Impacket 0.12.0

Impacket 0.12.0:

Project's main page at https://www.coresecurity.com/core-labs/open-source-tools/impacket

ChangeLog for 0.12.0:

1. Library improvements

   • Fixed broken hRSetServiceObjectSecurity method (@rkivys)
   • Removed dsinternals dependency (@anadrianmanrique)
   • Fixed srvs.hNetrShareEnum returning erronous shares (@cnotin)
   • Fixed lmhash computing to support non standard characters in the password (@anadrianmanrique)
   • Assorted fixes when processing Unicode data (@alexisbalbachan)
   • Added [MS-GKDI] Group Key Distribution Protocol implementation (@zblurx)
   • Fixed incorrect padding in SMBSessionSetupAndX_Extended_ResponseData (@rtpt-erikgeiser)
   • Upgraded dependency pyreadline -> pyreadline3 (@anadrianmanrique)
   • SMB Server:
     • Added query information level 0x0109 for smb1 "SMB_QUERY_FILE_STREAM_INFO" (@Adamkadaban)
     • Fixed filename encoding in queryPathInformation (@JerAxxxxxxx)
     • Fixed NextEntryOffset for large directory listings (@robnanola)
     • Fixed server returning an empty folder when cutting and pasting recursive directories (@robnanola)
   • DHCP: Fixed encoding issues (@ujwalkomarla)

2. Examples improvements

   • secretsdump.py:
     • Double DC Sync performance for DCs supporting SID lookups (@tomspencer)
     • Added ability to skip dumping of SAM or SECURITY hives when performing remote operations (@RazzburyPi)
     • Added ability to specify users to skip when dumping NTDS (@RazzburyPi)
   • ticketer.py:
     • Support to create Sapphire tickets (@ShutdownRepo)
   • GetUserSPNs.py, getTGT.py:
     • Support for Kerberoasting without pre-authentication and ST request through AS-REQ (@ShutdownRepo)
   • wmiexec.py:
     • Fix kerberos with remoteHost & add '-target-ip'(@XiaoliChan)
   • ntlmrelayx.py:
     • Added the creation of a new machine account through SMB (@BlWasp)
     • NTLMRelayX Multirelay fixes for target handling, added --keep-relaying flag (@alexisbalbachan)
     • Logging multirelay status when triggering the example (@gabrielg5)
     • Write certificates to file rather than outputting b64 to console (@RazzburyPi)
     • Improved ability to continue relaying to ADCS web enrollment endpoint in order to request multiple certificates for different users (@RazzburyPi)
     • Fixed compatibility issue with other SMB clients connecting to the SOCKS proxy created by ntlmrelayx (@jfjallid)
     • Allow configuration of the SOCKS5 address and port (@rtpt-erikgeiser)
     • Fixed implementation of MSSQLShell (@gabrielg5)
     • Logging notification of received connections in all relay servers (@gabrielg5)
     • Add domain and username to interactive Ldap shell message (@minniear)
     • Enhanced MSSQLShell in NTLMRelayX leveraging TcpShell & output messages (@gabrielg5)
     • LDAP Attack: Bugfixes when parsing responses (@SAERXCIT)
   • getST.py:
     • Added -self, -altservice and -u2u for S4U2self abuse, S4U2self+u2u, and service substitution (@ShutdownRepo)
     • Added ability to set the RENEW ticket option to renew a TGT (@shikatano)
     • Fixed unicode encoding error when using the -impersonate flag (@alexisbalbachan)
   • getTGT.py:
     • Added principalType as new parameter (@DevSpork)
   • reg.py:
     • Start remote registry as unprivileged user in reg.py (@dadevel)
     • Allow adding Binary values (@dc3l1ne)
     • Add missing Null byte for REG_SZ values (@PfiatDe)
     • Support for adding REG_MULTI_SZ values through (@garbrielg5)
   • smbclient.py:
     • Added ability to provide an output file that the smbclient mini shell will write commands and output to (@RazzburyPi)
     • Fixed path parse issue when running tree command (@trietend)
   • smbserver.py:
     • Added parameter "-outputfile" to set smbserver log file(gabrielg5)
   • DumpNTLMInfo.py:
     • Allow execution on non-default ports (@jeffmcjunkin)
     • Fixed KeyError exception when running with a Windows 2003 target (@XiaoliChan)
   • findDelegation.py:
     • Added new column to show if SPN exists (@p0dalirius)
   • mssqlclient.py:
     • Added -target-ip parameter to allow Kerberos authentication without much change in the DNS configuration of the local machine (@Palkovsky)
   • mssqlshell.py:
     • Switching back to original DB after running enum_impersonate command (@exploide)
     • Fixed logging in printReplies showing error messages (@gabrielg5)
   • registry-read.py:
     • Fixed scenario where value name contains backlash (@DidierA)
   • net.py:
     • Fixed User "Account Active" property value (@marcobarlottini)
     • Fixed log messages printing variables in the wrong order (@Cyb3rC3lt)
   • rbcd.py:
     • Handled SID not found in LDAP error (@ShutdownRepo)
   • GetUserSPNs.py:
     • Updated the help information for -outputfile to be consistent with -save (@scarvell)
   • ntfs-read.py:
     • Minor refactor in ntfs-read.py to make it more human-readable (@NtAlexio2)
   • ldap_shell.py:
     • Added support for dirsync and whoami commands (@nurfed1)
   • lookupsid.py:
     • Now supports kerberos auth (@A1vinSmith)
   • samrdump.py:
     • Will fetch AdminComment using MSRPC (@joeldeleep)
   • tstool.py:
     • Added support for kerberos auth, resolves SIDs (@nopernik)

