Impacket

Latest version: v0.11.0

0.11.0

1. Library improvements
* Added new Kerberos error codes (ly4k).
* Added `[MS-TSTS]` Terminal Services Terminal Server Runtime Interface Protocol implementation (nopernik).
* Changed the setting up for new SSL connections (mpgn, CT-H00K and 0xdeaddood).
* Added a callback function to smbserver for incoming authentications (p0dalirius).
* Fix crash in winregistry (laxa)
* Fixes in IDispatch derived classes in comev implementation (NtAlexio2)
* Fix CVE-2020-17049 in ccache.py (godylockz)
* Smbserver: Added SMB2_FILE_ALLOCATION_INFO type determination (JerAxxxxxxx)
* tds: Fixed python3 incompatibility when receiving over TLS socket (exploide)
* crypto: Ensure passwords are utf-8 encoded before deriving Kerberos keys (jojonas)
* ese: Fixed python3 incompatibility when reading from db (alexisbalbachan)
* ldap queries: Escaped characters are now correctly parsed (alexisbalbachan)
* Support SASL authentication in ldap protocol (NtAlexio2)

2. Examples improvements
* [GetADUsers.py](examples/GetADUsers.py), [GetNPUsers.py](examples/GetNPUsers.py), [GetUserSPNs.py](examples/GetUserSPNs.py) and [findDelegation.py](examples/findDelegation.py):
    * Added dc-host option to connect to specific KDC using its FQDN or NetBIOS name (rmaksimov and 0xdeaddood).
* [GetNPUsers.py](examples/GetNPUsers.py):
    * Printing TGT in stdout despite -outputfile parameter (alexisbalbachan and Zamanry)
    * Fixed output hash format for AES128/256 (etype 17/18) (erasmusc)
* [GetUserSPNs.py](examples/GetUserSPNs.py):
    * Added LDAP paged search (ThePirateWhoSmellsOfSunflowers and SAERXCIT).
    * Added a -stealth flag to remove the SPN filter from the LDAP query (clavoillotte).
    * Improved searchFilter (ShutdownRepo)
    * Use LDAP paged search (ThePirateWhoSmellsOfSunflowers)
* [psexec.py](examples/psexec.py):
    * Added support for name customization using a custom binary file (Dramelac).
* [smbexec.py](examples/smbexec.py):
    * Security fixes for privilege escalation vulnerabilities (bugch3ck).
    * Fixed python3 compatibility issues, added workaround TCP over NetBIOS being disabled (ljrk0)
* [secretsdump.py](examples/secretsdump.py):
    * Added a new option to extract only NTDS.DIT data for specific users based on an LDAP filter (snovvcrash).
    * Security fixes for privilege escalation vulnerabilities (bugch3ck).
* [mssqlclient.py](examples/mssqlclient.py):
    * Added multiple new commands. Now supports xp_dirtree execution (Mayfly277, trietend and TurtleARM).
* [ntlmrelayx.py](examples/ntlmrelayx.py):
    * Added ability to trigger SQLShell when running ntlmrelayx in interactive mode (sploutchy).
    * Added filter option to the socks command in ntlmrelayx CLI (shoxxdj)
    * Added ability to register DNS records through LDAP.
* [addcomputer.py](examples/addcomputer.py), [rbcd.py](examples/rbcd.py):
    * Allow weak TLS ciphers for LDAP connections (AdrianVollmer)
* [Get-GPPPassword.py](examples/Get-GPPPassword.py):
    * Better handling of various XML files in Group Policy Preferences (p0dalirius)
* [smbclient.py](examples/smbclient.py):
    * Added recursive file listing (Sq00ky)
* [ticketer.py](examples/ticketer.py):
    * Ticket duration is now specified in hours instead of days (Dramelac)
    * Added extra-pac implementation (Dramelac)

