Impacket

Latest version: v0.11.0

0.9.20

Not secure
1. Library improvements
* Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets
whenever you find something not working as expected. Libraries and examples should be fully
functional.
* Test coverage [improvements](https://github.com/SecureAuthCorp/impacket/pull/540) by infinnovation-dev
* Anonymous SMB 2.x Connections are not encrypted anymore (by cnotin)
* Support for [multiple PEKs](https://github.com/SecureAuthCorp/impacket/pull/618) when decrypting Windows 2016 DIT files (by mikeryan)

2. Examples improvements
* [ntlmrelayx.py](examples/ntlmrelayx.py):
  * [CVE-2019-1019](https://github.com/SecureAuthCorp/impacket/pull/635): Bypass SMB signing for unpatched (by msimakov)
  * Added [POC](https://github.com/SecureAuthCorp/impacket/pull/637) code for CVE-2019-1040 (by dirkjanm)
  * Added NTLM relays leveraging [Webdav](https://github.com/SecureAuthCorp/impacket/pull/652) authentications (by salu90)

3. New Examples
* [kintercept.py](examples/kintercept.py): A tool for intercepting krb5 connections and for
testing KDC handling S4U2Self with unkeyed checksum (by iboukris)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

infinnovation-dev, cnotin, mikeryan, SR4ven, cclauss, skorov, msimakov, dirkjanm, franferrax, iboukris, n1ngod, c0d3z3r0, MrAnde7son.

0.9.19

Not secure
1. Library improvements
* [[MS-EVEN]](impacket/dcerpc/v5/even.py) Interface implementation (Initial - by MrAnde7son)

2. Examples improvements
* [ntlmrelayx.py](examples/ntlmrelayx.py):
  * Socks local admin check (by imaibou)
  * Add Resource Based Delegation features (by dirkjanm)
* [smbclient.py](examples/smbclient.py):
  * Added ability to create/remove mount points to exploit James Forshaw's
    [Abusing Mount Points over the SMB Protocol](https://tyranidslair.blogspot.com/2018/12/abusing-mount-points-over-smb-protocol.html) technique (by Qwokka)
* [GetST.py](examples/getST.py):
  * Added resource-based constrained delegation support to S4U (eladshamir)
* [GetNPUsers.py](examples/GetNPUsers.py):
  * Added hashcat/john format and users file input (by Zer1t0)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

dirkjanm, MrAnde7son, ibo, franferrax, Qwokka, CaledoniaProject, eladshamir, Zer1t0, martingalloar, muizzk, Petraea, SR4ven, Fist0urs, Zer1t0.

0.9.18

Not secure
1. Library improvements
* Replace unmaintained PyCrypto with pycryptodome (dirkjanm)
* Using cryptographically secure pseudo-random generators
* Kerberos "no pre-auth and RC4" handling in GetKerberosTGT (by qlemaire)
* Test cases adjustments, travis and flake support (cclauss)
* Python3 test cases fixes (eldipa)
* Adding DPAPI / Vaults related structures and functions to decrypt secrets
* [[MS-RPRN]](impacket/dcerpc/v5/rprn.py) Interface implementation (Initial)

2. Examples improvements
* [ntlmrelayx.py](examples/ntlmrelayx.py):
  * Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by dirkjanm)
* [secretsdump.py](examples/secretsdump.py):
  * Added dumping of machine account Kerberos keys (dirkjanm). `DPAPI_SYSTEM` LSA Secret is now parsed and key contents are shown.
* [GetUserSPNs.py](examples/GetUserSPNs.py):
  * Bugfixes and cross-domain support (dirkjanm)

3. New Examples
* [dpapi.py](examples/dpapi.py): Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by MrAnde7son

As always, thanks a lot to all these contributors that make this library better every day (since last version):

dirkjanm, MrAnde7son, franferrax, MrRobot86, qlemaire, cauan, eldipa.

