Skip to main content
All case studies
Manufacturing

Domain Admin in 4 Hours: Network Penetration Test of a Global Engineering Conglomerate

Kerberoasting + lateral movement across 50,000+ IP internal network achieves full domain compromise

Client: Global Engineering and Construction Conglomerate

4 hrs
Time from network access to full Domain Admin compromise
47
Service account passwords cracked via Kerberoasting
52,847
Live hosts mapped across 340 network segments
0
Network segments with effective microsegmentation at baseline

The Challenge

Massive Internal Network with Legacy Systems and Flat Architecture

A global engineering conglomerate with 50,000+ IPs across 30+ locations needed to validate their internal network security posture. The network had grown organically over 15 years through acquisitions, resulting in a mix of modern and legacy systems with inconsistent patching and segmentation. A board-level directive following a peer company ransomware incident mandated an internal network penetration test.

  • 50,000+ IP addresses across 30+ offices and project sites
  • Network grown through 8 acquisitions — inconsistent AD forests and trust relationships
  • Legacy Windows Server 2012 and 2008 systems still running in production
  • Flat network with minimal segmentation between business units and project sites

The Solution

Internal Network Penetration Test with Active Directory Focus

Security Brigade deployed a 4-person team for a comprehensive internal network penetration test, focusing on Active Directory attack paths, lateral movement, and privilege escalation. The team used a combination of automated discovery and manual exploitation techniques, with B-52 engine tracking coverage across all network segments to ensure no zone was missed.

Services used

network-pt red-team vapt

Our approach

  1. 01 Day 1: Network discovery and enumeration — mapped 52,847 live hosts across 340 subnets, identified 4 AD forests with 12 trust relationships
  2. 02 Day 1-2: Kerberoasting attack against service accounts — cracked 47 service account passwords within 3 hours using GPU-accelerated hash cracking
  3. 03 Day 2: Lateral movement via compromised service account — identified 3 hosts where a Domain Admin had active sessions — credential extraction via memory dump
  4. 04 Day 2-3: Demonstrated impact — accessed ERP database, HR payroll system, project bidding documents, and board presentation repository

The Results

Full Domain Admin Compromise in 4 Hours — 47 Weak Service Account Passwords Identified

Achieved Domain Admin access within 4 hours of starting the internal test, primarily through Kerberoasting weak service account passwords and lateral movement to hosts with privileged sessions. The assessment revealed fundamental issues with AD security hygiene, service account management, and network segmentation that were subsequently addressed in a 12-week remediation programme.

4 hrs
Time from network access to full Domain Admin compromise
47
Service account passwords cracked via Kerberoasting
52,847
Live hosts mapped across 340 network segments
0
Network segments with effective microsegmentation at baseline

Ready to discuss your security needs?

Talk to our team about a similar engagement for your organisation.

Request a Scoping Call