byt3bl33d3r / DeathStar

Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
GNU General Public License v3.0

Use SID instead of hardcoded name #18

Closed ThePirateWhoSmellsOfSunflowers closed 7 years ago

ThePirateWhoSmellsOfSunflowers commented 7 years ago

Hi!

Because of hardcoded group names such as "Domain Admins", DeathStar is not working on domains which are installed in another language. On the following screenshot, the target domain is installed in French, thus "Domain Admins" is not an existing group (on a French DC the group is called "Administrateurs de Domaine").

[screenshot: deathstarcensored]

I think the best solution is to use the SID instead (example with pywerview). Unfortunately, I don't have time to PR, but I think the fix is quite simple with the PowerView modules.

Anyway, great idea and great tool, you rock! :smiley:

TPWSOS

ThePirateWhoSmellsOfSunflowers commented 7 years ago

Hi! My bad, in my case the DC was installed in English, but the user for the agent YFSABWEZ had a name with non-ASCII characters in it, and PowerView is not compatible with such names. Launching the stager with an ASCII-only login works perfectly. So it's more a PowerView bug than a DeathStar bug... However, using the SID is still a good idea to make DeathStar not language dependent. Empire doesn't have a Get-DomainSID module, but the whole PowerView script is already included in the project, so you just have to write the Python part, PR and voilà! :)

TPWSOS
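The point made in the two comments above (look privileged groups up by SID, since well-known groups keep the same relative ID in every language edition of Windows while their display names differ) can be demonstrated without any of the tools involved. The following is an added example, not DeathStar's, Empire's or PowerView's code: it decodes the binary `objectSid` form an LDAP query returns, derives the domain SID from any account SID (what the Get-DomainSID module discussed here provides), builds the well-known group SIDs from Microsoft's documented RIDs, and matches a constructed list of French-named groups that a name-based lookup for "Domain Admins" would miss. The domain SID and group records are constructed sample data; the RID table (512 Domain Admins, 519 Enterprise Admins, and so on) is Microsoft's documented assignment.

```python
import re
import struct

# Well-known relative IDs (RIDs) of built-in domain groups, as documented by
# Microsoft. They are identical in every language edition of Windows, while
# the display names are localized and therefore unsafe to hardcode.
WELL_KNOWN_GROUP_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# A domain SID is S-1-5-21 followed by three 32-bit sub-authorities.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary objectSid attribute into its S-1-... string form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of bytes_to_sid; used here only to build the constructed samples."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_sid_of(account_sid: str) -> str:
    """Strip the trailing RID from a user or group SID to obtain the domain SID."""
    domain, _, _rid = account_sid.rpartition("-")
    if not DOMAIN_SID_RE.match(domain):
        raise ValueError("not a domain account SID: %s" % account_sid)
    return domain


def well_known_group_sids(domain_sid: str) -> dict:
    """Map each well-known group SID of the given domain to its canonical label."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError("not a domain SID: %s" % domain_sid)
    return {"%s-%d" % (domain_sid, rid): label
            for rid, label in WELL_KNOWN_GROUP_RIDS.items()}


def find_group_by_name(groups, name: str):
    """Name-based lookup: this is what breaks on a localized domain."""
    return next((g for g in groups if g["name"] == name), None)


def find_privileged_groups(groups, domain_sid: str) -> dict:
    """SID-based lookup: {canonical label: actual display name} for every
    group whose objectSid (string or binary) is a well-known group SID."""
    wanted = well_known_group_sids(domain_sid)
    found = {}
    for g in groups:
        sid = g["objectSid"]
        if isinstance(sid, (bytes, bytearray)):
            sid = bytes_to_sid(bytes(sid))
        if sid in wanted:
            found[wanted[sid]] = g["name"]
    return found


# Constructed sample data: a French-language domain, as an LDAP client might
# return it (binary objectSid), plus one ordinary user to derive the domain SID from.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
AGENT_USER_SID = DOMAIN_SID + "-1105"
SAMPLE_GROUPS = [
    {"name": "Administrateurs de Domaine", "objectSid": sid_to_bytes(DOMAIN_SID + "-512")},
    {"name": "Administrateurs de l'entreprise", "objectSid": sid_to_bytes(DOMAIN_SID + "-519")},
    {"name": "Utilisateurs du domaine", "objectSid": sid_to_bytes(DOMAIN_SID + "-513")},
    {"name": "Comptabilite", "objectSid": sid_to_bytes(DOMAIN_SID + "-1201")},
]

if __name__ == "__main__":
    print("by name  :", find_group_by_name(SAMPLE_GROUPS, "Domain Admins"))
    print("by SID   :", find_privileged_groups(SAMPLE_GROUPS, domain_sid_of(AGENT_USER_SID)))
```

For auditing privileged-group membership on a localized domain, the SID path is the robust one: the only input it needs is any SID from the domain (here the agent user's own), and the well-known RIDs do the rest. The binary decoder matters because `objectSid` comes back as bytes from LDAP, whereas PowerView-style output already carries the string form; the lookup accepts either.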

ThePirateWhoSmellsOfSunflowers commented 7 years ago

Hi! I've just found time to PR Empire to add Get-DomainSID module. See #606.

TPWSOS :sunflower:

byt3bl33d3r commented 7 years ago

Just FYI, waiting on https://github.com/EmpireProject/Empire/pull/657 to get merged, then will address this.

Thanks <3

ThePirateWhoSmellsOfSunflowers commented 7 years ago

Hi! Ha yes, I found the same problem (GroupName mandatory) but I didn't have the time to PR. Good job too.

:sunflower:

byt3bl33d3r commented 7 years ago

Done! Thanks again

ThePirateWhoSmellsOfSunflowers commented 7 years ago

Good work! :sunflower:

ThePirateWhoSmellsOfSunflowers commented 7 years ago

Hi! The user_hunter function is still using a hardcoded name for the Domain Admins group's name.

https://github.com/byt3bl33d3r/DeathStar/blob/5f93ba438700ebc4605f6c72d00a16ab87f6e6e1/DeathStar.py#L264

However, as far as I know PowerView is not able to hunt based on a SID :disappointed: