Releases: fortra/impacket

impacket 0.9.15

28 Jun 17:48

Project's main page at www.coresecurity.com

ChangeLog for 0.9.15:

  1. Library improvements
    • SMB3.create(): define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
    • Retrieve the user principal name from the CCache file, allowing any script to be called with -k and just the target system (by @MrTchuss)
    • Major overhaul of packet fragmentation for the DCE RPC layer.
    • Improved pass-the-key attack scenarios (by @skelsec)
    • Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to
      build the search filter yourself)
    • IPv6 improvements for DCERPC/LDAP and Kerberos
  2. Examples improvements
    • Adding the -dc-ip switch to all examples. It allows specifying the IP of the domain controller. It assumes the DC and KDC
      reside on the same server
    • secretsdump.py
      • Adding support for Win2016 TP4 in LOCAL or -use-vss mode
      • Adding the -just-dc-user switch to download just a single user's data (DRSUAPI mode only)
      • Support for different ReplEpoch values (DRSUAPI only)
      • pwdLastSet is also included in the output file
      • New structures/flags added for 2016 TP5 PAM support
    • wmiquery.py
      • Adding the -rpc-auth-level switch (by @gadio)
    • smbrelayx.py
      • Added option to specify the authentication status code to be sent to the requesting client (by @mgeeky)
      • Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
  3. New Examples
    • GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user accounts.
      This is part of the kerberoast attack researched by Tim Medin (@TimMedin)
    • ntlmrelayx.py: smbrelayx.py on steroids! NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)
      (by @dirkjanm)

impacket_0_9_14: impacket 0.9.14

07 Jan 15:39
  1. Library improvements:
    • [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService interface implementations
    • [MS-DRSR] - Directory Replication Service DRSUAPI interface implementation
    • Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
    • Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
    • NTLMv2 enforcement option on the SMBv1 client stack (by @scriptjunkie)
    • Kerberos support for TDS (MSSQL)
    • Extended present flags support in the RadioTap class
    • Old DCERPC runtime code removed
  2. Examples improvements:
    • mssqlclient.py: Added Kerberos authentication support
    • atexec.py: It now uses the ITaskSchedulerService interface, adding support for Windows 2012 R2
    • smbrelayx.py:
      • If no file to upload and execute is specified (-E), it just dumps the target user's hashes by default
      • Added -c option to execute custom commands on the target (by @byt3bl33d3r)
    • secretsdump.py:
      • Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method)
        by default. The VSS method is still available by using the -use-vss switch
      • Added -just-dc (extract only NTDS.DIT NTLM hashes and Kerberos keys) and -just-dc-ntlm (only NTDS.DIT NTLM hashes) options
      • Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use the -resumefile option
      • Added Primary:CLEARTEXT property from the supplementalCredentials attribute dump
      • Added support for multiple password encryption keys (PEK) (by @s0crat)
    • goldenPac.py: Tests all DCs in the domain and adds the forest's enterprise admin group inside the PAC
  3. New examples:
    • raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege
      escalation as detailed by Sean Metcalf (@PyroTek3) at https://adsecurity.org/?p=1640. It (ab)uses the concept of Golden Tickets and ExtraSids researched and implemented by Benjamin Delpy (@gentilkiwi) in mimikatz
    • netview.py: Gets a list of the sessions opened at the remote hosts and keeps track of them (original idea by @mubix)

impacket_0_9_13: impacket 0.9.13

04 May 17:42

May 2015 - 0.9.13:

  1. Library improvements
    • Kerberos support for SMB and DCERPC featuring:

      a. kerberosLogin() added to SMBConnection (all SMB versions).
      b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will negotiate Kerberos. This also includes DCOM.
      c. Pass-the-hash, pass-the-ticket and pass-the-key support.
      d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
      e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
      f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.

    • SMB3 encryption support. An experimental version of Pycrypto that supports
      AES_CCM is required.

    • [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)

    • SMBSERVER improvements:

      a. SMB2 (2.002) dialect experimental support.
      b. Adding the capability to export to John The Ripper format files

    • Library logging overhaul. Now there's a single logger called 'impacket'.

  2. Examples improvements:
    • Added Kerberos support to all modules (incl. pass-the-ticket/key)
    • Ported most of the modules to the new dcerpc.v5 runtime.
    • secretsdump.py: Added dumping of Kerberos keys when parsing NTDS.DIT
    • smbserver.py: support for SMB2 (not enabled by default)
    • smbrelayx.py: Added support for MS15-027 exploitation.
  3. New examples:
    • goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a
      psexec session at the target.
    • karmaSMB.py: SMB server that answers with specific file contents regardless of
      the SMB share and pathname requested.
    • wmipersist.py: Creates persistence over WMI. Adds/removes WMI Event
      Consumers/Filters to execute VBS based on a specified WQL filter or timer.
    • netview.py: Gets a list of the sessions opened at the remote hosts, looping over the hosts found and keeping track of who logged in/out of remote servers