#breaching-ad
is there anything wrong or is it just me?
I keep getting ** server can't find thmdc.za.tryhackme.com: NXDOMAIN
can someone help?
I think I spoke to you in the tech chat. You told me to try and reset it by pressing the red button which I have and it did not make a difference. There seems to be other people facing this issue as well. Is there not a standard step by step solution for this issue?
I watched your video. Did you run into the same issue? I was not sure how you managed to get it to work in the video because your saved button was greyed out
Are you on the attack box or your own VM?
own VM
Kali I take it?
Which subnet are you on in the breaching ad room?
Yep Kali 10.200.55.101
Okay, can you ping the DC directly via IP? Just ping <dc ip address>
Okay so are you setting your IP with network configuration, then going to console as root and doing systemctl restart networkmanager --- AFTER connecting to the VPN?
Yep but not as root
I'm not sure if it makes a difference but try as root or sudo -- if you run pimpmykali.sh (google it) you can re-enable root login in Kali
Each time I did it, I just added DNS to the advance network configuration GUI and then restarted network manager. I have completed every room and that worked for me
With my own Kali VM for context
no
as root
cd /etc
then nano resolv.conf
then put it at the top
if you restart network manager as well it removes it
once changes have been made to /etc/resolv.conf how do I save it
ctrl x and then hit y
systemctl restart resolv.conf?
no
no what panda said above
no
I never actually did those steps on mine though -- i literally just updated my advanced network configuration with the DNS, saved it, then restarted network manager -- I never had an issue -- I didn't edit the resolv.conf file but that should work too
because its automatically taking it as a DNS setting
sometimes that DOES work but ive always edited the conf
yeah that seems a more sure way to do it
Then beneath that something like 8.8.8.8 to make sure I have internet access as well right?
okay so
one sec
this is what it should look like
dont worry about the commented out or the ip i have
IF you have anything beneath it just leave it
but the ip nameserver NEEDS to be at the top
So theoretically once I save it and even if I was to restart Kali it would be the latest changes that I made that will appear correct?
oh does it always do that? and is there a way to not make it remove it? I am guessing not?
but everytime i restart my machine or Network Man it removes it
im not sure
I'd just remove it after the box is done to remove clutter
like I said once it is in, restart the vpn connection and nslookup
@frank stratus -- let us know if it works. If it doesn't, I might be able to jump on a screenshare with you and do some more troubleshooting. Wrapping up a work meeting at the moment
So the network manager overwrites all the resolv files? is this correct?
i believe so if you reboot it
Guys :-; I'm currently trying to set up the openldap server. Since I'm on Arch I cannot use dpkg-reconfigure so I'm following the Arch wiki. :-;
after making the config file I'm facing the following issue while adding the config file . https://wiki.archlinux.org/title/OpenLDAP . I don't know much about ldap. can anyone help? tried googling up but couldn't come up with anything helpful
I tried deleting all the contents of /etc/openldap/slapd.d and tried the command again. Then I received the following error.
Hello. I finished the room. However, I have not privilege escalated on the domain controller. This task seems to be out of scope but I want to just do it as a challenge. Was the DC meant to be pwned or is it actually maintained and trying to own it might not be a feasible task for a beginner like me? Thank you in advance whoever answers.
Hey there, remember this network is just to show how you can breach AD. You will compromise the entire domain in Exploiting AD.
There are ways you could compromise this DC, yes, and you can try them if you want to do a bit of self-exploration, but you will be guided through the process in the Exploiting AD network.
From where I can get the DNS host address of the DC?
DNS=<THMDC IP>
Also it is not working in the THM hosted attackbox or kali machines. I tried both
plz lmk what I am missing here
It is in the network diagram when you join the room?
I see thanks for this, more clarity you can mention this in the note of the room as well
I tried adding the IP as described in the task 1, not working in my case
Try changing /etc/resolv.conf
so it matches 10.200.27.101
If you read the task, you will see that there is a specific section for doing DNS on Kali. I would really recommend reading the task in full before trying the very first thing. In these networks, there are a lot of Notes (in bold) that tell you about exceptions and edge cases. If you don't read these, you will get stuck for quite a while.
Since Kali does DNS through network manager, the systemd-resolve method will not work for you. You can either follow the process described in the task to add the DNS server to network manager, or you can directly modify your /etc/resolv.conf file that network manager uses.
You can also use nslookup za.tryhackme.com 10.200.27.101 to verify that DNS is working in the network. If this works, but nslookup za.tryhackme.com does not, then it means there is still something wrong with your configuration of DNS. However if the first command fails, chances are there is something wrong with the network (might not be started perhaps) and then you should ask for support.
DNS resolving is vital for AD hacking (due to Kerberos authentication), so I would really suggest you take the time to work through this and get it sorted.
any pros
anyone ? 0_0
Please reset the network as no response is coming from the dns
Task 5, using the attack box now because I couldn't get any hashes from responder on my vpn host. Same issue with AttackBox, have left it running and not catching anything. I reset hosts which didn't seem to help.
It said that in 10 - 30 mins the simulated services will try to authenticate. Did you leave the responder running for 30+ mins?
I just got the hash from the server
Why can't we directly download the file from pxeboot.za.tryhackme.com?
I did. I gave up on my kali/VPN and used AttackBox. Set up DNS, was able to ping hosts. Ran responder on validated tun0 interface.
Still no luck... for whatever reason can't share screenshot in here
You have to verify first
!docs verify
ty
Gave +1 Rep to @gaunt shell
You need to kill the services with "Error starting **" message
Checkout the process occupying the port number using sudo lsof -i :[PORTNO]
noob question
may I know what is the meaning of this on AD networks?
3 days of access left
the room kicks you out after ten days but you can simply click the 'join' button to get back :)
thanks @young vale for the info
Gave +1 Rep to @young vale
It doesn't have to be just Hydra.
Yeah i know pinged him because i saw his status as online and i usually ping him anyways
This solved my issue as well. Was unaware that spacing between lines would cause an issue. Thanks!
Gave +1 Rep to @dense cedar
Hi guys, any suggestion to dump AD hashes? am practicing and I have checked smb, rdp and AD including kerberos, but no luck
what account privs do you have
Hi
In Task 4 LDAP Bind Credentials
First I set Hosting a Rogue LDAP Server, and then I tried ldapsearch ~supportedSASLMechanisms.
But ldapsearch output was only "dn:".
Could you tell me how to fix it.
a user with no privileges, no access to smb or desktop
In Task 4 (LDAP Bind Credentials), when I run ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms, I don't get any output other than dn: (I should be seeing "supportedSASLMechanisms: PLAIN" and "supportedSASLMechanisms: LOGIN" after dn:), which leads me to believe that my olcSaslSecProps.ldif file is not configured correctly. I also get an error after clicking on "Test Settings" that says "LDAP Connection failed: The LDAP server is unavailable."
The contents of my olcSaslSecProps.ldif file:
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
Still nothing and I've reconfigured slapd 3 times now
Don't know if this has anything to do with this issue but when I'm configuring slapd, I don't get asked the question about which LDAP database to use.
voted for a network reset because I keep getting the error "LDAP Connection failed: The LDAP server is unavailable." when clicking on "Test Settings"
Hi guys, can anyone explain to me why John the Ripper and hashcat don't work in this task?
I've downloaded password list from site, and i saw write up in internet, so the password is in the list.. I really don't understand
Need a bit of information here to help: Have you tried the nc listener and did you get a callback?
Also, if you scroll up in the messages on this channel you will see that on kali it is a common issue where LDAP does not show the authentication messages.
Yes, I looked at most of the messages regarding this issue and tried starting nc. I received no connections to where I was listening (port 389)
Might be due to the incorrect value being in the hash file? You sure you copied that correctly?
i'm pretty sure..
Then you might be doing something wrong on the website. What IP are you specifying in the browser there for the LDAP connection? If NC does not work, LDAP won't work either
You can DM me your hash file and I can run a comparison check for you if you want
oh my god I didn't even pay attention to the server field. sorry about that, all good now!
Glad you got it sorted. Remember that is like the fundamental concept of an LDAP-passback attack that you point the "printer" to yourself to intercept the stored creds. So if you find this on an assessment, you would have to change that IP to yours
Right, didn't even realize that. Thanks again!
Try to paste your hash directly .. like ---
hashcat -m 5600 heybsvd73jdbdiienendiienedu8 passwordlist.txt
i know this is beyond the scope of the lab, but has anyone tried doing task 4 ldap bind with Responder (for fun and practice)? the ldap server apparently supports simple bind, so it should work. but i'm not having much luck with figuring out how to enable it. i can get the ssp hash but not cleartext
Very interesting approach to try and do the challenge. I'm not sure however if responder has the capability to downgrade communications? Hence that's why you get the hash and not the cleartext password. You could however now try to crack that challenge to get the password
been trying for a few hours to rewrite some sections. I can make it send a CLDAP pong but not force it to downgrade the auth
Let me know if you get something working there, would be really interesting
major challenge is that its all based on hex codes and i cant find a reference for them anywhere. example https://github.com/lgandx/Responder/blob/master/servers/LDAP.py#L170
Haha good luck, I'll keep my malicious slapd server in the mean time
Hey, in task 6, whenever i try to open http://pxeboot.za.tryhackme.com, browser showing SERVER NOT FOUND
-- i connected with breachingad with openvpn
-- change DNS=10.200.54.101 in /etc/systemd/resolved.conf
-- also added DNS in Advanced network manager ..
My ping is working with 10.200.54.101
Also restarted both services of systemd & NetworkManager
@celest fable Please don't post random job offers, there would be a proper channel for that #jobs-board.
Are you using kali? If so, maybe just do cat /etc/resolv.conf - Check the order of your DNS servers. The room's DNS server should be the first entry since it is a prioritised list
i already did this room, anyway thanks.
Hello everyone.
I am trying to do Breaching Active Directory and I am struggling with DNS configuration. I tried to use the GUI and /etc/resolv.conf, both are not working. Can someone help me?
