Project owner's main page is at www.coresecurity.com.
Complete list of changes can be found at: https://github.com/fortra/impacket/commits/master
-
Library improvements
- Added new Kerberos error codes (@ly4k).
- Added
[MS-TSTS]
Terminal Services Terminal Server Runtime Interface Protocol implementation (@nopernik). - Changed the setting up for new SSL connections (@mpgn, @CT-H00K and @0xdeaddood).
- Added a callback function to smbserver for incoming authentications (@p0dalirius).
- Fix crash in winregistry (@laxa)
- Fixes in IDispatch derived classes in comev implementation (@NtAlexio2)
- Fix CVE-2020-17049 in ccache.py (@godylockz)
- Smbserver: Added SMB2_FILE_ALLOCATION_INFO type determination (@JerAxxxxxxx)
- tds: Fixed python3 incompatibility when receiving over TLS socket (@exploide)
- crypto: Ensure passwords are utf-8 encoded before deriving Kerberos keys (@jojonas)
- ese: Fixed python3 incompatibility when reading from db (@alexisbalbachan)
- ldap queries: Escaped characters are now correctly parsed (@alexisbalbachan)
- Support SASL authentication in ldap protocol (@NtAlexio2)
-
Examples improvements
- GetADUsers.py, GetNPUsers.py, GetUserSPNs.py and findDelegation.py:
- Added dc-host option to connect to specific KDC using its FQDN or NetBIOS name (@rmaksimov and @0xdeaddood).
- GetNPUsers.py
- Printing TGT in stdout despite -outputfile parameter (@alexisbalbachan and @Zamanry)
- Fixed output hash format for AES128/256 (etype 17/18) (@erasmusc)
- GetUserSPNs.py:
- Added LDAP paged search (@ThePirateWhoSmellsOfSunflowers and @SAERXCIT).
- Added a -stealth flag to remove the SPN filter from the LDAP query (@clavoillotte).
- Improved searchFilter (@ShutdownRepo)
- Use LDAP paged search (@ThePirateWhoSmellsOfSunflowers)
- psexec.py:
- Added support for name customization using a custom binary file (@Dramelac).
- smbexec.py:
- Security fixes for privilege escalation vulnerabilities (@bugch3ck).
- Fixed python3 compatibility issues, added workaround TCP over NetBIOS being disabled (@ljrk0)
- secretsdump.py:
- Added a new option to extract only NTDS.DIT data for specific users based on an LDAP filter (@snovvcrash).
- Security fixes for privilege escalation vulnerabilities (@bugch3ck).
- mssqlclient.py:
- Added multiple new commands. Now supports xp_dirtree execution (@Mayfly277, @trietend and @TurtleARM).
- ntlmrelayx.py:
- Added ability to trigger SQLShell when running ntlmrelayx in interactive mode (@sploutchy).
- Added filter option to the socks command in ntlmrelayx CLI (@shoxxdj)
- Added ability to register DNS records through LDAP.
- addcomputer.py, rbcd.py:
- Allow weak TLS ciphers for LDAP connections (@AdrianVollmer)
- Get-GPPPassword.py:
- Better handling of various XML files in Group Policy Preferences (@p0dalirius)
- smbclient.py:
- Added recursive file listing (@Sq00ky)
- ticketer.py:
- Ticket duration is now specified in hours instead of days (@Dramelac)
- Added extra-pac implementation (@Dramelac)
- GetADUsers.py, GetNPUsers.py, GetUserSPNs.py and findDelegation.py:
-
New examples
- net.py Implementation of windows net.exe builtin tool (@NtAlexio2)
- changepasswd.py New example that allows password changing or reseting through multiple protocols (@Alef-Burzmali, @snovvcrash, @bransh, @api0cradle and @p0dalirius)
- DumpNTLMInfo.py New example that dumps remote host information in ntlm authentication model, without credentials. For SMB protocols v1, v2 and v3. (@NtAlexio2)
As always, thanks a lot to all these contributors that make this library better every day (up to now):
@ly4k @nopernik @snovvcrash @ShutdownRepo @kiwids0220 @mpgn @CT-H00K @rmaksimov @arossert @aevy-syn @tirkarthi @p0dalirius @Dramelac @Mayfly277 @S3cur3Th1sSh1t @nobbd @AdrianVollmer @trietend @TurtleARM @ThePirateWhoSmellsOfSunflowers @SAERXCIT @clavoillotte @Marshall-Hallenbeck @sploutchy @almandin @rtpt-alexanderneumann @JerAxxxxxxx @NtAlexio2 @laxa @godylockz @exploide @jojonas @Zamanry @erasmusc @bugch3ck @ljrk0 @Sq00ky @shoxxdj @Alef-Burzmali @bransh @api0cradle @alexisbalbachan @0xdeaddood @NtAlexio2 @sanmopre
-
Library improvements
- Dropped support for Python 2.7.
