1) Library improvements
* SMB3.create: define CreateContextsOffset and CreateContextsLength when applicable (by rrerolle)
* Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by MrTchuss)
* Packet fragmentation for DCE RPC layer mayor overhaul.
* Improved pass-the-key attacks scenarios (by skelsec)
* Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to
build the search filter yourself)
* IPv6 improvements for DCERPC/LDAP and Kerberos
2) Examples improvements
* Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC
resides in the same server
a. Adding support for Win2016 TP4 in LOCAL or -use-vss mode
b. Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)
c. Support for different ReplEpoch (DRSUAPI only)
d. pwdLastSet is also included in the output file
e. New structures/flags added for 2016 TP5 PAM support
a. Adding -rpc-auth-level switch (by gadio)
a. Added option to specify authentication status code to be sent to requesting client (by mgeeky)
b. Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
3) New Examples
* GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account.
This is part of the kerberoast attack researched by Tim Medin (timmedin)
* ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)
1) Library improvements
* [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
* [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
* Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
* Unicode support (optional) for the SMBv1 stack (by rdubourguais)
* NTLMv2 enforcement option on SMBv1 client stack (by scriptjunkie)
* Kerberos support for TDS (MSSQL)
* Extended present flags support on RadioTap class
* Old DCERPC runtime code removed
2) Examples improvements
* mssqlclient.py: Added Kerberos authentication support
* atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
* If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default
* Added -c option to execute custom commands in the target (by byt3bl33d3r)
a. Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method)
by default. VSS method is still available by using the -use-vss switch
b. Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and
-just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options
c. Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option
d. Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump ([MS-SAMR] 126.96.36.199.11.5)
e. Add support for multiple password encryption keys (PEK) (by s0crat)
* goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC
3) New examples
* raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege
escalation as detailed by Sean Metcalf at https://adsecurity.org/?p=1640
* netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by mubix)
1) Library improvements
* Kerberos support for SMB and DCERPC featuring:
a. kerberosLogin() added to SMBConnection (all SMB versions).
b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will
negotiate Kerberos. This also includes DCOM.
c. Pass-the-hash, pass-the-ticket and pass-the-key support.
d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
* [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
* SMBSERVER improvements:
a. SMB2 (2.002) dialect experimental support.
b. Adding capability to export to John The Ripper format files
* Library logging overhaul. Now there's a single logger called 'impacket'.
2) Examples improvements
* Added Kerberos support to all modules (incl. pass-the-ticket/key)
* Ported most of the modules to the new dcerpc.v5 runtime.
* secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
* smbserver.py: support for SMB2 (not enabled by default)
* smbrelayx.py: Added support for MS15-027 exploitation.
3) New examples
* goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a
psexec session at the target.
* karmaSMB.py: SMB Server that answers specific file contents regardless of
the SMB share and pathname requested.
* wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event
Consumers/Filters to execute VBS based on a WQL filter or timer specified.
1) The following protocols were added based on its standard definition
* [MS-DCOM] - Distributed Component Object module Protocol (dcom.py)
* [MS-OAUT] - OLE Automation Protocol (dcom/oaut.py)
* [MS-WMI]/[MS-WMIO] : Windows Management Instrumentation Remote Protocol (dcom/wmi.py)
2) New examples
a. wmiquery.py: executes WMI queries and get WMI object's descriptions.
b. wmiexec.py: agent-less, semi-interactive shell using WMI.
c. smbserver.py: quick an easy way to share files using the SMB protocol.
1) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available)
a. Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
b. Support for RPC_C_AUTHN_NETLOGON (experimental)
c. The following interface were developed based on its standard definition:
* [MS-LSAD] - Local Security Authority (Domain Policy) Remote Protocol (lsad.py)
* [MS-LSAT] - Local Security Authority (Translation Methods) Remote Protocol (lsat.py)
* [MS-NRPC] - Netlogon Remote Protocol (nrpc.py)
* [MS-RRP] - Windows Remote Registry Protocol (rrp.py)
* [MS-SAMR] - Security Account Manager (SAM) Remote Protocol (samr.py)
* [MS-SCMR] - Service Control Manager Remote Protocol (scmr.py)
* [MS-SRVS] - Server Service Remote Protocol (srvs.py)
* [MS-WKST] - Workstation Service Remote Protocol (wkst.py)
* [MS-RPCE]-C706 - Remote Procedure Call Protocol Extensions (epm.py)
* [MS-DTYP] - Windows Data Types (dtypes.py)
Most of the DCE Calls have helper functions for easier use. Test cases added for
all calls (check the test cases directory)
2) ESE parser (Extensive Storage Engine) (ese.py)
3) Windows Registry parser (winregistry.py)
4) TDS protocol now supports SSL, can be used from mssqlclient
5) Support for EAPOL, EAP and WPS decoders
6) VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
7) New examples
a. rdp_check.py: tests whether an account (pwd or hashes) is valid against an RDP server
b. esentutl.py: ESE example to show how to interact with ESE databases (e.g. NTDS.dit)
c. ntfs-read.py: mini shell for browsing an NTFS volume
d. registry-read.py: Windows offline registry reader
e. secretsdump.py: agent-less remote windows secrets dump (SAM, LSA, CDC, NTDS)
1) SMB version 2 and 3 protocol support ([MS-SMB2]). Signing supported, encryption for SMB3 still pending.
2) Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and SMB version independent.
It will pick the best SMB Version when connecting against the target. Check smbconnection.py for a list of available
methods across all the protocols.
3) Partial TDS implementation ([MS-TDS] & [MC-SQLR]) so we could talk with MSSQL Servers.
4) Unicode support for the smbserver. Newer OSX won't connect to a non unicode SMB Server.
5) DCERPC Endpoints' new calls
a. EPM: lookup(): It can work as a general portmapper, or just to find specific interfaces/objects.
6) New examples
a. mssqlclient.py: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives
you an SQL prompt for your pleasure.
b. mssqlinstance.py: Lists the MS SQL instances running on a target machine.
c. rpcdump.py: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the
UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to
develop new functionality to interact against a target interface.
d. smbexec.py: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the
technique described at https://www.optiv.com/blog/owning-computers-without-shell-access. It also
supports instantiating a local smbserver to receive the output of the commandos executed for those situations
where no share is available on the other end.
e. smbrelayx.py: It now also listens on port 80 and forwards/reflects the credentials accordingly.
And finally tons of fixes :).
1) Added 802.11 packets encoding/decoding
2) Addition of support for IP6, ICMP6 and NDP packets. Addition of IP6_Address helper class.
a. GSS-API/SPNEGO Support.
b. SPN support in auth blob.
c. NTLM2 and NTLMv2 support.
d. Default SMB port now 445. If *SMBSERVER is specified the library will try to resolve the netbios name.
e. Pass the hash supported for SMB/DCE-RPC.
f. IPv6 support for SMB/NMB/DCERPC.
g. DOMAIN support for authentication.
h. SMB signing support when server enforces it.
i. DCERPC signing/sealing for all NTLM flavours.
j. DCERPC transport now accepts an already established SMB connection.
k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by
forwarding named pipes requests).
l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoidg Windows 7 nasty bug when that pipe's
4) DCERPC Endpoints' new calls
a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(),
b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(),
StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW().
c. WKSSVC: NetrWkstaTransportEnum().
d. SAMR: OpenAlias(), GetMembersInAlias().
e. LSARPC: LsarOpenPolicy2(), LsarLookupSids(), LsarClose().
5) New examples
a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list
of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is
listed and/or listening.
b. lookupsid.py: DCE/RPC lookup sid brute forcer example.
c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first
256 operation numbers in turn and reports the outcome of each call.
d. services.py: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST).
e. test_wkssvc: DCE/RPC WKSSVC examples, playing with the functions Implemented.
f. smbrelayx: Passes credentials to a third party server when doing MiTM.
g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but
not enforced. Tested under Windows, Linux and MacOS clients.
h. smbclient.py: now supports history, new commands also added.
i. psexec.py: Execute remote commands on Windows machines