0.9.17

Not secure
1. Library improvements
* New `[MS-PAC]` [Implementation](impacket/krb5/pac.py).
* [LDAP engine](impacket/ldap): Added extensibleMatch string filter parsing, simple
paging support and handling of unsolicited notification (by kacpern)
* [ImpactDecoder](impacket/ImpactDecoder.py): Add `EAPOL`, `BOOTP` and `DHCP` packet
decoders (by Michael Niewoehner)
* [Kerberos engine](impacket/krb5): `DES-CBC-MD5` support added to Kerberos (by skelsec)
* [SMB3 engine](https://github.com/SecureAuthCorp/impacket/commit/f62fc5c3946430374f92404e892f8c48943d411c): If target server supports SMB >= 3, encrypt packets by default.
* Initial `[MS-DHCPM]` and `[MS-EVEN6]` Interface implementation by MrAnde7son
* Major improvements to the [NetBIOS layer](https://github.com/SecureAuthCorp/impacket/commit/0808e45b796741aea4162bd756e3f54522e8045b).
More use of [structure.py](impacket/structure.py) in there.
* [MQTT](https://github.com/SecureAuthCorp/impacket/commit/8cef002928ca52be4e9476a87a54d836b5efa81e) Protocol Implementation and example.
* Tox/Coverage Support added, test cases moved to its own directory. Major overhaul.
* Many fixes and improvements in Kerberos, SMB and DCERPC (too many to name in a few lines).

2. Examples improvements
* [GetUserSPNs.py](examples/GetUserSPNs.py):
  * `-request-user` parameter added. Requests STs for the SPN associated to the user
    specified. Added support for AES Kerberoast tickets (by elitest).
* [services.py](examples/services.py):
  * Added port 139 support and related options (by real-datagram).
* [samrdump.py](examples/samrdump.py):
  * `-csv` switch to output format in CSV added.
* [ntlmrelayx.py](examples/ntlmrelayx.py):
  * Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and new protocols support (IMAP, POP3, SMTP). Awesome contributions by dirkjanm.
* [secretsdump.py](examples/secretsdump.py):
  * AES(128) support for SAM hashes decryption. OldVal parameter dump added to LSA
    secrets dump (by Ramzeth).
* [mssqlclient.py](examples/mssqlclient.py):
  * Alternative method to execute cmd's on MSSQL (sp_start_job). (by Kayzaks).
* [lsalookupsid.py](examples/lsalookupsid.py):
  * Added no-pass and domain-users options (by ropnop).

3. New Examples
* [ticketer.py](examples/ticketer.py): Create Golden/Silver tickets from scratch or
based on a template (legally requested from the KDC) allowing you to customize
some of the parameters set inside the `PAC_LOGON_INFO` structure, in particular the
groups, extrasids, duration, etc. Silver tickets creation by machosec and bransh.
* [GetADUsers.py](examples/GetADUsers.py): Gathers data about the domain's users and
their corresponding email addresses. It will also include some extra information
about last logon and last password set attributes.
* [getPac.py](examples/getPac.py): Gets the PAC (Privilege Attribute Certificate)
structure of the specified target user using only normal authenticated user
credentials. It does so by using a mix of `[MS-SFU]`'s `S4USelf` + User to User
Kerberos Authentication.
* [getArch.py](examples/getArch.py): Connects to a target machine (or list of targets)
and gathers the installed OS architecture type by (ab)using a documented MSRPC feature.
* [mimikatz.py](examples/mimikatz.py): Mini shell to control a remote mimikatz RPC
server developed by gentilkiwi.
* [sambaPipe.py](examples/sambaPipe.py): Will exploit CVE-2017-7494, uploading and
executing the shared library specified by the user through the `-so` parameter.
* [dcomexec.py](examples/dcomexec.py): A semi-interactive shell similar to `wmiexec.py`,
but using different DCOM endpoints. Currently supports `MMC20.Application`, `ShellWindows` and
`ShellBrowserWindow` objects. (contributions by byt3bl33d3r).
* [getTGT.py](examples/getTGT.py): Given a password, hash or aesKey, this script will
request a TGT and save it as ccache.
* [getST.py](examples/getST.py): Given a password, hash, aesKey or TGT in ccache, this
script will request a Service Ticket and save it as ccache. If the account has constrained
delegation (with protocol transition) privileges you will be able to use the `-impersonate`
switch to request the ticket on behalf of another user.

