Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
License: GNU General Public License v3.0
Version: Latest + Fix for TLS + Fix for "KeyID" bug
When I have 1 low integrity+1 high integrity agents (on same computer) deathstar works without a problem. However when I only got 1 low integrity agent: I got following error:
Agent: HMGZTF7B => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/local/Cellar/python3/3.6.0/Frameworks/Python.framework/Versions/3.6/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "deathstar.py", line 59, in __run
self.__run_backup()
File "/usr/local/Cellar/python3/3.6.0/Frameworks/Python.framework/Versions/3.6/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "deathstar.py", line 544, in spread
invoke_wmi(agent_name, box)
File "deathstar.py", line 468, in invoke_wmi
results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
File "deathstar.py", line 180, in execute_module_with_results
if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable
You can find full results below:
*] Powering up the Death Star
[*] Polling for agents
[+] New Agent => Name: HMGZTF7B IP: 192.168.1.200 HostName: HOME-PC UserName: DROP\utku HighIntegrity: 0
[*] Agent: HMGZTF7B => Starting recon
[DEBUG] Agent: HMGZTF7B => Executed Module => success: True taskID: 9 msg: 'tasked agent HMGZTF7B to run module powershell/management/get_domain_sid'
[+] Agent: HMGZTF7B => Got domain SID: S-1-5-21-1626841790-508290444-985752922
[DEBUG] Agent: HMGZTF7B => Executed Module => success: True taskID: 10 msg: 'tasked agent HMGZTF7B to run module powershell/situational_awareness/network/powerview/get_group_member'
[+] Agent: HMGZTF7B => Found 1 members of the Domain Admins group: ['DROP\\Administrator']
[DEBUG] Agent: HMGZTF7B => Executed Module => success: True taskID: 11 msg: 'tasked agent HMGZTF7B to run module powershell/situational_awareness/network/powerview/get_domain_controller'
[+] Agent: HMGZTF7B => Found 1 Domain Controllers: ['WIN-JMCGJI8UARD.drop.local']
[DEBUG] Agent: HMGZTF7B => Executed Module => success: True taskID: 12 msg: 'tasked agent HMGZTF7B to run module powershell/situational_awareness/network/powerview/user_hunter'
[+] Agent: HMGZTF7B => Found 1 active admin sessions: ['WIN-JMCGJI8UARD.drop.local']
[DEBUG] Agent: HMGZTF7B => Executed Module => success: True taskID: 13 msg: 'tasked agent HMGZTF7B to run module powershell/situational_awareness/network/powerview/get_loggedon'
[+] Agent: HMGZTF7B => Found 1 users logged into localhost: ['DROP\\utku']
[*] Agent: HMGZTF7B => Starting lateral movement
[*] Agent: HMGZTF7B => Starting domain privesc
[*] Agent: HMGZTF7B => Attempting to elevate using bypassuac_eventvwr
[DEBUG] Agent: HMGZTF7B => Executed Module => success: True taskID: 14 msg: 'tasked agent HMGZTF7B to run module powershell/privesc/gpp'
[DEBUG] Agent: HMGZTF7B => Executed Module => success: True taskID: 15 msg: 'tasked agent HMGZTF7B to run module powershell/situational_awareness/network/powerview/find_localadmin_access'
[DEBUG] Agent: HMGZTF7B => Executed Module => success: True taskID: 16 msg: 'tasked agent HMGZTF7B to run module powershell/privesc/bypassuac_eventvwr'
[+] Agent: HMGZTF7B => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] New Agent => Name: GYHFMP2S IP: 192.168.1.200 HostName: HOME-PC UserName: DROP\utku HighIntegrity: 1
[DEBUG] Agent: GYHFMP2S => Executed Module => success: True taskID: 1 msg: 'tasked agent GYHFMP2S to run module powershell/situational_awareness/network/powerview/get_loggedon'
[+] Agent: GYHFMP2S => Found 1 users logged into localhost: ['DROP\\utku']
[*] Agent: GYHFMP2S => Starting domain privesc
[DEBUG] Agent: GYHFMP2S => Executed Shell Command => success: True taskID: 2
[DEBUG] Agent: GYHFMP2S => Executed Module => success: True taskID: 3 msg: 'tasked agent GYHFMP2S to run module powershell/privesc/gpp'
[+] Agent: GYHFMP2S => Enumerated 1 processes
[DEBUG] Agent: GYHFMP2S => Executed Module => success: True taskID: 4 msg: 'tasked agent GYHFMP2S to run module powershell/credentials/mimikatz/logonpasswords'
[+] Agent: GYHFMP2S => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
[+] Agent: GYHFMP2S => Executed Mimikatz
[+] Agent: HMGZTF7B => Current security context has admin access to 1 hosts
[-] Agent: HMGZTF7B => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'required module option missing'}
Hi again,
I was trying to run Death Star on Kali but during my attempts, I got these error
What am I wondering that is the issue about my Linux?
I am having an issue running this on a Centos box running python 2.7. When I try to run it I get an invalid syntax error on line 373
username, domain, *_
Apparently the *_ is invalid. I recently pulled the latest code as I was sure something was not working correctly in the older version.
I'm trying to setup the following on a test network as per your tutorials on your site:
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
PLUS
My setup:
I can get a new agent by copying in the DeathStar launcher powershell command, and Deathstar sees the new Agent but then it dies shortly thereafter. Error message posted below.
[+] New Agent => Name: BDHZE51L IP: 1.2.3.4 HostName: SB-W7-2 UserName: REDACTED HighIntegrity: 1
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 538, in pwn_the_shit_out_of_everything
for user in get_loggedon(agent_name):
File "./DeathStar.py", line 364, in get_loggedon
results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_loggedon', agent_name, module_options)
File "./DeathStar.py", line 170, in execute_module_with_results
if result['taskID'] == r['taskID']:
KeyError: 'taskID'
Any idea what the issue could be? After that error Empire just hangs and doesn't do anything else.
Target is a Windows 7 Enterprise machine.
Hey, my name is Manny, I'm intermediate in python. I'm looking for some way I can contribute to this project. Does anyone have suggestions? Thank you!
Just saw these errors come across my sessions - TypeError: 'NoneType' object is not subscriptable
it is affecting modules powershell/situational_awareness/network/powerview/get_group_member, powershell/situational_awareness/network/powerview/find_localadmin_access
Using Empire Version 2.4
DeathStar latest commit 17a618d
Errors seen below:
Agent: 7FBR3X7P => Error executing module 'powershell/situational_awareness/network/powerview/get_group_member': {'error': 'invalid module option'}
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 58, in __run
self.__run_backup()
File "/usr/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 570, in pwn_the_shit_out_of_everything
recon(agent_name)
File "./DeathStar.py", line 494, in recon
for member in get_group_member(agent_name, group_sid=domain_sid + '-512'):
File "./DeathStar.py", line 222, in get_group_member
results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_group_member', agent_name, module_options)
File "./DeathStar.py", line 179, in execute_module_with_results
if entry['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable
[-] Agent: 1XTU19F7 => Error executing module 'powershell/situational_awareness/network/powerview/find_localadmin_access': {'error': 'invalid module option'}
Exception in thread Thread-4:
Traceback (most recent call last):
File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 58, in __run
self.__run_backup()
File "/usr/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 531, in spread
for box in find_localadmin_access(agent_name, no_ping=True, threads=args.threads):
File "./DeathStar.py", line 292, in find_localadmin_access
results = execute_module_with_results('powershell/situational_awareness/network/powerview/find_localadmin_access', agent_name, module_options)
File "./DeathStar.py", line 179, in execute_module_with_results
if entry['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable
It just hangs after this. Wondering if any others have seen it or it is just my issue.
I'm trying to use latest deathstar and empire but it seems the old bug is still there. It's hard to define the exact problem since it sometimes work, sometimes doesn't. But let me write the issue here, maybe someone can explain it better.
[-] Agent: K4AX2UV9 => Error executing module 'powershell/lateral_movement/invoke_wmi': {'error': 'module produced an empty script'}
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/local/Cellar/python3/3.6.0/Frameworks/Python.framework/Versions/3.6/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "deathstar.py", line 58, in __run
self.__run_backup()
File "/usr/local/Cellar/python3/3.6.0/Frameworks/Python.framework/Versions/3.6/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "deathstar.py", line 529, in spread
invoke_wmi(agent_name, box)
File "deathstar.py", line 454, in invoke_wmi
results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
File "deathstar.py", line 179, in execute_module_with_results
if entry['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable
Please note that old version of deathstar with old version of empire (taskid workaround applied) works without any problem for me
running the latest empire && deathstar everything goes well, until the agent calls in. then 'results' seems to be unpopulated.
debug below:
[*] Powering up the Death Star
[*] Polling for agents
[+] New Agent => Name: TPGXMUL5 IP: 1x.x.x.54 HostName: monkeybrain UserName: obfuscated\ooo HighIntegrity: 0
[*] Agent: TPGXMUL5 => Starting recon
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 534, in pwn_the_shit_out_of_everything
recon(agent_name)
File "./DeathStar.py", line 471, in recon
for member in get_group_member(agent_name):
File "./DeathStar.py", line 202, in get_group_member
results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_group_member', agent_name, module_options)
File "./DeathStar.py", line 171, in execute_module_with_results
if result['taskID'] == r['taskID']:
KeyError: 'taskID'
as i said in title empire starts, but deathstar fails..
any clue or can i provide other information?
The empire fork to fix functionality this has (EmpireProject/Empire#531) was merged on June 4th. The part of the readme specifying that fork needs to be used until the fork is merged can now be removed.
Just FYI.
Thanks!
Hi, on a freshly installed kali linux (2018.3a) i always get this error when running Deathstar (0.0.1) with Empire (2.5):
_./DeathStar.py
[] Powering up the Death Star
[] Polling for agents
[+] New Agent => Name: C11C8QIO IP: 192.XXX.XXX.44 HostName: desk UserName: bob HighIntegrity: 0
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self.kwargs)
File "./DeathStar.py", line 616, in pwn_the_shit_out_of_everything
recon(agent_name)
File "./DeathStar.py", line 507, in recon
if running_under_domain_account(agent_name):
File "./DeathStar.py", line 680, in running_under_domain_account
if username.split('\')[0] != hostname and username.split('\')[1] != 'SYSTEM':
IndexError: list index out of range
Hi,
pip install ipython
pip install scipy
But none of them solved problem, after a quick research I found the solution for it which is
sudo pip 3 install jupyter
And wanted to help if anyone having this issue, can try it
Hi,
DeathStar.py was able to create a new listener on Empire :
'Created Death Star listener => {'success': 'listener DeathStar successfully started'}'
But it seems that the host of that listener is always "https://127.0.1.1:8443 " , is there any way to change it to my local IP address ?
Thanks
Hi - I'm getting the following error during the recon phase:-
[DEBUG] Agent: 3RA65TYC => Executed Module => success: True taskID: 4 msg: 'tasked agent 3RA65TYC to run module powershell/situational_awareness/network/powerview/get_loggedon'
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 538, in pwn_the_shit_out_of_everything
for user in get_loggedon(agent_name):
File "./DeathStar.py", line 373, in get_loggedon
domain = entry.split()[1]
IndexError: list index out of range
Rgds
Any reason why my host in Empire won't change to the Local IP address? Instead it just stays at 127.0.0.1
Dont know if this is an DeathStar or Empire issue.
