byt3bl33d3r / DeathStar

Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
GNU General Public License v3.0
1.57k stars, 331 forks

"Spread Laterally" reports success on non-existent hosts #13

Closed. tfriesen closed this 3 years ago

tfriesen commented 7 years ago

When DeathStar is trying to spread laterally, the output reports successful spread when it targets a host that doesn't exist.

[+] Agent: 9G431YUH => Spread laterally using .\localadmin credentials to X.local
[-] Agent: 9G431YUH => Failed to spread laterally using .\localadmin credentials to Y.local: 'error running command: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'

Where host X.local does not exist (found the hostname via outdated GPO), but Y.local does exist.

If I monitor activity by interacting with the active agent, this is what I see:

Invoke-Wmi executed on "X.local"

error running command: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

The second line refers to Y.local.

This may not be fixable because it seems that Invoke-Wmi reports success ("executed") when it targets a non-existent host. DeathStar is just passing the info along.

byt3bl33d3r commented 7 years ago

I'll see what I can do, but this definitely seems to be something that would have to be changed on Empire's side. Thanks

tfriesen commented 7 years ago

One alternative idea I had would be, if possible, to check whether we can connect to a host on port 135 before attempting Invoke-Wmi. This has the advantage that Invoke-Wmi is... kind of slow... so if you only have one agent and many dead hosts, it can take a while to go through them.

Thanks for the tool, I've been enjoying testing it out!
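The port 135 pre-check proposed in the comment above, written out as an added example; this is not DeathStar's or Empire's code. It assumes the check runs from a host whose network view matches the agent's (a probe from the DeathStar operator box proves nothing about what the agent can reach), and that a hostname left behind in an outdated GPO either fails to resolve or does not complete a TCP handshake. The helper names `tcp_port_open` and `partition_targets` and the sample hostnames are invented for illustration. Note that this only avoids wasting slow Invoke-Wmi calls on dead hosts; it does not change Invoke-Wmi's "executed" report, and a host that answers on 135 can still reject WMI (access denied, or the DCOM dynamic ports filtered).

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List

# DCOM/WMI needs the RPC endpoint mapper (TCP 135) reachable before anything else works.
RPC_EPMAP_PORT = 135


def tcp_port_open(host: str, port: int = RPC_EPMAP_PORT, timeout: float = 1.0) -> bool:
    """Return True only if a TCP handshake to host:port completes.

    Name-resolution failures (socket.gaierror), refused connections and
    timeouts are all OSError subclasses and all count as 'unreachable'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def partition_targets(
    hosts: Iterable[str],
    probe: Callable[..., bool] = tcp_port_open,
    max_workers: int = 32,
) -> Dict[str, List[str]]:
    """Split candidate hosts into reachable / unreachable by probing concurrently.

    `probe` is injectable so the logic can be exercised without a network.
    Duplicates are dropped while preserving first-seen order, so a hostname
    that shows up in several GPOs is only probed once.
    """
    unique_hosts = list(dict.fromkeys(hosts))
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results = list(pool.map(probe, unique_hosts))
    reachable = [h for h, ok in zip(unique_hosts, results) if ok]
    unreachable = [h for h, ok in zip(unique_hosts, results) if not ok]
    return {"reachable": reachable, "unreachable": unreachable}


if __name__ == "__main__":
    # Constructed sample: X.local is the stale GPO entry, Y.local the live host.
    candidates = ["X.local", "Y.local", "X.local"]
    split = partition_targets(candidates)
    for host in split["unreachable"]:
        print(f"[*] Skipping {host}: TCP/{RPC_EPMAP_PORT} not reachable, no Invoke-Wmi attempt")
    for host in split["reachable"]:
        print(f"[*] {host} answers on TCP/{RPC_EPMAP_PORT}, queuing Invoke-Wmi")
```

In a DeathStar-style loop the reachable list is what would be handed to Invoke-Wmi; the unreachable list is logged and skipped, so one agent does not spend a slow WMI round-trip per dead hostname. Keep the timeout short: a stale hostname that does not resolve fails fast, but one that resolves to a dead IP costs the full timeout.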