3. New examples
* [net.py](examples/net.py) Implementation of windows net.exe builtin tool (NtAlexio2)
* [changepasswd.py](examples/changepasswd.py) New example that allows password changing or resetting through multiple protocols (Alef-Burzmali, snovvcrash, bransh, api0cradle and p0dalirius)
* [DumpNTLMInfo.py](examples/DumpNTLMInfo.py) New example that dumps remote host information in ntlm authentication model, without credentials. For SMB protocols v1, v2 and v3. (NtAlexio2)

As always, thanks a lot to all these contributors that make this library better every day (up to now):

ly4k nopernik snovvcrash ShutdownRepo kiwids0220 mpgn CT-H00K rmaksimov arossert aevy-syn tirkarthi p0dalirius Dramelac Mayfly277 S3cur3Th1sSh1t nobbd AdrianVollmer trietend TurtleARM ThePirateWhoSmellsOfSunflowers SAERXCIT clavoillotte Marshall-Hallenbeck sploutchy almandin rtpt-alexanderneumann JerAxxxxxxx NtAlexio2 laxa godylockz exploide jojonas Zamanry erasmusc bugch3ck ljrk0 Sq00ky shoxxdj Alef-Burzmali bransh api0cradle alexisbalbachan 0xdeaddood NtAlexio2 sanmopre

0.10.0

1. Library improvements
* Dropped support for Python 2.7.
* Refactored the testing infrastructure (martingalloar):
    * Added `pytest` as the testing framework to organize and mark test cases. `Tox` remains as the automation framework, and `Coverage.py` for measuring code coverage.
    * Custom bash scripts were replaced with test cases auto-discovery.
    * Local and remote test cases were marked for easy run and configuration.
    * DCE/RPC endpoint test cases were refactored and moved to a new layout.
    * An initial testing guide with the main steps to prepare a testing environment and run them.
    * Fixed a good amount of DCE/RPC endpoint test cases that were failing.
    * Added tests for `[MS-PAR]`, `[MS-RPRN]`, CCache and DPAPI.
* Added a function to compute the Netlogon Authenticator at client-side in `[MS-NRPC]` (0xdeaddood)
* Added `[MS-DSSP]` protocol implementation (simondotsh)
* Added GetDriverDirectory functions to `[MS-PAR]` and `[MS-RPRN]` (raithedavion)
* Refactored the Credential Cache:
    * Added new parseFile function to ccache.py (rmaksimov)
    * Added support for loading CCache Version 3 (reznok)
    * Modified fromKRBCRED function used to load a Kirbi file (0xdeaddood)
    * Fixed Ccache to Kirbi conversion (ShutdownRepo)
* Fixed default NTLM server challenge in smbserver (rtpt-jonaslieb)

2. Examples improvements
* [exchanger.py](examples/exchanger.py):
    * Fixed a bug when a Global Address List doesn't exist on the server (mohemiv)
* [mimikatz.py](examples/mimikatz.py):
    * Updated intro to not trigger the AV on windows (mpgn)
* [ntlmrelayx.py](examples/ntlmrelayx.py):
    * Implemented RAW Relay Server (CCob)
    * Added an LDAP attack dumping information about the domain's ADCS enrollment services (SAERXCIT)
    * Added multi-relay feature to the HTTP Relay Server. Now one incoming HTTP connection could be used against multiple targets (0xdeaddood)
    * Added an option to disable the multi-relay feature (zblurx and 0xdeaddood)
    * Added multiple HTTP listeners running at the same time (SAERXCIT)
    * Support for the ADCS ESC1 and ESC6 attacks (hugo-syn)
    * Added Shadow Credentials attack (ShutdownRepo, Tw1sm, nodauf and p0dalirius)
    * Added the ability to define a password for the LDAP attack addComputer (ShutdownRepo)
    * Added rename_computer and modify add_computer in LDAP interactive shell (capnkrunchy)
    * Implemented StartTLS (ThePirateWhoSmellsOfSunflowers)
* [reg.py](examples/reg.py):
    * Added save function to allow remote saving of registry hives (ShutdownRepo and scopedsecurity)
* [secretsdump.py](examples/secretsdump.py):
    * Added an option to dump credentials using the Kerberos Key List attack (0xdeaddood)
* [smbpasswd.py](examples/smbpasswd.py):
    * Added an option to force credentials change via injecting new values into SAM (snovvcrash and alefburzmali)