3. New examples

   • describeTicket.py: Ticket describer and decrypter. (@ShutdownRepo)
   • GetADComputers.py: Query's DC via LDAP and returns the COMPUTER objects and the useful attributes such as full dns name, operating system name and version. (@F-Masood)
   • GetLAPSPassword.py: Extract LAPS passwords from LDAP (@zblurx and @dru1d-foofus)
   • dacledit.py: This script can be used to read, write, remove, backup, restore ACEs (Access Control Entries) in an object DACL (Discretionary Access Control List). (@ShutdownRepo) (@BlWasp_) (@wlayzz)
   • owneredit.py: Added this script to abuse WriteOwner (ADS_RIGHT_WRITE_OWNER) access rights. This allows to take ownership of another object, and then edit that object's DACL (@ShutdownRepo) (@BlWasp_)

As always, thanks a lot to all these contributors that make this library better every day (up to now):

@tomspencer @anadrianmanrique @ShutdownRepo @dadevel @gjhami @NtAlexio2 @F-Masood @BlWasp @gabrielg5 @XiaoliChan @omry99 @wlayzz @themaks @alexisbalbachan @RazzburyPi @jeffmcjunkin @p0dalirius @dc3l1ne @jfjallid @Palkovsky @rtpt-erikgeiser @trietend @zblurx @dru1d-foofus @PfiatDe @DidierA @marcobarlottini @PeterGabaldon @m8r1us @5yn @tzuralon @Adamkadaban @scarvell @JerAxxxxxxx @ujwalkomarla @robnanola @SAERXCIT @nurfed1 @A1vinSmith @joeldeleep @nopernik

Impacket 0.11.0

Impacket 0.11.0:

Project's main page at https://www.coresecurity.com/core-labs/open-source-tools/impacket

ChangeLog for 0.11.0:

