Releases: fortra/impacket
impacket 0.9.15
Project's main page at www.coresecurity.com
ChangeLog for 0.9.15:
- Library improvements
  - SMB3.create(): define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
  - Retrieve the user principal name from the CCache file, allowing any script to be called with -k and just the target system (by @MrTchuss)
  - Major overhaul of packet fragmentation for the DCE RPC layer
  - Improved pass-the-key attack scenarios (by @skelsec)
  - Added a minimalistic LDAP/S implementation (supports PtH/PtT/PtK). Only search is available (and you need to build the search filter yourself)
  - IPv6 improvements for DCERPC/LDAP and Kerberos
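The entry above on reading the user principal name from the CCache file is what lets a script be invoked with -k and only a target host. The following stand-alone Python example (added here; not impacket's own ccache implementation) parses the default principal out of an MIT-format credential cache (v3/v4) and shows how a bare target can be completed with the realm and client name from the cache. The user jdoe, the realm CONTOSO.LOCAL and the sample cache bytes are constructed for the example.

```python
"""Read the default principal from a Kerberos credential cache (MIT ccache v3/v4).

Added illustration, not impacket code. Wire format per the MIT krb5 ccache file
format description: a 16-bit version (0x0503 or 0x0504), for v4 a tagged header
block, then the default principal; all integers are big-endian in v3/v4.
"""
import os
import struct

KRB5_NT_PRINCIPAL = 1


def _counted_octet_string(buf, off):
    """uint32 length followed by that many bytes; returns (bytes, new offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length


def parse_principal(buf, off):
    """Decode a v3/v4 principal: name_type, component count, realm, components."""
    name_type, ncomp = struct.unpack_from(">II", buf, off)
    off += 8
    realm, off = _counted_octet_string(buf, off)
    components = []
    for _ in range(ncomp):
        comp, off = _counted_octet_string(buf, off)
        components.append(comp)
    return name_type, components, realm, off


def default_principal(data):
    """Return (client_name, realm) for the cache's default principal.

    v1/v2 caches use host byte order and count components differently, so they
    are rejected rather than mis-parsed.
    """
    (version,) = struct.unpack_from(">H", data, 0)
    off = 2
    if version == 0x0504:
        (header_len,) = struct.unpack_from(">H", data, off)
        off += 2 + header_len          # skip the v4 tag/length/value header fields
    elif version != 0x0503:
        raise ValueError("unsupported ccache version 0x%04x" % version)
    _, components, realm, _ = parse_principal(data, off)
    return b"/".join(components).decode("utf-8"), realm.decode("utf-8")


def complete_target(target, ccache_bytes):
    """Fill the domain/user part of a "[domain/]user[:password]@host" target from the cache.

    If the caller already supplied a user@host form, leave it alone; otherwise
    prepend the realm and client name taken from the default principal.
    """
    if "@" in target:
        return target
    user, realm = default_principal(ccache_bytes)
    return "%s/%s@%s" % (realm, user, target)


def build_ccache(realm, components, version=0x0504):
    """Constructed sample: a minimal cache holding only a default principal (no credentials)."""
    out = struct.pack(">H", version)
    if version == 0x0504:
        header = struct.pack(">HH", 1, 8) + b"\x00" * 8   # tag 1 (DeltaTime), 8-byte value
        out += struct.pack(">H", len(header)) + header
    out += struct.pack(">II", KRB5_NT_PRINCIPAL, len(components))
    out += struct.pack(">I", len(realm)) + realm
    for comp in components:
        out += struct.pack(">I", len(comp)) + comp
    return out


# Constructed sample cache for the hypothetical user jdoe@CONTOSO.LOCAL.
SAMPLE_CCACHE = build_ccache(b"CONTOSO.LOCAL", [b"jdoe"])

if __name__ == "__main__":
    # Use the real cache from KRB5CCNAME when present, else the constructed sample.
    path = os.environ.get("KRB5CCNAME", "")
    if path.startswith("FILE:"):
        path = path[5:]
    data = open(path, "rb").read() if path and os.path.isfile(path) else SAMPLE_CCACHE
    print("default principal: %s@%s" % default_principal(data))
    print("target:", complete_target("dc01.contoso.local", data))
```

Only the default principal is read; credentials that follow it in the file are left untouched, which is all that is needed to decide which user and domain a -k invocation should run as.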
- Examples improvements
  - Added -dc-ip switch to all examples. It allows specifying the IP of the domain controller, and assumes the DC and KDC reside on the same server
  - secretsdump.py
    - Added support for Win2016 TP4 in LOCAL or -use-vss mode
    - Added -just-dc-user switch to download just a single user's data (DRSUAPI mode only)
    - Support for different ReplEpoch (DRSUAPI only)
    - pwdLastSet is also included in the output file
    - New structures/flags added for 2016 TP5 PAM support
  - wmiquery.py
    - Added -rpc-auth-level switch (by @gadio)
  - smbrelayx.py
    - Added option to specify the authentication status code to be sent to the requesting client (by @mgeeky)
    - Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
- New Examples
  - GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user accounts. This is part of the Kerberoast attack researched by Tim Medin (@TimMedin)
  - ntlmrelayx.py: smbrelayx.py on steroids! NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc.) (by @dirkjanm)
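As a defensive counterpart to GetUserSPNs.py, the following added Python example (not part of these release notes or of impacket) flags the Kerberoast pattern Tim Medin described in Windows Security event 4769 records: successful service-ticket requests for user-account SPNs with the RC4-HMAC encryption type (0x17, the etype behind $krb5tgs$23$ hashes), and one client requesting many distinct services in a short span, which is what a single tool run produces. The events, field subset, IPs and account names are constructed sample data.

```python
"""Spot Kerberoast-style TGS requests in Security event 4769 records.

Added illustration, not impacket code. Assumes the classic Kerberoast pattern:
RC4 (0x17) service tickets for non-machine, non-krbtgt services, requested in
bulk by one client. Sample events are constructed, as key=value lines carrying
a subset of the 4769 fields.
"""
import re
from collections import defaultdict

RC4_HMAC = 0x17
_FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample: 10.0.0.50 roasts three service accounts; the rest are benign.
SAMPLE_LINES = [
    "EventID=4769 TargetUserName=jdoe@CONTOSO.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0 IpAddress=::ffff:10.0.0.50",
    "EventID=4769 TargetUserName=jdoe@CONTOSO.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x0 IpAddress=::ffff:10.0.0.50",
    "EventID=4769 TargetUserName=jdoe@CONTOSO.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 FailureCode=0x0 IpAddress=::ffff:10.0.0.50",
    "EventID=4769 TargetUserName=jdoe@CONTOSO.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 FailureCode=0x0 IpAddress=::ffff:10.0.0.50",
    "EventID=4769 TargetUserName=WS01$@CONTOSO.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 FailureCode=0x0 IpAddress=::ffff:10.0.0.77",
    "EventID=4769 TargetUserName=asmith@CONTOSO.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 FailureCode=0x0 IpAddress=::ffff:10.0.0.20",
    "EventID=4768 TargetUserName=asmith ServiceName=krbtgt TicketEncryptionType=0x12 FailureCode=0x0 IpAddress=::ffff:10.0.0.20",
    "EventID=4769 TargetUserName=asmith@CONTOSO.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x6 IpAddress=::ffff:10.0.0.20",
]


def parse_event(line):
    """Split key=value fields into a dict; numeric fields become ints (hex allowed)."""
    ev = dict(_FIELD.findall(line))
    for key in ("EventID", "TicketEncryptionType", "FailureCode"):
        if key in ev:
            ev[key] = int(ev[key], 0)
    return ev


def is_roastable_tgs(ev):
    """A successful RC4 service-ticket request for a non-machine, non-krbtgt service."""
    service = ev.get("ServiceName", "")
    return (
        ev.get("EventID") == 4769
        and ev.get("FailureCode") == 0
        and ev.get("TicketEncryptionType") == RC4_HMAC
        and not service.endswith("$")          # machine accounts are not Kerberoast targets
        and service.lower() != "krbtgt"        # TGT renewals, not service tickets of interest
    )


def kerberoast_candidates(lines, min_services=3):
    """Map client IP -> set of roastable services requested, keeping only clients
    that hit at least min_services distinct services (one tool run, many SPNs)."""
    per_client = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_tgs(ev):
            per_client[ev["IpAddress"]].add(ev["ServiceName"])
    return {ip: svcs for ip, svcs in per_client.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for ip, svcs in kerberoast_candidates(SAMPLE_LINES).items():
        print("possible Kerberoast from %s: %s" % (ip, ", ".join(sorted(svcs))))
```

The per-client threshold is what separates a tool sweep from a single legitimate RC4 request by an old client; tune min_services to the environment, and treat any RC4 ticket for a user-account SPN as worth a look once AES is the domain default.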
impacket_0_9_14: impacket 0.9.14
- Library improvements:
  - [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
  - [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
  - Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
  - Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
  - NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)
  - Kerberos support for TDS (MSSQL)
  - Extended present flags support on RadioTap class
  - Old DCERPC runtime code removed
- Examples improvements:
  - mssqlclient.py: Added Kerberos authentication support
  - atexec.py: It now uses the ITaskSchedulerService interface, adding support for Windows 2012 R2
  - smbrelayx.py:
    - If no file to upload and execute is specified (-E), it just dumps the target user's hashes by default
    - Added -c option to execute custom commands on the target (by @byt3bl33d3r)
  - secretsdump.py:
    - Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method) by default. The VSS method is still available by using the -use-vss switch
    - Added -just-dc (extract only NTDS.DIT NTLM hashes and Kerberos keys) and -just-dc-ntlm (only NTDS.DIT NTLM hashes) options
    - Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use the -resumefile option
    - Added Primary:CLEARTEXT property from the supplementalCredentials attribute dump
    - Added support for multiple password encryption keys (PEK) (by @s0crat)
  - goldenPac.py: Tests all DCs in the domain and adds the forest's Enterprise Admins group inside the PAC
- New examples:
  - raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege escalation as detailed by Sean Metcalf (@PyroTek3) at https://adsecurity.org/?p=1640. It (ab)uses the concept of Golden Tickets and ExtraSids researched and implemented by Benjamin Delpy (@gentilkiwi) in mimikatz
  - netview.py: Gets a list of the sessions opened at the remote hosts and keeps track of them (original idea by @mubix)
impacket_0_9_13: impacket 0.9.13
May 2015 - 0.9.13:
- Library improvements
  - Kerberos support for SMB and DCERPC featuring:
    a. kerberosLogin() added to SMBConnection (all SMB versions).
    b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will negotiate Kerberos. This also includes DCOM.
    c. Pass-the-hash, pass-the-ticket and pass-the-key support.
    d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
    e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
    f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY / RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
  - SMB3 encryption support. A Pycrypto experimental version that supports AES_CCM is required.
  - [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
  - SMBSERVER improvements:
    a. SMB2 (2.002) dialect experimental support.
    b. Adding capability to export to John The Ripper format files
  - Library logging overhaul. Now there's a single logger called 'impacket'.
- Examples improvements:
  - Added Kerberos support to all modules (incl. pass-the-ticket/key)
  - Ported most of the modules to the new dcerpc.v5 runtime.
  - secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
  - smbserver.py: support for SMB2 (not enabled by default)
  - smbrelayx.py: Added support for MS15-027 exploitation.
- New examples:
  - goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.
  - karmaSMB.py: SMB Server that answers specific file contents regardless of the SMB share and pathname requested.
  - wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event Consumers/Filters to execute VBS based on a WQL filter or timer specified.
  - netview.py: Gets a list of the sessions opened at the remote hosts, looping over the hosts found and keeping track of who logged in/out from remote servers