so he NEVER logs on to any other machine except his dedicated Domain Admin laptop, which is always with him, and he only uses it to carry out Domain Admin related responsibilities. He does not check his mail on it, browse the Web, or any Intranet site from that laptop. The only tools on that laptop are ADUC and some of Microsoft's AD related utilities like ntdsutil, dsacls, LDP etc. No freely downloaded tools whatsoever. He of course also never Remote Desktop's into any machine using his Domain Admin creds.
So even if you compromise a machine on the inside, you can sit and wait and wait and wait and wait for him to logon to the machine you 0wn on the network, and you might get old waiting, because he's NOT going to logon to your machine, so you're not going to get him via a PtH attack.
Sorry :-(
Motive
Let's assume something has upset Kevin, our contractor; could be anything; the motive is relatively inconsequential. Lets assume that he decides to get even, and he figured he's going to do so by become the most powerful individual in the company, the Domain Admin.
- Side note- Contrary to popular belief, the most powerful individual in an organization is not the CEO. the most powerful individual is he/she who ultimately controls access to the entirety of the organization's IT assets - the Domain Admin.
In other words, we now have a malicious trusted insider in our environment!
Attack Methodology
So we have a malicious insider who knows nothing about cyber security.
All he knows is that once when he had forgotten his password, he was asked to call Help Desk, and when he did, they reset his password and assigned him a temporary password, with which he could instantly logon. So he figures that if he could reset someone's password, he could then logon as that individual. For instance, anyone who can reset the CEO's password can then logon as the CEO.
Finally, he knows that there is a local IT admin on-site (details below), who has previously assisted him with issues he may have had on his laptop.
Oh yes, and he knows one other thing - he knows the name of the Domain Admin, only because the Domain Admin was recently honored by the company in its monthly newsletter for all the great work he's been doing, as a result of which he actually made the company newsletter's front page with a headline that read - Honoring Steve Ballmer, Our Domain Admin!
Now, his ultimate target is the Domain Administrator Steve Ballmer, so he figures, why not try and find out who can reset Steve Ballmer's password, and let's assume he finds that another delegated IT admin named Kid Zuckerburg can reset Steve Ballmer's password, why not try and figure out who can reset Kid Zuckerburg's password and iterate this process over and see where it leads to.
You never know, he may find that ultimately that path ends at his local IT admin.
So, all he needs to do is find out who can reset whose passwords, until he can find someone whose account he can easily compromise. Once that's done, all he needs to do is a couple of password resets, each one taking just a few seconds, and he will have obtained Domain Admin credentials within a matter of minutes, without having to compromise a single machine.
Some Quick Theory
In case you find yourself wondering - "but wait, trying to find out who can reset a domain user account's password is by no means an easy task."
You're absolutely right. It is NOT an easy task. At a minimum it requires -
- Read access to the target user's account in Active Directory
- A tool, such as ADUC, with which you can view Active Directory content and look at AD ACLs
- The knowledge and expertise to examine an AD object's ACL and accurately determine effective permissions.
- Access to a tool, such as ADUC, that allows the user to perform password resets
The ACL on the Domain Admin, Steve Ballmer's Account |
So, how is our attacker, who doesn't even know what a hash is, let alone what effective permissions are, possibly going to fulfill these 4 requirements?
Keep reading.
Oh, Just One Other Thing - Smartcards
In case you find yourself saying - "but we use Smart-cards, so this doesn't apply to us." I have some not so good news for you. It unfortunately still applies, because someone can easily disable the requirement to use smart-cards by modifying the userAccountControl attribute on the user account. Once that's disabled, the account's back to relying on passwords.
The Cast
Before I walk you through a step-by-step demo, lets get introduced to the IT personnel involved in this fictional demo. Kindly note that all names are fictional and that any resemblance to real individuals bearing these names is completely coincidental.
That said, here's the cast -
- The Attacker - Kevin Mandia, is a temporary contractor who works for a fictional company called Mundane
- The Domain Admin - Steve Ballmer, an IT Analyst, is the most powerful individual in this organization
- The Delegated Admin - Kid Zuckerburg, a Jr. IT Analyst, is a member of the Account Management Team
- The Help-Desk Operator - Larry Page, an IT Support Analyst, is a member of the Help Desk team
- The Local IT Admin - Ted Schlein, a Jr. IT Operator, in addition to being a member of the Help Desk team, is also a local on-site IT admin at the attacker's location
(The titles of these fictional employees can be verified by viewing the Setup snapshot above.)