1. Library improvements

   • Added new Kerberos error codes (@ly4k).
   • Added [MS-TSTS] Terminal Services Terminal Server Runtime Interface Protocol implementation (@nopernik).
   • Changed the setting up for new SSL connections (@mpgn, @CT-H00K and @0xdeaddood).
   • Added a callback function to smbserver for incoming authentications (@p0dalirius).
   • Fix crash in winregistry (@laxa)
   • Fixes in IDispatch derived classes in comev implementation (@NtAlexio2)
   • Fix CVE-2020-17049 in ccache.py (@godylockz)
   • Smbserver: Added SMB2_FILE_ALLOCATION_INFO type determination (@JerAxxxxxxx)
   • tds: Fixed python3 incompatibility when receiving over TLS socket (@exploide)
   • crypto: Ensure passwords are utf-8 encoded before deriving Kerberos keys (@jojonas)
   • ese: Fixed python3 incompatibility when reading from db (@alexisbalbachan)
   • ldap queries: Escaped characters are now correctly parsed (@alexisbalbachan)
   • Support SASL authentication in ldap protocol (@NtAlexio2)

2. Examples improvements

   • GetADUsers.py, GetNPUsers.py, GetUserSPNs.py and findDelegation.py:
     • Added dc-host option to connect to specific KDC using its FQDN or NetBIOS name (@rmaksimov and @0xdeaddood).
   • GetNPUsers.py
     • Printing TGT in stdout despite -outputfile parameter (@alexisbalbachan and @Zamanry)
     • Fixed output hash format for AES128/256 (etype 17/18) (@erasmusc)
   • GetUserSPNs.py:
     • Added LDAP paged search (@ThePirateWhoSmellsOfSunflowers and @SAERXCIT).
     • Added a -stealth flag to remove the SPN filter from the LDAP query (@clavoillotte).
     • Improved searchFilter (@ShutdownRepo)
     • Use LDAP paged search (@ThePirateWhoSmellsOfSunflowers)
   • psexec.py:
     • Added support for name customization using a custom binary file (@Dramelac).
   • smbexec.py:
     • Security fixes for privilege escalation vulnerabilities (@bugch3ck).
     • Fixed python3 compatibility issues, added workaround TCP over NetBIOS being disabled (@ljrk0)
   • secretsdump.py:
     • Added a new option to extract only NTDS.DIT data for specific users based on an LDAP filter (@snovvcrash).
     • Security fixes for privilege escalation vulnerabilities (@bugch3ck).
   • mssqlclient.py:
     • Added multiple new commands. Now supports xp_dirtree execution (@Mayfly277, @trietend and @TurtleARM).
   • ntlmrelayx.py:
     • Added ability to trigger SQLShell when running ntlmrelayx in interactive mode (@sploutchy).
     • Added filter option to the socks command in ntlmrelayx CLI (@shoxxdj)
     • Added ability to register DNS records through LDAP.
   • addcomputer.py, rbcd.py:
     • Allow weak TLS ciphers for LDAP connections (@AdrianVollmer)
   • Get-GPPPassword.py:
     • Better handling of various XML files in Group Policy Preferences (@p0dalirius)
   • smbclient.py:
     • Added recursive file listing (@Sq00ky)
   • ticketer.py:
     • Ticket duration is now specified in hours instead of days (@Dramelac)
     • Added extra-pac implementation (@Dramelac)

3. New examples

   • net.py Implementation of windows net.exe builtin tool (@NtAlexio2)
   • changepasswd.py New example that allows password changing or reseting through multiple protocols (@Alef-Burzmali, @snovvcrash, @bransh, @api0cradle and @p0dalirius)
   • DumpNTLMInfo.py New example that dumps remote host information in ntlm authentication model, without credentials. For SMB protocols v1, v2 and v3. (@NtAlexio2)

As always, thanks a lot to all these contributors that make this library better every day (up to now):