- Refactored the testing infrastructure (@martingalloar):
- Added
pytest
as the testing framework to organize and mark test cases.Tox
remain as the automation framework, andCoverage.py
for measuring code coverage. - Custom bash scripts were replaced with test cases auto-discovery.
- Local and remote test cases were marked for easy run and configuration.
- DCE/RPC endpoint test cases were refactored and moved to a new layout.
- An initial testing guide with the main steps to prepare a testing environment and run them.
- Fixed a good amount of DCE/RPC endpoint test cases that were failing.
- Added tests for
[MS-PAR]
,[MS-RPRN]
, CCache and DPAPI.
- Added
- Added a function to compute the Netlogon Authenticator at client-side in
[MS-NRPC]
(@0xdeaddood) - Added
[MS-DSSP]
protocol implementation (@simondotsh) - Added GetDriverDirectory functions to
[MS-PAR]
and[MS-RPRN]
(@raithedavion) - Refactored the Credential Cache:
- Added new parseFile function to ccache.py (@rmaksimov)
- Added support for loading CCache Version 3 (@reznok)
- Modified fromKRBCRED function used to load a Kirbi file (@0xdeaddood)
- Fixed Ccache to Kirbi conversion (@ShutdownRepo)
- Fixed default NTLM server challenge in smbserver (@rtpt-jonaslieb)
-
Examples improvements
- exchanger.py:
- Fixed a bug when a Global Address List doesn't exist on the server (@mohemiv)
- mimikatz.py
- Updated intro to not trigger the AV on windows (@mpgn)
- ntlmrelayx.py:
- Implemented RAW Relay Server (@CCob)
- Added an LDAP attack dumping information about the domain's ADCS enrollment services (@SAERXCIT)
- Added multi-relay feature to the HTTP Relay Server. Now one incoming HTTP connection could be used against multiple targets (@0xdeaddood)
- Added an option to disable the multi-relay feature (@zblurx and @0xdeaddood)
- Added multiple HTTP listeners running at the same time (@SAERXCIT)
- Support for the ADCS ESC1 and ESC6 attacks (@hugo-syn)
- Added Shadow Credentials attack (@ShutdownRepo, @Tw1sm, @nodauf and @p0dalirius)
- Added the ability to define a password for the LDAP attack addComputer (@ShutdownRepo)
- Added rename_computer and modify add_computer in LDAP interactive shell (@capnkrunchy)
- Implemented StartTLS (@ThePirateWhoSmellsOfSunflowers)
- reg.py:
- Added save function to allow remote saving of registry hives (@ShutdownRepo and @scopedsecurity)
- secretsdump.py:
- Added an option to dump credentials using the Kerberos Key List attack (@0xdeaddood)
- smbpasswd.py:
- Added an option to force credentials change via injecting new values into SAM (@snovvcrash and @alefburzmali)
- exchanger.py:
-
New examples
- machine_role.py: This script retrieves a host's role along with its primary domain details (@simondotsh)
- keylistattack.py: This example implements the Kerberos Key List attack to dump credentials abusing RODCs and Azure AD Kerberos Servers (@0xdeaddood)
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@rmaksimov @simondotsh @CCob @raithedavion @SAERXCIT @Maltemo @dirkjanm @reznok @ShutdownRepo @scopedsecurity @Tw1sm @nodauf @p0dalirius @zblurx @hugo-syn @capnkrunchy @mohemiv @mpgn @rtpt-jonaslieb @snovvcrash @alefburzmali @ThePirateWhoSmellsOfSunflowers @jlvcm
-
Library improvements
- Fixed WMI objects parsing (@franferrax)
- Added the RpcAddPrinterDriverEx method and related structures to
[MS-RPRN]
: Print System Remote Protocol (@cube0x0) - Initial implementation of
[MS-PAR]
: Print System Asynchronous Remote Protocol (@cube0x0) - Complying
[MS-RPCH]
with HTTP/1.1 (@mohemiv) - Added return of server time in case of Kerberos error (@ShutdownRepo and @Hackndo)
-
Examples improvements