I use vmware
Can you provide more details on the steps you are following for DNS? Are you using kali? If so, there is a specific set of steps you need to follow that is explained in the task.
Provide output from the following after performing the steps please:
nslookup za.tryhackme.com <DC IP>
cat /etc/resolv.conf
I use kali. I followed the steps using the GUI, did not work. I tried to modify /etc/resolv.conf manually, still the same.
It gives me connection timeout.
Right now away from my laptop
I'll need output from the two commands in order to provide additional assistance. 90% of the time it is that you have an additional entry in /etc/resolv.conf which gets used first. So then you just need to make sure the room's DNS server is first since that is a prioritised list.
Just wanted to ask does it affect to change network adaptor like using NAT or bridge?
Hello guys i am trying to configure DNS but keep getting "** server can't find thmdc.za.tryhackme.com: NXDOMAIN" although i modified /etc/resolv.conf any idea? i am using kali 2020 as VM
It should not since you still need to run the actual VPN for the network? Have you done that?
Already solved thanks
Hi !
I'm stuck at the LDAP passback... Does anyone know why I can't see anything when checking enabled auth mechanisms?
Running this version of kali with freshly installed & reconfigured LDAP as shown in the instructions :
Hey there, known issue on kali. You should be able to just proceed with the rest of the attack
Ok thanks !
@dense cedar Sry for asking for your help again but I'm ending up with this message from the printer settings page : LDAP Connection failed: The distinguished name contains invalid syntax.
From the text in the room:
If you configured your rogue LDAP server correctly and it is downgrading the communication, you will receive the following error: "This distinguished name contains invalid syntax".
oh ||sh*t||
So that means it is working, are you getting anything on your TCPDump? if not, did you get something from NC?
Then TCP dump should also work, have you tried spamming the test settings button a couple times? Sometimes TCPdump lags. Else, just again verify with NC and then move back to TCPdump
Looks fine, just confirm that tun1 is the correct adapter. It might be tun0. If you want me to check, run ifconfig and route -n and send output
And then just spam the Test Settings button on the webapp a couple times
i did ip a and it was tun1 with the same IP as my OVPN connection
So everything else based on the output should be fine, so then if NC is working but not TCPdump, I'm a tad bit lost unless it is an incorrect interface, since at that point you are getting the connection back
I'll work a bit on it and I'll tell you, thanks
Good luck there, I'm calling it for the night. Sure you will get it
I had a network issue where my VPN restarted every 5 seconds… reboot and it was ok
Thanks for your time
hello, I've ran responder for almost one hour and I still don't have captured hash
I did the previous task without problems, nslookup is working for the DC and ping too
Stupid question, but should I configure the DNS in a real world attack like in this room?
Like is there going to be a machine like THMDC
I was on a kali VM so I switched to the attack box and did responder for several hours and it's not working either, I've done all the other tasks except that one... even my attacking box has given up and terminated without giving me a hash
Is the Attacking AD module going to be archived and put into a room at a later date? I saw that there was only 2 days left for this particular room and was curious if there was going to be a way to access these rooms in the future.
This is only to point to this particular network.
You'd only need to do this if you're conducting an internal pentest. If I'm not mistaken.
That being said, THMDC is specifically referencing "Try Hack Me Domain Controller", if I had to take a guess.
Hello, I can't connect to breaching-ad. I connected VPN and started the network. Thanks
nvm, I got it
Might be good to give the network a reset perhaps? Otherwise, DM me your VPN file and I'll see what is happening in the network
Yeah you would have to. It is very rare that a client will provide you with a domain-joined machine, which would automatically have configuration like DNS. So often times during assessments this is a manual process
The timer is just until the network kicks you out. We do this to ensure that we can kick inactive members which reduces the number of active networks we require. Once kicked you can just simply click join room again and everything will be working including your current progress
oh cool! so does this mean the network labs are around indefinitely?
@somber ledge
-ban 951185780175437854 -ddays 1 scam
Banned Bille.san#6392 indefinitely
hey ty but I completed that task by looking at a walkthrough
Gave +1 Rep to @dense cedar
I remember I had similar problem with the throwback network but it was eventually sorted out
Indeed it does, you can just rejoin them at any time when you are ready again
hi i am stuck on dns configuration its not working for me
I have tried the Kali method but nslookup is saying (;; connection timed out; no servers could be reached)
Hello all, I am trying out LDAP pass back attack. I am using in browser attackbox. So the server address in the LDAP settings (Printer Settings) is given as Attackbox IP. I have turned the nc listening to 389. when i save and test settings i am not getting any response in netcat.
Anybody could help me on this?
Can u provide screenshots of ur setup ?
IP adresses, Settings page + nc terminal
Restart the slapd service
Did you reconfigure it?
With sudo dpkg-reconfigure slapd
And added the weak configuration in it ?
Depackaging steps come after receiving the connection back in the netcat from printer settings, right?
I am not receiving the nc listening if I have changed the printer settings. I have provided my Attackbox IP in the Server field of Printer settings. But still my nc is not receiving any connection.
Ah yes true
Everything seems correct on your side…
Did u ask for a Network reset?
Depending on what others have done to the Network, some things may be broken
Ok, will try to reset the network
Try cat /etc/resolv.conf and send the output
It should not be your attackbox IP, it should be the IP associated with the tun adapter. The AttackBox simply executes the VPN profile for you. Check the note in the task that talks about how you can find the correct IP associated with your specific VPN adapter, since you might have multiple adapters.
See here:
It's working now somehow my breach.ovpn file had some issue I replaced it and it's working
Thank you @dense cedar
Gave +1 Rep to @dense cedar
Hello, I have been solving the Breaching AD room and at the Authentication Relay part it says that NTLM challenges are encrypted with the user's hash. As far as I know that is not true at all. The challenge value is never encrypted. I have also checked the RFC but could not find any information on the challenge being encrypted with the user's hash. And also when we capture with Responder, we are capturing responses, not challenges. In my opinion, the word challenge has been confused with response throughout the module. I would appreciate the clarification. Thanks.
Challenge value is never encrypted
That is true, the challenge from the server is not encrypted. It is rather a random string that is generated. The client is then supposed to encrypt that with its NTLM hash and then send it back to the server. The server then passes this information (both challenge and response) through to the authentication server (in case of AD, it is the DC) and then the DC tries to decrypt the challenge (because it has the hashes of all the users) and returns the response back to the server.
This will give you an abstract understanding about the concept https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4
This part and also the "Once we have a couple, we can start to perform some offline cracking of the challenges in the hopes of recovering their associated NTLM passwords" part must change. And also in the blog post you have sent, there are some misunderstandings also. There is no such thing as a client challenge. There is a blob which includes a client nonce. You can check out the RFC for a better explanation. https://curl.se/rfc/ntlm.html#ntlmv2Response
The protocol itself is described as a challenge/response protocol: https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm
You are correct that the blob part is called a nonce, but that doesn't really explain the process to users quite well. Using words like challenge and response makes things simpler. Please also see the following directly from Microsoft's documentation that explains the challenge encryption part (step 4):
The following steps present an outline of NTLM noninteractive authentication. The first step provides the user's NTLM credentials and occurs only as part of the interactive authentication (logon) process.
1. (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
2. The client sends the user name to the server (in plaintext).
3. The server generates an 8-byte random number, called a challenge or nonce, and sends it to the client.
4. The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
5. The server sends the following three items to the domain controller:
   - User name
   - Challenge sent to the client
   - Response received from the client
6. The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.
What I think is perhaps mis-interpreted in the diagram, which makes sense, is that it is the "server" that encrypts the "user" challenge. That is definitely not the case. It is the "user" that encrypts the challenge to generate the response for the "server". So I'll tweak the diagram a bit to make that clearer
Exactly. That was the part that confused me. The DC uses the user's hash to encrypt the challenge so it can compare the result with the client's response. But we are capturing the client's response with Responder, not the challenge. When I read the guide in the room, I understood it like we were capturing the challenge and trying to crack it. Don't get me wrong. I just saw possibly misleading information and wanted to correct it to contribute ❤️
All good! Thanks for reporting, we need to make sure that the information that is provided is accurate, and I can see how the diagram can be misleading so I'll fix that.
There is also common terminology that is used in the CyberSec space. So you are 100% correct that we are actually cracking the client responses, not the server challenges. However, it is fairly common out there to loosely refer to the part that is going to get cracked as the "NTLM Challenge". This is to distinguish the cracking of these vs NTLM hashes, which refers to actual NTLM MD4 hashes. Similar to cracking "Kerberos Challenges", which isn't actual Kerberos challenges. But I agree to ensure the information we provide is sound, hence we should call them client responses in the text.
I'll go make the updates later this week!
Gave +1 Rep to @fierce juniper
Update has been made to the text and the diagram. Thanks again for reporting this
Gave +1 Rep to @fierce juniper
Glad to contribute. Keep up the great work ❤️
this needs to be your main dns... so you should change from automatic dhcp to dhcp ip address only
Thanks *
Gave +1 Rep to @trim mica
also anyone on the 10.200.25 subnet??? seems that the pxeboot site gives 0 response
started the reset process to see if that fix it
also as they state in the tutorial part of how to configure dns... add another dns server like googles 8.8.8.8 after the vpn dns to still access the internet
would 1.1.1.1 also work?
Or is it 8.8.8.8
And do I add this to the "Additional search domains" or by the "Additional Static Adressess"?
yeah but that would be cloudflare
oh right
you add it after the 10.200 ip separated by a comma
Okay it works now. thank you sm
Yet again it's probably me being stupid but when trying to run the spraying script I get this error?
hmmm
ls
think that means they don't have some module they need installed via pip on that kali machine
could be wrong though
hello guys how hack a wifi pc or mobile?
@quartz pewter
Whose wifi
Ah, nevermind
-ban 993126830007664752 joined to ask how to hack a wifi
Banned daivis#8704 indefinitely
Have you checked if it's actually working by going to http://ntlmauth.za.tryhackme.com/ in the attackbox browser? Sometimes NS lookup doesn't cooperate
I checked, it's not working
I was having same problem using my own machine so tried using attack box, but same error
Not sure off the top of my head then, you might be able to update resolv.conf instead? but it may get over-written in the attackbox
If anyone is able to solve this error then please help
What this means? I cannot access it more than 2 days or what?