@ly4k @nopernik @snovvcrash @ShutdownRepo @kiwids0220 @mpgn @CT-H00K @rmaksimov @arossert @aevy-syn @tirkarthi @p0dalirius @Dramelac @Mayfly277 @S3cur3Th1sSh1t @nobbd @AdrianVollmer @trietend @TurtleARM @ThePirateWhoSmellsOfSunflowers @SAERXCIT @clavoillotte @Marshall-Hallenbeck @sploutchy @almandin @rtpt-alexanderneumann @JerAxxxxxxx @NtAlexio2 @laxa @godylockz @exploide @jojonas @Zamanry @erasmusc @bugch3ck @ljrk0 @Sq00ky @shoxxdj @Alef-Burzmali @bransh @api0cradle @alexisbalbachan @0xdeaddood @Sanmopre

Impacket 0.10.0

Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.10.0:

1. Library improvements

   • Dropped support for Python 2.7.
   • Refactored the testing infrastructure (@martingalloar):
     • Added pytest as the testing framework to organize and mark test cases. Tox remain as the automation framework, and Coverage.py for measuring code coverage.
     • Custom bash scripts were replaced with test cases auto-discovery.
     • Local and remote test cases were marked for easy run and configuration.
     • DCE/RPC endpoint test cases were refactored and moved to a new layout.
     • An initial testing guide with the main steps to prepare a testing environment and run them.
     • Fixed a good amount of DCE/RPC endpoint test cases that were failing.
     • Added tests for [MS-PAR], [MS-RPRN], CCache and DPAPI.
   • Added a function to compute the Netlogon Authenticator at client-side in [MS-NRPC] (@0xdeaddood)
   • Added [MS-DSSP] protocol implementation (@simondotsh)
   • Added GetDriverDirectory functions to [MS-PAR] and [MS-RPRN] (@raithedavion)
   • Refactored the Credential Cache:
     • Added new parseFile function to ccache.py (@rmaksimov)
     • Added support for loading CCache Version 3 (@reznok)
     • Modified fromKRBCRED function used to load a Kirbi file (@0xdeaddood)
     • Fixed Ccache to Kirbi conversion (@ShutdownRepo)
   • Fixed default NTLM server challenge in smbserver (@rtpt-jonaslieb)

2. Examples improvements

   • exchanger.py:
     • Fixed a bug when a Global Address List doesn't exist on the server (@mohemiv)
   • mimikatz.py
     • Updated intro to not trigger the AV on windows (@mpgn)
   • ntlmrelayx.py:
     • Implemented RAW Relay Server (@CCob)
     • Added an LDAP attack dumping information about the domain's ADCS enrollment services (@SAERXCIT)
     • Added multi-relay feature to the HTTP Relay Server. Now one incoming HTTP connection could be used against multiple targets (@0xdeaddood)
     • Added an option to disable the multi-relay feature (@zblurx and @0xdeaddood)
     • Added multiple HTTP listeners running at the same time (@SAERXCIT)
     • Support for the ADCS ESC1 and ESC6 attacks (@hugo-syn)
     • Added Shadow Credentials attack (@ShutdownRepo, @Tw1sm, @nodauf and @p0dalirius)
     • Added the ability to define a password for the LDAP attack addComputer (@ShutdownRepo)
     • Added rename_computer and modify add_computer in LDAP interactive shell (@capnkrunchy)
     • Implemented StartTLS (@ThePirateWhoSmellsOfSunflowers)
   • reg.py:
     • Added save function to allow remote saving of registry hives (@ShutdownRepo and @scopedsecurity)
   • secretsdump.py:
     • Added an option to dump credentials using the Kerberos Key List attack (@0xdeaddood)
   • smbpasswd.py:
     • Added an option to force credentials change via injecting new values into SAM (@snovvcrash and @Alef-Burzmali!)

