Caldera operations are getting errors #49
Comments
Noted. I've also encountered a few errors with Caldera along the way and need to test this with a newer version of Python. Will check back here once I get that up and running. What were the scenario details you were using?
I followed the scenario in this Caldera video - https://www.youtube.com/watch?v=xjDrWStR68E Are the DetectionLab hosts hardened? I checked what the UseLogonCredential value was and the key wasn't set on the Win10 box. I'm guessing that affected Caldera's ability to grab creds and move laterally.
DetectionLab boxes aren't hardened; however, I resolved a lot of the Caldera issues tonight by updating the Caldera repo I had on my logger host (
@forensic65x the $CompSearcher.FindAll() error you're seeing is because the default logged-in account is the local Vagrant user, not the domain vagrant user. This error will appear in the console when that occurs:
I'm using Win10 as the start host, and if I log on to Win10 as windomain\vagrant, this step passes successfully. After that, I tried it against an adversary with all 29 steps and didn't see any errors:
Hey @forensic65x - this should be addressed in the latest commit (#50), which uses Python 3.6.4. Let me know if you run into any problems.
If I log on with the windomain\vagrant account I am able to perform the enumeration steps. Thanks for the suggestion. I did notice my operation showed all greens, but it didn't show all tests, and none of the lateral movement/mimikatz steps appear to be running or running successfully. The hosts stay blue vs. changing to red once they are compromised. I thought it was due to Win10 defaulting to not storing WDigest in clear text, so I tried to add the UseLogonCredential registry key using the windomain\vagrant account and got access denied. I thought it might be a UAC issue, but that attempt got access denied as well. I then tried to add a new user to the Win10 box using the windomain\vagrant domain admin account and also got access denied. I confirmed that account was in the 'Domain Admins' group and verified the 'Domain Admins' group was in the local Administrators group. I was able to update the UseLogonCredential key using the win10\vagrant account. It seems there might be an issue between the Win10 box and the DC. Are you able to get any of the hosts compromised using Caldera and Win10 as the start? I will do some additional testing, but after I restarted the logger I am unable to get Caldera to run. I'll open a separate issue.
Description of the issue:
Each time I attempt to run an Operation with Caldera it fails to complete. I have performed multiple vagrant reloads and multiple vagrant destroys and then vagrant up to recreate the lab but the issue still occurs on each operation.
Below is the recurring error in Caldera.
Hostname: win10
Command Line: powershell -command -
StdIn: [[powerview]] Get-DomainComputer
StdOut:
Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)"
At line:6306 char:20
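The thread narrows the FindAll() failure down to the logon context (local vagrant vs. windomain\vagrant), and the later comments turn on whether the token is elevated and whether the WDigest UseLogonCredential value is present. The following PowerShell is an added diagnostic, not code from DetectionLab, Caldera or anyone in this thread; the function name Get-CalderaHostDiagnostics and the output field names are my own. It only reads state and reports it, so it can be run on the Win10 host before starting an operation to see which of the three conditions applies.

```powershell
# Added example; not part of DetectionLab or of any comment in this thread.
# Run it in the same PowerShell session Caldera would use on the Windows host.
# It reports, without changing anything:
#   1. whether the session is a domain logon (a local logon leaves
#      DirectorySearcher calls such as FindAll() without a usable domain
#      context, which is the cause identified above),
#   2. whether the current token is elevated (UAC gives an admin a filtered
#      token by default, so writes under HKLM fail with "access denied"),
#   3. the current WDigest UseLogonCredential value.

function Get-CalderaHostDiagnostics {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem

    # 1. Logon context: for a local account the authority part of the
    #    name (before the backslash) is the machine name itself.
    $authority     = ($identity.Name -split '\\')[0]
    $isDomainLogon = $cs.PartOfDomain -and ($authority -ne $env:COMPUTERNAME)

    # Same class of call PowerView makes before FindAll(); it throws when the
    # current token has no domain context it can bind with.
    $domainContextUsable = $false
    $domainContextError  = $null
    try {
        $null = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $domainContextUsable = $true
    } catch {
        $domainContextError = $_.Exception.Message
    }

    # 2. Elevation: Administrators membership only takes effect on an elevated token.
    $isElevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # 3. WDigest. $null means the value is absent; on Windows 8.1 / 2012 R2 and
    #    later (or older builds with KB2871997) that is the secure default and no
    #    cleartext credentials are cached. 1 means cleartext caching is enabled,
    #    which is the exposure defenders look for. 0 disables it explicitly.
    $wdigestKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                         -ErrorAction SilentlyContinue).UseLogonCredential

    [pscustomobject]@{
        Hostname            = $env:COMPUTERNAME
        LoggedOnAs          = $identity.Name
        MachineDomain       = $cs.Domain
        IsDomainLogon       = $isDomainLogon
        DomainContextUsable = $domainContextUsable
        DomainContextError  = $domainContextError
        TokenElevated       = $isElevated
        UseLogonCredential  = $useLogonCred
        WDigestCleartextOn  = ($useLogonCred -eq 1)
    }
}

Get-CalderaHostDiagnostics | Format-List
```

If IsDomainLogon is false or DomainContextUsable is false, the Get-DomainComputer step above will fail regardless of what else is configured; log on as windomain\vagrant first, as the thread suggests. If TokenElevated is false, the registry "access denied" errors are expected even for a domain admin, and the fix is an elevated session rather than a change to group membership. WDigestCleartextOn being true on a host is the condition a detection engineer would want to alert on, since it means plaintext passwords are being kept in LSASS.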