Yes, then you can re-enter the room.
Why is that?
The network rooms have numerous running instances at once, to cut down on cost users are removed from the room so that if you finish a room you're not still using resources.
that does not reset the answers right???
i.e if shadow rejoins the answers are still answered???
No, the answers are left alone.
DNS setting up part of this room is real pain. I am still having problems
Are you in a VM or attackbox?
Attack Box
.
can you
cat /etc/resolv.conf
shadow is lost with manoobs problems so dunno how to trouble shoot and help
Also can you
cat /etc/systemd/resolved.conf
@deep torrent
thanks 
Hey, apologies if this has been asked already, but I'm stuck on configuring slapd in Section 4 - LDAP Bind Credentials.
We are supposed to downgrade the authentication protocols used by slapd by creating an ldif file and using ldapmodify to update the config. I've followed the instructions exactly but ldapsearch does not return any results and it seems like these authentication mechanisms aren't supported by slapd? Are there additional dependencies that need to be installed for SASL auth to work with slapd?
$ sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: security flags do not match required
$ ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
This is in my Kali VM, not attackbox.
Oh, just saw this is a known issue on Kali and that the attack should still work
It works 
how did you solve it @ocean plinth
See their last message: Oh, just saw this is a known issue on Kali and that the attack should still work
sometimes resolved needs a double-reset to work for some reason
if that's what ur using
the Breaching AD net's been stuck on reset for days. Can't interact/ join. Does anyone know what's happening?
Try leaving the network and rejoining, or a force refresh of the page.
i don't believe I'm joined
I'd suggest joining it then
network state has been on reset for like 4 days, at least on my end
screenshot time
Try leaving via the little cog in the top right
Also, CTRL-F5
you mean reset progress? i believe I've tried that.
what's going on man?
it's not cached or anything.
no, Leave, and rejoin
ty
Gave +1 Rep to @unique mist
Did that work?
about to find out
openvpn's giving me a hard time
think something's wrong with network manager. it was doing this to me the last time and I just switched over to network d
and I don't understand it. it works for other people
I think I'll just switch
what's happening?
just got internet back up after switching to networkd. I'll set up DNS and see what happens.
as far as Breaching AD, it's up and running
So, quick question.
I was playing with the password spraying script just messing around and now I can't seem to connect.
is there intrusion prevention or something? heh
like did I get blocked?
it says failed to establish connection. no route to host
shouldn't be. there's a small chance you crashed the box and might need to reset, but you might want to try ping the DC first
yeah she's toast
what have i done lol...

restart again
wait the domain controller responds to pings???
no. so i borked it or something
normally windows machines don't tend to respond to pings
This one should do (it's the standard step in troubleshooting these networks)
Good, now I'll have to wait for someone else to vote
what subnet?
Refresh the page, I'm pretty sure that subnet has stopped...
I can vote for reset if you like, but i think you just need to press the lil blue start button
Caching issues ftw
yup, they time out, it's worth checking and extending them
i did go over an hour, so maybe
Just keep it in mind next time
i seem to not be capturing the full message from za.tryhackme's printer service (LDAP) or something got messed up
It captures up to the point of "invalid DN". I'm almost positive I've set this up correctly with Slap.
I'm not sure what's happening.
my distinguished name is za.tryhackme.com. Not sure where I messed it up.
wait...
yeah, I'm authenticated
reset
this is captured with tcpdump. it keeps saying invalid DN
ahh, but during configuration i do not get the option to choose my db-type. I'll check to see...
nope... it's still mdb
that wouldn't give an invalid dn error anyway
...
hold on...
no wonder
dc=nodomainza.tryhackme.com... no idea how that happened
please tell me something I can't understand.
what could be wrong then.?)
NAT adapter
Parrot
Oracle VM VirtualBox
I did
systemctl restart systemd-resolved
sudo systemctl restart NetworkManager
You're using the wrong VPN profile by the looks of it. You need to download the breaching AD profile from https://tryhackme.com/access?type=networks
Hello, I'm using attackbox and can ping the dc, but can't nslookup even after adding the dc ip to /etc/systemd/resolved.conf and restarting systemd-resolved
if I manually set the server in nslookup, I can resolve the dc fqdn but otherwise I can't
Unfortunately I don't have permission to upload images here I guess
Yes, indeed, I somehow missed this moment.
thank you very much, RobertABT.
now everything is ok
You'll need to verify if you want to post screenshots
!docs verify
By the way, anyone who uses Parrot may encounter the fact that the external Internet will stop working after the settings.
As an option, have a NAT and a Bridge in the settings.
By configuring the adapters in this way.
And you will be happy.
That's because you haven't set 8.8.8.8 as a DNS Server (you've set it as a Search domain). To set it as a DNS server so external lookups work you should put 10.200.xx.101,8.8.8.8 in the DNS Servers bit (xx is the subdomain of the network you happen to be in). I will agree that the NetworkManager GUI is not clear.
yes, you rarely have to climb there. that's for sure.
The joys of doing fancy stuff in simulated environments (Some setup required). Helps the learning when you do get it though.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
$ ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
Anybody had this issue here? Not getting what is expected with the ldapsearch.
nvm.. I see it posted once I scrolled up..
Hello All,
When I try to use responder I get Error starting on TCP server on port 389, check permissions or other servers running
I tried to look into the PID by lsof -i:389, but nothing runs on 389. How to resolve this?
You may recall earlier running an LDAP server slapd? That's on 389.
I've been trying for a couple days to figure out what's going on with ldap.
Everything looks right. I receive Invalid.DN. There is nothing wrong with how I've set this up. Maybe there's a small detail I missed but I've followed step-by-step.
Here's a couple configs:
┌──(root㉿HP-DeskJet-3755)-[/etc/ldap/slapd.d]
└─# cat 'cn=config.ldif'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 c163bca2
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: aad289b4-c5b5-103c-80be-27d0a6001545
creatorsName: cn=config
createTimestamp: 20220911003732Z
olcSaslSecProps: noanonymous,minssf=0,passcred
entryCSN: 20220911003911.601380Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20220911003911Z
┌──(root㉿HP-DeskJet-3755)-[/etc/ldap/slapd.d/cn=config]
└─# cat 'olcDatabase={1}mdb.ldif'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e2741582
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=za,dc=tryhackme,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=za,dc=tryhackme,dc=com
olcRootPW:: e1NTSEF9VysrNEJEM09aLzhRR0J1VFB4SGwvSHhxZ3JHK0tKZng=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: aad3a858-c5b5-103c-80c7-27d0a6001545
creatorsName: cn=admin,cn=config
createTimestamp: 20220911003732Z
entryCSN: 20220911003732.338968Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20220911003732Z
It looks fine to me.
Invalid.DN is what i'm getting back.
I dunno what any of that is, I was able to more or less just follow the steps. I've not had to look at anything like that.
It's the configs, trying to check what isn't right. I also followed the steps word for word
both files look the same as mine other than uuid and times.
I'm not on a deskjet printer, though. just a default kali 2022.03 VM.
HP-DeskJet is just a ploy lol
yeah, i don't understand it either
no clue what it's whining about
i've been looking around for days for some kind of hint
what commands ends up throwing the Invalid.DN error?
Just running the pass-back attack. I'll listen with tcpdump and it goes through its process, then at the end throws it... Invalid.DN and leaves.
No password.
It gets only so far and claims that I have a bad DN name
I do also see Invalid.DN in my capture several times, but I also have a few with the password. I admit, when I first hit the button, nothing came in, so I probably hit it like 4 more times and a bunch then came in.
the word "pass" will be part of it.
It did take a few times to hand it over. I don't know what was wrong, but I got it. thanks
Gave +1 Rep to @idle blaze
yay! I'm glad you got it!
Hi All,
I'm doing task right now,
I start responder but it didn't capture any username with the challenge
I waited about 40 mins btw
I also used Printer Settings "Test Setting" to test my responder, and I did capture the username
I also have not gotten an auth attempt either on my own system or the attackbox.
If you send me your VPN file I can see what is happening with the service. However a reset of the network should fix any weird issue as well
I can't seem to resolve THMDC again ,i haven't changed anything,
Checked ip it's the same nothing's changed , restarted systemd-resolved ,
vpn is connected i even regenerated it still nothing
Network state shows running
Hello again...hopefully for the last time today haha. I am currently working on Breaching AD. I am this portion:
Before using the rogue LDAP server, we need to make it vulnerable by downgrading the supported authentication mechanisms. We want to ensure that our LDAP server only supports PLAIN and LOGIN authentication methods. To do this, we need to create a new ldif file, called with the following content:
My question is WHERE do we create that file on our kali machine? Thank you!
yes you create that file on your own kali machine or on the attackbox if you are using that
Lol, i understand that much. where in my kali? i.e. /etc, /usr, etc.
what should the path to the file be?
does not matter much as long as when you run the ldap thingy you specify the correct path to said config file
oh....well ok. Seems easy enough. Thank you for your reply
Gave +1 Rep to @trim mica
Steps to follow:
- Make sure the network is active -
ping <CHILD DC IP> - Make sure DNS is working in the network -
nslookup za.tryhackme.loc <CHILD DC IP>
If both of those are true, then the DNS issue is client side. Then the fix will be based on whatever OS you are using. If you're on the AttackBox, systemd is still the safest bet. If you are on Kali, network manager should ideally be used
Network is active but I can't ping the ip
So nslookup doesn't work,
I use parrot os and i already set dc's ip as a dns server in the network manager
Confirm that the error you are getting when you try to ping is a no route to host error from the VPN IP?
If so, then the network is not active. Contrary to what the UI says. There is a UI issue where if the network times out and a user selects extend instead of start, the UI believes the network is active where it is not.
You can try to trick the UI by inspecting element, re-enabling the start button and pressing it. However, if it is being stubborn and won't accept that, you will have to wait until the network time expires.