- getST.py:
- Added support for a custom additional ticket for S4U2Proxy (@ShutdownRepo)
- ntlmrelayx.py:
- Added Negotiate authentication support to the HTTP server (@LZD-TMoreggia)
- Added anonymous session handling in the HTTP server (@0xdeaddood)
- Fixed error in ldapattack.py when trying to escalate with machine account (@Rcarnus)
- Added the implementation of AD CS attack (@ExAndroidDev)
- Disabled the anonymous logon in the SMB server (@ly4k)
- psexec.py:
- Fixed decoding problems on multi bytes characters (@p0dalirius)
- reg.py:
- Implemented ADD and DELETE functionalities (@Gifts)
- secretsdump.py:
- Speeding up NTDS parsing (@skelsec)
- smbclient.py:
- Added 'mget' command which allows the download of multiple files (@deadjakk)
- Handling empty search count in FindFileBothDirectoryInfo (@martingalloar)
- smbpasswd.py:
- Added the ability to change a user's password providing NTLM hashes (@snovvcrash)
- smbserver.py:
- Added NULL SMBv2 client connection handling (@0xdeaddood)
- Hardened path checks and Added TID checks (@martingalloar)
- Added SMB2 support to QUERY_INFO Request and Enabled SMB_COM_FLUSH method (@0xdeaddood)
- Added missing constant and structure for the QUERY_FS Information Level SMB_QUERY_FS_DEVICE_INFO (@martingalloar)
- wmipersist.py:
- Fixed VBA script execution and improved error checking (@franferrax)
- getST.py:
-
New examples
- rbcd.py: Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (@ShutdownRepo and @p0dalirius) (based on the previous work of @tothi and @NinjaStyle82)
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@deadjakk @franferrax @cube0x0 @w0rmh013 @skelsec @mohemiv @LZD-TMoreggia @exploide @ShutdownRepo @Hackndo @snovvcrash @rmaksimov @Gifts @Rcarnus @ExAndroidDev @ly4k @p0dalirius
-
Library improvements
- Support connect timeout with SMBTransport (@vruello)
- Speeding up DcSync (@mohemiv)
- Fixed Python3 issue when serving SOCKS5 requests (@agsolino)
- Moved docker container to Python 3.8 (@mgallo)
- Added basic GitHub Actions workflow (@mgallo)
- Fixed Path Traversal vulnerabilities in
smbserver.py
- CVE-2021-31800 (@omriinbar AppSec Researcher at CheckMarx) - Fixed POST request processing in
httprelayserver.py
(@Rcarnus) - Added cat command to
smbclient.py
(@mxrch) - Added new features to the LDAP Interactive Shell to facilitate AD exploitation (@AdamCrosser)
- Python 3.9 support (@meeuw and @cclauss)
-
Examples improvements
- addcomputer.py:
- Enable the machine account created via SAMR (@0xdeaddood)
- getST.py:
- Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (@jakekarnes42)
- Compute NTHash and AESKey for the Bronze Bit attack automatically (@snovvcrash)
- ntlmrelayx.py:
- Fixed target parsing error (@0xdeaddood)
- wmipersist.py:
- Fixed
filterBinding
error (@franferrax) - Added PowerShell option for semi-interactive shells in
dcomexec.py
,smbexec.py
andwmiexec.py
(@snovvcrash) - Added new parameter to select
COMVERSION
indcomexec.py
,wmiexec.py
,wmipersist.py
andwmiquery.py
(@zexusx26)
- Fixed
- addcomputer.py:
-
New examples
- Get-GPPPassword.py: This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (@ShutdownRepo and @p0dalirius)
- smbpasswd.py: This script is an alternative to
smbpasswd
tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (@snovvcrash)
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@mpgn @vruello @mohemiv @jagotu @jakekarnes42 @snovvcrash @zexusx26 @omriinbar @Rcarnus @nuschpl @mxrch @ShutdownRepo @p0dalirius @AdamCrosser @franferrax @meeuw and @cclauss
-
Library improvements
- Added implementation of RPC over HTTP v2 protocol (by @mohemiv).
