Let’s say you’ve successfully phished a client, and now have an Empire agent on a victim computer. Congratulations! Establishing an initial foothold on a network, with either a .hta link or an office macro (excellent write-up using this method by @enigma0x3), can be one of the hardest parts of pentesting, and most security practices are designed to prevent you from getting to this point. The next phase seems to be where a lot of new pentesters scratch their heads: post-exploitation. I know I sure did! Let’s walk through one potential real-world path using Empire v1.5 and the OpSec safe modules to obtain our ultimate goal: Domain Administrator privileges.

Once we’re on a box, it’s good to take a look at what you’ve got available to you. I tend to use the “situational_awareness” modules in Empire to discover what account I’m running under, who are the local administrators, domain administrators, network settings, mapped drives, and installed programs and patches. Even if you don’t end up using a lot of this information for exploitation, it can be demonstrative of your access when writing the final report.

In this example, we’re going from an initial beacon to domain administrator.

Once the beacon checks in, and its confirmed that you’re in a domain environment on a managed computer, let’s check the Group Policy Preferences for stored credentials (courtesy @obscuresec http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html).

And if the administrators have stored passwords in the group policy preferences, you’ll see something like this:

Here we have a stored local administrator password in the scheduled tasks preferences.

With local administrator credentials, let’s launch a new agent on the host with admin privileges using “management/runas”. The module “management/spawnas” will work as well, but is not OpSec safe. This may or may not make a difference in your engagement. Though an OpSec safe module is less clean up for you 🙂

Assuming that worked, you should now see that a new agent has checked in with local admin privileges. With local admin access, we can now run the pentesters favorite tools such as Mimikatz to dump plaintext credentials from memory and Responder (known as Inveigh in Powershell, by @kevin_robertson) to poison NBNS and LLMNR queries on the wire. If you’ve done some initial recon, you’ll have a list of potentially privileged users from groups in the domain. For instance, members of the obvious “Domain Admins”, and potentially “Local Administrators” are accounts you’d want to keep an eye out for while Inveigh does its thing.

Once Inveigh has captured a hash, lets crack this with john, aka JTR.

And if we’re lucky, and they have a poor or known password, we’ll get a cracked password result:

Finally, with a domain administrator account and password, we can use the lateral_movement/invoke_wmi module to spawn a new Empire agent on the Domain Controller. Or better yet as @bluescreenofjeff has pointed out to me: “use the dcsync module to pull the krbtgt from any computer, and then create the golden ticket without ever compromising the domain controller”. The latter option being more OpSec safe and less likely to raise any alarms.

With Domain Admin access, you can now create accounts, issue yourself a kerberos golden ticket, or use the “credentials/mimikatz/lsadump” module to extract all the password hashes from the DC. Of course, there are other paths to getting this access, and this is but one example.

tl;dr: Unpriv’d agent -> LA via GPP -> Inveigh -> Crack captured DA hash