In 2024, vPenTest by Vonahi Security conducted thousands of automated internal network penetration tests. The results revealed consistent and alarming trends in internal network security across organizations of all sizes and sectors. This article unpacks the top 10 most common internal network vulnerabilities identified, illustrating how each weakness can serve as a stepping stone for attackers to compromise enterprise networks.
1. LLMNR/NBT-NS Poisoning
Prevalence: 63% of internal networks
Impact: Enables credential capture and relay attacks
Details: LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are legacy name resolution protocols vulnerable to spoofing. Attackers can exploit them to capture NTLMv2 password hashes via tools like Responder or MITM6.
Recommendation:
- Disable LLMNR and NBT-NS via Group Policy
- Implement DNSSEC and enforce usage of modern DNS
2. Passwords Stored in SYSVOL
Prevalence: 58%
Impact: Exposes plaintext or reversible encrypted credentials
Details: Shared Group Policy Preferences (GPP) XML files in SYSVOL often contain hardcoded passwords accessible to any authenticated domain user. Attackers can extract these with scripts like Get-GPPPassword.
Recommendation:
- Remove all GPP XML files with passwords
- Replace with secure credential management solutions (e.g., LAPS, PAM tools)
3. Passwords Stored in Scripts
Prevalence: 53%
Impact: Easy harvesting of sensitive credentials
Details: Hardcoded credentials in logon, backup, and maintenance scripts are frequently overlooked. These scripts often reside in shared folders or are executed automatically on login.
Recommendation:
- Conduct regular audits of login scripts
- Use credential vaults or tokens instead of static passwords
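An added example serving both findings 2 and 3 (not from the vPenTest report or Vonahi): a read-only PowerShell sweep of SYSVOL that lists GPP XML files carrying a cpassword attribute and scripts with password-like assignments, so they can be removed. It assumes a domain-joined host with read access to the domain's SYSVOL share; it flags files only and decrypts nothing.

```powershell
# Added example: find GPP files with cpassword and scripts with literal credentials
# under SYSVOL. Read-only audit; output is a list of files to clean up.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$sysvol = "\\$domain\SYSVOL\$domain"

# GPP preference files that can embed a cpassword attribute
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
$gppHits = Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword="[^"]+"' -Quiet } |
    Select-Object -ExpandProperty FullName

# Logon/maintenance scripts: "password = ..." style assignments and "net use ... /user:" lines,
# which carry the password as a positional argument
$scriptExt = '*.bat', '*.cmd', '*.vbs', '*.ps1'
$scriptHits = Get-ChildItem -Path $sysvol -Recurse -Include $scriptExt -ErrorAction SilentlyContinue |
    Select-String -Pattern '(?i)(password|passwd|pwd)\s*[:=]\s*\S+|net\s+use\s.*\s/user:' |
    Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }

Write-Output "GPP files with cpassword: $(@($gppHits).Count)"
$gppHits | ForEach-Object { Write-Output "  $_" }
Write-Output "Script lines with password-like text: $(@($scriptHits).Count)"
$scriptHits | Format-Table -AutoSize
```

Expect some false positives from the script regex (variable names, comments); the cpassword check has none, since the attribute exists only to hold a credential.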
4. Domain Users Can Read LAPS Passwords
Prevalence: 50%
Impact: Undermines Local Administrator Password Solution (LAPS) security
Details: LAPS stores local admin passwords in Active Directory, but if improperly configured, any domain user can read them.
Recommendation:
- Use Set-AdmPwdReadPasswordPermission to restrict LAPS access to specific AD groups
- Validate permissions with Find-LapsMisconfigurations.ps1
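An added example (not from the vPenTest report or Vonahi): a PowerShell audit that, for every OU holding computer objects, lists who holds the extended right needed to read the LAPS password and flags broad principals such as Domain Users or Authenticated Users. It assumes the legacy Microsoft LAPS AdmPwd.PS module and RSAT ActiveDirectory; the group name "LAPS Readers" is an assumed placeholder.

```powershell
# Added example: find OUs where broad principals can read LAPS passwords.
# Read-only unless -Fix is given. Requires AdmPwd.PS and ActiveDirectory modules.
param([switch]$Fix, [string]$AllowedGroup = 'LAPS Readers')
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Principals that should never be able to read local admin passwords
$broad = 'Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers', 'Users'

# Only OUs that directly contain computer objects matter for LAPS
$ous = Get-ADOrganizationalUnit -Filter * | Where-Object {
    (Get-ADComputer -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel | Measure-Object).Count -gt 0
}

foreach ($ou in $ous) {
    # One result per OU; ExtendedRightHolders lists DOMAIN\principal strings
    $rights  = Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName
    $holders = @($rights.ExtendedRightHolders)
    $bad = $holders | Where-Object { $broad -contains ($_ -replace '^.*\\', '') }

    [pscustomobject]@{
        OU          = $ou.DistinguishedName
        Holders     = ($holders -join '; ')
        OverExposed = [bool]$bad
    }

    if ($Fix -and $bad) {
        # Grants read to the intended group. Set-AdmPwdReadPasswordPermission only adds
        # an ACE; the broad principals' ACEs still have to be removed from the OU's ACL.
        Set-AdmPwdReadPasswordPermission -Identity $ou.DistinguishedName -AllowedPrincipals $AllowedGroup | Out-Null
    }
}
```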
5. Unquoted Service Paths
Prevalence: 47%
Impact: Local privilege escalation
Details: When a service path contains spaces and is unquoted (e.g., C:\Program Files\App Name\Service.exe), attackers can drop malicious executables in earlier path segments (like C:\Program.exe) to hijack execution.
Recommendation:
- Audit services with PowerShell:
Get-WmiObject win32_service | where {$_.pathname -match ' ' -and $_.pathname -notmatch '^".*"$'}
- Correct paths by enclosing them in quotes
6. Weak Service Permissions
Prevalence: 45%
Impact: Privilege escalation to SYSTEM
Details: Services that allow standard users to modify their configuration or binaries can be exploited to execute arbitrary code as SYSTEM.
Recommendation:
- Use accesschk.exe from Sysinternals to find vulnerable services
- Restrict service permissions with sc sdset or Group Policy
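An added example serving findings 5 and 6 (not from the vPenTest report or Vonahi): a PowerShell service audit that goes a step beyond the one-liner above by checking only the executable portion of the command line (a space in the arguments alone is not exploitable), and that also reports service binaries writable by low-privileged principals. Repair-UnquotedPath shows the quoting fix; everything else is read-only. It assumes an elevated local session.

```powershell
# Added example: audit local services for unquoted image paths and writable binaries.
$lowPriv   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Write-class bits only; Modify/FullControl/Write all include WriteData, so they match too
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceExe([string]$PathName) {
    # Executable part of the command line: a quoted token, else everything up to the first ".exe"
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-UnquotedPath([string]$PathName) {
    # Exploitable only when unquoted AND the executable's own path contains a space
    return (-not $PathName.StartsWith('"')) -and ((Get-ServiceExe $PathName) -match ' ')
}

function Repair-UnquotedPath([string]$Name, [string]$PathName) {
    $exe  = Get-ServiceExe $PathName
    $rest = $PathName.Substring($exe.Length)   # arguments, if any, kept as they were
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name ImagePath -Value "`"$exe`"$rest"
}

function Test-WeakBinaryAcl([string]$Exe) {
    if (-not $Exe -or -not (Test-Path -LiteralPath $Exe)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Exe).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeBits) -ne 0)) { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        PathName    = $_.PathName
        Unquoted    = Test-UnquotedPath $_.PathName
        WritableExe = Test-WeakBinaryAcl (Get-ServiceExe $_.PathName)
    }
} | Where-Object { $_.Unquoted -or $_.WritableExe } | Format-Table -AutoSize
```

Service configuration permissions (who may change the binPath itself) live in the service's security descriptor, not the file ACL; accesschk.exe -uwcqv or sc sdshow remains the check for that side, and sc sdset the fix.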
7. No SMB Signing
Prevalence: 43%
Impact: Enables SMB relay and man-in-the-middle attacks
Details: Without SMB signing, attackers can intercept and modify SMB traffic, using tools like ntlmrelayx.py to gain privileged access.
Recommendation:
- Enforce SMB signing via GPO:
Microsoft network client/server: Digitally sign communications (always)
- Disable NTLM where possible
8. NTLMv1 Enabled
Prevalence: 39%
Impact: Exposes users to easily cracked authentication
Details: NTLMv1 is cryptographically weak and susceptible to rainbow table attacks.
Recommendation:
- Enforce NTLMv2 via Group Policy
- Monitor with Event ID 4624 (Logon Type 3 and NTLMv1 usage)
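An added example serving findings 7 and 8 (not from the vPenTest report or Vonahi): a PowerShell check of SMB signing enforcement and the LAN Manager authentication level on a host, followed by a query for the Event ID 4624 entries the article recommends monitoring, filtered to those where the NTLM package name is "NTLM V1". It assumes an elevated session and read access to the Security log of the target (domain controllers are where network logons concentrate).

```powershell
# Added example: SMB signing and NTLMv1 audit for one host. Run elevated.
param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

# SMB signing is only enforced when RequireSecuritySignature is True on both sides
$srv = Get-SmbServerConfiguration | Select-Object -ExpandProperty RequireSecuritySignature
$cli = Get-SmbClientConfiguration | Select-Object -ExpandProperty RequireSecuritySignature
Write-Output ("SMB signing required - server: {0}, client: {1}" -f $srv, $cli)

# LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM and NTLMv1 (the GPO
# "Network security: LAN Manager authentication level")
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 'not set (OS default)' }
Write-Output ("LmCompatibilityLevel: {0} (5 enforces NTLMv2 only)" -f $level)

# 4624 logons in the window where "Package Name (NTLM only)" is NTLM V1
$ms = $Hours * 3600000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
         " and EventData[Data[@Name='LmPackageName']='NTLM V1']]"
$events = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation = $d.WorkstationName
        SourceIP    = $d.IpAddress
        LogonType   = $d.LogonType
    }
} | Format-Table -AutoSize
Write-Output ("NTLMv1 logons in the last {0} h: {1}" -f $Hours, @($events).Count)
```

Run the event query against every domain controller for a week before raising LmCompatibilityLevel, so the legacy devices and appliances still sending NTLMv1 are known before they break.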
9. Kerberoastable Accounts with Weak Passwords
Prevalence: 36%
Impact: Kerberos ticket extraction and offline brute-forcing
Details: Attackers request service tickets (TGS) for accounts with SPNs and then brute-force weak passwords offline using tools like Rubeus.
Recommendation:
- Identify SPN accounts:
Get-ADUser -Filter {ServicePrincipalName -ne "$null"}
- Enforce strong passwords and consider removing unnecessary SPNs
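An added example (not from the vPenTest report or Vonahi): a read-only PowerShell report that starts from the SPN query above and ranks each account's Kerberoasting exposure by password age, privileged group membership, and whether AES encryption types are enabled (an account without AES hands out RC4 tickets, which are the cheapest to crack). It assumes RSAT ActiveDirectory; the 365-day threshold is an assumed policy value.

```powershell
# Added example: Kerberoasting exposure report for user accounts with SPNs.
Import-Module ActiveDirectory
$maxAgeDays = 365
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Backup Operators'

# krbtgt always has an SPN and is excluded; managed service accounts are not user objects
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, MemberOf, 'msDS-SupportedEncryptionTypes', Enabled |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $groups = @($_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })
        # msDS-SupportedEncryptionTypes: 0x8 = AES128, 0x10 = AES256; unset means RC4 tickets
        $aes = (($_.'msDS-SupportedEncryptionTypes') -band 0x18) -ne 0
        $age = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }
        $priv = [bool]($groups | Where-Object { $privGroups -contains $_ })
        [pscustomobject]@{
            Account     = $_.SamAccountName
            Enabled     = $_.Enabled
            PasswordAge = $age
            Privileged  = $priv
            AesEnabled  = $aes
            SPNs        = ($_.ServicePrincipalName -join '; ')
            # Enabled account that is privileged, has an old/unknown password, or no AES
            HighRisk    = ($_.Enabled -and ($priv -or ($null -eq $age) -or ($age -gt $maxAgeDays) -or -not $aes))
        }
    } | Sort-Object -Property HighRisk, Privileged -Descending | Format-Table -AutoSize
```

Accounts that appear as Privileged should be the first to have their SPN moved to a group managed service account, since a cracked password there is a direct path to domain compromise.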
10. No Patching on Endpoints
Prevalence: 34%
Impact: Widely exploitable vulnerabilities persist
Details: Unpatched systems remain vulnerable to known exploits (e.g., EternalBlue, PrintNightmare), allowing lateral movement and privilege escalation.
Recommendation:
- Use WSUS, SCCM, or Intune for patch compliance
- Prioritize high CVSS vulnerabilities and automate patch cycles
Conclusion
The vPenTest 2024 report reveals a clear message: internal network security hygiene is still lacking across the board. Many of these risks are preventable with configuration hardening, user training, and systematic auditing.
Security is not a one-time fix—it's a culture of continual improvement.
By addressing these top 10 internal network misconfigurations, organizations can significantly reduce the attack surface available to adversaries and increase resilience against internal threats and lateral movement.