- Added
[MS-NSPI]
,[MS-OXNSPI]
and[MS-OXABREF]
protocol implementations (by @mohemiv). - Improved the multi-page results in LDAP queries (by @ThePirateWhoSmellsOfSunflowers).
- NDR parser optimization (by @mohemiv).
- Improved serialization of WMI method parameters (by @tshmul).
- Introduce the
[MS-NLMP]
2.2.2.10
VERSION
structure inNTLMAuthNegotiate
messages (by @franferrax). - Added some NETLOGON structs for
NetrServerPasswordSet2
(by @dirkjanm). - Python 3.8 support.
-
Examples improvements
- atexec.py:
- Fixed after MS patches related to RPC attacks (by @mohemiv).
- dpapi.py:
- Added
-no-pass
,pass-the-hash
and AES Key support for backup subcommand.
- Added
- GetNPUsers.py:
- Added ability to enumerate targets with Kerberos KRB5CC (by @rmaksimov).
- GetUserSPNs.py:
- Added new features for kerberoasting (by @mohemiv).
- ntlmrelayx.py:
- Added ability to relay on new Windows versions that have SMB guest access disabled by default.
- Added option to specify the NTLM Server Challenge used when receiving a connection.
- Added relaying to RPC support (by @mohemiv).
- Implemented WCFRelayServer (by @cnotin).
- Added Zerologon DCSync Relay Client (by @dirkjanm).
- Fixed issue in ldapattack.py when relaying and creating computer in CN=Computers (by @Hackndo).
- rpcdump.py:
- Added RPC over HTTP v2 support (by @mohemiv).
- secretsdump.py:
- Added ability to specifically delete a shadow based on its ID (by @phefley).
- Dump plaintext machine account password when dumping the local registry secrets(by @dirkjanm).
- atexec.py:
-
New examples
- exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2 (by @mohemiv).
- rpcmap.py: Scan for listening DCE/RPC interfaces (by @mohemiv).
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@mohemiv @mpgn @Romounet @ThePirateWhoSmellsOfSunflowers @rmaksimov @fuzzKitty @tshmul @spinenkoia @AaronRobson @ABCIFOGeowi40 @cclauss @cnotin @5alt @franferrax @Dliv3 @dirkjanm @Mr-Gag @vbersier @phefley @Hackndo
-
Library improvements
- New methods into
CCache
class to import/export kirbi (KRB-CRED
) formatted tickets (by @Zer1t0). - Add
FSCTL_SRV_ENUMERATE_SNAPSHOTS
functionality toSMBConnection
(by @rxwx). - Changes in NetBIOS classes in
nmb.py
(select()
bypoll()
read from socket) (by @cnotin). - Timestamped logging added.
- Interactive shell to perform LDAP operations (by @mlefebvre).
- Added two DCE/RPC calls in
tsch.py
(by @mohemiv). - Single-source the version number and standardize on semantic + pre-release + local versioning (by @jsherwood0).
- Added implementation for keytab files (by @kcirtapw).
- Added SMB 3.1.1 support for Client SMB Connections.
- New methods into
-
Examples improvements
- smbclient.py:
- List the VSS snapshots for a specified path (by @rxwx).
- GetUserSPNs.py:
- Added delegation information associated with accounts (by @G0ldenGunSec).
- dpapi.py:
- Added more functions to decrypt masterkeys based on SID + hashes/key. Also support supplying hashes instead of the password for decryption(by @dirkjanm).
- Pass the hash support for backup key retrieval (by @imaibou).
- Added feature to decrypt a user's masterkey using the MS-BKRP (by @imaibou).
- raiseChild.py:
- Added a new flag to specify the RID of a user to dump credentials (by @0xdeaddood).
- Added flags to bypass badly made detection use cases (by @MaxNad):
- smbexec.py:
- Possibility to rename the PSExec uploaded binary name with the
-remote-binary-name
flag.
- Possibility to rename the PSExec uploaded binary name with the
- psexec.py:
- Possibility to use another service name with the
-service-name
flag.
- Possibility to use another service name with the
- smbexec.py:
- ntlmrelayx.py:
- Added a flag to use a SID as the escalate user for delegation attacks (by @0xe7).
- Support for dumping LAPS passwords (by @praetorian-adam-crosser).
- Added LDAP interactive mode that allow an attacker to manually perform basic operations like creating a new user, adding a user to a group , dump the AD, etc. (by @mlefebvre).
