clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

Caldera operations are getting errors #49

Closed forensic65x closed 6 years ago

forensic65x commented 6 years ago

Description of the issue:

Each time I attempt to run an Operation with Caldera it fails to complete. I have performed multiple vagrant reloads and multiple vagrant destroys and then vagrant up to recreate the lab but the issue still occurs on each operation.

Below is the recurring error in Caldera.

Hostname: win10 Command Line: powershell -command - StdIn: [[powerview]] Get-DomainComputer StdOut: Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)" At line:6306 char:20

clong commented 6 years ago

Noted. I've also encountered a few errors with Caldera along the way and need to test this with a newer version of Python. Will check back here once I get that up and running. What were the scenario details you were using?

forensic65x commented 6 years ago

I followed the scenario in this Caldera video - https://www.youtube.com/watch?v=xjDrWStR68E It involves creating an adversary with 7 of the steps. I also tried creating an adversary with all 29 of the steps and then an adversary with just one step - get_creds. In each case I received the powerview error above.

Are the DetectionLab hosts hardened? I checked what the UseLogonCredential value was and the key wasn't set on the Win10 box. I'm guessing that affected Caldera's ability to grab creds and move laterally.

clong commented 6 years ago

DetectionLab boxes aren't hardened; however, I resolved a lot of the Caldera issues tonight by updating the Caldera repo I had on my logger host (`$ cd /home/vagrant/caldera; git pull`) and installing Python 3.6.4, which also seems to run better and doesn't require a patch. If I can get through your test scenario without errors, I'll merge a fix for logger.

clong commented 6 years ago

@forensic65x the `$CompSearcher.FindAll()` error you're seeing is because the default logged-in account is the local Vagrant user, not the domain vagrant user. This error will appear in the console when that occurs:

WARNING:app.operation.operation:Failed to parse with error: DomainIssueError: Domain Issue 0x80005000: Verify that the rat is running under a Domain Account, and that the Domain Controller can be reached.

I'm using Win10 as the start host, and if I log on to Win10 as windomain\vagrant, this step passes successfully.


After that, I tried it against an adversary with all 29 steps and didn't see any errors.
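As an added diagnostic (not code from DetectionLab, Caldera or PowerView), the function below performs the two checks that Caldera's DomainIssueError warning names: that the current logon is a domain account and that a DC can be reached, then runs the same computer search that `Get-DomainComputer` wraps in `FindAll()` and reports an 0x80005000 failure with its usual cause instead of a raw exception. It assumes a domain-joined host such as win10 and uses only built-in .NET ADSI classes.

```powershell
# Added diagnostic for the "Domain Issue 0x80005000" condition; run on the start host (e.g. win10).
function Test-DomainSearchContext {
    [CmdletBinding()]
    param()

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # For a local account USERDOMAIN equals the computer name; for a domain account it is the NetBIOS domain.
    $isDomainAccount = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    $result = [ordered]@{
        Account         = $identity.Name
        IsDomainAccount = $isDomainAccount
        DcReachable     = $false
        ComputerCount   = $null
        SearchError     = $null
    }

    try {
        # Binding RootDSE only succeeds when a DC for the logon domain can be located and authenticated to.
        $rootDse = [ADSI]"LDAP://RootDSE"
        $null = $rootDse.defaultNamingContext
        $result.DcReachable = $true

        # Same search Get-DomainComputer performs; this is the FindAll() call from the Caldera error.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = "(objectCategory=computer)"
        $searcher.PageSize = 200
        $result.ComputerCount = $searcher.FindAll().Count
    }
    catch {
        $result.SearchError = $_.Exception.Message
        if ($_.Exception.Message -match '0x80005000') {
            # E_ADS_BAD_PATHNAME: ADSI could not resolve the directory path, which is what a
            # local (non-domain) logon produces because no default naming context can be determined.
            $result.SearchError += ' (ADSI bad pathname: verify the session runs under a domain account and the DC is reachable)'
        }
    }

    [pscustomobject]$result
}

Test-DomainSearchContext | Format-List
```

Run it once as the local vagrant user and once as windomain\vagrant; the first run should report IsDomainAccount false and a SearchError, the second should report DcReachable true and a non-zero ComputerCount.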

clong commented 6 years ago

Hey @forensic65x - this should be addressed in the latest commit (#50) which uses Python 3.6.4. Let me know if you run into any problems.

forensic65x commented 6 years ago

If I log on with the windomain\vagrant account I am able to perform the enumeration steps. Thanks for the suggestion.

I did notice my operation showed all greens, but it didn't show all tests and none of the lateral movement/mimikatz appear to be running or running successfully. The hosts stay blue vs changing to red once they are compromised.

I thought it was due to Win10 defaulting to not storing WDigest credentials in clear text, so I tried to add the UseLogonCredential registry key using the windomain\vagrant account and got access denied.

I thought it might be a UAC issue but that attempt got access denied as well. I then tried to add a new user to the Win10 box using the windomain\vagrant domain admin account and also got access denied. I confirmed that account was in the 'Domain Admins' group and verified the 'Domain Admins' group was in the local Administrators group.

I was able to update the UseLogonCredential key using the win10\vagrant account.

It seems there might be an issue between the Win10 box and the DC. Are you able to get any of the hosts compromised using Caldera and Win10 as the start?

I will do some additional testing but after I restarted the logger I am unable to get Caldera to run. I'll open a separate issue.