Now, to the demo...
The Demo - Ordinary User to Domain Admin in Minutes
Our attacker, Kevin, who is now a malicious insider, figures that what he needs to do is analyze who can reset whose passwords. He has no idea how difficult it is do so, but he figures that since these days there's a tool to do just about everything, there must be a tool to do password reset analysis as well, so he launches his favorite Web browser and performs an online search to see if there's any such thing as a "Password Reset Analysis Tool"
He happens to across this tool - http://www.paramountdefenses.com/goldfinger-mini
- Note that this tool is designed to assist employees in assessing the risk to their own accounts. However, in this case, a trusted insider is unfortunately going to misuse it, thereby breaching the trust we (Paramount Defenses) impose in employees of organizations worldwide. It only takes 1 trusted insider to breach the trust that we, and their organization, imposes in them.
Anyway, he first downloads and installs the free edition on his laptop (which is a domain joined machine) and then tries it out, all of which takes about 2 minutes. He figures he'll need a 007 edition license, so he acquires one, in another 2 minutes.
Now, there are 3 parts to this attack vector -
- Privilege Escalation Path Identification - This is the most difficult part, and without appropriate tooling, this part can take even an expert hours to accurately perform, per account. With the right tooling however, it only takes seconds.
- Starting Point Compromise - This part involves compromising the initial starting port in the privilege escalation path. This can be accomplished in various ways, one of which is described below. This may not always be necessary, for instance, if the attacker happens to be a delegated admin with sufficient delegated rights in Active Directory.
- Privilege Escalation via Password Resets - This is the easy part, and usually only takes a few seconds.
Before we Begin - Ordinary User Verification
Prior to beginning, the attacker Kevin uses whoami to verify that he does not have any administrative privileges -
Part 1 - Privilege Escalation Path Identification (Time involved: 5 minutes, Effort required: Minimal)
Clock Start Time: 2:00 pm
Our attacker Kevin downloads and installs the tool and the license on his laptop, then launches it to begin -
- Technical Note - It is important to note that when launching the tool on a Windows Server 2008 machine or beyond, he will need to set the Compatibility Mode to Windows XP Service Pack 3 -
Before proceeding, he quickly verifies his licensing details by clicking on Help, then on About -
He then proceeds to select the second report "Who can reset a colleague's account's password" -
He then clicks the search button located to the right of the drop-down to access the inbuilt Account Locator -
Now, he enters the word "Steve" as the only thing he knows is that the Domain Admin's name is "Steve Ballmer". The locator finds and displays the Domain Admin's account, and he select's it -
That's it. The tool is now ready to find out within seconds, exactly who can reset Steve Ballmer's password (i.e. the Domain Admin's password) -
He clicks the Gold Finger button (i.e. the big button with the golden hand on it) which is the equivalent of the Run button) and within seconds, the tool determines and displays the list of all individuals who can currently reset the Domain Admin's account's password -
He finds that only 2 other individuals can reset the Domain Admin's password, one of whom happens to be a delegated admin, Jr. IT Analyst, Kid Zuckerburg, so he figures it might be worthy finding out who can reset Mr. Zuckerburg's account's password.
So he proceeds to locate Kid Zuckerburg's account using the inbuilt Account Locator -
He is now ready to find out who can reset Kid Zuckerburg's account -
He click's the Gold Finger, and within seconds, learns that 19 individuals can reset Kid Zuckerburg's account. Their identities are displayed by the tool -
Curious to see the entire list, he scrolls down a bit, and finds that amongst others, Larry Page, another delegated IT support admin, can reset Kid Zuckerburg's password -
So he proceeds to locate Larry Page's account using the inbuilt Account Locator -
He is now ready to find out who can reset Larry Page's account -
He click's the Gold Finger, and within seconds, learns that 22 individuals can reset Larry Page's account. Their identities are displayed by the tool -
He finds that the 2nd name on this list is that of none other than the local IT admin at his location, Ted Schlein, who in addition to being a local IT admin is a member of the Help Desk team -
This is a very valuable find, because what it means is that if somehow, he can compromise Ted Schlein's account, he would in effect be just 2 minutes (i.e. 3 password resets) away from becoming a Domain Admin!
Why (, or how so) ?
Very simple - thus far he has found that -
- Kid Zuckerburg (a Jr. IT Analyst) can reset Steve Ballmer's (a Domain Admin) password,
- Larry Page (an IT Support Analyst) can reset Kid Zuckerburg's password, and
- Ted Schlein (a Jr. IT Operator and a local on-site IT admin) can reset Larry Page's password.
In other words, he has now found his starting point - it is Ted Schlein, his local on-site IT admin!
By the way, a quick note about Logon Names (UPNs). The astute reader would have noticed that our malicious insider is going to need to know the UPNs of these delegated admins to logon as them. Although he does not know the UPNs, the tool displays the UPN of each user, so determining the UPN is just a matter of scrolling the results in the Account Locator -
With that out of the way, on to the 2nd part.
Clock End Time: 2:05 pm
Part 2 -Starting Point Compromise (Time involved: 3 minutes, Effort required: Minimal)
Clock Start Time: 2:06 pm
It's time to compromise the initial starting point. There are many ways of doing so, but since we have assumed that the attacker has no IT security knowledge, we'll use one involving just a little bit of Social Engineering.
The attacker, who is a contractor, and now a malicious insider, places a surveillance clock on his desk such that the hidden camera in the clock can take a video of the keyboard.
He then walks upto Ted Schlein, the local on-site IT admin, tells him that something doesn't seem to be working right on his laptop, and requests him for some urgent technical assistance with his laptop.
Ted Schlein comes over, and in order to troubleshoot the non-existent technical issue, logs in using his own domain account and password. He finds no problems, so he lets Kevin know that all is well and moves on.
Little did he know, that the attacker, albeit technically unsavvy, managed to capture a clear enough video of Ted Schlein entering his username and password via that surveillance camera he had set up.
Clock End Time: 2:09 pm
That's it - he know has the creds of Ted Schlein, and its about 2:10 pm.
- Note: This is merely an illustrative example. A minimally tech savvy attacker can employ various other means to learn about the local IT admin's password. Examples include shoulder surfing, keystroke logging etc. A tech savvy hacker can additionally employ hacking skills and tools to get the local IT admin's credentials, because he has both network access as well as physical access to the local admin's machine.
Although he is ready to launch his attack, he waits for an opportune time say around 6:30 pm, as he knows that most IT personnel would have left for the day, and in all likelihood be stuck in traffic somewhere.
From 2:10 pm until 6:30 pm, he goes about his work as usual.
Fast forward 4 hours and 20 minutes, and its time to complete the attack.
Part 3 - Privilege Escalation Via Password Resets (Time involved: 3 minutes, Effort required: Minimal)
Clock Start Time: 6:30 pm
The attacker Kevin logs off his account on his own laptop, and then immediately logs back in using Ted Schlein's credentials. Since he knows the logon-name (UPN) and password, the logon succeeds, so now he is logged on as Ted Schlein -
Now, all he needs to do is reset Larry Page's password.
Note that ordinarily he would have had to use an administrative tool like Active Directory Users and Computers, but Gold Finger Mini has an inbuilt password reset capability (provided for testing purposes), which can be accessed by pressing Alt-R (for Reset).
So he launches Gold Finger Mini, then uses the inbuilt Account Locator to find Larry's account and select Larry's account. To select Larry's account, he selects it and then clicks the Select button. (When he clicks the Select button, the account is selected and control is passed back to the main window) -
He then presses Alt-R to access the Password Reset dialog -
He enters a password of his choice for Larry's account, such as WeRunOnADToo! -
He then clicks the Reset Password button, and lo and behold, Larry's Page's password has been reset! -
That took all of 5 seconds. He instantly logs off as Ted Schlein, and then logs back on as Larry Page, using Larry Page's account and password -
Same drill, next account. Time to reset Kid Zuckerburg's password. First locate the account, using the inbuilt target locator, then press Alt-R to access the Password Reset dialog -
He then enters a password for Kid Zuckerburg's account, such as LikeThis,Kid!
He then presses the Reset Password button, and he just successfully elevated his privilege again -
He instantly logs off as Larry Page and logs right back on as Kid Zuckerburg -
Its time to perform the last step in privilege escalation to that of Domain Admin. Its time to reset Steve Ballmer's password, so he locates his account and accesses the password reset window -
He enters a password for Steve Ballmer's account, such as WhoNeedsPtHWhenUCanResetPwds?!