- Support for multiple relays through one SMB connection (by @0xdeaddood).
- Added support for dumping gMSA passwords (by @cube0x0).
- ticketer.py:
- Added an option to use the SPNs keys from a keytab for a silver ticket(by @kcirtapw)
- smbclient.py:
-
New Examples
- addcomputer.py: Allows add a computer to a domain using LDAP or SAMR (SMB) (by @jagotu)
- ticketConverter.py: This script converts kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by @Zer1t0).
- findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment (by @G0ldenGunSec).
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@jagotu, @Zer1t0 ,@rxwx, @mpgn, @danhph, @awsmhacks, @slasyz, @cnotin, @exploide, @G0ldenGunSec, @dirkjanm, @0xdeaddood, @MaxNad, @imaibou, @BarakSilverfort, @0xe7, @mlefebvre, @rmaksimov, @praetorian-adam-crosser, @jsherwood0, @mohemiv, @justin-p, @cube0x0, @spinenkoia, @kcirtapw, @MrAnde7son, @fridgehead, @MarioVilas.
-
Library improvements
- Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets whenever you find something not working as expected. Libraries and examples should be fully functional.
- Test coverage improvements by @infinnovation-dev
- Anonymous SMB 2.x Connections are not encrypted anymore (by @cnotin)
- Support for multiple PEKs when decrypting Windows 2016 DIT files (by @mikeryan)
-
Examples improvements
- ntlmrelayx.py:
- CVE-2019-1019: Bypass SMB singing for unpatched (by @msimakov)
- Added POC code for CVE-2019-1040 (by @dirkjanm)
- Added NTLM relays leveraging Webdav authentications (by @salu90)
- ntlmrelayx.py:
-
New Examples
- kintercept.py: A tool for intercepting krb5 connections and for testing KDC handling S4U2Self with unkeyed checksum (by @iboukris)
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@infinnovation-dev, @cnotin, @mikeryan, @SR4ven, @cclauss, @skorov, @msimakov, @dirkjanm, @franferrax, @iboukris, @n1ngod, @c0d3z3r0, @MrAnde7son.
-
Library improvements
- [MS-EVEN] Interface implementation (Initial - by @MrAnde7son )
-
Examples improvements
- ntlmrelayx.py:
- Socks local admin check (by @imaibou)
- Add Resource Based Delegation features (by @dirkjanm)
- smbclient.py:
- Added ability to create/remove mount points to exploit James Forshaw's Abusing Mount Points over the SMB Protocol technique (by @Qwokka)
- GetST.py:
- Added resource-based constrained delegation support to S4U (@eladshamir)
- GetNPUsers.py:
- Added hashcat/john format and users file input (by @Zer1t0)
- ntlmrelayx.py:
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @MrAnde7son, @ibo, @franferrax, @Qwokka, @CaledoniaProject , @eladshamir, @Zer1t0, @martingalloar, @muizzk, @Petraea, @SR4ven, @Fist0urs, @Zer1t0.
-
Library improvements
- Replace unmaintained PyCrypto for pycryptodome (@dirkjanm)
- Using cryptographically secure pseudo-random generators
- Kerberos "no pre-auth and RC4" handling in GetKerberosTGT (by @qlemaire)
- Test cases adjustments, travis and flake support (@cclauss)
- Python3 test cases fixes (@eldipa)
- Adding DPAPI / Vaults related structures and functions to decrypt secrets
- [MS-RPRN] Interface implementation (Initial)
-
Examples improvements
- ntlmrelayx.py:
- Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by @dirkjanm)
- secretsdump.py:
- Added dumping of machine account Kerberos keys (@dirkjanm).
DPAPI_SYSTEM
LSA Secret is now parsed and key contents are shown.
- Added dumping of machine account Kerberos keys (@dirkjanm).
- GetUserSPNs.py:
- Bugfixes and cross-domain support (@dirkjanm)
- ntlmrelayx.py:
-
New Examples
- dpapi.py: Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by @MrAnde7son
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @MrAnde7son, @franferrax, @MrRobot86, @qlemaire, @cauan, @eldipa.
-
Library improvements
- New
[MS-PAC]
Implementation. - LDAP engine: Added extensibleMatch string filter parsing, simple paging support and handling of unsolicited notification (by @kacpern)
- ImpactDecoder: Add
EAPOL
,BOOTP
andDHCP
packet decoders (by Michael Niewoehner) - Kerberos engine:
DES-CBC-MD5
support to kerberos added (by @skelsec) - SMB3 engine: If target server supports SMB >= 3, encrypt packets by default.
