Empire Post Exploitation – Unprivileged Agent to DA Walkthrough

empire_logo_black4Let’s say you’ve successfully phished a client, and now have an Empire agent on a victim computer. Congratulations! Establishing an initial foothold on a network, with either a .hta link or an office macro (excellent write-up using this method by @enigma0x3), can be one of the hardest parts of pentesting, and most security practices are designed to prevent you from getting to this point. The next phase seems to be where a lot of new pentesters scratch their heads: post-exploitation. I know I sure did! Let’s walk through one potential real-world path using Empire v1.5 and the OpSec safe modules to obtain our ultimate goal: Domain Administrator privileges.

Once we’re on a box, it’s good to take a look at what you’ve got available to you. I tend to use the “situational_awareness” modules in Empire to discover what account I’m running under, who are the local administrators, domain administrators, network settings, mapped drives, and installed programs and patches. Even if you don’t end up using a lot of this information for exploitation, it can be demonstrative of your access when writing the final report.

In this example, we’re going from an initial beacon to domain administrator.

Once the beacon checks in, and its confirmed that you’re in a domain environment on a managed computer, let’s check the Group Policy Preferences for stored credentials (courtesy @obscuresec http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html).


And if the administrators have stored passwords in the group policy preferences, you’ll see something like this:


Here we have a stored local administrator password in the scheduled tasks preferences.

With local administrator credentials, let’s launch a new agent on the host with admin privileges using “management/runas”. The module “management/spawnas” will work as well, but is not OpSec safe. This may or may not make a difference in your engagement. Though an OpSec safe module is less clean up for you 🙂


Assuming that worked, you should now see that a new agent has checked in with local admin privileges. With local admin access, we can now run the pentesters favorite tools such as Mimikatz to dump plaintext credentials from memory and Responder (known as Inveigh in Powershell, by @kevin_robertson) to poison NBNS and LLMNR queries on the wire. If you’ve done some initial recon, you’ll have a list of potentially privileged users from groups in the domain. For instance, members of the obvious “Domain Admins”, and potentially “Local Administrators” are accounts you’d want to keep an eye out for while Inveigh does its thing.


Inveigh started at 2016-07-05T10:02:33
Listening IP Address =
LLMNR/NBNS Spoofer IP Address =
LLMNR Spoofing Enabled
LLMNR TTL = 30 Seconds
NBNS Spoofing Of Types 00,20 Enabled
NBNS TTL = 165 Seconds
SMB Capture Enabled
HTTP Capture Enabled
HTTPS Capture Disabled
HTTP/HTTPS Authentication = NTLM
WPAD Authentication = NTLM
Ignoring Machine Accounts
Real Time Console Output Enabled
Real Time File Output Disabled
2016-07-05T10:02:34 – NBNS request for WPAD received from – spoofed response has been sent
2016-07-05T10:02:34 – HTTP request for /wpad.dat received from
2016-07-05T10:02:34 – HTTP request for /wpad.dat received from
2016-07-05T10:10:39 – HTTP request for /wpad.dat received from
2016-07-05T10:10:39 – LLMNR request for wpad received from – spoofed response has been sent
2016-07-05T10:10:39 – HTTP NTLMv1 challenge/response captured from

Once Inveigh has captured a hash, lets crack this with john, aka JTR.

root@kali:~/# john –wordlist=~/SecLists/Passwords/merged.txt –format=nt –rules Inveigh_Hashes.txt

And if we’re lucky, and they have a poor or known password, we’ll get a cracked password result:

1 password hashes cracked, 0 left

Finally, with a domain administrator account and password, we can use the lateral_movement/invoke_wmi module to spawn a new Empire agent on the Domain Controller. Or better yet as @bluescreenofjeff has pointed out to me: “use the dcsync module to pull the krbtgt from any computer, and then create the golden ticket without ever compromising the domain controller”. The latter option being more OpSec safe and less likely to raise any alarms.

With Domain Admin access, you can now create accounts, issue yourself a kerberos golden ticket, or use the “credentials/mimikatz/lsadump” module to extract all the password hashes from the DC. Of course, there are other paths to getting this access, and this is but one example.

tl;dr: Unpriv’d agent -> LA via GPP -> Inveigh -> Crack captured DA hash

One thought on “Empire Post Exploitation – Unprivileged Agent to DA Walkthrough

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s