I followed the installation instruction, but i´m getting the following error messages:
From DeathStar:
DeathStar# ./DeathStar.py
[*] Powering up the Death Star
[*] Created Death Star listener => {'error': 'failed to start listener DeathStar'}
[*] Polling for agents
From Empire:
| ____|| \/ | | _ \ | | | _ \ | ____|
| |__ | \ / | | |_) | | | | |_) | | |__
| __| | |\/| | | ___/ | | | / | __|
| |____ | | | | | | | | | |\ \----.| |____
|_______||__| |__| | _| |__| | _| `._____||_______|
280 modules currently loaded
0 listeners currently active
0 agents currently active
(Empire) > 127.0.0.1 - - [30/Oct/2017 16:42:40] "POST /api/admin/login HTTP/1.1" 200 -
127.0.0.1 - - [30/Oct/2017 16:42:41] "GET /api/listeners/DeathStar?token=azqy7s3l1sghzwbidwmudqodl46p1p5cxu0u3j9q HTTP/1.1" 404 -
[*] Starting listener 'DeathStar'
[!] Listener startup on port 8443 failed: global name 'sys' is not defined
[!] Listener failed to start!
It seems like the pwn_the_shit_outta_everything function is just performing its duties as if it weren't multithreaded at all. It hits the spread_threads then those threads take control and do their thing while pwn_the_shit_outta_everything seems to wait and not move on. It doesn't seem like blocking code though from looking at it. Any idea if I'm just imagining things?
Env:Empire version 2.4
[-] Agent: 3AL84ZNU => Error executing module 'powershell/situational_awareness/network/powerview/get_gpo_computer': {'error': 'invalid module option'}
Exception in thread Thread-3:
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 564, in privesc
computers = get_gpo_computer(agent_name, result['guid'])
File "./DeathStar.py", line 328, in get_gpo_computer
results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_gpo_computer', agent_name, module_options)
File "./DeathStar.py", line 181, in execute_module_with_results
if entry['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable
Below is error received, can you check ?
[*] Powering up the Death Star
[*] Created Death Star listener => {u'success': u'listener DeathStar successfully started'}
[*] Polling for agents
[+] New Agent => Name: WYEU4RH7 IP: 10.1.2.136 HostName: XYZABC34413 UserName: ABC\QA1234 HighIntegrity: 0
[*] Agent: WYEU4RH7 => Starting recon
[+] Agent: WYEU4RH7 => Found 3 members for the '"Domain Admins"' group: ['ABC\\vha028_dom', 'ABC\\hcn004_dom', 'ABC\\Admin-ABC']
[+] Agent: WYEU4RH7 => Found 7 Domain Controllers: [u'YUIHM3DCO201.ABC.local', u'YUIHM3DCO202.ABC.local', u'QAZBGDCO201.ABC.local', u'QAZFAFDCO201.ABC.local', u'QAZBGDCO202.ABC.local', u'QAZFASDCO201.ABC.local', u'YUIHM2DCO201.ABC.local']
[+] Agent: WYEU4RH7 => Found 2 active admin sessions: [u'QAZFAFFIL200.ABC.local', u'YUIHM3FIL201.ABC.local']
[+] Agent: WYEU4RH7 => Found 0 users logged into localhost: []
[*] Agent: WYEU4RH7 => Starting lateral movement
[*] Agent: WYEU4RH7 => Attempting to elevate using bypassuac_eventvwr
[*] Agent: WYEU4RH7 => Starting domain privesc
Exception in thread Thread-3:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "DeathStar.py", line 512, in privesc
for result in gpp(agent_name):
File "DeathStar.py", line 327, in gpp
usernames = list(map(str.strip, entry.split(':')[1].strip().split(',')))
TypeError: descriptor 'strip' requires a 'str' object but received a 'unicode'
[+] Agent: WYEU4RH7 => Current security context has admin access to 2 hosts
[-] Agent: WYEU4RH7 => Error executing module 'powershell/lateral_movement/invoke_wmi': {u'error': u'required module option missing'}
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "DeathStar.py", line 500, in spread
invoke_wmi(agent_name, box)
File "DeathStar.py", line 437, in invoke_wmi
results = execute_module_with_results('powershell/lateral_movement/invoke_wmi', agent_name, module_options)
File "DeathStar.py", line 170, in execute_module_with_results
if result['taskID'] == r['taskID']:
TypeError: 'NoneType' object has no attribute '__getitem__'
Hi Guys
I have successfully deployed my first agent on my lab, it has got to "Executed Mimikatz' and is not progressing.