3. New examples
* [machine_role.py](examples/machine_role.py): This script retrieves a host's role along with its primary domain details (simondotsh)
* [keylistattack.py](examples/keylistattack.py): This example implements the Kerberos Key List attack to dump credentials abusing RODCs and Azure AD Kerberos Servers (0xdeaddood)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

rmaksimov simondotsh CCob raithedavion SAERXCIT Maltemo dirkjanm reznok ShutdownRepo scopedsecurity Tw1sm nodauf p0dalirius zblurx hugo-syn capnkrunchy mohemiv mpgn rtpt-jonaslieb snovvcrash alefburzmali ThePirateWhoSmellsOfSunflowers jlvcm

0.9.24

1. Library improvements
* Fixed WMI objects parsing (franferrax)
* Added the RpcAddPrinterDriverEx method and related structures to `[MS-RPRN]`: Print System Remote Protocol (cube0x0)
* Initial implementation of `[MS-PAR]`: Print System Asynchronous Remote Protocol (cube0x0)
* Complying `[MS-RPCH]` with HTTP/1.1 (mohemiv)
* Added return of server time in case of Kerberos error (ShutdownRepo and Hackndo)

2. Examples improvements
* [getST.py](examples/getST.py):
    * Added support for a custom additional ticket for S4U2Proxy (ShutdownRepo)
* [ntlmrelayx.py](examples/ntlmrelayx.py):
    * Added Negotiate authentication support to the HTTP server (LZD-TMoreggia)
    * Added anonymous session handling in the HTTP server (0xdeaddood)
    * Fixed error in ldapattack.py when trying to escalate with machine account (Rcarnus)
    * Added the implementation of AD CS attack (ExAndroidDev)
    * Disabled the anonymous logon in the SMB server (ly4k)
* [psexec.py](examples/psexec.py):
    * Fixed decoding problems on multi bytes characters (p0dalirius)
* [reg.py](examples/reg.py):
    * Implemented ADD and DELETE functionalities (Gifts)
* [secretsdump.py](examples/secretsdump.py):
    * Speeding up NTDS parsing (skelsec)
* [smbclient.py](examples/smbclient.py):
    * Added 'mget' command which allows the download of multiple files (deadjakk)
    * Handling empty search count in FindFileBothDirectoryInfo (martingalloar)
* [smbpasswd.py](examples/smbpasswd.py):
    * Added the ability to change a user's password providing NTLM hashes (snovvcrash)
* [smbserver.py](examples/smbserver.py):
    * Added NULL SMBv2 client connection handling (0xdeaddood)
    * Hardened path checks and added TID checks (martingalloar)
    * Added SMB2 support to QUERY_INFO Request and enabled SMB_COM_FLUSH method (0xdeaddood)
    * Added missing constant and structure for the QUERY_FS Information Level SMB_QUERY_FS_DEVICE_INFO (martingalloar)
* [wmipersist.py](examples/wmipersist.py):
    * Fixed VBA script execution and improved error checking (franferrax)

3. New examples
* [rbcd.py](examples/rbcd.py): Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (ShutdownRepo and p0dalirius) (based on the previous work of tothi and NinjaStyle82)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

deadjakk franferrax cube0x0 w0rmh013 skelsec mohemiv LZD-TMoreggia exploide ShutdownRepo Hackndo snovvcrash rmaksimov Gifts Rcarnus ExAndroidDev ly4k p0dalirius

