In the course of their audit engagements Oneconsult penetration testers are increasingly finding identical passwords used for local administrative users on backend systems and even more often on workstations. Although these passwords are stored as a NTLM hash, an attacker still has ample opportunities to misuse this situation for lateral movement inside a company’s IT infrastructure. This article covers attacks and mitigation opportunities. [read the German article]