Caldera operations are getting errors #49

Closed

forensic65x opened this issue Jan 22, 2018 · 6 comments

Comments

@forensic65x commented Jan 22, 2018

  • Operating System Version: Mac OS 10.13.2
  • Provider (VirtualBox/VMWare): Virtualbox
  • Vagrant Version: 2.0.1
  • Packer Version: 1.0
  • Is the issue reproducible or intermittent? Reproducible

Description of the issue:

Each time I attempt to run an Operation with Caldera it fails to complete. I have performed multiple vagrant reloads and multiple vagrant destroys and then vagrant up to recreate the lab but the issue still occurs on each operation.

Below is the recurring error in Caldera.

```
Hostname: win10
Command Line: powershell -command -
StdIn: [[powerview]] Get-DomainComputer
StdOut:
Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)"
At line:6306 char:20
+         else { $Results = $CompSearcher.FindAll() }
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : COMException
```
@clong (Owner)

clong commented Jan 22, 2018

Noted. I've also encountered a few errors with Caldera along the way and need to test this with a newer version of Python. Will check back here once I get that up and running. What were the scenario details you were using?

@forensic65x (Author) commented Jan 22, 2018

I followed the scenario in this Caldera video - https://www.youtube.com/watch?v=xjDrWStR68E
It involves creating an adversary with 7 of the steps.
I also tried creating an adversary with all 29 of the steps and then an adversary with just one step - get_creds. In each case I received the PowerView error above.

Are the DetectionLab hosts hardened? I checked what the UseLogonCredential value was and the key wasn't set on the Win10 box. I'm guessing that affected Caldera's ability to grab creds and move laterally.

@clong (Owner)

clong commented Jan 23, 2018

DetectionLab boxes aren't hardened, however I resolved a lot of the Caldera issues tonight by updating the Caldera repo I had on my logger host ($ cd /home/vagrant/caldera; git pull) and installed python3.6.4, which also seems to run better and doesn't require a patch. If I can get through your test scenario without errors, I'll merge a fix for logger.

@clong (Owner)

clong commented Jan 23, 2018

@forensic65x the $CompSearcher.FindAll() error you're seeing is because the default logged in account is the local Vagrant user, not the domain vagrant user. This error will appear in the console when that occurs:

WARNING:app.operation.operation:Failed to parse with error: DomainIssueError: Domain Issue 0x80005000: Verify that the rat is running under a Domain Account, and that the Domain Controller can be reached.

I'm using Win10 as the start host, and if I log on to Win10 as windomain\vagrant, this step passes successfully:

[screenshot: Get-DomainComputer step passing]

After that, I tried it against an adversary with all 29 steps and didn't see any errors:

[screenshot: 29-step adversary operation with no errors]
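A pre-flight check for the condition clong describes, written as an added example (it is not DetectionLab or Caldera code). It reports whether the current token is a domain account and whether an LDAP bind to the domain succeeds, using the same ADSI/DirectorySearcher path that PowerView's `Get-DomainComputer` builds internally. `Test-DomainContext` and its output fields are names chosen for this example; the domain name `WINDOMAIN` in the warning is taken from the thread.

```powershell
# Added example, not part of DetectionLab or Caldera.
# PowerView's Get-DomainComputer creates a DirectorySearcher rooted at the
# current user's domain. When the logged-on account is local (WIN10\vagrant),
# there is no domain naming context and FindAll() throws COMException
# 0x80005000 (E_ADS_BAD_PATHNAME). This function surfaces that before a
# Caldera operation is started.

function Test-DomainContext {
    [CmdletBinding()]
    param(
        # Optional explicit DNS domain; defaults to the logged-on user's domain.
        [string]$Domain
    )

    $result = [ordered]@{
        User            = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        IsDomainAccount = $false
        Domain          = $null
        DcReachable     = $false
        Error           = $null
    }

    # Local accounts report USERDOMAIN equal to the machine name (WIN10\vagrant);
    # domain accounts report the NetBIOS domain name (WINDOMAIN\vagrant).
    $result.IsDomainAccount = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    if (-not $Domain) { $Domain = $env:USERDNSDOMAIN }
    $result.Domain = $Domain

    if (-not $result.IsDomainAccount -or -not $Domain) {
        $result.Error = 'Not running as a domain account; the ADSI searcher has no default naming context.'
        return [pscustomobject]$result
    }

    try {
        # Bind RootDSE to find the default naming context, then run the same kind
        # of query PowerView issues. Any failure here is the FindAll() failure
        # the RAT would report later.
        $rootDse  = [ADSI]"LDAP://$Domain/RootDSE"
        $nc       = $rootDse.defaultNamingContext
        $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain/$nc")
        $searcher.Filter   = '(objectCategory=computer)'
        $searcher.PageSize = 200
        $null = $searcher.FindOne()
        $result.DcReachable = $true
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    return [pscustomobject]$result
}

# Usage: run on the start host in the same session the RAT uses.
$ctx = Test-DomainContext
$ctx | Format-List
if (-not ($ctx.IsDomainAccount -and $ctx.DcReachable)) {
    Write-Warning 'Log on as a domain user (e.g. WINDOMAIN\vagrant) before running [[powerview]] Get-DomainComputer.'
}
```

The check distinguishes the two halves of Caldera's own hint ("running under a Domain Account" versus "the Domain Controller can be reached"): `IsDomainAccount` false means the RAT was started from a local logon; `IsDomainAccount` true with `DcReachable` false points at name resolution or connectivity to the DC rather than the account.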

@clong (Owner)

clong commented Jan 23, 2018

Hey @forensic65x - this should be addressed in the latest commit (#50) which uses Python 3.6.4. Let me know if you run into any problems.

@clong clong closed this as completed Jan 26, 2018
@forensic65x (Author) commented Jan 26, 2018

If I log on with the windomain\vagrant account I am able to perform the enumeration steps. Thanks for the suggestion.

I did notice my operation showed all greens, but it didn't show all tests, and none of the lateral movement/mimikatz steps appear to be running or running successfully. The hosts stay blue vs changing to red once they are compromised.

I thought it was due to Win10 defaulting to not store wdigest in clear text, so I tried to add the UseLogonCredential registry key using the windomain\vagrant account and got access denied.

I thought it might be a UAC issue, but that attempt got access denied as well. I then tried to add a new user to the Win10 box using the windomain\vagrant domain admin account and also got access denied. I confirmed that account was in the 'Domain Admins' group and verified the 'Domain Admins' group was in the local Administrators group.

I was able to update the UseLogonCredential key using the win10\vagrant account.

It seems there might be an issue between the Win10 box and the DC. Are you able to get any of the hosts compromised using Caldera and Win10 as the start?

I will do some additional testing, but after I restarted the logger I am unable to get Caldera to run. I'll open a separate issue.
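The registry write the comment above describes, as an added example (not DetectionLab or Caldera code) of the checks worth running before blaming the DC. Writes under `HKLM:\SYSTEM` require an elevated token; an account that is in Administrators (directly or through Domain Admins) but runs a non-elevated shell holds a UAC-filtered token in which the Administrators group is present for deny only, and the write fails with "Access is denied" even though the group memberships are correct. `Get-TokenSummary` and `Set-WDigestUseLogonCredential` are names chosen for this example.

```powershell
# Added example, not part of DetectionLab or Caldera.
# Step 1: inspect the current token. IsInRole(Administrator) is false for a
# UAC-filtered token even when the Administrators SID is in the group list,
# which is exactly what separates "member of the group" from "can write HKLM".
function Get-TokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Translate group SIDs to names; SIDs that fail to resolve are kept raw.
    $groups = $id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    }

    [pscustomobject]@{
        User           = $id.Name
        IsElevated     = $principal.IsInRole($adminRole)
        InDomainAdmins = [bool]($groups -match '\\Domain Admins$')
        InLocalAdmins  = [bool]($groups -match '\\Administrators$')
    }
}

# Step 2: read, then set, WDigest UseLogonCredential. The value is a DWORD under
# the WDigest provider key; 1 re-enables clear-text credential caching for new
# logons (the behaviour Mimikatz's wdigest module relies on).
function Set-WDigestUseLogonCredential {
    param(
        [ValidateSet(0, 1)]
        [int]$Value = 1
    )
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    $current = (Get-ItemProperty -Path $path -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $shown   = if ($null -eq $current) { '<not set>' } else { $current }
    Write-Host "UseLogonCredential before: $shown"

    try {
        # -ErrorAction Stop turns the provider's non-terminating error into an
        # exception so the access-denied case is actually caught.
        New-ItemProperty -Path $path -Name UseLogonCredential -PropertyType DWord `
            -Value $Value -Force -ErrorAction Stop | Out-Null
        Write-Host "UseLogonCredential set to $Value (applies to logons after this point)."
        return $true
    }
    catch {
        Write-Warning "Failed to write $path : $($_.Exception.Message)"
        return $false
    }
}

# Usage: run in the session that produced the access-denied error.
$token = Get-TokenSummary
$token | Format-List

if ($token.IsElevated) {
    Set-WDigestUseLogonCredential -Value 1 | Out-Null
}
else {
    Write-Warning 'Token is not elevated; the HKLM write will be refused regardless of group membership. Start PowerShell with "Run as administrator" and retry.'
}
```

`whoami /groups` shows the same thing from the command line: in a filtered token the Administrators entry carries the attribute "Group used for deny only". If `IsElevated` is true and the write still fails, the cause is outside UAC and the DC/trust angle raised in the comment is the next thing to look at.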