0.9.23

1. Library improvements
* Support connect timeout with SMBTransport (vruello)
* Speeding up DcSync (mohemiv)
* Fixed Python3 issue when serving SOCKS5 requests (agsolino)
* Moved docker container to Python 3.8 (mgallo)
* Added basic GitHub Actions workflow (mgallo)
* Fixed Path Traversal vulnerabilities in `smbserver.py` - CVE-2021-31800 (omriinbar AppSec Researcher at CheckMarx)
* Fixed POST request processing in `httprelayserver.py` (Rcarnus)
* Added cat command to `smbclient.py` (mxrch)
* Added new features to the LDAP Interactive Shell to facilitate AD exploitation (AdamCrosser)
* Python 3.9 support (meeuw and cclauss)

2. Examples improvements
* [addcomputer.py](examples/addcomputer.py):
    * Enable the machine account created via SAMR (0xdeaddood)
* [getST.py](examples/getST.py):
    * Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (jakekarnes42)
    * Compute NTHash and AESKey for the Bronze Bit attack automatically (snovvcrash)
* [ntlmrelayx.py](examples/ntlmrelayx.py):
    * Fixed target parsing error (0xdeaddood)
* [wmipersist.py](examples/wmipersist.py):
    * Fixed `filterBinding` error (franferrax)
* Added PowerShell option for semi-interactive shells in `dcomexec.py`, `smbexec.py` and `wmiexec.py` (snovvcrash)
* Added new parameter to select `COMVERSION` in `dcomexec.py`, `wmiexec.py`, `wmipersist.py` and `wmiquery.py` (zexusx26)

3. New examples
* [Get-GPPPassword.py](examples/Get-GPPPassword.py): This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (ShutdownRepo and p0dalirius)
* [smbpasswd.py](examples/smbpasswd.py): This script is an alternative to `smbpasswd` tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (snovvcrash)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

mpgn vruello mohemiv jagotu jakekarnes42 snovvcrash zexusx26 omriinbar Rcarnus nuschpl mxrch ShutdownRepo p0dalirius AdamCrosser franferrax meeuw and cclauss

0.9.22

Not secure
1. Library improvements
* Added implementation of RPC over HTTP v2 protocol (by mohemiv).
* Added `[MS-NSPI]`, `[MS-OXNSPI]` and `[MS-OXABREF]` protocol implementations (by mohemiv).
* Improved the multi-page results in LDAP queries (by ThePirateWhoSmellsOfSunflowers).
* NDR parser optimization (by mohemiv).
* Improved serialization of WMI method parameters (by tshmul).
* Introduce the `[MS-NLMP]` `2.2.2.10` `VERSION` structure in `NTLMAuthNegotiate` messages (by franferrax).
* Added some NETLOGON structs for `NetrServerPasswordSet2` (by dirkjanm).
* Python 3.8 support.

2. Examples improvements
* [atexec.py](examples/atexec.py):
    * Fixed after MS patches related to RPC attacks (by mohemiv).
* [dpapi.py](examples/dpapi.py):
    * Added `-no-pass`, `pass-the-hash` and AES Key support for backup subcommand.
* [GetNPUsers.py](examples/GetNPUsers.py):
    * Added ability to enumerate targets with Kerberos KRB5CC (by rmaksimov).
* [GetUserSPNs.py](examples/GetUserSPNs.py):
    * Added new features for kerberoasting (by mohemiv).
* [ntlmrelayx.py](examples/ntlmrelayx.py):
    * Added ability to relay on new Windows versions that have SMB guest access disabled by default.
    * Added option to specify the NTLM Server Challenge used when receiving a connection.
    * Added relaying to RPC support (by mohemiv).
    * Implemented WCFRelayServer (by cnotin).
    * Added Zerologon DCSync Relay Client (by dirkjanm).
    * Fixed issue in ldapattack.py when relaying and creating computer in CN=Computers (by Hackndo).
* [rpcdump.py](examples/rpcdump.py):
    * Added RPC over HTTP v2 support (by mohemiv).
* [secretsdump.py](examples/secretsdump.py):
    * Added ability to specifically delete a shadow based on its ID (by phefley).
    * Dump plaintext machine account password when dumping the local registry secrets (by dirkjanm).