- Initial
[MS-DHCPM]
and[MS-EVEN6]
Interface implementation by @MrAnde7son - Major improvements to the NetBIOS layer. More use of structure.py in there.
- MQTT Protocol Implementation and example.
- Tox/Coverage Support added, test cases moved to its own directory. Major overhaul.
- Many fixes and improvements in Kerberos, SMB and DCERPC (too much to name in a few lines).
- New
-
Examples improvements
- GetUserSPNs.py:
-request-user
parameter added. Requests STs for the SPN associated to the user specified. Added support for AES Kerberoast tickets (by @elitest).
- services.py:
- Added port 139 support and related options (by @real-datagram).
- samrdump.py:
-csv
switch to output format in CSV added.
- ntlmrelayx.py:
- Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and new protocols support (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.
- secretsdump.py:
- AES(128) support for SAM hashes decryption. OldVal parameter dump added to LSA secrets dump (by @Ramzeth).
- mssqlclient.py:
- Alternative method to execute cmd's on MSSQL (sp_start_job). (by @Kayzaks).
- lsalookupsid.py:
- Added no-pass and domain-users options (by @ropnop).
- GetUserSPNs.py:
-
New Examples
- ticketer.py: Create Golden/Silver tickets from scratch or
based on a template (legally requested from the KDC) allowing you to customize
some of the parameters set inside the
PAC_LOGON_INFO
structure, in particular the groups, extrasids, duration, etc. Silver tickets creation by @machosec and @bransh. - GetADUsers.py: Gathers data about the domain's users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.
- getPac.py: Gets the PAC (Privilege Attribute Certificate)
structure of the specified target user just having a normal authenticated user
credentials. It does so by using a mix of
[MS-SFU]
'sS4USelf
+ User to User Kerberos Authentication. - getArch.py: Will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
- mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.
- sambaPipe.py: Will exploit CVE-2017-7494, uploading and
executing the shared library specified by the user through the
-so
parameter. - dcomexec.py: A semi-interactive shell similar to
wmiexec.py
, but using different DCOM endpoints. Currently supportsMMC20.Application
,ShellWindows
andShellBrowserWindow
objects. (contributions by @byt3bl33d3r). - getTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
- getST.py: Given a password, hash, aesKey or TGT in ccache, this
script will request a Service Ticket and save it as ccache. If the account has constrained
delegation (with protocol transition) privileges you will be able to use the
-impersonate
switch to request the ticket on behalf other user.
- ticketer.py: Create Golden/Silver tickets from scratch or
based on a template (legally requested from the KDC) allowing you to customize
some of the parameters set inside the
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @Fr0stbyt3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.
-
Library improvements
SMB3.create
: defineCreateContextsOffset
andCreateContextsLength
when applicable (by @rrerolle)- Retrieve user principal name from
CCache
file allowing to call any script with-k
and just the target system (by @MrTchuss) - Packet fragmentation for DCE RPC layer mayor overhaul.
- Improved pass-the-key attacks scenarios (by @skelsec)
- Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to build the search filter yourself)
- IPv6 improvements for DCERPC/LDAP and Kerberos
-
Examples improvements
- Adding
-dc-ip
switch to all examples. It allows specifying what the IP for the domain is. It assumes the DC and KDC resides in the same server. secretsdump.py
:- Adding support for Win2016 TP4 in LOCAL or
-use-vss
mode - Adding
-just-dc-user
switch to download just a single user data (DRSUAPI mode only) - Support for different ReplEpoch (DRSUAPI only)
- pwdLastSet is also included in the output file
- New structures/flags added for 2016 TP5 PAM support
- Adding support for Win2016 TP4 in LOCAL or
wmiquery.py
:- Adding
-rpc-auth-level
switch (by @gadio)
- Adding
smbrelayx.py
:- Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
- Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
- Adding
-
New Examples
GetUserSPNs.py
: This module will try to find Service Principal Names that are associated with normal user account. This is part of the kerberoast attack researched by Tim Medin (@timmedin)ntlmrelayx.py
:smbrelayx.py
on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc) (by @dirkjanm)
-
Library improvements
[MS-TSCH]
- ATSVC, SASec and ITaskSchedulerService Interface implementations[MS-DRSR]
- Directory Replication Service DRSUAPI Interface implementation- Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
- Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
- NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)
- Kerberos support for TDS (MSSQL)
- Extended present flags support on RadioTap class
- Old DCERPC runtime code removed
-
Examples improvements
mssqlclient.py
:- Added Kerberos authentication support
atexec.py
:- It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
smbrelayx.py
:- If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default
- Added -c option to execute custom commands in the target (by @byt3bl33d3r)
secretsdump.py
:- Active Directory hashes/Kerberos keys are dumped using
[MS-DRSR]
(IDL_DRSGetNCChanges
method) by default. VSS method is still available by using the -use-vss switch - Added
-just-dc
(Extract only NTDS.DIT NTLM Hashes and Kerberos) and-just-dc-ntlm
(only NTDS.DIT NTLM Hashes) options - Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops.