The question is do I leave it or has this finished the processes it has and needs to be terminated?
Thanks
Phil
Version: Latest + Fix for TLS + Fix for "KeyID" bug
We acquired an agent on a system, but the script crashed:
[*] Powering up the Death Star
[*] Polling for agents
[+] New Agent => Name: PD2E7SZA IP: __________HostName: ___________ UserName: ZZZZZZ\SYSTEM HighIntegrity: 1
[+] Agent: PD2E7SZA => Found 1 users logged into localhost: ['YYYYY\\XXXX']
['explorer', '11972', 'x64', 'YYYYYYY\\XXXXXX', 'YYYYYYY', '85,64', 'MB']
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 609, in pwn_the_shit_out_of_everything
for process in tasklist(agent_name, process='explorer'):
File "./DeathStar.py", line 437, in tasklist
raise
RuntimeError: No active exception to reraise
I modified the lines 430 and 431 to account for 6 elements (instead of 5) and the script now appears to be running ok. I assume that's not a valid solution, but I don't immediately know why there are extra elements.
Hi Guys
I am trying to get the DeathStar listener working with Empire 2.4 but despite both installing fine, the stagers will not communicate.
I am running Empire 2.3 on another VPS and this is working perfectly.
Anybody else experiencing this issue?
Thanks
Phil
Machine Info:
OS: Kali Linux 2017.1 AMD-64
Empire Version: Latest pull from GitHub
DeathStar Version: Latest pull from GitHub
Error Info:
[] Powering up the Death Star
[] Created Death Star listener => {'success': 'listener DeathStar successfully started'}
[] Polling for agents
[+] New Agent => Name: NL1SR3W9 IP: x.x.x.x HostName: Dummy_Machine UserName: Domain\Dummy_User HighIntegrity: 1
[] Agent: NL1SR3W9 => Starting recon
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 585, in pwn_the_shit_out_of_everything
recon(agent_name)
File "./DeathStar.py", line 507, in recon
domain_sid = get_domain_sid(agent_name)
File "./DeathStar.py", line 213, in get_domain_sid
results = execute_module_with_results('powershell/management/get_domain_sid', agent_name)
File "./DeathStar.py", line 180, in execute_module_with_results
if result['taskID'] == r['taskID']:
KeyError: 'taskID'
Scenario:
Launched DeathStar with Empire and after getting an agent in Empire DeathStar showed above error
If requests library is outdated, one may get the following error:
Traceback (most recent call last):
File "./DeathStar.py", line 35, in
from requests.packages.urllib3.exceptions import InsecureRequestWarning
ImportError: cannot import name 'InsecureRequestWarning'
I know you're already aware of this. Figured I'd document it cuz we might be able to fix it soon. I'll see about implementing that one liner from harmj0y on the Empire issue tomorrow.
Sorry if this is obvious, but I'm having trouble figuring it out, and can't see anyone that has had this issue (since not having to fork your copy of Empire).
I have a fresh install of Kali (updated). Installed Empire and DeathStar (installed python3 too).
./empire --rest --debug --username empireadmin --password Password123
curl --insecure -i -H "Content-Type: application/json" https://localhost:1337/api/admin/login -X POST -d '{"username":"empireadmin", "password":"Password123"}'
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 58
Server: Werkzeug/0.12.2-dev Python/2.7.13
Date: Mon, 18 Sep 2017 15:03:00 GMT{
"token": "u6gw3hgu8lrf71xs40re0sm7vhoovo3g5b4v0aps"
}
The above appears to work. But when trying DeathStar (with and without python3):
./DeathStar.py --url "https://localhost:1337" -u "empireadmin" -p "Password123"
[*] Powering up the Death Star
[-] Connection Error. Check Empire RESTful API
I never get any connection attempts in the empire terminal. So I'm not even sure its trying to make a connection; any idea what I'm missing?