3. New examples
- [exchanger.py](examples/exchanger.py): A tool for connecting to MS Exchange via RPC over HTTP v2 (by mohemiv).
- [rpcmap.py](examples/rpcmap.py): Scan for listening DCE/RPC interfaces (by mohemiv).

As always, thanks a lot to all these contributors that make this library better every day (since last version):

mohemiv mpgn Romounet ThePirateWhoSmellsOfSunflowers rmaksimov fuzzKitty tshmul spinenkoia AaronRobson ABCIFOGeowi40 cclauss cnotin 5alt franferrax Dliv3 dirkjanm Mr-Gag vbersier phefley Hackndo

0.9.21

Not secure
1. Library improvements
* New methods into `CCache` class to import/export kirbi (`KRB-CRED`) formatted tickets (by Zer1t0).
* Add `FSCTL_SRV_ENUMERATE_SNAPSHOTS` functionality to `SMBConnection` (by rxwx).
* Changes in NetBIOS classes in `nmb.py` (`select()` by `poll()` read from socket) (by cnotin).
* Timestamped logging added.
* Interactive shell to perform LDAP operations (by mlefebvre).
* Added two DCE/RPC calls in `tsch.py` (by mohemiv).
* Single-source the version number and standardize on semantic + pre-release + local versioning (by jsherwood0).
* Added implementation for keytab files (by kcirtapw).
* Added SMB 3.1.1 support for Client SMB Connections.

2. Examples improvements
* [smbclient.py](examples/smbclient.py):
    * List the VSS snapshots for a specified path (by rxwx).
* [GetUserSPNs.py](examples/GetUserSPNs.py):
    * Added delegation information associated with accounts (by G0ldenGunSec).
* [dpapi.py](examples/dpapi.py):
    * Added more functions to decrypt masterkeys based on SID + hashes/key. Also support supplying hashes instead of the password for decryption (by dirkjanm).
    * Pass the hash support for backup key retrieval (by imaibou).
    * Added feature to decrypt a user's masterkey using the MS-BKRP (by imaibou).
* [raiseChild.py](examples/raiseChild.py):
    * Added a new flag to specify the RID of a user to dump credentials (by 0xdeaddood).
* Added flags to bypass badly made detection use cases (by MaxNad):
    * [smbexec.py](examples/smbexec.py):
        * Possibility to rename the PSExec uploaded binary name with the `-remote-binary-name` flag.
    * [psexec.py](examples/psexec.py):
        * Possibility to use another service name with the `-service-name` flag.
* [ntlmrelayx.py](examples/ntlmrelayx.py):
    * Added a flag to use a SID as the escalate user for delegation attacks (by 0xe7).
    * Support for dumping LAPS passwords (by praetorian-adam-crosser).
    * Added LDAP interactive mode that allows an attacker to manually perform basic operations like creating a new user, adding a user to a group, dump the AD, etc. (by mlefebvre).
    * Support for multiple relays through one SMB connection (by 0xdeaddood).
    * Added support for dumping gMSA passwords (by cube0x0).
* [ticketer.py](examples/ticketer.py):
    * Added an option to use the SPNs keys from a keytab for a silver ticket (by kcirtapw)

3. New Examples
- [addcomputer.py](examples/addcomputer.py): Allows adding a computer to a domain using LDAP or SAMR (SMB) (by jagotu)
- [ticketConverter.py](examples/ticketConverter.py): This script converts kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by Zer1t0).
- [findDelegation.py](examples/findDelegation.py): Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment (by G0ldenGunSec).

As always, thanks a lot to all these contributors that make this library better every day (since last version):

jagotu, Zer1t0, rxwx, mpgn, danhph, awsmhacks, slasyz, cnotin, exploide, G0ldenGunSec, dirkjanm, 0xdeaddood, MaxNad, imaibou, BarakSilverfort, 0xe7, mlefebvre, rmaksimov, praetorian-adam-crosser, jsherwood0, mohemiv, justin-p, cube0x0, spinenkoia, kcirtapw, MrAnde7son, fridgehead, MarioVilas.