He presses the Reset Password button, and voilà , he just became a Domain Admin! -
Time to log-off as Kid Zuckerburg and logon as Steve Ballmer, the most powerful individual in the organization, the Domain Admin!
Folks, our malicious insider has just escalated his privilege to that of a Domain Admin!
End of Privilege Escalation; End of Demo.
Attack Summary
In just minutes, without having to compromise a single machine, or use any sophisticated techniques like Pass-the-Hash, a malicious insider with virtually no security know-how and no administrative access of any sort, just escalated his/her privilege to the most powerful individual in the organization, the Domain Admin.
Analysis
This attack vector demonstrated the risk posed by Active Directory Privilege Escalation based on the exploitation of unauthorized access grants in Active Directory, which is arguably the world's #1 cyber security risk today.
This risk stems from the fact that there exist large numbers of excessive access grants in Active Directory deployments, which without sufficient tooling/expertise, are very difficult to identify, whether by organizational IT personnel or by a malicious insider.
These excessive grants exist because although Active Directory makes it very easy to precisely delegate access, it lacks the ability to help organizations precisely verify/audit delegated access, and as a result, most organizations end up delegating access in the proverbial dark, i.e. on a best-effort basis, without any verification/proof.
Over time, the state of delegated access constantly yet subtly changes, due to administrative churn, group membership changes, ACL changes and other factors, causing currently implemented delegations to deviate from intended delegations.
Consequently, many more individuals than intended, unbeknownst to themselves or IT personnel, end up with excessive delegated administrative access entitlements in Active Directory, and it is these excessive delegated entitlements that can be easily exploited by anyone who can accurately identify them. Password reset entitlements happen to be the easiest to exploit.
The ability to begin the password reset analysis process on a high-value target, such as a Domain Admin account, and iterate it down until an easily compromisable low-value target can be identified, helps identify the easiest possible privilege escalation path from a low-value to a high-value target, which can then be exploited within a matter of minutes, without requiring that the targets to have logged on to a machine one owns.
Even though this risk provides a far easier way to compromise security, most malicious perpetrators still resort to sophisticated attack methodologies like Pass-the-Hash, because they're neither aware of this risk, nor have the means to quickly or accurately identify these excessive delegated access grants and thus perform accurate password accurate reset analysis, yet.
Without sufficient tooling, it is very difficult and time consuming to perform such analysis. However, as demonstrated above, with the right tools, such analysis can now be done within seconds.
In addition, because the analysis phase is read-only, even if using basic tools, an attacker could take his/her own sweet time to perform the analysis, because read-access is almost never audited. (Audit logs would start rolling over within minutes if organizations started auditing read access.)
Also, because so much read access takes place every day in the Active Directory, no solution, such as a firewall built to monitor Active Directory traffic and identify suspect situations could potentially identify this as suspicious activity.
Finally, once the analysis is over, and a path has been found, enacting the privilege escalation steps by resetting passwords also only takes a matter of seconds, so even if password reset operations are audited, realistically, by the time someone receives a notification, the perpetrator would already have completed the privilege escalation and would possibly be in a position to take aggressive counter-measures, such as deploying a pre-written script that would lock everyone else out, and thus prevent anyone from stopping the perpetrator. (As such, audit log analysis will only indicate that authorized IT personnel were involved in resetting passwords, and thus it would be difficult to determine whether something "fishy" was going on.)
This risk is real, it exists today, and virtually every Active Directory deployment is vulnerable to it.
Risk Mitigation
Unlike other risks, not only can this risk be precisely assessed, it can also be quickly and reliably mitigated. In order to mitigate this risk, organizations only need the ability to efficiently assess and lock down effective access grants delegated in their Active Directory domains, AND the will to mitigate this risk.
Once organizations can efficiently and accurate identify effective access and the underlying permissions, their IT administrative personnel can use this insight to instantly and methodically start locking-down excessive access, and within a matter of days, measurably and demonstratably lock down access to the point that all existing access is based on verifiable least privilege.
When existing access is provisioned on verifiable least-privilege, 99.9% of privilege escalation paths are automatically eliminated, and once there are no paths left to exploit, with or without tooling, malicious perpetrators will have virtually no opportunity to escalate privilege in such a manner.
By corollary, until all existing access is provisioned based on verifiable least-privilege, there will continue to exist large numbers of privilege escalation paths, any ONE of which could be identified and exploited to cause significant damage.
