byt3bl33d3r / DeathStar

Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
GNU General Public License v3.0

Invoke-wmi fails to execute when prioritizing computers with admin sessions #12

Closed c0d3xpl0it closed 6 years ago

c0d3xpl0it commented 7 years ago

Below is the error received, can you check?

[*] Powering up the Death Star
[*] Created Death Star listener => {u'success': u'listener DeathStar successfully started'}
[*] Polling for agents
[+] New Agent => Name: WYEU4RH7 IP: 10.1.2.136 HostName: XYZABC34413 UserName: ABC\QA1234 HighIntegrity: 0
[*] Agent: WYEU4RH7 => Starting recon
[+] Agent: WYEU4RH7 => Found 3 members for the '"Domain Admins"' group: ['ABC\\vha028_dom', 'ABC\\hcn004_dom', 'ABC\\Admin-ABC']
[+] Agent: WYEU4RH7 => Found 7 Domain Controllers: [u'YUIHM3DCO201.ABC.local', u'YUIHM3DCO202.ABC.local', u'QAZBGDCO201.ABC.local', u'QAZFAFDCO201.ABC.local', u'QAZBGDCO202.ABC.local', u'QAZFASDCO201.ABC.local', u'YUIHM2DCO201.ABC.local']
[+] Agent: WYEU4RH7 => Found 2 active admin sessions: [u'QAZFAFFIL200.ABC.local', u'YUIHM3FIL201.ABC.local']
[+] Agent: WYEU4RH7 => Found 0 users logged into localhost: []
[*] Agent: WYEU4RH7 => Starting lateral movement
[*] Agent: WYEU4RH7 => Attempting to elevate using bypassuac_eventvwr
[*] Agent: WYEU4RH7 => Starting domain privesc
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "DeathStar.py", line 512, in privesc
    for result in gpp(agent_name):
  File "DeathStar.py", line 327, in gpp
    usernames = list(map(str.strip, entry.split(':')[1].strip().split(',')))
TypeError: descriptor 'strip' requires a 'str' object but received a 'unicode'

[+] Agent: WYEU4RH7 => Current security context has admin access to 2 hosts
[-] Agent: WYEU4RH7 => Error executing module 'powershell/lateral_movement/invoke_wmi': {u'error': u'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "DeathStar.py", line 500, in spread
    invoke_wmi(agent_name, box)
  File "DeathStar.py", line 437, in invoke_wmi
    results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
  File "DeathStar.py", line 170, in execute_module_with_results
    if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object has no attribute '__getitem__'

byt3bl33d3r commented 7 years ago

Are you using Python 3?

c0d3xpl0it commented 7 years ago

I am using Kali Rolling 2017 edition and while running DeathStar I mention "python DeathStar" (i.e. Python 2.7.13)


aaaah, I was using 2.7.13 (my mistake)

c0d3xpl0it commented 7 years ago

I ran DeathStar with Python 3 this time and received the below errors. Any comments?

Error -1

[*] Powering up the Death Star
[*] Polling for agents
[+] New Agent => Name: 2R76CYMH IP: 10.1.2.136 HostName: LDOHHQABC34413 UserName: ABC\QWE319 HighIntegrity: 0
[*] Agent: 2R76CYMH => Starting recon
[+] Agent: 2R76CYMH => Found 3 members for the '"Domain Admins"' group: ['ABC\\mkc028_dom', 'ABC\\poi004_dom', 'ABC\\Admin-ABC']
[+] Agent: 2R76CYMH => Found 7 Domain Controllers: ['ASDF3DCO201.ABC.local', 'ASDF3DCO202.ABC.local', 'ZXCVBO201.ABC.local', 'ZXCVBFAFDCO201.ABC.local', 'ZXCVBO202.ABC.local', 'ZXCVBFASDCO201.ABC.local', 'ASDF2DCO201.ABC.local']
[+] Agent: 2R76CYMH => Found 3 active admin sessions: ['ZXCVBFAFFIL200.ABC.local', 'ASDF3FIL201.ABC.local', 'ASDF3FIL201.ABC.local']
[+] Agent: 2R76CYMH => Found 0 users logged into localhost: []
[*] Agent: 2R76CYMH => Starting lateral movement
[*] Agent: 2R76CYMH => Starting domain privesc
[*] Agent: 2R76CYMH => Attempting to elevate using bypassuac_eventvwr
[+] New Agent => Name: PZKU4AW8 IP: 10.1.2.152 HostName: ASDF3WTS251 UserName: ABC\QWE319 HighIntegrity: 0
Exception in thread Thread-4:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "DeathStar.py", line 538, in pwn_the_shit_out_of_everything
    for user in get_loggedon(agent_name):
  File "DeathStar.py", line 373, in get_loggedon
    domain = entry.split()[1]
IndexError: list index out of range

Error -2

[*] Powering up the Death Star
[*] Polling for agents
[+] New Agent => Name: ASE1DH9R IP: 10.1.2.136 HostName: LDOHHQQCO34413 UserName: ABC\QWE319 HighIntegrity: 0
[*] Agent: ASE1DH9R => Starting recon
[+] Agent: ASE1DH9R => Found 3 members for the '"Domain Admins"' group: ['ABC\\mkc028_dom', 'ABC\\poi004_dom', 'QCO\\Admin-QCO']
[+] Agent: ASE1DH9R => Found 7 Domain Controllers:  ['ASDF3DCO201.ABC.local', 'ASDF3DCO202.ABC.local', 'ZXCVBO201.ABC.local', 'ZXCVBFAFDCO201.ABC.local', 'ZXCVBO202.ABC.local', 'ZXCVBFASDCO201.ABC.local', 'ASDF2DCO201.ABC.local']
[+] Agent: ASE1DH9R => Found 3 active admin sessions: ['ZXCVBFAFFIL200.ABC.local', 'ASDF3FIL201.ABC.local', 'ASDF3FIL201.ABC.local']
[+] Agent: ASE1DH9R => Found 0 users logged into localhost: []
[*] Agent: ASE1DH9R => Starting lateral movement
[*] Agent: ASE1DH9R => Starting domain privesc
[*] Agent: ASE1DH9R => Attempting to elevate using bypassuac_eventvwr
[+] Agent: ASE1DH9R => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: ASE1DH9R => Current security context has admin access to 2 hosts
[-] Agent: ASE1DH9R => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "DeathStar.py", line 500, in spread
    invoke_wmi(agent_name, box)
  File "DeathStar.py", line 437, in invoke_wmi
    results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
  File "DeathStar.py", line 170, in execute_module_with_results
    if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable

byt3bl33d3r commented 7 years ago

  1. Are you using my Empire fork as it says in the readme?
  2. Can I have the raw output of the get_loggedon module?

c0d3xpl0it commented 7 years ago

Yes I am using your Empire fork.

Output of get_loggedon module

(Empire: powershell/situational_awareness/network/powerview/get_loggedon) > execute
(Empire: powershell/situational_awareness/network/powerview/get_loggedon) > 
Job started: 5LT6MZ

wkui1_username  wkui1_logon_domain wkui1_oth_domains wkui1_logon_server ComputerName
--------------  ------------------ ----------------- ------------------ ------------
QWE319          ABC                                  ASDF3DCO201       localhost   
LDOHHQQCO34413$ ABC                                                     localhost   

Get-NetLoggedon completed!

I am not getting why the below error comes for all agents

[-] Agent: ASE1DH9R => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "DeathStar.py", line 500, in spread
    invoke_wmi(agent_name, box)
  File "DeathStar.py", line 437, in invoke_wmi
    results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
  File "DeathStar.py", line 170, in execute_module_with_results
    if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable

c0d3xpl0it commented 7 years ago

Any help on the above errors, man?

byt3bl33d3r commented 7 years ago

Heya, so I tried reproducing this without any success. Two things:

  1. I'm going to need the output of the script in debug mode (just add the --debug flag)
  2. Uncomment this line, run the script again in debug mode and give me the output of that as well.

c0d3xpl0it commented 7 years ago

Below is output in debug mode.

[*] Powering up the Death Star
[*] Polling for agents
[+] New Agent => Name: Y4T9E5SZ IP: 10.1.2.136 HostName: LDOHHQABC34413 UserName: ABC\POI319 HighIntegrity: 0
[*] Agent: Y4T9E5SZ => Starting recon
[DEBUG] Agent: Y4T9E5SZ => Executed Module => success: True taskID: 1 msg: 'tasked agent Y4T9E5SZ to run module powershell/situational_awareness/network/powerview/get_group_member'
[+] Agent: Y4T9E5SZ => Found 3 members for the '"Domain Admins"' group: ['ABC\\mkc123_dom', 'ABC\\asd786_dom', 'ABC\\Admin-ABC']
[DEBUG] Agent: Y4T9E5SZ => Executed Module => success: True taskID: 2 msg: 'tasked agent Y4T9E5SZ to run module powershell/situational_awareness/network/powerview/get_domain_controller'
[+] Agent: Y4T9E5SZ => Found 7 Domain Controllers: ['QWER3DCO201.ABC.local', 'QWER3DCO202.ABC.local', 'RTYUBGDCO201.ABC.local', 'RTYUFAFDCO201.ABC.local', 'RTYUBGDCO202.ABC.local', 'RTYUFASDCO201.ABC.local', 'QWER2DCO201.ABC.local']
[DEBUG] Agent: Y4T9E5SZ => Executed Module => success: True taskID: 3 msg: 'tasked agent Y4T9E5SZ to run module powershell/situational_awareness/network/powerview/user_hunter'
[+] Agent: Y4T9E5SZ => Found 3 active admin sessions: ['RTYUFAFFIL200.ABC.local', 'QWER3FIL201.ABC.local', 'QWER3DCO201.ABC.local']
[DEBUG] Agent: Y4T9E5SZ => Executed Module => success: True taskID: 4 msg: 'tasked agent Y4T9E5SZ to run module powershell/situational_awareness/network/powerview/get_loggedon'
[+] Agent: Y4T9E5SZ => Found 0 users logged into localhost: []
[*] Agent: Y4T9E5SZ => Starting lateral movement
[*] Agent: Y4T9E5SZ => Starting domain privesc
[*] Agent: Y4T9E5SZ => Attempting to elevate using bypassuac_eventvwr
[DEBUG] Agent: Y4T9E5SZ => Executed Module => success: True taskID: 5 msg: 'tasked agent Y4T9E5SZ to run module powershell/privesc/gpp'
[DEBUG] Agent: Y4T9E5SZ => Executed Module => success: True taskID: 6 msg: 'tasked agent Y4T9E5SZ to run module powershell/situational_awareness/network/powerview/find_localadmin_access'
[DEBUG] Agent: Y4T9E5SZ => Executed Module => success: True taskID: 7 msg: 'tasked agent Y4T9E5SZ to run module powershell/privesc/bypassuac_eventvwr'
[-] Agent: Y4T9E5SZ => Current security context does not have admin access to QWER3DCO202.ABC.local
[DEBUG] Agent: Y4T9E5SZ => Executed Module => success: True taskID: 8 msg: 'tasked agent Y4T9E5SZ to run module powershell/situational_awareness/network/powerview/find_localadmin_access'
[+] Agent: Y4T9E5SZ => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: Y4T9E5SZ => Current security context has admin access to 2 hosts
[-] Agent: Y4T9E5SZ => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "DeathStar.py", line 500, in spread
    invoke_wmi(agent_name, box)
  File "DeathStar.py", line 437, in invoke_wmi
    results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
  File "DeathStar.py", line 170, in execute_module_with_results
    if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable

After this the script goes into a hung state. Hope the above output helps to replicate and resolve the scenario.

byt3bl33d3r commented 7 years ago

Can you uncomment the line I specified and give me the debug output please?

c0d3xpl0it commented 7 years ago

Above pasted output is with uncommented line and --debug flag.


byt3bl33d3r commented 7 years ago

Ah gotcha, thanks. So there seems to be an issue when executing the invoke_wmi module. Specifically, when it prioritizes computers with active admin sessions, it seems that a value isn't being properly passed to the function.

Could you add a

print(agent_name, box)

statement right before line 500, re-run the script and give me the output? Thanks

c0d3xpl0it commented 7 years ago

Is the below indentation correct?

image

I will try and paste the output here. Do you want me to run it again in debug mode?

byt3bl33d3r commented 7 years ago

Yup, perfect. Yes if you can run it again in debug mode that would be great

c0d3xpl0it commented 7 years ago

Same error repeats after adding above suggested line to DeathStar.py

[*] Polling for agents
[+] New Agent => Name: NM4SA2DB IP: 10.1.2.136 HostName: LDOHHQxyz34567 UserName: xyz\ASD123 HighIntegrity: 0
[*] Agent: NM4SA2DB => Starting recon
[DEBUG] Agent: NM4SA2DB => Executed Module => success: True taskID: 4 msg: 'tasked agent NM4SA2DB to run module powershell/situational_awareness/network/powerview/get_group_member'
[+] Agent: NM4SA2DB => Found 3 members for the '"Domain Admins"' group: ['xyz\\cvb028_dokm', 'xyz\\pop004_dokm', 'xyz\\Admin-xyz']
[DEBUG] Agent: NM4SA2DB => Executed Module => success: True taskID: 5 msg: 'tasked agent NM4SA2DB to run module powershell/situational_awareness/network/powerview/get_domain_controller'
[+] Agent: NM4SA2DB => Found 7 Domain Controllers: ['QW1QA3DCO201.xyz.local', 'QW1QA3DCO202.xyz.local', 'MNBVBGDCO201.xyz.local', 'MNBVFAFDCO201.xyz.local', 'MNBVBGDCO202.xyz.local', 'MNBVFASDCO201.xyz.local', 'QW1QA2DCO201.xyz.local']
[DEBUG] Agent: NM4SA2DB => Executed Module => success: True taskID: 6 msg: 'tasked agent NM4SA2DB to run module powershell/situational_awareness/network/powerview/user_hunter'
[+] Agent: NM4SA2DB => Found 4 active admin sessions: ['MNBVFAFFIL200.xyz.local', 'QW1QA3DCO202.xyz.local', 'QW1QA3FIL201.xyz.local', 'QW1QA3FIL201.xyz.local']
[DEBUG] Agent: NM4SA2DB => Executed Module => success: True taskID: 7 msg: 'tasked agent NM4SA2DB to run module powershell/situational_awareness/network/powerview/get_loggedon'
[+] Agent: NM4SA2DB => Found 0 users logged into localhost: []
[*] Agent: NM4SA2DB => Starting lateral movement
[*] Agent: NM4SA2DB => Starting domain privesc
[*] Agent: NM4SA2DB => Attempting to elevate using bypassuac_eventvwr
[DEBUG] Agent: NM4SA2DB => Executed Module => success: True taskID: 8 msg: 'tasked agent NM4SA2DB to run module powershell/privesc/gpp'
[DEBUG] Agent: NM4SA2DB => Executed Module => success: True taskID: 9 msg: 'tasked agent NM4SA2DB to run module powershell/situational_awareness/network/powerview/find_localadmin_access'
[DEBUG] Agent: NM4SA2DB => Executed Module => success: True taskID: 10 msg: 'tasked agent NM4SA2DB to run module powershell/privesc/bypassuac_eventvwr'
[+] Agent: NM4SA2DB => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: NM4SA2DB => Current security context has admin access to 2 hosts
NM4SA2DB 
[-] Agent: NM4SA2DB => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "DeathStar.py", line 501, in spread
    invoke_wmi(agent_name, box)
  File "DeathStar.py", line 437, in invoke_wmi
    results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
  File "DeathStar.py", line 170, in execute_module_with_results
    if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable

CarterMcKelvain commented 7 years ago

I am getting the same error as mentioned above about the "TypeError: 'NoneType'". It worked on Friday of last week though. I'm going to do some more testing today and if I find anything else out I will post here. Just wanted to let you know that this error happened in other instances as well.

byt3bl33d3r commented 7 years ago

@c0d3xpl0it can you do a git pull and try again? might have resolved this issue in https://github.com/byt3bl33d3r/DeathStar/commit/1dc91823756dff3ddc6067bc5a1d8145343295f5

CarterMcKelvain commented 7 years ago

Not the OP, but I pulled the latest version and ran it on three separate computers. All three were roughly the same as the output below. I enabled debug as well. Does this help at all and do you need me to do anything else to help with troubleshooting? (Please excuse the redactions)

[*] Powering up the Death Star
[*] Polling for agents
[+] New Agent => Name: GMCUFK35 IP: REDACTED HostName: REDACTED UserName: REDACTED HighIntegrity: 0
[*] Agent: GMCUFK35 => Starting recon
[DEBUG] Agent: GMCUFK35 => Executed Module => success: True taskID: 9 msg: 'tasked agent GMCUFK35 to run module powershell/situational_awareness/network/powerview/get_group_member'
[+] Agent: GMCUFK35 => Found REDACTED members for the '"Domain Admins"' group: ['REDACTED']
[DEBUG] Agent: GMCUFK35 => Executed Module => success: True taskID: 10 msg: 'tasked agent GMCUFK35 to run module powershell/situational_awareness/network/powerview/get_domain_controller'
[+] Agent: GMCUFK35 => Found REDACTED Domain Controllers: ['REDACTED']
[DEBUG] Agent: GMCUFK35 => Executed Module => success: True taskID: 11 msg: 'tasked agent GMCUFK35 to run module powershell/situational_awareness/network/powerview/user_hunter'
[+] Agent: GMCUFK35 => Found 0 active admin sessions: ['REDACTED']
[DEBUG] Agent: GMCUFK35 => Executed Module => success: True taskID: 12 msg: 'tasked agent GMCUFK35 to run module powershell/situational_awareness/network/powerview/get_loggedon'
[+] Agent: GMCUFK35 => Found 1 users logged into localhost: ['REDACTED']
[*] Agent: GMCUFK35 => Starting lateral movement
[*] Agent: GMCUFK35 => Starting domain privesc
[*] Agent: GMCUFK35 => Attempting to elevate using bypassuac_eventvwr
[DEBUG] Agent: GMCUFK35 => Executed Module => success: True taskID: 13 msg: 'tasked agent GMCUFK35 to run module powershell/privesc/gpp'
[DEBUG] Agent: GMCUFK35 => Executed Module => success: True taskID: 15 msg: 'tasked agent GMCUFK35 to run module powershell/privesc/bypassuac_eventvwr'
[DEBUG] Agent: GMCUFK35 => Executed Module => success: True taskID: 14 msg: 'tasked agent GMCUFK35 to run module powershell/situational_awareness/network/powerview/find_localadmin_access'
[-] Agent: GMCUFK35 => Current security context does not have admin access to REDACTED
[DEBUG] Agent: GMCUFK35 => Executed Module => success: True taskID: 16 msg: 'tasked agent GMCUFK35 to run module powershell/situational_awareness/network/powerview/find_localadmin_access'
[+] Agent: GMCUFK35 => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: GMCUFK35 => Current security context has admin access to REDACTED hosts
[-] Agent: GMCUFK35 => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "DeathStar.py", line 499, in spread
    invoke_wmi(agent_name, box)
  File "DeathStar.py", line 436, in invoke_wmi
    results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
  File "DeathStar.py", line 170, in execute_module_with_results
    if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable

InfiniteSuns commented 7 years ago

Any updates on this? Launched with latest Empire (byt3bl33d3r's fork) and DeathStar.

[*] Powering up the Death Star
[*] Created Death Star listener => {'success': 'listener DeathStar successfully started'}
[*] Polling for agents
[+] New Agent => Name: AW4TX153 IP: 10.10.1.13 HostName: WIN7-PC UserName: EVIL\User2 HighIntegrity: 0
[*] Agent: AW4TX153 => Starting recon
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 1 msg: 'tasked agent AW4TX153 to run module powershell/situational_awareness/network/powerview/get_group_member'
[+] Agent: AW4TX153 => Found 2 members for the '"Domain Admins"' group: ['EVIL\\User3', 'EVIL\\Administrator']
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 2 msg: 'tasked agent AW4TX153 to run module powershell/situational_awareness/network/powerview/get_domain_controller'
[+] Agent: AW4TX153 => Found 1 Domain Controllers: ['win-ad.evil.corp']
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 3 msg: 'tasked agent AW4TX153 to run module powershell/situational_awareness/network/powerview/user_hunter'
[+] Agent: AW4TX153 => Found 1 active admin sessions: ['win10.evil.corp']
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 4 msg: 'tasked agent AW4TX153 to run module powershell/situational_awareness/network/powerview/get_loggedon'
[+] Agent: AW4TX153 => Found 1 users logged into localhost: ['EVIL\\User2']
[*] Agent: AW4TX153 => Starting lateral movement
[*] Agent: AW4TX153 => Starting domain privesc
[*] Agent: AW4TX153 => Attempting to elevate using bypassuac_eventvwr
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 5 msg: 'tasked agent AW4TX153 to run module powershell/situational_awareness/network/powerview/find_localadmin_access'
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 6 msg: 'tasked agent AW4TX153 to run module powershell/privesc/gpp'
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 7 msg: 'tasked agent AW4TX153 to run module powershell/privesc/bypassuac_eventvwr'
[+] Agent: AW4TX153 => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] New Agent => Name: YVSXR5GN IP: 10.10.1.13 HostName: WIN7-PC UserName: EVIL\User2 HighIntegrity: 1
[DEBUG] Agent: YVSXR5GN => Executed Module => success: True taskID: 1 msg: 'tasked agent YVSXR5GN to run module powershell/situational_awareness/network/powerview/get_loggedon'
[+] Agent: AW4TX153 => Current security context has admin access to win10.evil.corp
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 8 msg: 'tasked agent AW4TX153 to run module powershell/lateral_movement/invoke_wmi'
[+] Agent: AW4TX153 => Spread laterally using current security context to win10.evil.corp
[DEBUG] Agent: AW4TX153 => Executed Module => success: True taskID: 9 msg: 'tasked agent AW4TX153 to run module powershell/situational_awareness/network/powerview/find_localadmin_access'
[+] Agent: YVSXR5GN => Found 1 users logged into localhost: ['EVIL\\User2']
[*] Agent: YVSXR5GN => Starting domain privesc
[DEBUG] Agent: YVSXR5GN => Executed Shell Command => success: True taskID: 2
[DEBUG] Agent: YVSXR5GN => Executed Module => success: True taskID: 3 msg: 'tasked agent YVSXR5GN to run module powershell/privesc/gpp'
[+] Agent: YVSXR5GN => Enumerated 1 processes
[DEBUG] Agent: YVSXR5GN => Executed Module => success: True taskID: 4 msg: 'tasked agent YVSXR5GN to run module powershell/credentials/mimikatz/logonpasswords'
[+] Agent: AW4TX153 => Current security context has admin access to 1 hosts
[-] Agent: AW4TX153 => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "./DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "./DeathStar.py", line 499, in spread
    invoke_wmi(agent_name, box)
  File "./DeathStar.py", line 436, in invoke_wmi
    results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
  File "./DeathStar.py", line 170, in execute_module_with_results
    if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable

byt3bl33d3r commented 6 years ago

The latest commit might have fixed this issue, let me know if it didn't.

Thanks

byt3bl33d3r commented 6 years ago

Whoops, didn't mean to close

0x023 commented 6 years ago

Hey @byt3bl33d3r

Unfortunately I'm also getting the same errors thrown back @ me. Any idea on why and how to solve yet?

Cheers, 0x023

---output---
[DEBUG] Agent: 5P986TY2 => Executed Module => success: True taskID: 3 msg: 'tasked agent 5P986TY2 to run module powershell/situational_awareness/network/powerview/get_loggedon'
[DEBUG] Agent: BV4ZE2LD => Executed Module => success: True taskID: 3 msg: 'tasked agent BV4ZE2LD to run module powershell/management/get_domain_sid'
[DEBUG] Agent: EBZK5UPC => Executed Module => success: True taskID: 2 msg: 'tasked agent EBZK5UPC to run module powershell/situational_awareness/network/powerview/get_loggedon'
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "./DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "./DeathStar.py", line 589, in pwn_the_shit_out_of_everything
    for user in get_loggedon(agent_name):
  File "./DeathStar.py", line 393, in get_loggedon
    results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_loggedon', agent_name, module_options)
  File "./DeathStar.py", line 180, in execute_module_with_results
    if result['taskID'] == r['taskID']:
KeyError: 'taskID'

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "./DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "./DeathStar.py", line 585, in pwn_the_shit_out_of_everything
    recon(agent_name)
  File "./DeathStar.py", line 507, in recon
    domain_sid = get_domain_sid(agent_name)
  File "./DeathStar.py", line 213, in get_domain_sid
    results = execute_module_with_results('powershell/management/get_domain_sid', agent_name)
  File "./DeathStar.py", line 180, in execute_module_with_results
    if result['taskID'] == r['taskID']:
KeyError: 'taskID'

Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "./DeathStar.py", line 59, in __run
    self.__run_backup()
  File "/usr/lib/python3.5/threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "./DeathStar.py", line 589, in pwn_the_shit_out_of_everything
    for user in get_loggedon(agent_name):
  File "./DeathStar.py", line 393, in get_loggedon
    results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_loggedon', agent_name, module_options)
  File "./DeathStar.py", line 180, in execute_module_with_results
    if result['taskID'] == r['taskID']:
KeyError: 'taskID'

---output-end---

byt3bl33d3r commented 6 years ago

39 seems to have fixed this. Closing.
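
The tracebacks in this thread all stop on the same line, `if result['taskID'] == r['taskID']`, reached after the API had already answered `{'error': 'required module option missing'}`. As an added example (not DeathStar's or Empire's own code; `extract_task_id`, `match_result`, `run_worker`, `run_all` and the sample responses are hypothetical names and constructed data), this shows checking the response shape before indexing into it and reporting the failure from the worker thread instead of letting the thread die:

```python
import queue
import threading


class ModuleTaskError(Exception):
    """The API did not hand back a usable task for the requested module."""


def extract_task_id(response):
    """Return response['taskID'], or raise ModuleTaskError explaining why not.

    Handles the shapes behind the thread's tracebacks: None, a dict that
    carries 'error', and a dict with no 'taskID' key.
    """
    if not isinstance(response, dict):
        raise ModuleTaskError("no response object: %r" % (response,))
    if "error" in response:
        raise ModuleTaskError("API rejected task: %s" % response["error"])
    if "taskID" not in response:
        raise ModuleTaskError("response has no taskID: %r" % (response,))
    return response["taskID"]


def match_result(response, results):
    """Return the entry of `results` that answers `response`, else None."""
    task_id = extract_task_id(response)
    for entry in results:
        # .get() so a result entry without 'taskID' is skipped, not fatal
        if isinstance(entry, dict) and entry.get("taskID") == task_id:
            return entry
    return None  # accepted, but nothing reported back yet


def run_worker(name, response, results, errors):
    """Thread target: put failures on a queue so the main thread sees them."""
    try:
        match_result(response, results)
    except ModuleTaskError as exc:
        errors.put((name, str(exc)))


def run_all(cases, results):
    """Run one worker per case; return the sorted (name, reason) failures."""
    errors = queue.Queue()
    workers = [
        threading.Thread(target=run_worker, args=(name, resp, results, errors))
        for name, resp in cases
    ]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    failed = []
    while not errors.empty():
        failed.append(errors.get())
    return sorted(failed)


# Constructed sample data; only the error string is taken from the thread.
SAMPLE_RESULTS = [{"taskID": 8, "results": "constructed output"}, {"results": "no id"}]
SAMPLE_CASES = [
    ("ok", {"success": True, "taskID": 8}),
    ("rejected", {"error": "required module option missing"}),
    ("none", None),
    ("no_task_id", {"success": True}),
]

if __name__ == "__main__":
    for name, reason in run_all(SAMPLE_CASES, SAMPLE_RESULTS):
        print("%-10s %s" % (name, reason))
```
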