Now list the users in the Administrators and Domain Admins groups and look for patterns, or rather for exceptions to a pattern. Typically, organisations use obvious naming conventions for user accounts, but these are usually ignored where service accounts are concerned. Service accounts are administrator-level accounts used to let applications log on to servers and domains - backup and management products such as Backup Exec, Arcserve and Tivoli are obvious examples.
Select each of these service accounts in turn and try to guess its password - it's not as hard as you might think. Frequently, network administrators will select something obvious, such as a password identical to the account name! Take care not to exceed the account lockout threshold, otherwise even the most harassed admin will guess something is up.
If these fail, try those accounts which look like shared administrator accounts or scripted accounts, such as Administrator, Install, AutoInstall or similar. At least fifty percent of the time you will gain Domain Admin access, allowing you to create your own administrator account, join the domain legitimately and help yourself to any information on any server.
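The same membership review works in reverse for the defender: an audit of the privileged groups that flags exactly the accounts the excerpt singles out (generic shared names and convention-breaking service accounts) gives an administrator a short list to rename, remove from Domain Admins, or move to managed service accounts with long random passwords. The script below is an added example, not code from the original article or from First Base Technologies; the group membership, the naming convention regex and the account names are constructed sample data and an assumed convention, so substitute an export of your own groups and your own pattern.

```python
import re
from collections import defaultdict

# Constructed sample input: members of the two privileged groups, as an
# admin might export them (sAMAccountName values only). Not real data.
SAMPLE_GROUPS = {
    "Domain Admins": [
        "jsmith01", "abrown02", "svc_backupexec", "Administrator",
        "arcserve", "install",
    ],
    "Administrators": [
        "jsmith01", "tivoli", "autoinstall", "kpatel03",
    ],
}

# Assumed convention for personal accounts: letters followed by two digits
# (e.g. jsmith01). Replace with the organisation's real convention.
USER_CONVENTION = re.compile(r"^[a-z]+\d{2}$")

# Generic shared or scripted administrator names named in the post.
SHARED_NAMES = {"administrator", "install", "autoinstall"}


def classify(name, convention=USER_CONVENTION):
    """Classify one privileged account name.

    'shared'    -> a generic shared/scripted administrator name
    'exception' -> does not fit the personal-account convention
                   (typical of service accounts such as backup agents)
    'ok'        -> fits the convention, so presumably a named person
    """
    lowered = name.lower()
    if lowered in SHARED_NAMES:
        return "shared"
    if not convention.match(lowered):
        return "exception"
    return "ok"


def privileged_account_report(groups, convention=USER_CONVENTION):
    """Map each account to the privileged groups it sits in plus its class.

    Names are merged case-insensitively, as Active Directory treats them.
    """
    membership = defaultdict(set)
    display = {}
    for group, members in groups.items():
        for member in members:
            key = member.lower()
            membership[key].add(group)
            display.setdefault(key, member)
    report = {}
    for key, group_set in membership.items():
        report[display[key]] = {
            "groups": sorted(group_set),
            "class": classify(display[key], convention),
        }
    return report


def review_queue(report):
    """Accounts to review first: shared names, then convention exceptions,
    each group sorted alphabetically. Personal accounts are left out."""
    shared = sorted(n for n, r in report.items() if r["class"] == "shared")
    exceptions = sorted(n for n, r in report.items() if r["class"] == "exception")
    return shared + exceptions


if __name__ == "__main__":
    rep = privileged_account_report(SAMPLE_GROUPS)
    for name in review_queue(rep):
        groups = ", ".join(rep[name]["groups"])
        print(f"{name:16} {rep[name]['class']:10} {groups}")
```

Feed it the output of whatever you use to list group members (on a domain controller, `Get-ADGroupMember` is the usual source) and treat every line it prints as a question: does this account need Domain Admin at all, and if it does, is its password long, random and rotated rather than equal to its name?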
This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at http://www.fbtechies.co.uk