O thank you, I didn't know there was an issue with the ui
Gave +1 Rep to @dense cedar
have you made sure the network is started???
yep i started it
What error do you get when you ping? If it is no route to host, please read the message I posted about 5 messages ago
Looks like my issue is more vpn related
fixed that. the network is stuck in "resetting" now
Hello, I just started configuring DNS on my machine, followed the instructions yet I'm having ** server can't find thmdc.za.tryhackme.com: NXDOMAIN ( I can ping the DC tho..) :/
I can't even ping the DC.
Up to a few minutes ago, I was thinking that I was just doing it wrong. Now I'm nmap scanning everything in sight, in case the IP displayed might have been wrong. Can't find a thing, though.
@dense cedar (sorry for ping)
someone updated mcafee-sitelist-pwd-decryption for python3 and i confirm it works
https://github.com/funoverip/mcafee-sitelist-pwd-decryption/blob/c0e20ac0ac1588e0937d06dbced734202fd6d33f/mcafee_sitelist_pwd_decrypt.py
maybe consider using that instead?
Looks awesome! I'm on leave, but when I get back will take a look and see if I can update to using this one!
Hi guys
I'm not able to connect with AD domain
Please help me
After changing the resolved.conf file
I restarted the services also
But it's showing "server can't find thmdc.za.tryhackme.com"
Anybody here @short drift
I never had to change anything in resolved on my own kali 2022.3 instance. I did have to connect to the network, edit my DNS entries in connections (10.200.x.101,my_local_dns), and then restart NetworkManager.
After doing that, a ping to the DC, getting credentials from the distributor site, and an ssh into the first host (using the hostname, not the IP address) usually proved everything was fine.
did you use the correct IP address for the resolved.conf?
Are you on your own machine or the attackbox? is the network running (refresh the page and check), can you ping the DC, what happens if you run dig instead of nslookup?
This is a silly question, but can someone explain why I have to configure my DNS to be able to connect to a Active Directory network? Can't I just connect to a domain-joined computer via RDP or SSH, just like any other machine?
Pretty sure it's explained in the material, but if you're wanting to use older, less secure NTLM auth you need to be able to connect to the machine via its FQDN, rather than its IP, as that will generally default to Kerberos auth
You're right. It was in the material. I posted the comment before getting to that part. Thank you
Gave +1 Rep to @unique mist
hi guys, would love some help in task 1, i have done all the steps but nslookup doesnt work for me, any advice?
the input:
nslookup thmdc.za.tryhackme.com
the output:
Server: 213.57.2.5
Address: 213.57.2.5#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
also when i ping the DC i get a response
but when i attempt to browse to http://ntlmauth.za.tryhackme.com in task 3 i get site not found.
Mmm, that does not look correct. Can you give more information on your setup? Are you using attackbox or kali? Which steps did you follow for DNS configuration?
Same problem here, did you find a solution?
Again, same as for them, I need more information if you want me to debug the matter. Provide the information as requested and I can try to debug
Good evening everyone, please, i will be most grateful if someone could help me out.
I have done everything I can and still, the network IP does not connect or reflect on the page while the "Network state" is running. Please, I will appreciate a lot for any assistance or help rendered.
Thank you house.
can you run curl 10.10.10.10/whoami if you get an ip back when running the openvpn and this command then you are connected
is it normal I cannot connect to breachad network ?
vpn breachad connects correctly, but then its impossible to ping or nslookup THMDC server
I did the DNS configuration accordingly
Ok solved I just reset the Network (wait for 5 asking resets) and worked
I'm so sorry for the late response, I had some issues lately.
I have done that and this is what I get:
my network is stuck on resetting for part 30 mins, any help on how can I fix it.
I have reloaded the page several times and also have reconnected to the vpn a few times now
that sounds bad.... have you tried the vpn troubleshoot script????
!vpnscritp
!vpnscript
Can I ask if it is normal that my route to the breachingad network is via docker?
Thanks in advance!
didn't work
oh that comment was not for you.... have you tried leaving and rejoining the room??? that sometimes fixes that type of error
oh ok, mb.
still same though
Hi everyone, I'm trying to do the 'Breaching Active Directory' Room, but I too have the problem that the room is stuck at 'Resetting'. I tried first yesterday and today, the state persists. Other Network Rooms can be started or stopped, but in 'Breaching Active Directory' the buttons are disabled. Any lead or idea?
Hey, can you send your submit and I'll report it for them to investigate?
Hi. Can you elaborate what you mean with "send your submit"? Do you need a screenshot or other technical information?
Meant to say *subnet, thanks will send this through
Gave +1 Rep to @surreal nexus
Ah, I see. Thank you very much for your time
Sent through, will let you know if I get any feedback
Much appreciated!
Seems to be ok now, the network is in stopped state! Thank you!
Gave +1 Rep to @dense cedar
I have the same problem like this, can someone help me?
Hello, what does "2 days of access left " on the top left of the room mean? Do I have to finish this room in 2 days and after it will be gone forever for me?
After two days you are removed from the room, then you can just rejoin. Nothing happens with your progress, it just allows us to remove inactive users from networks to reduce the amount of networks required
Ah ok thanks for the explanation.
Gave +1 Rep to @dense cedar
Anyone having issues getting the printer to sent LDAP requests out to either the DC or our rogue LDAP service?
worked for me without problems two days ago.
Hi, I'm getting 404's for all the files on the pxeboot.za.tryhackme.com webserver. anyone else getting this or had this issue?
Nvm. Just realized I only need the name of the file at this point.
I think something is wrong, actually. I run the command to tftp the file from ssh on THMJMP1, and i get a connection error. However, I can ping the THMMDT server.
Looks like the files were regenerating. I was successful with a new filename.
Hey team, having trouble connecting to THMDC (10.200.89.101) and IIS (10.200.89.201) - successfully connected to THM via OpenVPN on my mac and can ping 10.10.10.10, however, can't seem to access the IPs given above.
Also - any tips on setting up DNS entries on Mac? Have done some looking online and tried both changed DNS settings in System Preferences > Network > Advanced > DNS and manually entering the THMDC's IP as well as editing the /private/etc/hosts file however nslookup thmdc.za.tryhackme.com still gives me ** server can't find thmdc.za.tryhackme.com: NXDOMAIN Any help appreciated. Cheers
Do you use the special breaching-ad VPN config?
Also, nslookup does not use the /etc/hosts but does a real DNS query. Try ping instead.
Ah yes I think that was the issue - I must have breezed over the line regarding the newly generated breaching-ad config file and was just using my old one. Thanks for the help @neon swan
Gave +1 Rep to @neon swan
Before I was facing issue in setting DNS but atleast connected with breachad network. Now once i execute the thm-troubleshoot script as mentioned in previous issues here now I can't even connect with vpn. I tried generating new vpn file and can not even connect with that.
finally that worked
There is a suggestion for Kali VM to set up alternative DNS with Advanced Network Settings. However this doesn't work for me. Can anyone please confirm if it works for them, since I'd like to know if its VBOX-Kali issue or I'm doing smthn wrong here (tried to set up fallback DNS for both interfaces (vpn and local eth0)), as well as forcing dig to use eth0 assigned IP (vbox NAT network in 10.0.2.0/24 range) with @8.8.8.8 (connection do DC and DC DNS works fine). THNX
oh, and ping -I eth0 8.8.8.8 works fine
#breaching-ad Running the Attack box, on task 5 when running either
sudo responder -I tun0
or
sudo responder -I tun1
I get the following error:
[!] Error: tun0: Interface not found
[!] Error: tun1: Interface not found
I have terminated the machine and as of this moment it is on 3/5 for reset
Is anyone aware of any clues, suggestions or advice on how to get responder running?
After enough votes, I was able to reset the network state, but I am still getting the error:
[!] Error: tun1: Interface not found
Does anyone have any suggestions or advice on what I should try?
Hi everyone! My instance of the network had some issues during boot, I cannot resolve names so it must be something on the DC, I would like to terminate it and boot it again but I'm alone and it needs 5 votes... (DC ip: 10.200.24.101) My ip is on 10.50.22.X subnet
check the interface name with ifconfig, it should be "breachad" for this vpnpack
actually the only page that is not loading is "http://printer.za.tryhackme.com/settings" because I can access "http://ntlmauth.za.tryhackme.com/" with no issue. Can it be something on my end?
I'm unable to do anything with this network anymore as well. It was initially working for me for a short period of time, but then it completely stopped. I reset my attackbox, which returned no resolution. I waited for the network time to timeout, then restarted the network, and still am getting nothing.
Whenever I try and do an nslookup thmdc.za.tryhackme.com command, I get "connection timed out; no servers could be reached"
Hello everybody. I have a problem in task 6 when I try to download the PXE boot image in tftp. it results always "Connect request failed" . Do you have an issue for that?
Hello everyone, I have a problem with the DNS on that box - https://tryhackme.com/room/breachingad
- I use openvpn to connect to the network. The OpenVPN Access Details page tell me all is OK.
- I check my IP adress with ip a command. I have the same adress on the network than on the OpenVPN Access Details.
- I change my /etc/resolv.conf like this:
search za.tryhackme.com
nameserver 10.200.4.101
(NB: it was impossible for me to do systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com) - For the task 3, it is impossible to reach http://ntlmauth.za.tryhackme.com/ (with firefox or with ping) and I don't understand why because 10.200.4.101 should be the new DNS server and give me the IP of http://ntlmauth.za.tryhackme.com/
Thank you for your help!
Hey It happened to me yesterday, I close all my VPN connection, than I retrieved a new openVPN conf file for basic THM network, I got connected, I then retrieved a new breachingad openVPN connection and get connected too, I have 2 new interfaces tun0 and breachingad. I have changed the /etc/resolv.conf and put the ip of the DNS server and it works. Do not restart the networking.service unless it will erase you resolv.conf file
Thank you, I will have a look. Right now, I am doing the box with the THM attack box. I am not fan about it but the DNS is OK.