GPP Yielded hundreds of "BLANK" and is wasting time trying to spread laterally using .\BLANK
Hi!
Because of hardcoded group names such as "Domain Admins", DeathStar is not working on domains which are installed in another language. On the following screen-shot, the target domain is installed in french, thus "Domain Admins" is not an existing group (on french DC the group is called "Administrateurs de Domaine").
I think the best solution is to use SID instead (example with pywerview). Unfortunately, I don't have time to PR, but I think the fix is quite simple with the Powerview' modules.
Anyway, great idea and great tool, you rock! 😃
TPWSOS
cause we can since it's Python 3 \o/
I have successfully installed the forked Empire and Deathstar on Kali rolling 2017 VM.
Once I generate the powershell code using "launcher powershell DeathStar" and paste same to any of my windows machine. I dont get any agent connect back. Can you help ?
Would be cool to use the module collection/find_interesting_file, then to pull those files down.
Hey Guys
Newbie here so apologies ;)
When I run Empire, the Empire console launches, therefore I can't run Deathstar until I have quit Empire.
My questions is how do I launch Deathstar once I am at the Empire> prompt?
I have tried running Empire in --headless but that doesn't give a command prompt.
I am running Ubuntu 16.04
Thanks for any advice and merry Christmas!
DeathStar is so overplayed and honestly it doesnt even destroy worlds or solar systems. I suggest a more fitting name?
When DeathStar is trying to spread laterally, the output reports successful spread when it targets a host that doesn't exist.
[+] Agent: 9G431YUH => Spread laterally using .\localadmin credentials to X.local
[-] Agent: 9G431YUH => Failed to spread laterally using .\localadmin credentials to Y.local: 'error running command: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'
Where host X.local does not exist (found the hostname via outdated GPO), but Y.local does exist.
If I monitor activity by interacting with the active agent, this is what I see:
Invoke-Wmi executed on "X.local"
error running command: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
The second line refers to Y.local.
This may not be fixable because it seems that Invoke-WMI reports success ("executed") when it targets non-existant host. DeathStar is just passing the info along.
Where to put DeathStar folder? It complains about couldn't find powershell modules and it just hangs upon getting a new agent. I put DeathStar folder and Empire both under /opt
Hi,
I noticed that the DeathStar listener is created with the IP of my eth0. How can I change that to the ip of my tap0 VPN?
Thanks!
Just realized that this was never addressed, as far as I know: Instead of launching a new listener to handle shells, a "--listener LISTENER_NAME" argument could be added to allow specifying an already extant listener, which it then goes and checks for agents and Does The Magic on. Would really improve/help workflow to be honest.
Getting the following error while executing DeathStar.py (from latest commit 6d89e7d, 4 days ago)
Exception in thread Thread-4:
Traceback (most recent call last):
File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 620, in pwn_the_shit_out_of_everything
for user in get_loggedon(agent_name):
File "./DeathStar.py", line 404, in get_loggedon
username, domain, *_ = entry.split()
ValueError: not enough values to unpack (expected at least 2, got 1)
Also, I'm getting this error later on:
[+] Agent: XXXXXXXXX=> Found 1 GPO(s) containing credentials using GPP SYSVOL privesc
[-] Agent: XXXXXXXXX=> Error executing module 'powershell/situational_awareness/network/powerview/get_gpo_computer': {'error': 'module name powershell/situational_awareness/network/powerview/get_gpo_computer not found'}
Exception in thread Thread-3:
Traceback (most recent call last):
File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 564, in privesc
computers = get_gpo_computer(agent_name, result['guid'])
File "./DeathStar.py", line 328, in get_gpo_computer
results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_gpo_computer', agent_name, module_options)
File "./DeathStar.py", line 181, in execute_module_with_results
if entry['taskID'] == r['taskID']:
TypeError: 'NoneType' object is not subscriptable
[*] Powering up the Death Star
[-] Connection Error. Check Empire RESTful API
Linux KoF 4.11.0-kali1-amd64 #1 SMP Debian 4.11.6-1kali1 (2017-06-21) x86_64 GNU/Linux
i have this issue in kali linux
HI,
I am facing an issue that after empire&deathstar are installed from your repos, empire gets started and deathstar also connects successful and creates its listener.
after generating a payload for the listener and executing it on a target, a beacon checks in.