As always, thanks a lot to all these contributors that make this library better every day (since last version):

dirkjanm, real-datagram, kacpern, martinuy, xelphene, blark, the-useless-one, contactr2m, droc, martingalloar, skelsec, franferrax, Fr0stbyt3, ropnop, MrAnde7son, machosec, federicoemartinez, elitest, symeonp, Kanda-Motohiro, Ramzeth, mohemiv, arch4ngel, derekchentrendmicro, Kayzaks, donwayo, bao7uo, byt3bl33d3r, xambroz, luzpaz, TheNaterz, Mikkgn, derUnbekannt.

0.9.15

Not secure
1. Library improvements
* `SMB3.create`: define `CreateContextsOffset` and `CreateContextsLength` when applicable (by rrerolle)
* Retrieve user principal name from `CCache` file allowing to call any script with `-k` and just the target system (by MrTchuss)
* Major overhaul of packet fragmentation for the DCE RPC layer.
* Improved pass-the-key attack scenarios (by skelsec)
* Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to
build the search filter yourself)
* IPv6 improvements for DCERPC/LDAP and Kerberos

2. Examples improvements
* Adding `-dc-ip` switch to all examples. It allows specifying the IP for the domain.
It assumes the DC and KDC reside on the same server.
* `secretsdump.py`:
  * Adding support for Win2016 TP4 in LOCAL or `-use-vss` mode
  * Adding `-just-dc-user` switch to download just a single user data (DRSUAPI mode only)
  * Support for different ReplEpoch (DRSUAPI only)
  * pwdLastSet is also included in the output file
  * New structures/flags added for 2016 TP5 PAM support
* `wmiquery.py`:
  * Adding `-rpc-auth-level` switch (by gadio)
* `smbrelayx.py`:
  * Added option to specify authentication status code to be sent to requesting client (by mgeeky)
  * Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)

3. New Examples
* `GetUserSPNs.py`: This module will try to find Service Principal Names that are associated with normal user accounts.
This is part of the kerberoast attack researched by Tim Medin (timmedin)
* `ntlmrelayx.py`: `smbrelayx.py` on steroids! NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)
(by dirkjanm)

0.9.14

Not secure
1. Library improvements
* `[MS-TSCH]` - ATSVC, SASec and ITaskSchedulerService Interface implementations
* `[MS-DRSR]` - Directory Replication Service DRSUAPI Interface implementation
* Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
* Unicode support (optional) for the SMBv1 stack (by rdubourguais)
* NTLMv2 enforcement option on SMBv1 client stack (by scriptjunkie)
* Kerberos support for TDS (MSSQL)
* Extended present flags support on RadioTap class
* Old DCERPC runtime code removed

2. Examples improvements
* `mssqlclient.py`:
  * Added Kerberos authentication support
* `atexec.py`:
  * It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
* `smbrelayx.py`:
  * If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default
  * Added -c option to execute custom commands in the target (by byt3bl33d3r)
* `secretsdump.py`:
  * Active Directory hashes/Kerberos keys are dumped using `[MS-DRSR]` (`IDL_DRSGetNCChanges` method)
    by default. VSS method is still available by using the -use-vss switch
  * Added `-just-dc` (Extract only NTDS.DIT NTLM Hashes and Kerberos) and
    `-just-dc-ntlm` (only NTDS.DIT NTLM Hashes) options
  * Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops.
    Use `-resumefile` option.
  * Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump (`[MS-SAMR]` `3.1.1.8.11.5`)
  * Add support for multiple password encryption keys (PEK) (by s0crat)
* `goldenPac.py`:
  * Tests all DCs in the domain and adds the forest's enterprise admin group inside the PAC

3. New examples
* `raiseChild.py`: Child domain to forest privilege escalation exploit. Implements a
child-domain to forest privilege escalation as [detailed by Sean Metcalf](https://adsecurity.org/?p=1640).
* `netview.py`: Gets a list of the sessions opened at the remote hosts and keeps track of them (original idea by mubix)