And I don't know why but I couldn't find anything about the command systemd-resolve. There is something with systemd-resolved (with a 'd') but I don't know how to use it.
I'll test what you did and write the result here.
Gave +1 Rep to @proud bridge
Yes just tell me if it works, I didn't manage to find this systemd-resolve on my kali.
Hello, I did the same things as you did but it's not working for me π¦ impossible to use the DC as a DNS. I think the problem comes from /etc/resolv.conf . Mine is:
search za.tryhackme.com
nameserver 10.200.25.101
What is weird is that I still can go on internet and when I do nmap -A -Pn 10.200.25.101 , I have a 53/tcp open domain Simple DNS Plus
If you have an idea, tell me...
NB: I tested on the attack box and I can go on the internet from the attack box. So the network should be connected to internet (I thought it was not the case...)
When you do a nslookup Google.com what dns server answers you ?
nslookup google.com gives me:
;; communications error to 10.200.25.101#53: timed out
;; communications error to 10.200.25.101#53: timed out
;; communications error to 10.200.25.101#53: timed out
;; no servers could be reached
Let's talk in private message
Hey guys,
I'm trying to run the password spraying script but apparently I'm missing the requests_ntlm module. I tried installing it using pip but it tells me that the module exists already. Any idea how to fix this? Thanks!
is your python a python2 maybe?
Thanks for your reply. Using python2 throws the same error.
Gave +1 Rep to @neon swan
And python3? Because you installed it as a py3 package.
Hey there,
Can you try to update the package? If that doesn't work, then it might be the kali issue where they discontinued support from MD4 hashes. Which is silly, cause NTLM uses MD4. I know in the latest versions of kali they have fixed this to now include MD4 support again
are you ok?
Guys can anyone help me in understanding this network ? I got some questions, that need to be answered, anyone interested please dm
Anyone find a fix for this? Running into same issue ...
This works on Task 7 with python3!
https://github.com/funoverip/mcafee-sitelist-pwd-decryption/blob/master/mcafee_sitelist_pwd_decrypt.py
HI .. I have started room https://tryhackme.com/room/breachingad Question is : -
What is the username of the third valid credential pair found by the password spraying script?
When I am trying to reach http://ntlmauth.za.tryhackme.com/ through browser , it is not working. I guess DNS is not been configured properly. Tried mentioned way but not working , please help
Are you using the special breaching-ad VPN? Can you access the dns server and manually resolve the domain?
cat /etc/resolv.conf
thanks π just resolved the issue
Gave +1 Rep to @wooden minnow
Hi PapiMM
Was just reading through this thread and saw your question. Did you get it fixed?
You have to use
sudo responder -I breachad
Hi, i was unable to connect to http://ntlmauth.za.tryhackme.com. Any help?
Did you change the DNS settings for the breachad interface?
I had some problems resolving the dns name query.
I added the ip address for the DNS server to the network configuration GUI (since it reset itself after editing the /etc/resolv.conf)
to see if it's the DNS query that fails (because of your DNS settings), try using nslookup with the DNS servers ip:
nslookup @10.200.49.101 ntlmauth.za.tryhackme.com/
Is 10.200.49.101 their subnet?
no, the subnet is another thing, it tells you the network address. it would most often be (for home networks) 255.255.255.0
10.200.49.101 was the IP address for the DNS server running while I did the room
Yours would probably be something like 10.200.xx.101
Where xx is some two-digit number
I know what it is.
But there is many subnets running, you're telling them to look up an IP that they might not be a part of.
Well, if you're attached to the Breachad VPN, it should be connected
You're missing my point.
YOUR subnet was 49.
Mine is 20.
ah yes! yours is 20
So I'm asking you if you know their subnet is 49.
Otherwise it won't work.
nslookup thmdc.za.tryhackme.com is the command they would need.
No, you should put 10.200.20.101 in
I'm guessing THM has multiple instances on the network running
That's what I'm trying to tell you...
THM does have multiple instances running.
Just like wreath/holo/throwback
yea but you want to query the specific nameserver, despite your dns settings
You can do that with the @ tag, like:
nslookup @10.200.20.101 thmdc.za.tryhackme.com
I've done all the network rooms.
My point is, you're telling someone to look for a subnet they might not even be in.
I was trying to give advice on how to troubleshoot, thinking you were smart enough to know you shouldn't use the same DNS server as I did. I was clearly right, so, I don't know why you are turning this into an argument whilst I tried to help - responding to the little information you gave, in a friendly manner also. If you want to argue, please disregard my last messages and carry on.
But they might not, is all I'm saying.
Ah, I agree! But you are doing AD enumerating and breaching. So, I'm guessing you knew a bit above average
But, yea, maybe I should have stated that in the initial message. Anyways, I hope you get it to work!
I don't have an issue, like I said I can do it perfectly fine.
cool cool cool
Is anyone else having an issue with task 5 not sending ANYTHING SMB related? Nothing. Been waiting and checking for the past 2 hours
I verified that LDAP works just fine through Responder. Just nothing SMB traffic being sent on the network.
It worked fine for me. did you remember to use responder with the breachad interface? I got an NTLMv2-SSP return from the SMB protocol containing the username and hash
Oh, I used the attackbox for this one.
I was using my own Kali. No SMB connections established in 3+ hours. Sent the test connection through LDAP for the printer while using Responder just to verify that Responder could receive anything. And it could. I scanned the server it was supposed to be coming from and it had SMB open so I tried enumerating it and it wouldn't let me (not sure if no shares were created or not). Essentially, whatever script they had set up to push an SMB filecopy/transfer or whatever was absolutely not working. At least on the .28 network machine.
yea, didn't even bother running any SMB enumeration. Sorry I can't be of any more help.
hey guys, i got a question . i'm connected to breachingad VPN, i updated my DNS, the nslookup looks ok, but i cannot reach http://ntlmauth.za.tryhackme.com
Can you ping the IP?
resolved, 10x
I'm having problems with Task 5, the breaching ad ovpn doesn't give me a tun0 or tun1 interface for responder to use
I think the interface is called "breachad"?
Ok I'm dumb, I tunneled in on the fact that in the text for the task it said tun1 or tun0. That's definitely it, thank you
Gave +1 Rep to @dense cedar
Anybody having trouble with the creds for ntlm auth?
Was hoping to test the script a bit more. Is there an actual lockout set up?
make sure that you enter inputs correctly
http://ntlmauth.za.tryhackme.com doesnt resolve
3rd network room ive tried today and all im having is problems
my kali machine is not resolving thmdc dns ip
even with
/etc/resolv.conf
or with network manager
i'am using automatic dhcp in n-manager gui
and after restarting the network manager when i re check the dns in additional dns servers i find it empty
weird
even with /etc/resolv.conf when excuting [sudo systemctl restart NetworkManager] and [sudo systemctl restart networking.service] the resolv.conf file restore my default configuration and deletes anything new
any urgent help
when in root shell
i run this command to get the network manager gui as root
nm-connection-editor
so i get this output
text too long .. can't upload picture
FIXED !!
for me the resolve doesn't work either
I'm stuck on this as well since the cmd to set the dns server for the breachad interface can't be implemented with systemd-resolve in my personal kali attack box. I tried to get the equivalent resolvectl cmd together but I just get various errors despite the format of my cmd being shaped like the help seems to suggest...
alright - I got it by adding nameserver $THMDCIP above nameserver 1.1.1.1 in my /etc/resolv.conf file
welp... i take that back it immediately stopped working as it switched nameservers when it couldnt get to the internet thru thm's ip... edit: actually the resolv.conf file was overwritten?
Hi, I am another person having issues with task 5. Namely, no authentication request comes in. I have tried running responder on both tun0 (which FYI does not show up every time on the Attackbox) and breachad, nothing comes in. I did get what looked like a SQL server connection attempt from a Chinese cloud IP at one point...but no room task request.
FWIW I am also getting "Error starting TCP server on port 80..." on the Attackbox when using the preinstalled version of responder. Three errors like that for 80/3389/389.
Hey I am doing Task6 from the "Breaching AD" room. The problem is that when i try to GET the pxeboot .bcd file from the thmmdt machine I receive a "Connect request failed", I am not exactly sure why that could be. Can somebody give me any tips.
Isn't the interface called breachad? Can you check your ifconfig output again
what is the role of pxeboot.za.tryhackme.com other than listing BCD files? is there any? if not cant we just do the same thing in THMMDT
Can you paste your full command here
tbf the instructions say use tun0 or tun1 but all the guidance here says use the breachad interface. I tried both yesterday, but still, nothing comes in.
(both meaning the tunx interface that was present w/ ip a, and also breachad
I just did it again it worked for me
Wait ll dm you see and if we could do this right this time
If its ok with you
I'll start up the room again, bbiab, thanks for the offer
tftp -i 10.200.27.202 GET "\Tmp\x64{70E30706-B7E4-44DB-8C98-FA7B4DC5D563}.bcd" conf.bcd
I've tried the command without the quotations too
I've connected to the dns and to the domain and I can ping the device
can you paste the nslookup thmmdt.za.tryhackme.com output
└─$ nslookup thmmdt.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: thmmdt.za.tryhackme.com
Address: 10.200.27.202
you here? I had to do other work stuff but have it loaded back up now. I verified that thmdc.za.tryhackme.com points to 10.200.28.101, ran responder on breachad (10.50.26.56), nothing
also every single time I run responder from the AttackBox it does this
Thats because the ports are already in use. Try using your own VM
I did, no change. I gave up
Can you post the responder and ifconfig output
I should clarify, on the VM I no longer received the above errors like in the screenshot, but even after pinging the DC, other hosts on the network to verify connectivity, no messages EVER came into responder
I appreciate your help but I am done with this room, I've wasted enough time on it.
far too much
Respectfully, no! I have wasted hours on this room that I could have spent learning other things and I'm sure I will have another opportunity to use responder in due time. Thanks for your time tho
Delete and install responder
Ok
same situation for me
Anyone have any good resources for learning pentesting AD running on samba?
Hi all. I'm finishing off the configuration files task, specifically transferring the file ma.db to my attack box (in browser). I keep getting the following error. Any ideas?