But then, the only Modul that starts is the UACBypass (and elevates privileges successful) and after it powershell/situational_awareness/network/powerview/get_loggedon
After that, nothing happens. no error. but also no "recon started" or lateral movement etc.
I am in a windows domain with 1dc, 1server and 1win10 workstation
here are my debug outputs form empire:
[root:.../localTest/Empire/DeathStar]# python3 DeathStar.py -lp 80 --debug (master)
[] Powering up the Death Star
[] Created Death Star listener => {'success': 'listener DeathStar successfully started'}
[*] Polling for agents
[+] New Agent => Name: 6D23WBRA IP: 192.168.0.129 HostName: WEF UserName: WEF\vagrant HighIntegrity: 0
[+] New Agent => Name: HTXLYM74 IP: 192.168.0.129 HostName: WEF UserName: WEF\vagrant HighIntegrity: 1
[DEBUG] Agent: HTXLYM74 => Executed Module => success: True taskID: 13 msg: 'tasked agent HTXLYM74 to run module powershell/situational_awareness/network/powerview/get_loggedon'
[DEBUG] Agent: 6D23WBRA => Executed Module => success: True taskID: 10 msg: 'tasked agent 6D23WBRA to run module powershell/situational_awareness/network/powerview/get_loggedon'
[+] New Agent => Name: SX95G8V3 IP: 192.168.0.129 HostName: WEF UserName: WEF\vagrant HighIntegrity: 0
[DEBUG] Agent: SX95G8V3 => Executed Module => success: True taskID: 1 msg: 'tasked agent SX95G8V3 to run module powershell/situational_awareness/network/powerview/get_loggedon'
[DEBUG] Agent: SX95G8V3 => Result Buffer: {'results': 'wkui1_username wkui1_logon_domain wkui1_oth_domains wkui1_logon_server ComputerName\r\n-------------- ------------------ ----------------- ------------------ ------------\r\nvagrant WEF WEF localhost \r\nvagrant WEF WEF localhost \r\nWEF$ WINDOMAIN localhost \r\nWEF$ WINDOMAIN localhost \r\nWEF$ WINDOMAIN localhost \r\n\r\n\r\n\n\r\n\nGet-NetLoggedon completed!', 'taskID': 1}
[+] Agent: SX95G8V3 => Found 1 users logged into localhost: ['WEF\vagrant']
NOTHING happens anymore, processes are up and respnsive
I am running it on a kali2017.3 vmfusion
looking forward to your feedback.
Best Regards,
Jan
getting this error constantly while running Deathstar.py
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 533, in pwn_the_shit_out_of_everything
for user in get_loggedon(agent_name):
File "./DeathStar.py", line 368, in get_loggedon
username, domain, logon_server,_= entry.split()
ValueError: not enough values to unpack (expected 4, got 3)
I get the following error:
[*] Powering up the Death Star [*] Polling for agents [+] New Agent => Name: M3D46YX5 IP: 10.1.1.1 HostName: XXXXXXX UserName: xxxxx\xxxxx HighIntegrity: 0 [*] Agent: M3D46YX5 => Starting recon Exception in thread Thread-1: Traceback (most recent call last): File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner self.run() File "DeathStar.py", line 59, in __run self.__run_backup() File "/usr/lib/python3.5/threading.py", line 862, in run self._target(*self._args, **self._kwargs) File "DeathStar.py", line 533, in pwn_the_shit_out_of_everything recon(agent_name) File "DeathStar.py", line 470, in recon for member in get_group_member(agent_name): File "DeathStar.py", line 201, in get_group_member results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_group_member', agent_name, module_options) File "DeathStar.py", line 170, in execute_module_with_results if result['taskID'] == r['taskID']: KeyError: 'taskID'
plz help me
It's as if millions of admins suddenly cried out in terror and were suddenly silenced.