Use
-resumefile
option. - Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump (
[MS-SAMR]
3.1.1.8.11.5
) - Add support for multiple password encryption keys (PEK) (by @s0crat)
- Active Directory hashes/Kerberos keys are dumped using
goldenPac.py
:- Tests all DCs in domain and adding forest's enterprise admin group inside PAC
-
New examples
raiseChild.py
: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilegeescalation as detailed by Sean Metcalf.netview.py
: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)
-
Library improvements
- Kerberos support for SMB and DCERPC featuring:
kerberosLogin()
added to SMBConnection (all SMB versions).- Support for
RPC_C_AUTHN_GSS_NEGOTIATE
at the DCERPC layer. This will negotiate Kerberos. This also includes DCOM. - Pass-the-hash, pass-the-ticket and pass-the-key support.
- Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
- Support for
RC4
,AES128_CTS_HMAC_SHA1_96
andAES256_CTS_HMAC_SHA1_96
ciphers. - Support for
RPC_C_AUTHN_LEVEL_PKT_PRIVACY
/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
.
[MS-SAMR]
: Supplemental Credentials support (used by secretsdump.py)- SMBSERVER improvements:
- SMB2 (2.002) dialect experimental support.
- Adding capability to export to John The Ripper format files
- Library logging overhaul. Now there's a single logger called
impacket
.
- Kerberos support for SMB and DCERPC featuring:
-
Examples improvements
- Added Kerberos support to all modules (incl. pass-the-ticket/key)
- Ported most of the modules to the new dcerpc.v5 runtime.
secretsdump.py
:- Added dumping Kerberos keys when parsing NTDS.DIT
smbserver.py
:- Support for SMB2 (not enabled by default)
smbrelayx.py
:- Added support for MS15-027 exploitation.
-
New examples
goldenPac.py
: MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.karmaSMB.py
: SMB Server that answers specific file contents regardless of the SMB share and pathname requested.wmipersist.py
: Creates persistence over WMI. Adds/Removes WMI Event Consumers/Filters to execute VBS based on a WQL filter or timer specified.
-
Library improvements
- The following protocols were added based on its standard definition
[MS-DCOM]
- Distributed Component Object module Protocol (dcom.py
)[MS-OAUT]
- OLE Automation Protocol (dcom/oaut.py
)[MS-WMI]
/[MS-WMIO]
: Windows Management Instrumentation Remote Protocol (dcom/wmi.py
)
- The following protocols were added based on its standard definition
-
New examples
wmiquery.py
: executes WMI queries and get WMI object's descriptions.wmiexec.py
: agent-less, semi-interactive shell using WMI.smbserver.py
: quick an easy way to share files using the SMB protocol.