My terminal showed the exact same message. As N S mentioned, the ports are in use. No need to use another VM. The job runs every 30 mins. Just need to leave responder running but make sure that you are listening on the breachad interface.
Alternatively, if you have had the attack box running for nearly 3 hours, DNS could have been reset. This is mentioned on the first page (IIRC). Restart the systemd-resolved service.
I have added the following entry to the bottom of the list: /etc/ssh/ssh_config
ServerAliveInterval 480
I killed my ssh session and established another session, ran the copy command again without any broken pipe error. Only downside now, I can't see the file on my attacking box anywhere
Finally found the problem (me!). I should be running the SCP transfer command from a terminal on my attacking box and not running the command from the thmjmp1 server. It is a pull not a push!
Gotcha, IME even leaving responder for up to an hour on breachad, no response
For Task 4, LDAP Bind Credentials, I'm using the AttackBox. I have the olcSaslSecProps.ldif set as instructed. However, when I execute ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && service slapd restart, I receive an error "ldapmodify: wrong attributeType at line 3, entry "cn=config"
any thoughts how to get past this? Nothing turned up in the searching I've been performing thus far in Discord here
Can you maybe send the actual output of your command and the ldif file you are creating here so we can see what you are doing?
having issues with the DNS and IP for breaching AD anyone shed some light on how to successfully get the dns to register?
hello, could you tell me why does this network say "2 days of access left" - does it mean it will be retired after that time? i am subscribed
Is the site for ntlm auth down for anyone else? http://ntlmauth.za.tryhackme.com/
I'm connected to the network vpn and have tried on the attack box
No need to worry. Just after 2 days you are removed to save resources. You can re-enter anytime. Progress is kept.
makes sense, thank you
Hi, I'm on the https://tryhackme.com/room/breachingad room, task 5. First task using responder.
I'm using my own kali attack machine.
Are you supposed to only use the AD VPN or are you also supposed to have the "regular" VPN on?
I tried "sudo responder -I tun0" but I received an "interface not found".
I tried "sudo responder -I breachad" but no events.
Tried to put on my normal VPN for THM then I got a tun0 when doing "ip a" but when starting responder with this tun0 I had no events either.
i think the traffic over vpn is simulated and runs once every 30 minutes @normal cave
Do you know if I'm supposed to have the BreachAD vpn activated or the "regular" THM vpn?
the breachad i believe
Have you done it? Did you do "sudo responder -I breachad"?
yes, but I was using the attackbox
Ah
the thing is the attacks work in local network and wouldn't work over vpn in a real scenario, so it's simulated for the purpose of the exercise
so i guess you just need to wait a bit
Hmm, okay, I'll just leave it on, but dunno, feels fishy.
yeah but unfortunately to exploit this you would have to put a jumphost in the LAN of the targeted hosts
during pentests the client usually gets a physical box like intel nuc to plug into the starting network
so it can be accessed remotely by the team but also has a local interface within the LAN
Yeah, deffo interesting!
Suddenly it worked. I had RDP running on port 3389 interfering with responder; I killed it and now I got a hash. Dunno if that was the issue or I was just real unlucky with the timing of the server.
Anyways, works now, ty!
good, no problem
Can someone request a reset for this network? Hasn't been working for a while
http://printer.za.tryhackme.com doesn't work either
You have to configure your DNS first
not sure if you've done that
but you have to add za.tryhackme.com to your DNS configurations
on both attackbox and personal VM
I did breaching AD and another one yesterday it was fine for me
oh wait, I didn't
would you mind telling me how?
Don't think i've ever done that for a room before
I have to leave for the gym in 5 minutes so I can't give you instructions right now, but the room you're doing should tell you how to configure them
in short, for a personal VM you have to do it in either the network manager or the file, I can't remember correctly
for attackbox its relatively simple afaik but i usually use my vm
In Task 4, everything is working, rogue LDAP is configured and running. I use tcpdump, start the traffic and then.....
It tells me: 'user not found'
why? I just left it like it is, what is wrong here?
oh, and i don't get any password
oh, nevermind. I restarted all and now it works
I can't figure out for the life of me, even following the guide I get lost at "Set your DNS IP here to the IP for THMDC in the network diagram above"
how did you fix this?
I've never had a room give me more problems than this one. just pure configuration.
How to stop netcat on a specific port?
Having some trouble just running nslookup thmdc.za.tryhackme.com to see if I'm connected. I'm on a kali box but no luck even after connecting with openvpn to the network
Are you using the correct VPN profile? Each of the networks has their own VPN profile
Yes, the breachad one for openvpn
can you ping the IP address of the DC? Did you configure your DNS to point to the DC as the DNS server?
No I haven't yet unfortunately. That's one thing I was confused on as well. It recommends to do the NS lookup and use that IP, but since that's not resolving, should I just add the IP I see in the visualization?
There should be instructions on what ip to add to the dns settings
When I did it I did ip,1.1.1.1 so I was still able to reach google
1.1.1.1 is just cloud flare, did you add something else too specific for this AD network?
Yes the ip you put is in the instructions on setting it up
The ip,1.1.1.1 is what I put in dns and it worked
Yes, just add the IP of thmdc as your DNS (10.200.189.101 on my screen, but use whatever IP is listed for THMDC in your network map at the top of the room)
this will be your primary DNS while in this room
Will do, thanks very much!
Gave +1 Rep to @sage epoch
Actually, I faced the same problem. However, I eventually managed to get the hash.
Try to start responder first before starting the network. This may shorten the time. What I did is let it run while I went for my bath. After I came out, I saw the hash.
oh yeah what happened here? responder worked like wonders the first try for me, but I had to utilize the AttackBox unfortunately
I'm having a problem with setting up the dns actually
The steps are outdated to the current version of kali
Also having problems with Task 4, capturing the password. I trashed my ParrotOS trying to get slapd working and ended up setting up an Ubuntu box and re-running the setup. I seem to be able to add the config, however the ldapsearch query returns extra mechanisms and I can't seem to remove them:
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
The capture shows it using GSS-SPNEGO, so I expect it's using top down. I've spent all yesterday and today trying to purge these but it seems that LDAP doesn't like being too open.
Can anyone advise on how to purge this list and retain only plain and login
thanks this came in super useful after a long day
Gave +1 Rep to @near salmon
Hey, I am doing task 3 where we are supposed to access a site and then password spray it, but the site won't resolve even though I setup the dns and a nslookup works perfectly fine. Anyone know what might be the issue? Here is my resolv.conf file (the top name server being the AD DC)
Ah I am dumb, I got it working like this. I swear every time I post a question here I figure it out on my own like 2 seconds later
Worked on my version of Kali (newest). What's your DNS settings in network manager?
wdym?
How did you set it up?
With kali network manager
did you manage to solve this? i used the following commands: resolvectl dns breachad dns <ip>, resolvectl dns breachad domain za.tryhackme.com. u can also use resolvectl to check statuses of the links
What OS are you using
kali linux
Go into your Ethernet settings through the GUI and set an additional DNS as the main AD ip
It will be under the ipv4 tab
yeah i tried that before too. were u able to resolve through this way? i can resolve but I cant access ntlmauth.za.tryhackme.com and printer.za.tryhackme.com after finishing the password spray and logging on, weird
Are you first connected through openvpn to the AD network?
yes, i was able to access 10.200.25.201 and see the answer for task 3 last question
I think they are just having network issues, was just working on a box, but gave up since I started to get randomly disconnected
I can't seem to setup DNS correctly on my machine with resolvectl.. any help on doing it with resolvectl instead of systemd-resolve?
Alright seems like hosts works fine for that..
Hi, I am struggling with the PXE section "Microsoft Deployment Toolkit" I am attempting to retrieve the PXE image from the server via TFTP with no luck. The command I am running is: "tftp -i 10.200.54.202 GET "\Tmp\x64{9D0F3471-D2FB-475F-B263-2FE41D80E254}.bcd" conf.bcd" Nearly identical to the command shown in the instructions. am I missing something dumb?
The response is Connect request failed.
NMAP scan shows TFTP is closed, and well TFTP is acting like it isn't even on that host. I am very stuck.
I was able to resolve the issue. The filename had been regenerated while I was working on this. So it needed to be updated.
Hello, at the task 3 i can't access to http://ntlmauth.za.tryhackme.com/
I am on the AttackBox
Hello, I was wondering, is it advisable to use kerbrute to enumerate Active Directory users? (just to enumerate users, not to bruteforce their passwords)
Wouldn't it be detectable easily ?
I just ran through the task - worked flawlessly and I found four hits on the password spray. Check your VPN, DNS and so on (Task 1)
Debugging your initial connection to the network.
As mentioned when the networks released, DNS is a part of AD testing whether you like it or not. This is because one of the two major AD authentication protocols, Kerberos, relies on DNS to create tickets. Tickets cannot be associated with IPs, so DNS is a must.
If you are going to test AD networks on security assessment, you will have to equip yourself with the skills required to solve DNS. You therefore have two options:
- Hardcode entries in your /etc/hosts file - Works great, but on a network of 10000 hosts probably not the way to go
- Actually fix your DNS to point to the name servers in the network - Harder to do, but in the long run yields good results
Whenever a task is not working for you, your first thought should be: "Is my DNS working?" I've personally wasted countless hours on assessments wondering why my tooling is not working, only to realise my DNS has changed. 99% of the time, it's DNS.
How to connect your DNS to the THM AD network:
- Follow the steps provided in the initial task on DNS configuration - If you use a different OS than AttackBox or Kali, you are probably going to have to google your equivalent configuration
- Run ping <THM DC IP> - This will verify that the network is actually live. If you get no response, chances are your network is not started or in the "bricked mode" (see below) state
- Run nslookup tryhackme.com <THM DC IP> - This will verify that the THM name server is active. If the PING worked but this does not, time to contact support here since something is wrong. I'd also suggest hitting the network reset button
- Run nslookup tryhackme.com - If the first nslookup command worked, but this second one does not, you did something wrong with your DNS configuration and need to go back to step 1.