[] Powering up the Death Star
[] Polling for agents
[+] New Agent => Name: ... IP: ... HostName: ... UserName: ...*\Administrator HighIntegrity: 1
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.4/threading.py", line 920, in _bootstrap_inner
self.run()
File "DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.4/threading.py", line 868, in run
self._target(*self._args, **self._kwargs)
File "DeathStar.py", line 538, in pwn_the_shit_out_of_everything
for user in get_loggedon(agent_name):
File "DeathStar.py", line 364, in get_loggedon
results = execute_module_with_results('powershell/situational_awareness/network/powerview/get_loggedon', agent_name, module_options)
File "DeathStar.py", line 170, in execute_module_with_results
if result['taskID'] == r['taskID']:
KeyError: 'taskID'
Exception in thread Thread-3:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "DeathStar.py", line 512, in privesc
for result in gpp(agent_name):
File "DeathStar.py", line 327, in gpp
usernames = list(map(str.strip, entry.split(':')[1].strip().split(',')))
TypeError: descriptor 'strip' requires a 'str' object but received a 'unicode'
I use to not get this as much but now it is quite persistent.
Exception in thread Thread-5:
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self.kwargs)
File "./DeathStar.py", line 620, in pwn_the_shit_out_of_everything
for user in get_loggedon(agent_name):
File "./DeathStar.py", line 404, in get_loggedon
username, domain, * = entry.split()
ValueError: not enough values to unpack (expected at least 2, got 1)
Hey,
DeathStar does NOT work on german systems/domains, because the Group "Domain Admins" does not exist. In german it is called "Domänen-Admins".
This will result in :
[+] Agent: .... => Found 0 members for the '"Domain Admins"' group: []
I tried to fix it manually, however using UTF-8 encoding and changing every occurrence of "Domain Admins" in "Domänen-Admins" in the DeathStar.py and [Empire]/* did not fix the issue, but generated the error message:
Agent: .... => Error executing module 'powershell/situational_awareness/network/powerview/get_group_member': Expecting value: line 1 column 1 (char 0)
Maybe someone can help?
Sorry, if I'm doing something wrong. I already tried your Empire fork, as suggested in a similar issue..
[DEBUG] Agent: NFXL2CHU => Executed Module => success: True taskID: 1 msg: 'tasked agent NFXL2CHU to run module powershell/management/get_domain_sid'
[DEBUG] Agent: NFXL2CHU => Result Buffer: {'AgentName': 'NFXL2CHU', 'AgentResults': [None]}
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "./DeathStar.py", line 59, in __run
self.__run_backup()
File "/usr/lib/python3.5/threading.py", line 862, in run
self._target(*self._args, **self._kwargs)
File "./DeathStar.py", line 585, in pwn_the_shit_out_of_everything
recon(agent_name)
File "./DeathStar.py", line 507, in recon
domain_sid = get_domain_sid(agent_name)
File "./DeathStar.py", line 213, in get_domain_sid
results = execute_module_with_results('powershell/management/get_domain_sid', agent_name)
File "./DeathStar.py", line 180, in execute_module_with_results
if result['taskID'] == r['taskID']:
KeyError: 'taskID'
As soon as an agent registers to Empire, DeathStar crashes with the following:-
[] Powering up the Death Star
[] Polling for agents
Traceback (most recent call last):
File "./DeathStar.py", line 805, in
for agent in get_agents()['agents']:
File "./DeathStar.py", line 114, in get_agents
return r.json()
File "/usr/lib/python3/dist-packages/requests/models.py", line 850, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/lib/python3.5/json/init.py", line 319, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.5/json/decoder.py", line 339, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.5/json/decoder.py", line 357, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
root@kali:/usr/share/DeathStar#
Running on Kali 2017.1, Empire and DeathStar installed from your fork. Note that the agent is also running on Linux (Ubuntu) so may be because non-Windows?
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.