It is important to note that 3 things are key here - completeness, speed (i.e. efficiency) and accuracy.
By completeness, we mean that it is not sufficient to merely lock down access on a subset of Active Directory content, such as focusing only on Domain Admin accounts etc. Organizations must at a minimum lock down access on all Active Directory administrative accounts and groups, including those of all delegated administrators and groups, and ideally they should lock down access to all content, because using this approach, virtually every IT resource stored in or protected by Active Directory can be compromised.
(For instance, the easiest way to compromise a set of confidential documents stored on a domain-joined server, is to find out which domain security group is being used to grant access to this set of documents, and then modify that domain security group (stored in Active Directory) to gain access to these documents, by adding one's own account (or another account) to this domain security group.)
Speed is important because with each passing day, the exposure only continues to increase, and the luxury of being able to take months to address is simply one that is not affordable.
Accuracy is key because without accuracy, organizations can end up making incorrect access control decisions, and incorrect access control decision can very quickly exacerbate the situation.
Doing our Bit to Help
From our side, we are doing out bit to help organizations mitigate this security risk.
Our Gold Finger solution makes the domain-wide assessment of effective access grants as easy as touching a button, thereby giving organizations instant, on-demand effective-access insight, accomplishing for them in hours, what could take years to do -
Gold Finger's patented capabilities fully-automate the accurate determination of effective-access in Active Directory deployments -
Gold Finger can consequently help organizations instantly and accurately determine effective delegated access across their entire Active Directory domain(s) within hours, delivering completeness, speed and accuracy, at a button's touch.
Gold Finger also helps identify the underlying permissions so organizations know exactly what to modify to lock down unauthorized excessive access, and most importantly, its patented algorithms deliver accurate results, so organizations can mitigate this serious risk in a timely manner.
There are certainly other choices available as well. These primarily include a handful of basic / amateur Active Directory permission reporters/analyzers that can help organizations try and solve this problem manually. The only disadvantage of all such tools is that they leave you to do the entire effective-permissions and effective delegated access analysis yourself, which unfortunately could take months or even years to do.
Finally, the most important point here is that timely, successful and adequate risk mitigation will require executive support from the highest levels of the organization. IT groups are thus encouraged to educate executive management about this risk, so that they can obtain the support they'll need to mitigate it. (Here's an Executive Summary for Executive Management)
Responsible Disclosure
Strictly speaking, there's nothing to disclose here. This should technically be apparent to those of ordinary skill in the art.
That said, as an organization, as we have indicated previoulsy, we have known about the possibility of this risk for over 8 years now. We informed Microsoft about it way back in 2007. We have also invested over half a decade of innovative research and development to help organizations mitigate this risk, and it is only after a solution had been available for over a year that we shed light on this risk last year.
We also had no particular interest in building Gold Finger Mini. Our focus always has been on Gold Finger so that we could help organizations mitigate this risk, and we only license the Gold Finger to organizations. We do not license it to individuals.
As for Gold Finger Mini, it was primarily built for senior executives who would find it difficult to believe the existence of this risk, and requested proof. So, we built Gold Finger Mini so they could instantly see for themselves, not just how much risk their organizations were exposed to but also verify that such password reset analysis could be performed by non-administrative users as well (i.e. using their own accounts.) Subsequently, based on feedback from numerous organizations, in order to help employees participate in the overall cyber security process, we made Gold Finger Mini available for use by organizational employees in 2012.
Even though Gold Finger Mini has been available since 2012, until today, not once have we demonstrated how easy it is for someone to enact this risk, were they to misuse a Password Reset Analysis Tool. If we did so today, it was only because, as indicated above, it appears that a recent inaccurate claim related to Active Directory security seems to be distracting organizations, and we wanted to help organizations see for themselves just how much easier it is for a malicious insider to potentially cause substantial damage via this risk, than it is with any other risk.
Wrapping it up
As demonstrated above, with the right tools, almost anyone could easily compromise any Active Directory deployment, within minutes, without so much so as owning a machine, let alone using sophisticated techniques like Pass-the-Hash.
Not just 95% of the Fortune 1000 run on Active Directory, but in fact 85% of all organizations worldwide run on Active Directory, and in all likelihood, today, most of them may be exposed to this risk. Sadly, all it takes is one insider, e.g. Edward Snowden.
See it for yourself - http://www.paramountdefenses.com/products/password-reset-analysis-tool/try
Best wishes,
Sanjay