These AD networks are rated medium, which means if you just joined THM, this is probably not where you should start your learning journey. AD is massive, and you will need to apply the mindset of "figuring stuff out" if you want to make a success of testing it. However, if above all it still fails for you, please be as descriptive about what you are trying and doing to enable support to help you as efficiently as possible.
Network Bricked Mode state
If you are unable to ping the DC, but the network on your network diagram shows that the network is started, your network has probably entered the "bricked state"
What has happened?
One of the users in your network subnet clicked on the UI "Extend" button when the network timer reached zero. This causes a bug where the backend thinks that the network is still live, but in fact it is not.
What can you do?
The best thing to do is to wait until the network time expires, then press the "Start" button again. However, you can also attempt a bypass, which does sometimes work:
- Refresh your network THM room page
- Right click on the Start button and say inspect element
- Remove the disabled state from the HTML button
- Click the Start button
In certain cases, this can help to resync the backend, so give it 5 minutes to see if that worked for you. Otherwise, we are back to square one about waiting for the network time to expire.
I have problems reaching the DC. Able to ping it but can't perform nslookups... have y'all run into the same issue?
Must I be on the jumphost in order to perform DNS lookup?
I figured it out. Kali's network manager is not reliable. Please go to the config file directly to change nameservers.
I just reset BreachingAD but i can't ping from the attackbox and from the VPN. I tried 4 times at different times but i can't ping THMDC
Are you perhaps running the VPN and the attackbox at the same time? If so, this would be the problem, since both are fighting for VPN access. Terminate both and just start one at a time
Hi there! The password spraying script is (for me) only working with python 3.9, not 3.10 - why is that? I am using a Kali Linux VM
python3 ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com
[*] Starting passwords spray attack using the following password: Changeme123
Traceback (most recent call last):
File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] unsupported
In Task5 Authentication Relays when I try to crack the password with hashcat, I get nothing back - I put the whole hash in a file with username, etc. - otherwise hashcat doesn't recognise it as a hash
|| svcFileCopy::ZA:71f1c9c54e6aa27d:E31CCD3F0F070B83149D986555EDBB23:01010000000000008000E2F1CC3AD901C3958C5A348B233A0000000002000800550030004F00350001001E00570049004E002D0037004C0049004300490059004500440033005900530004003400570049004E002D0037004C004900430049005900450044003300590053002E00550030004F0035002E004C004F00430041004C0003001400550030004F0035002E004C004F00430041004C0005001400550030004F0035002E004C004F00430041004C00070008008000E2F1CC3AD901060004000200000008003000300000000000000000000000002000004549C9C6EA4B85F712870CE1BA887CFD5410A6D1A9390E4C7F186AAF0236E6670A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00350030002E0032002E00320037000000000000000000 ||
command: hashcat.exe -m 5600 hash.txt passwordlist.txt --force
Any ideas what is going wrong?
In a recent update in kali, they dropped support for MD4 hashing. Which was a pretty stupid move, since NTLM makes use of MD4, meaning they broke all NTLM authentication things. If you go way up back in the message history, you will see that a user logged a bug with kali, which was fixed in later versions
I'm DM'ing you a captured challenge to use as comparison, last user that had this problem had not copied the full hash
Alright, thank you very much
Hi,
I am unable to ping/resolve the THMDC DNS Server.
This is my /etc/resolv.conf
search home za.tryhackme.com
nameserver 10.200.54.101
nameserver 192.168.81.2
options timeout:1
options attempts:2
Hi I have a question for LLMNR attack
I used responder on breachad network is that correct or I have to connent to tun0
I believe Iβve been waiting more than 30 minutes still nothing been captured
I think this lab is broken and there is no ntlm authentication
does your responder command look like this?
sudo responder -I breachad
Yes
Hey, I'm in front of the same problem. Did you manage to solve it?
I did get it done, can't recall what I did, sorry.
I might have used the Hackthebox machine
No problem. I was able to capture the credentials in the tcpdump but the ldapsearch command still won't show any auth methods
That might have been it, the creds dump but auth methods don't show and you end up spending an age trying to get the first part right.
Hello
I've been trying to connect to the VPN of breachingad with no success, until now, that I discovered how.
You have to edit the OpenVPN file that you download from THM's access page and look for the line that says cipher AES-256-CBC and change it to --data-ciphers AES-256-CBC
that way, the VPN stops saying "error negotiating cipher with server"
I found it in the video https://www.youtube.com/watch?v=b9rJVqsXVyI
failed to negotiate cipher with server
Add the server's cipher ('AES-256-CBC') to --data-ciphers
How to solve OpenVPN 2.5 issue with tryhackme vpn
you may pin my comments in this channel so that other users are able to debug it quicker than I had (1.5h... =( )
I tried to access http://ntlmauth.za.tryhackme.com, but it doesn't let me for some reason.
This is my configuration on /etc/resolv.conf
Have you restarted the services?
sudo systemctl restart NetworkManager
That's not the answer I was looking for but yes, I restarted the service
what happens when you use:
nslookup thmdc.za.tryhackme.com
Weird thing is that if I restart NetworkManager, /etc/resolv.conf gets reset.
it is normal, you should add the IP of the DC, as the DNS, in the GUI of kali linux
it worked for me
I am getting a new timed out error
It's working now. Thanks @charred epoch
Gave +1 Rep to @charred epoch
You're welcome
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcPlainAuthOnly.ldif
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: security flags do not match required
Can somebody please help me?
Why I am getting this error when I change conf.
Hey guys. In breaching-ad page, under "Created by am03bam4n" , it shows 3 days of access left. What does this mean ? I just started subscription yesterday.
I think it is just before they hard reset the room. Nothing to do with your subscription. I saw the same when I did the room and that is over a week ago.
thanks mate
Gave +1 Rep to @frail skiff
Great room, thanks to the creators
in the breaching-ad room I got stuck at task 5, when they said there is a server in the domain that performs NTLMv2 authentication every 30 minutes... they let you set up responder with the command: responder -I breachad... but then the NTLMv2 authentication doesn't get captured... Can someone help me please? I even tried to follow instructions on other blogs that completed the module but without any luck...
if I do ss -tulpn I can see port 1433 open... that should be the right one for that kind of authentication...
@dense cedar
Nothing happens if I try to get responder to work on the AttackBox. Plus, if I use Wireshark I can tell that there is no NTLMv2 or LDAP traffic going on, and I tried it for ages...
once I run sudo responder -I breachad ... I should just be waiting for the server's NTLMv2 authentication daemon to run, right?
this is my /etc/resolv.conf:
# Generated by NetworkManager
search lan za.tryhackme.com
nameserver 10.200.28.101
nameserver [HERE there is my private gateway IP]
Ship me the internet IP that is in your VPN profile and your specific tun IP. I can SSH in and take a look to see if the server is doing what it should
You are not running the AttackBox and another VM, right? Cause that messes with your VPN connection, which means you won't get it.
It makes an SMB connection, so port 1433 is not used at all here
Can't connect with openvpn. I can't ping the THMDC IP.
I regenerated the VPN config, but the result is still the same. It doesn't show "Initialization ... completed" or something like that when I try to connect with openvpn.
This is before I pressed CTRL+C
have you tried the vpn troubleshoot script???
!vpnscript
I am going to take a look at it
I got it fixed thanks to your suggestion.
Gave +1 Rep to @trim mica
no problem
Tried checking multiple conversations about this, but haven't been able to find a definitive answer. I'm working on Task 3 and I'm having issues with the Python script, more specifically whenever I try to run it, it throws an error saying some modules being imported are missing.. I don't have experience in Python so I wanted some guidance on what I need to do to fix the script so it works as intended. I also tried running it under Python 2 since people were saying that may have been the issue.
Sooooo this is why it helps to know how Python works. I had to get those libraries/modules through pip. Still having issues with name resolution but at least there's that and I can probably do testing based on it
Edit: lol as soon as I say that it works
Ok I solved this issue by regenerating the VPN file
Can somebody confirm that the breachad hosts are running? especially the DC? I can not reach the DC/DNS through the attack box or the VPN. Also regenerated the openvpn file
Have you added the nameserver to the hosts file?
Yes ..
The breachad network was reset some minutes ago .. now the DC is reachable again
So you can do the room now?
That can often be the problem.
Hi all. Can't download my vpn config because of 404 error. I tried to rejoin room, regenerate config, log out
Try leaving the room for 15 min(s)
Okay i'll try
I downloaded it, thank you. But it doesn't create tun0
Gave +1 Rep to @wooden minnow
No, it will be called something else.
Tun0 is only your main script.
Each network has a different interface assigned to it
Got it
Done with Breaching! Off to Enumerating! Thanks @dense cedar
Glad you liked it!
Today the network state is: resetting. And I can't click on the start button. Ping is working and nslookup too, but I can't reach http://ntlmauth.za.tryhackme.com/
Hi, how long does it usually take for the network to reset? The reset vote count is 4/5 and I can't up it to 5, and yet the Network state displays as Resetting since yesterday
Can anyone access this network? It was working fine yesterday but now not working
I can't too
Mind voting for a reset?
I don't know what's happened, but since yesterday it isn't working
I guess resetting the network will make it work so vote for the reset.
me too
Hey guys, at the end of task 6 you will be asked to delete the folder which you have created, and also you get the information that you will get an access denied error; the next information is that a script will help me to delete it, but where is this script?
I believe the script is executed automatically after some time in case a user forgets or can't delete the folder
"While you should make sure to cleanup you user directory that you created at the start of the task, if you try you will notice that you get an access denied error. Don't worry, a script will help with the cleanup process but remember when you are doing assessments to always perform cleanup." Yeah, this sounds like it's being run for you (automatically).
@hot acorn @limber grove roger thx
Gave +1 Rep to @hot acorn
@uneven pier @lean vine after sending an email to support, I was moved out to a different network segment and had to rejoin the room, but it's no longer Resetting for me and now the buttons work
Yeah it wasn't working for me that day but after a reset it worked fine.
