AlphaONE Operations

AlphaONE Operations Managed Security Service Provider / Managed Detection & Response

05/25/2026

22,468 password hashes.
12,016 recovered.
One afternoon.

After landing Domain Admin on a client network, we dumped every NTLM hash in Active Directory and fed them to our hashcat cluster. Before the day was out, we'd recovered the plaintext credentials for 53.48% of the domain. More than twelve thousand accounts, wide open.

The part that stings: nearly every recovered password was technically compliant. Eight characters minimum. Upper, lower, number, symbol. The audit tool never blinked once while we had the keys to the kingdom.

Here's where the policy fell apart:
- 18.5% of recovered passwords hit exactly the 8-character floor, nothing more.
- 49.8% had full complexity: letters, a special character, and a digit.
- Only 36% cleared the 12-character bar recommended by PCI DSS 4.0.
- Just 7.6% met the NIST 800-63B Rev 4 single-factor threshold of 15 characters.

Phase 1 used pure mask attacks against the policy requirements: 0.10% recovered. Phase 2 added rockyou with no rules: 1.50% cumulative. Phase 3 layered in the public d3ad0ne ruleset (34,000+ transformations): 13.91%. Phase 4 brought our internal wordlist and custom rules: 50.20% of accounts were unique, for a total of 53.48%.

That proprietary tooling delta tells the whole story. Off-the-shelf public tools left 7,621 passwords standing. Our internal corpus knocked them down in a single phase. No compliance scan, NIST checklist, or audit dashboard can see that gap.

The complete analysis is in the comments: all four phases with full hashcat syntax, length and pattern breakdowns, crack-time projections across five hardware tiers (from a single laptop GPU to our 12-GPU, 4.3 TH/s rig), and framework mapping.

When was the last time someone actually cracked your AD hashes? Not just reviewed the policy. Not just running an audit. Cracked the hashes.

05/22/2026

"We're fine with our 8-character minimum and complexity rules."
That's a statement that's showing up as a finding in 2026 security audits.
Both NIST SP 800-63B Rev 4 (2025) and Microsoft's 2025 Security Baselines have done away with forced complexity requirements and scheduled password resets. Today's standard sets the minimum at 15 characters for accounts without a second factor, or 14 characters when MFA is active. The days of 8-character passwords being acceptable are behind us.
We took the password policy remediation advice from every Active Directory pentest report we deliver and consolidated it into a single playbook. Give it to your helpdesk. Hand it to your GRC team. It's the same process we walk every client through after we've compromised a domain.
The most important thing in the playbook: get MFA deployed everywhere before you change a single password length or expiration setting. Everything else hinges on whether MFA is in place, because both NIST and Microsoft explicitly allow lighter password requirements when a strong second factor is present.
The steps below are ordered — that order is not optional:

1. Universal MFA (RADIUS / NPS / Entra ID).
2. Banned-password list enabled (Specops, nFront, or Azure AD Password Protection).
3. Minimum length increased — 14 chars with MFA, 15 chars without.
4. Complexity rules removed (only once steps 1–3 are done).
5. Password expiration removed (only once steps 1–3 are done); reset on breach stays permanent.
6. Service accounts migrated to gMSA.
7. Fine-Grained Password Policies applied to privileged accounts (minimum 20 characters).
8. SIEM alerting configured for events 4662, 4769, 4768, 4624, 4625, 4740, 4928, 4929, 5136.

Cut corners on the sequence, and you leave the domain weaker than before. Turn off complexity without first raising the length floor and activating a ban list, and your next pentest will crack more passwords, not fewer.
The full playbook — covering both on-prem AD and Entra ID, with framework mappings for auditors (NIST 800-53, NIST CSF 2.0, CIS Controls v8.1, CIS Windows Benchmark, ISO/IEC 27001:2022, Microsoft Security Baselines, and MITRE ATT&CK M1027/M1032/M1018) — is in the comments.
Where is your environment getting stuck?
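As an added example that is not code from AlphaONE's posts or tooling, the Python below does two things the cracking post and the playbook above describe: it scores a corpus of recovered plaintexts against the four length bars the cracking post reports (exactly 8, full complexity, at least 12, at least 15), and it checks a candidate password against the post-remediation policy the playbook ends with (a length floor that depends on MFA state and account tier, a banned-term list, and no complexity rule). The sample passwords, the ban list and the simplified leet normalisation are constructed assumptions, not any product's matching algorithm.

```python
from typing import Iterable

# Length bars quoted in the two posts above.
LEGACY_MIN = 8        # the old "8 characters plus complexity" floor
PCI_MIN = 12          # PCI DSS 4.0 recommendation
NIST_MFA_MIN = 14     # floor when MFA is active
NIST_NO_MFA_MIN = 15  # NIST SP 800-63B Rev 4 single-factor floor
PRIVILEGED_MIN = 20   # playbook's Fine-Grained Password Policy floor for privileged accounts

# Assumed, simplified normalisation for the ban-list check; commercial banned-password
# products do more than this, so treat it as an illustration, not their matching rule.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i"})

def is_full_complexity(pw: str) -> bool:
    """Letters plus a digit plus a symbol: the 'full complexity' shape counted in the post."""
    return (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def hits_banned_term(pw: str, banned: Iterable[str]) -> bool:
    """Substring match after lower-casing and undoing common character substitutions."""
    norm = pw.lower().translate(_LEET)
    return any(term.lower() in norm for term in banned)

def check_policy(pw: str, banned: Iterable[str], mfa: bool, privileged: bool = False) -> list[str]:
    """Reasons a password fails the post-remediation policy; an empty list means accepted.
    There is deliberately no complexity requirement, matching the NIST and Microsoft guidance."""
    floor = PRIVILEGED_MIN if privileged else (NIST_MFA_MIN if mfa else NIST_NO_MFA_MIN)
    reasons = []
    if len(pw) < floor:
        reasons.append(f"length {len(pw)} < required {floor}")
    if hits_banned_term(pw, banned):
        reasons.append("contains a banned term")
    return reasons

def breakdown(recovered: list[str]) -> dict[str, float]:
    """Percentages in the same buckets the cracking post reports for recovered plaintexts."""
    n = len(recovered)
    pct = lambda k: round(100.0 * k / n, 1)
    return {
        "exactly_8": pct(sum(len(p) == LEGACY_MIN for p in recovered)),
        "full_complexity": pct(sum(is_full_complexity(p) for p in recovered)),
        "at_least_12": pct(sum(len(p) >= PCI_MIN for p in recovered)),
        "at_least_15": pct(sum(len(p) >= NIST_NO_MFA_MIN for p in recovered)),
    }

# Constructed sample, not engagement data: ten plaintexts a legacy 8+complexity policy accepts.
SAMPLE = ["Summer25!", "P@ssw0rd", "Welcome1!", "Company2026#", "Qwerty1234",
          "Football1!", "Autumn2025!!", "Th1s-is-a-long-passphrase", "March2026!", "Admin123!"]
BANNED = {"password", "welcome", "summer"}  # constructed ban list
```

Running `breakdown(SAMPLE)` on this sample gives 10% at exactly eight characters, 90% with full complexity, 30% at twelve or more and 10% at fifteen or more, the same shape of gap the post describes between "compliant" and "strong".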

05/21/2026

Twenty-year-old method, an engagement that wrapped up this week, a full pivot across the domain, and not one password cracked.

NTLM relay happens when the network passes a captured authentication off to a destination it was never supposed to reach. The underlying protocol weakness (NTLMSSP doesn't bind to a target SPN) has been documented since the early 2000s. The remedy (SMB signing) has been around almost the entire time. Yet the default has stayed server-side-optional for everything before Server 2025, which is precisely why this attack continues to land on the majority of internal engagements.

Here's the 2026 chain we walked through on a recent client engagement:

- Responder grabs a NetNTLMv2 hash inside of 60 seconds via LLMNR poisoning.
- NetExec `--gen-relay-list` enumerates every host on the segment with signing turned off.
- ntlmrelayx forwards the captured authentication into a file server that doesn't require signing. The relayed user comes through as a local admin.
- ntlmrelayx, by default, auto-dumps the local SAM. We notice matching NT hashes shared between `Administrator` and a `*-adm` secondary admin account, the classic password-reuse-on-the-same-box finding, and also a signal that the same build image has been deployed across the environment.
- `-socks` mode keeps the session resident in memory. proxychains-fronted tooling (secretsdump, evil-winrm, smbclient) runs through it without any password ever being handed to the tool. The SOCKS session itself serves as the credential.

When relay isn't an option (signing enforced across the board), the captured NetNTLMv2 still gets fed to hashcat mode 5600 against rockyou. We've yet to watch that come up empty.

The defender's priority list is short: require SMB signing everywhere, kill LLMNR / NBT-NS / mDNS, kill WPAD, deploy DHCP snooping along with DHCPv6 Guard plus RA Guard, roll out LAPS so local admin accounts aren't uniform, and finally move NTLM into audit-then-block. A single Group Policy change covers most of the relay attack surface.

The complete post, including the Responder.conf pre-flight tweaks, the full ntlmrelayx walkthrough (`-c`, default SAM auto-dump, `-socks` plus `-tf` plus proxychains), the offline-cracking fallback, the defender-side event correlation (4624 / 4625 / 8001 / 5145), and the Defender for Identity rule mapping, is linked in the comments.

If a real relay attempt has never been pointed at your network, the exposure is already running.
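An added detection example, not code from the original post: a correlation over constructed Security-log records (event IDs 4624 and 5145 plus one 4625, from the list the post gives) that flags a source IP whose NTLM network logons carry a workstation name that does not belong to that IP, fan out to several hosts within a short window, and are followed by administrative-share access. The field names, the IP-to-hostname inventory and the sample events are assumptions; Event 8001 from the post's list is not modelled here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not real logs), normalised the way a SIEM would present
# Security events 4624 (logon), 4625 (failed logon) and 5145 (share object access).
EVENTS = [
    {"t": "2026-05-18T09:00:11", "id": 4624, "host": "FS01", "user": "jdoe", "src_ip": "10.0.5.77",
     "workstation": "WS-JDOE", "logon_type": 3, "auth": "NTLM"},
    {"t": "2026-05-18T09:00:14", "id": 4624, "host": "FS02", "user": "jdoe", "src_ip": "10.0.5.77",
     "workstation": "WS-JDOE", "logon_type": 3, "auth": "NTLM"},
    {"t": "2026-05-18T09:00:16", "id": 4625, "host": "FS03", "user": "jdoe", "src_ip": "10.0.5.77"},
    {"t": "2026-05-18T09:00:20", "id": 5145, "host": "FS01", "user": "jdoe", "src_ip": "10.0.5.77",
     "share": "\\\\*\\ADMIN$"},
    {"t": "2026-05-18T09:05:00", "id": 4624, "host": "FS01", "user": "asmith", "src_ip": "10.0.5.20",
     "workstation": "WS-ASMITH", "logon_type": 3, "auth": "Kerberos"},
]
# Constructed asset inventory: which hostname is expected at each source IP.
INVENTORY = {"10.0.5.20": "WS-ASMITH", "10.0.5.77": "UNKNOWN-DHCP"}

def correlate(events, inventory, window=timedelta(minutes=5), min_reasons=2):
    """Group events by source IP and return the IPs that show relay-shaped behaviour."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):      # ISO-8601 strings sort chronologically
        by_src[e["src_ip"]].append(e)
    findings = []
    for src, evs in by_src.items():
        ntlm = [e for e in evs if e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth") == "NTLM"]
        if not ntlm:
            continue
        start = datetime.fromisoformat(ntlm[0]["t"])
        in_win = [e for e in evs if datetime.fromisoformat(e["t"]) - start <= window]
        reasons = []
        # 1. The workstation name inside the NTLM logon is not the asset that owns the source IP.
        expected = inventory.get(src, "").upper()
        if any(e["workstation"].upper() != expected for e in ntlm):
            reasons.append("workstation name does not match source ip")
        # 2. One identity authenticating to several hosts from one IP within seconds.
        hosts = {e["host"] for e in in_win if e["id"] == 4624 and e.get("auth") == "NTLM"}
        if len(hosts) >= 2:
            reasons.append(f"ntlm fan-out to {len(hosts)} hosts")
        # 3. Administrative share access following the logons (how a SAM dump shows up in the log).
        if any(e["id"] == 5145 and e.get("share", "").upper().endswith(("ADMIN$", "C$")) for e in in_win):
            reasons.append("admin share access after ntlm logon")
        # 4. Rejections from the same source in the same window (hosts that refused the session).
        fails = sum(1 for e in in_win if e["id"] == 4625)
        if fails:
            reasons.append(f"{fails} failed logons")
        if len(reasons) >= min_reasons:
            findings.append({"src_ip": src, "users": sorted({e["user"] for e in ntlm}), "reasons": reasons})
    return findings
```

On the sample, only 10.0.5.77 is returned, with all four reasons; the Kerberos logon from the inventoried workstation produces nothing.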

05/20/2026

9:00:00 AM, we connected to the network.
9:00:11 AM, we walked away with six domain credential hashes belonging to three separate users.

Eleven seconds. A Monday morning. Before anyone had finished their first cup of coffee.

The technique is LLMNR / NBT-NS poisoning. NBT-NS goes back to the late 1980s and LLMNR to 2007, yet both remain enabled out of the box on every current Windows release, Windows 11 24H2 and Windows Server 2025 included, and we encounter them on internal assessments week after week.

Nothing fancy is required. Drop a laptop onto any available network jack (a conference room, a vacant cubicle, the wall port in the lobby), launch Responder, and sit back. Whenever a Windows host fails to resolve a name through DNS (a typo, an outdated mapped drive, a retired server, a WPAD query, a dead shortcut, or an entry lingering in Office's "Recent Files"), it broadcasts asking the local network for help. Responder happily replies. The Windows client then willingly hands its logged-in user's NTLMv2 credentials over to whatever machine responded.

What happens to those hashes next:

- They get cracked offline (hashcat, mode 5600). During the last engagement, we pulled Domain Admin out of a single captured LLMNR hash using off-the-shelf hardware.
- They get relayed live through ntlmrelayx. A single grabbed authentication produced SAM hash dumps from seven hosts inside the environment. The hash was simply passed along; nothing was cracked; no vulnerability was exploited.
- They get correlated. Hashes we never crack still expose usernames, which machines map to which users, patterns of network behavior, and which accounts hold admin rights based on which relays succeed.

The mitigation has been documented publicly for more than ten years. Yet we keep discovering LLMNR / NBT-NS turned on in roughly nine out of every ten environments we review.

The complete breakdown, covering the Responder switches we used, the NetNTLMv2 capture itself, both the cracking and relaying workflows, the telltale defender-side indicator (Event 3012 in the `Microsoft-Windows-DNS-Client/Operational` log channel), and the full set of GPO, registry, and DHCP fixes, is linked in the comments.

How recently has anyone verified that your network is only replying to the hosts it's supposed to?

04/30/2024

Can AI fix health problems you didn’t even know you had? Several researchers are trying to find that out (https://bit.ly/3wg8HPW).

04/25/2024

We’re all tied to our chargers these days. Learn how to charge effectively with this list of the best charging devices for personal or business use (https://tinyurl.com/3vkek6rn).

04/23/2024

Planning to beef up your cybersecurity solutions this year? Check out these important tips on what to look for when vetting new security platforms (https://tinyurl.com/3eu6py3y).

04/18/2024

If you’re a leader at a small or mid-sized business, here are three top cybersecurity trends you’re going to want to know about (https://tinyurl.com/2vydd3ew).

04/17/2024

Attending school online has been a thing for a while now, but what about attending in the Metaverse? A new VR high school is being launched which will be just the beginning of a whole new way to learn (https://tinyurl.com/ynfs8saa).

Address

Birmingham, AL
35242

Telephone

+13342453125

Website

https://linktr.ee/AlphaONEOps
