Comments (6)
Noted. I've also encountered a few errors with Caldera along the way and need to test this with a newer version of Python. Will check back here once I get that up and running. What were the scenario details you were using?
from detectionlab.
I followed the scenario in this Caldera video - https://www.youtube.com/watch?v=xjDrWStR68E
It involves creating an adversary with 7 of the steps.
I also tried creating an adversary with all 29 of the steps and then an adversary with just one step - get_creds. In each case I received the powerview error above.
Are the DetectionLab hosts hardened? I checked what the UseLogonCredential value was and the key wasn't set on the Win10 box. I'm guessing that affected Caldera's ability to grab creds and move laterally.
from detectionlab.
DetectionLab boxes aren't hardened, however I resolved a lot of the Caldera issues tonight by updating the Caldera repo I had on my logger host (`$ cd /home/vagrant/caldera; git pull`) and installing Python 3.6.4, which also seems to run better and doesn't require a patch. If I can get through your test scenario without errors, I'll merge a fix for logger.
from detectionlab.
@forensic65x the $CompSearcher.FindAll() error you're seeing is because the default logged in account is the local Vagrant user, not the domain vagrant user. This error will appear in the console when that occurs:
WARNING:app.operation.operation:Failed to parse with error: DomainIssueError: Domain Issue 0x80005000: Verify that the rat is running under a Domain Account, and that the Domain Controller can be reached.
I'm using Win10 as the start host, and if I log on to Win10 as windomain\vagrant, this step passes successfully.
After that, I tried it against an adversary with all 29 steps and didn't see any errors:
from detectionlab.
Hey @forensic65x - this should be addressed in the latest commit (#50) which uses Python 3.6.4. Let me know if you run into any problems.
from detectionlab.
If I log on with the windomain\vagrant account I am able to perform the enumeration steps. Thanks for the suggestion.
I did notice my operation showed all greens, but it didn't show all tests and none of the lateral movement/mimikatz appear to be running or running successfully. The hosts stay blue vs changing to red once they are compromised.
I thought it was due to Win10 defaulting to not storing WDigest credentials in clear text, so I tried to add the UseLogonCredential registry key using the windomain\vagrant account and got access denied.
I thought it might be a UAC issue but that attempt got access denied as well. I then tried to add a new user to the Win10 box using the windomain\vagrant domain admin account and also got access denied. I confirmed that account was in the 'Domain Admins' group and verified the 'Domain Admins' group was in the local Administrators group.
I was able to update the UseLogonCredential key using the win10\vagrant account.
It seems there might be an issue between the Win10 box and the DC. Are you able to get any of the hosts compromised using Caldera and Win10 as the start?
I will do some additional testing but after I restarted the logger I am unable to get Caldera to run. I'll open a separate issue.
from detectionlab.
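A read-only diagnostic for the three conditions that came up in this thread (whether the session is a domain or local account, whether the token is elevated under UAC, and whether the WDigest UseLogonCredential key is present), added here as an example; it is not DetectionLab or Caldera code. It assumes DetectionLab's windomain domain and that the domain admin group resolves locally as WINDOMAIN\Domain Admins.

```powershell
# Added example (not part of DetectionLab/Caldera): read-only checks to run on the
# Win10 box before starting a Caldera operation. Nothing here changes any setting.

# 1. Which account is the session running as? Caldera's DomainIssueError appears when
#    the rat runs as the local vagrant user (WIN10\vagrant) instead of windomain\vagrant.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$accountDomain = $identity.Name.Split('\')[0]
$isDomainAccount = $accountDomain -ine $env:COMPUTERNAME
Write-Host "Session account: $($identity.Name) (domain account: $isDomainAccount)"

# 2. Is the token elevated? "Access denied" for a Domain Admin usually means the
#    session holds a UAC-filtered (non-elevated) token, not that group membership is wrong.
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Elevated token: $elevated"

# 3. WDigest UseLogonCredential: absent or 0 is the Windows 10 default (no cleartext
#    credential caching); a value of 1 is a weakening worth flagging on any host.
$wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$item  = Get-ItemProperty -Path $wdigestPath -Name UseLogonCredential -ErrorAction SilentlyContinue
$value = if ($null -ne $item) { $item.UseLogonCredential } else { $null }
if ($null -eq $value) {
    Write-Host "UseLogonCredential: not set (default, WDigest cleartext caching disabled)"
} elseif ($value -eq 1) {
    Write-Warning "UseLogonCredential = 1: WDigest is caching cleartext credentials on this host"
} else {
    Write-Host "UseLogonCredential = $value"
}

# 4. Confirm the domain admin group really is in the local Administrators group.
#    Group name is an assumption based on DetectionLab's windomain domain.
$domainAdmins = 'WINDOMAIN\Domain Admins'
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty Name
Write-Host "Local Administrators: $($members -join ', ')"
Write-Host "$domainAdmins present: $($members -contains $domainAdmins)"
```

If the first check reports a local account, or the second reports a non-elevated token, the symptoms described above (DomainIssueError, access denied on the registry key) are expected regardless of the group membership shown by the last check.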