Not sure if this is where I need to post this, but when I try running the ntlm_passwordspray.py script for task 3, I keep getting this error
Exception: Version mismatch: this is the 'cffi' package version 1.14.2, located in '/usr/local/lib/python3.6/dist-packages/cffi/api.py'. When we import the top-level '_cffi_backend' extension module, we get version 1.11.5, located in '/usr/lib/python3/dist-packages/_cffi_backend.cpython-36m-x86_64-linux-gnu.so'. The two versions should be equal; check your installation.
Never mind, it was user error, I've got it run correctly.
Thank you
Gave +1 Rep to @somber panther
I'm having the same issue. It seems to be a problem with slapd 2.5. It doesn't work in a current version of kali. You have to use the attackbox.
I don't get any callback on my nc listener
after loading it gives me this:
This is a community run server so everyone here is volunteer and they certainly do help provided they can find the time.
I am sorry to hear that you are having issues, I would contact support@tryhackme.com if you really need assistance
ohh i had a misconception then. my bad
No worries
That IP does not look correct. Is 10.10.10.101 the IP you get on your VPN adapter?
Reset your device and connect it to the PC again
Your password is not showing up
@cursive rose Keep it English please
Hello, I am unable to connect to the breaching-ad network.
I have performed the following steps:
- Connected to the network
- Modified DNS settings - in Kali VM
- Restarted NetworkManager
How can I troubleshoot this issue?
Anybody?
Did that as well
Can you cat the resolv?
Put the 10.200.xxx one at the top.
Happy hacking.
Hello! It is impossible to download the VPN config file for the breaching-ad network, I get a 404 when attempting to download it
Leave the room, wait 15 min(s) and rejoin.
I didn't see any mention of it in the search bar. But there is an updated script for https://tryhackme.com/room/breachingad Task 7 - Configuration files that uses python3 [https://github.com/funoverip/mcafee-sitelist-pwd-decryption/blob/master/mcafee_sitelist_pwd_decrypt.py]. It achieved the result of decrypting the password from the database.
Hello, does anyone know if the tun0/tun1 interfaces are created automatically upon connecting to the VPN or i have to set them up myself ?
oh so theyre supposed to have a different ip address than the vpn one ?
Yes.
If you do ip a s
You should have an interface called breachingad or something close to it.
i do have it, this is in relation to task 5, i have tried setting responder on the breachad interface but it gives a resource or device busy error
Sorry to reply late. That's what I did and I just did it now only with Attackbox and same issue. I just opened a ticket.
I tried with my own Kali and now it pings (before, only my Kali and only the AttackBox didn't work)
Just wanted to give some feedback to say this room still works 100% from start to finish using AttackBox. Use AttackBox because you won't have to install anything and all necessary files are already on the machine.
Do you have a breachad interface on the attackbox ?
Yeah I have (had) everything. It's closed now but I was able to do every single step. Let me know if you need help with anything
I did it but still same issue
cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.200.55.101
search 1.1.1.1
Hello guys! I try to start attack box in this room
I can't ping DC because I don't have breachad interface
Instead of it I have only enumad interface for another network
What am I doing wrong?
And after rejoining the room I don't have any interface on the AttackBox
try first leaving the enumeration network, click on the settings button next to the blue help button in the network room and then click on leave and rejoin breachad to renew config files for the attack box
Hello everyone! If someone is facing a DNS problem when trying to connect to the network from Kali, here is a quick and easy solution with resolvectl: resolvectl dns breachad 10.200.27.101 1.1.1.1. Two things to note: 1 - you will need to run this every time you connect to the network; 2 - the 1.1.1.1 is a placeholder for any public DNS server, just to have a network connection
Yep, now it's working! Thank you for advice!
Gave +1 Rep to @mellow shadow
Hello everyone. I had a problem connecting to the Breaching AD VPN. There is a cipher error. The TryHackMe VPN works correctly.
!vpnscript
I used the script. Nothing. The script suggests I contact Discord for support
Is there a way to add the network to the attack box? Has the other networks but not this one?
Hi @lilac dawn ,
edit the file Desktop/NetworkConfigs/breachad.ovpn
Change
dev breachad
to
dev tun
Then manually start openvpn with command:
openvpn Desktop/NetworkConfigs/breachad.ovpn
and change command in the room:
[thm@thm]$ systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com
to
[thm@thm]$ systemd-resolve --interface tun0 --set-dns $THMDCIP --set-domain za.tryhackme.com
Indeed, it is very frustrating. I established the tunnel and pinged the DC. After some minutes the DC stopped responding to ping and now I can't proceed with the room
Ok I was able to complete the room. Beware that sometimes even if page is reporting the network's up, it may be down. A page refresh would reveal it.
Perfect thanks
Guys, again a problem with the interface. When I join the room and start the AttackBox, there is no breachad interface
I have only lo, ens and docker
It works. TY
Gave +1 Rep to @native hamlet
Issue was found with the VPN server and has now been resolved. VPN server had to be rebooted, so connection might go down. Please regenerate your VPN file again and it will work on the AttackBox
hey guys! hope you're having a good time!
i'd like to ask for some help...
i'm trying to start 'breaching ad' room (https://tryhackme.com/room/breachingad) via the attackbox, which i've started from the room's page. so i am on the attackbox atm.
- my ping command against the IP of THMDC (from the network diagram) is not working
- also I tried the command "systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com", but I get this error: "Unknown interface breachad: No such device"
- I've also tried to edit /etc/systemd/resolved.conf and add "DNS=IP of THMDC", but it doesn't help.
- I've noticed the recent advice above, so I've edited Desktop/NetworkConfigs/breachad.ovpn from dev breachad to dev tun, but if I then issue openvpn Desktop/NetworkConfigs/breachad.ovpn, I get this error: Options error: In [CMD-LINE]:1: Error opening configuration file: /root/Desktop/NetworkConfigs/breachad.ovpn
- if I run ifconfig, I've got no tun0 interface, I have ens5. If I change from dev breachad to dev ens5 in the breachad.ovpn file, I am not able to run openvpn Desktop/NetworkConfigs/breachad.ovpn -> same error: Options error: In [CMD-LINE]:1: Error opening configuration file: /root/Desktop/NetworkConfigs/breachad.ovpn
could you please give me a piece of advice how to fix this?
i am still having an issue with breaching AD vpn, it keeps crashing.
What's your issue?
Please send me the internet IP that is in your VPN file so I can look at what is happening on the VPN server itself
The C:\Tools directory for Sharphound.exe doesn't exist on the system!!!
Hello! I'm having the same issue as drops above. My "breachad" interface is not showing up as a network interface. I've reset the network and did the steps to "unbrick" it (inspecting the button and removing disabled), and it's still not showing up. I also tried editing the breachingad.ovpn and still nothing. It seems like a lot of people are having this same or similar issue. Could this be something on THM's side?
Are you in a vm?
Hi guys, I think I got the same problem. When I launch the .ovpn script, THM tells me I'm connected but I can't see the interface in my VM. The script never finishes with "Initialization complete" but continues with "Restart pause, 256 second(s)". I tried to use the troubleshooting script but it tells me everything is ok.
Can you edit your script?
it should say dev breachad change it to tun
I got the same prob
Regarding any VPN issue:
- The original VPN file says cipher AES-256-CBC near the top on line 15. That has to be changed to data-ciphers AES-256-CBC and that will work:
https://tryhackme.com/forum/thread/62bc5fb1fcafa700618f25f0 - I didn't have to edit the dev breachad. However this was done on my personal Kali VM.
I just tested this and was able to connect to the network
Hope this helps!
I'm quite confused, how did we suddenly obtain SSH credentials to THMJMP1 for task 6, where did that come from?
Good question, so I am reading over the text, since this is a introduction to Active Directory, the credentials are given to us, that way we can just focus on just the exploit.
Yeah, thanks, that makes sense, though I do hope the other rooms fill in some gaps on how to get to that point.
Gave +1 Rep to @limber grove
For Breaching AD task 7: The python2 script indeed throws errors and cannot be run.
It's still possible to do things from the Kali VM though with this script and python 3
https://github.com/funoverip/mcafee-sitelist-pwd-decryption + most likely these steps:
pip3 uninstall crypto
pip3 uninstall pycrypto
pip3 install pycryptodome
from here: https://stackoverflow.com/questions/19623267/importerror-no-module-named-crypto-cipher
Working on Breaching AD task 4: After configuring LDAP and all that, when I press "Test Settings" on the webpage, I'm getting this error message. I've tried restarting everything twice and even redoing the LDAP config step 2-3 times. Still can't get past it
In the first line you stopped the service, I think you need it to be active before modifying the configuration (that is why after you use service restart instead of service start)
so use sudo service slapd start and then configure it with the same command you were using
Hello, I'm stuck on the question:
"Consider the desk in the photo above. In addition to the smartphone, camera, and SD cards, what would be interesting for digital forensics?"
which comes from "Intro to Digital Forensics"
I tried all the 6-letter words from all over the room and none of them work... can someone help me please?
If this is from Intro to digital forensics, ask that in a general help room chat like #room-hints or #room-help
However, I can give you a hint, there are 3 more things in the last photo, there is a word of 6 letters that describe one of the things
depending on the type of "thing" that it is, in English it has a different name
can't really access the webpage after running the systemd-resolve command mentioned in task 1.
Are you in a VM?
no not in a VM, installed parrot in my harddrive
Is your VPN working?
yep, I can ping
IP that I got when I ran nslookup
Show me your breachingVPN output please.
sure
that ip is wrong.
What's your THMDC?
Now
sudo nano /etc/resolv.conf
@wooden minnow thanks, but I cannot access internet
Gave +1 Rep to @wooden minnow
Did you delete your other nameserver?
no I didn't
the second line should be nameserver 192.1687.42.129
and the third line should be the 127 one
^
Done
Thanks @trim mica and @wooden minnow
operation for /etc/resolv.conf.
nameserver 10.200.92.101
nameserver 127.0.0.53
options edns0 trust-ad
search za.tryhackme.com
search 1.1.1.1