3. New examples

   • machine_role.py: This script retrieves a host's role along with its primary domain details (@simondotsh)
   • keylistattack.py: This example implements the Kerberos Key List attack to dump credentials abusing RODCs and Azure AD Kerberos Servers (@0xdeaddood)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@rmaksimov @simondotsh @CCob @raithedavion @SAERXCIT @Maltemo @dirkjanm @reznok @ShutdownRepo @scopedsecurity @Tw1sm @nodauf @p0dalirius @zblurx @hugo-syn @capnkrunchy @mohemiv @mpgn @rtpt-jonaslieb @snovvcrash @Alef-Burzmali @ThePirateWhoSmellsOfSunflowers @jlvcm

Impacket 0.9.24

Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.9.24:

1. Library improvements

   • Fixed WMI objects parsing (@franferrax)
   • Added the RpcAddPrinterDriverEx method and related structures to [MS-RPRN]: Print System Remote Protocol (@cube0x0)
   • Initial implementation of [MS-PAR]: Print System Asynchronous Remote Protocol (@cube0x0)
   • Complying MS-RPCH with HTTP/1.1 (@mohemiv)
   • Added return of server time in case of Kerberos error (@ShutdownRepo and @Hackndo)

2. Examples improvements

   • getST.py:
     • Added support for a custom additional ticket for S4U2Proxy (@ShutdownRepo)
   • ntlmrelayx.py:
     • Added Negotiate authentication support to the HTTP server (@LZD-TMoreggia)
     • Added anonymous session handling in the HTTP server (@0xdeaddood)
     • Fixed error in ldapattack.py when trying to escalate with machine account (@Rcarnus)
     • Added the implementation of AD CS attack (@ExAndroidDev)
     • Disabled the anonymous logon in the SMB server (@ly4k)
   • psexec.py:
     • Fixed decoding problems on multi bytes characters (@p0dalirius)
   • reg.py:
     • Implemented ADD and DELETE functionalities (@Gifts)
   • secretsdump.py:
     • Speeding up NTDS parsing (@skelsec)
   • smbclient.py:
     • Added 'mget' command which allows the download of multiple files (@deadjakk)
     • Handling empty search count in FindFileBothDirectoryInfo (@martingalloar)
   • smbpasswd.py:
     • Added the ability to change a user's password providing NTLM hashes (@snovvcrash)
   • smbserver.py:
     • Added NULL SMBv2 client connection handling (@0xdeaddood)
     • Hardened path checks and Added TID checks (@martingalloar)
     • Added SMB2 support to QUERY_INFO Request and Enabled SMB_COM_FLUSH method (@0xdeaddood)
     • Added missing constant and structure for the QUERY_FS Information Level SMB_QUERY_FS_DEVICE_INFO (@martingalloar)
   • wmipersist.py:
     • Fixed VBA script execution and improved error checking (@franferrax)

3. New examples

   • rbcd.py: Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (@ShutdownRepo and @p0dalirius) (based on the previous work of @tothi and @NinjaStyle82)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@deadjakk @franferrax @cube0x0 @w0rmh013 @skelsec @mohemiv @LZD-TMoreggia @exploide @ShutdownRepo @Hackndo @snovvcrash @rmaksimov @Gifts @Rcarnus @ExAndroidDev @ly4k @p0dalirius

Impacket 0.9.23

Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.9.23:

1. Library improvements

   • Support connect timeout with SMBTransport (@vruello)
   • Speeding up DcSync (@mohemiv)
   • Fixed Python3 issue when serving SOCKS5 requests (@agsolino)
   • Moved docker container to Python 3.8 (@mgallo)
   • Added basic GitHub Actions workflow (@mgallo)
   • Fixed Path Traversal vulnerabilities in smbserver.py - CVE-2021-31800 (@omriinbar AppSec Researcher at CheckMarx)
   • Fixed POST request processing in httprelayserver.py (@Rcarnus)
   • Added cat command to smbclient.py (@mxrch)
   • Added new features to the LDAP Interactive Shell to facilitate AD exploitation (@adamcrosser)
   • Python 3.9 support (@meeuw and @cclauss)

