- There are many different techniques which can be used to get access into the Domain Controller but not all are recommended. It's better to impersonate the Domain Controller using 'DCSync' to extract the password hashes without requiring interactive logon or copying the Active Directory database file (ntds.dit).
- You can either try other UAC modules in Empire for privilege escalation or you can look for a local vulnerability using privesc/powerup/allchecks module or a Unquoted Service Path Vulnerability to escalate the privileges manually.
- DeathStar follows a series of checklist to look for the credentials. If the standard way didn't work, you need to do some manual reconnaissance to move further.
- It's not mandatory to retrieve the passwords in plain-text. We can always use Pass-The-Hash (PTH)...
Argentina
Australia
Austria
Belgium
Brazil
Bulgaria
Canada
Chile
Colombia
Cyprus
Czechia
Denmark
Ecuador
Egypt
Estonia
Finland
France
Germany
Great Britain
Greece
Hungary
India
Indonesia
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malaysia
Malta
Mexico
Netherlands
New Zealand
Norway
Philippines
Poland
Portugal
Romania
Russia
Singapore
Slovakia
Slovenia
South Africa
South Korea
Spain
Sweden
Switzerland
Taiwan
Thailand
Turkey
Ukraine
United States