Building the DeathStar: getting Domain Admin with a push of a button (a.k.a. how I almost automated myself out of a job) - Marcello Salvati Derbycon 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)


Ever since the advent of tools like PowerSploit, Empire, BloodHound and CrackMapExec, pentesting Active Directory has become a pretty straightforward and repetitive process for 95% of all the environments that I get dropped into. This begs the question: can the process of going from an unprivileged domain user to Domain Admin be automated? Well obviously, since this talk is a thing, the answer is yes! Introducing the DeathStar: a Python script that leverages Empire 2.0's RESTful API to automate the entire AD pentesting process from elevating domain rights, spreading laterally and hunting down those pesky Domain Admins! This talk will mainly focus on how DeathStar works under the hood, how to properly defend against it and the most common AD misconfigurations/vulnerabilities that I see in almost every environment which allow for this script to be so effective. It will then conclude with live demos of the tool in action (which hopefully will not fail miserably) and some final considerations from yours truly.

Marcello Salvati (@byt3bl33d3r) is a security consultant who's really good at writing bios. He's so good at writing bios that he was awarded the "The Best Bio Ever from *insert date when bios became a thing* to 2017" award. (Totally legit award. Don't Google it, Bing it). His boss Liz asked him about ten times to re-write his bio because "It was too good. He had to make it less good. We didn't want people to cry in shame when they read it. It was like a poem ... sniff.. *a single tear is shed*". By day a security consultant, by night a tool developer who discovered a novel technique to turn tea, sushi and dank memes into somewhat functioning code, he has recently devoted his attention to the wonderful rabbit hole that is Active Directory, which has become his favorite thing to 0wn.

@byt3bl33d3r