-
Library improvements
- New RPC and NDR runtime (located at
impacket.dcerpc.v5
, old one still available)- Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
- Support for
RPC_C_AUTHN_NETLOGON
(experimental) - The following interface were developed based on its standard definition:
[MS-LSAD]
- Local Security Authority (Domain Policy) Remote Protocol (lsad.py)[MS-LSAT]
- Local Security Authority (Translation Methods) Remote Protocol (lsat.py)[MS-NRPC]
- Netlogon Remote Protocol (nrpc.py)[MS-RRP]
- Windows Remote Registry Protocol (rrp.py)[MS-SAMR]
- Security Account Manager (SAM) Remote Protocol (samr.py)[MS-SCMR]
- Service Control Manager Remote Protocol (scmr.py)[MS-SRVS]
- Server Service Remote Protocol (srvs.py)[MS-WKST]
- Workstation Service Remote Protocol (wkst.py)[MS-RPCE]-C706
- Remote Procedure Call Protocol Extensions (epm.py)[MS-DTYP]
- Windows Data Types (dtypes.py)
- Most of the DCE Calls have helper functions for easier use. Test cases added for all calls (check the test cases directory)
- ESE parser (Extensive Storage Engine) (ese.py)
- Windows Registry parser (winregistry.py)
- TDS protocol now supports SSL, can be used from mssqlclient
- Support for EAPOL, EAP and WPS decoders
- VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
- New RPC and NDR runtime (located at
-
New examples
rdp_check.py
: tests whether an account (pwd or hashes) is valid against an RDP serveresentutl.py
: ESE example to show how to interact with ESE databases (e.g. NTDS.dit)ntfs-read.py
: mini shell for browsing an NTFS volumeregistry-read.py
: Windows offline registry readersecretsdump.py
: agent-less remote windows secrets dump (SAM, LSA, CDC, NTDS)
-
Library improvements
- SMB version 2 and 3 protocol support (
[MS-SMB2]
). Signing supported, encryption for SMB3 still pending. - Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and
SMB version independent. It will pick the best SMB Version when connecting against the
target. Check
smbconnection.py
for a list of available methods across all the protocols. - Partial TDS implementation (
[MS-TDS]
&[MC-SQLR]
) so we could talk with MSSQL Servers. - Unicode support for the smbserver. Newer OSX won't connect to a non unicode SMB Server.
- DCERPC Endpoints' new calls
- EPM:
lookup()
: It can work as a general portmapper, or just to find specific interfaces/objects.
- EPM:
- SMB version 2 and 3 protocol support (
-
New examples
mssqlclient.py
: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives you an SQL prompt for your pleasure.mssqlinstance.py
: Lists the MS SQL instances running on a target machine.rpcdump.py
: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to develop new functionality to interact against a target interface.smbexec.py
: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the technique described at https://www.optiv.com/blog/owning-computers-without-shell-access. It also supports instantiating a local smbserver to receive the output of the commandos executed for those situations where no share is available on the other end.smbrelayx.py
: It now also listens on port 80 and forwards/reflects the credentials accordingly.
And finally tons of fixes :).
-
Library improvements
- Added 802.11 packets encoding/decoding
- Addition of support for IP6, ICMP6 and NDP packets. Addition of
IP6_Address
helper class. - SMB/DCERPC:
- GSS-API/SPNEGO Support.
- SPN support in auth blob.
- NTLM2 and NTLMv2 support.
- Default SMB port now 445. If
*SMBSERVER
is specified the library will try to resolve the netbios name. - Pass the hash supported for SMB/DCE-RPC.
- IPv6 support for SMB/NMB/DCERPC.
- DOMAIN support for authentication.
- SMB signing support when server enforces it.
- DCERPC signing/sealing for all NTLM flavours.
- DCERPC transport now accepts an already established SMB connection.
- Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by forwarding named pipes requests).
- Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoid Windows 7 nasty bug when that pipe's not functional.
- DCERPC Endpoints' new calls:
SRVSVC
:NetrShareEnum(Level1)
,NetrShareGetInfo(Level2)
,NetrServerGetInfo(Level2)
,NetrRemoteTOD()
,NetprNameCanonicalize()
.SVCCTL
:CloseServiceHandle()
,OpenSCManagerW()
,CreateServiceW()
,StartServiceW()
,OpenServiceW()
,OpenServiceA()
,StopService()
,DeleteService()
,EnumServicesStatusW()
,QueryServiceStatus()
,QueryServiceConfigW()
.WKSSVC
:NetrWkstaTransportEnum()
.SAMR
:OpenAlias()
,GetMembersInAlias()
.LSARPC
:LsarOpenPolicy2()
,LsarLookupSids()
,LsarClose()
.
-
New examples
ifmap.py
: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is listed and/or listening.lookupsid.py
: DCE/RPC lookup sid brute forcer example.opdump.py
: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.services.py
: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST).test_wkssvc
: DCE/RPC WKSSVC examples, playing with the functions Implemented.smbrelayx
: Passes credentials to a third party server when doing MiTM.smbserver
: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but not enforced. Tested under Windows, Linux and MacOS clients.smbclient.py
: now supports history, new commands also added.psexec.py
: Execute remote commands on Windows machines