2. Examples improvements

   • addcomputer.py:
     • Enable the machine account created via SAMR (@0xdeaddood)
   • getST.py:
     • Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (@jakekarnes42)
     • Compute NTHash and AESKey for the Bronze Bit attack automatically (@snovvcrash)
   • ntlmrelayx.py:
     • Fixed target parsing error (@0xdeaddood)
   • wmipersist.py:
     • Fixed filterBinding error (@franferrax)
     • Added PowerShell option for semi-interactive shells in dcomexec.py, smbexec.py and wmiexec.py (@snovvcrash)
     • Added new parameter to select COMVERSION in dcomexec.py, wmiexec.py, wmipersist.py and wmiquery.py (@zexusx26)

3. New examples

   • Get-GPPPassword.py: This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (@ShutdownRepo and @p0dalirius)
   • smbpasswd.py: This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (@snovvcrash)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@mpgn @vruello @mohemiv @jagotu @jakekarnes42 @snovvcrash @zexusx26 @omriinbar @Rcarnus @nuschpl @mxrch @ShutdownRepo @p0dalirius @adamcrosser @franferrax @meeuw and @cclauss

impacket 0.9.22

Project's main page at https://www.secureauth.com/labs/impacket/

ChangeLog for 0.9.22:

1. Library improvements

   • Added implementation of RPC over HTTP v2 protocol (by @mohemiv).
   • Added MS-NSPI, MS-OXNSPI and MS-OXABREF protocol implementations (by @mohemiv).
   • Improved the multi-page results in LDAP queries (by @ThePirateWhoSmellsOfSunflowers).
   • NDR parser optimization (by @mohemiv).
   • Improved serialization of WMI method parameters (by @tshmul).
   • Introduce the MS-NLMP 2.2.2.10 VERSION structure in NTLMAuthNegotiate messages (by @franferrax).
   • Added some NETLOGON structs for NetrServerPasswordSet2 (by @dirkjanm).
   • Python 3.8 support.

2. Examples improvements

   • atexec.py: Fixed after MS patches related to RPC attacks (by @mohemiv).
   • dpapi.py: Added -no-pass, pass-the-hash and AES Key support for backup subcommand.
   • GetNPUsers.py: Added ability to enumerate targets with Kerberos KRB5CC (by @rmaksimov).
   • GetUserSPNs.py: Added new features for kerberoasting (by @mohemiv).
   • ntlmrelayx.py:
     • Added ability to relay on new Windows versions that have SMB guest access disabled by default.
     • Added option to specify the NTLM Server Challenge used when receiving a connection.
     • Added relaying to RPC support (by @mohemiv).
     • Implemented WCFRelayServer (by @cnotin).
     • Added Zerologon DCSync Relay Client (by @dirkjanm).
     • Fixed issue in ldapattack.py when relaying and creating computer in CN=Computers (by @Hackndo).
   • rpcdump.py: Added RPC over HTTP v2 support (by @mohemiv).
   • secretsdump.py:
     • Added ability to specifically delete a shadow based on its ID (by @phefley).
     • Dump plaintext machine account password when dumping the local registry secrets(by @dirkjanm).

3. New examples

   • exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2 (by @mohemiv).
   • rpcmap.py: Scan for listening DCE/RPC interfaces (by @mohemiv).

As always, thanks a lot to all these contributors that make this library better every day (since last version):
@mohemiv @mpgn @Romounet @ThePirateWhoSmellsOfSunflowers @rmaksimov @fuzzKitty @tshmul @spinenkoia @AaronRobson @ABCIFOGeowi40 @cclauss @cnotin @5alt @franferrax @Dliv3 @dirkjanm @Mr-Gag @vbersier @phefley @Hackndo

impacket 0.9.21

Project's main page at www.secureauth.com

ChangeLog for 0.9.21:

1. Library improvements

   • New methods into CCache class to import/export kirbi (KRB-CRED) formatted tickets (by @zer1t0).
   • Add FSCTL_SRV_ENUMERATE_SNAPSHOTS functionality to SMBConnection (by @rxwx).
   • Changes in NetBIOS classes in nmb.py (select() by poll() read from socket) (by @cnotin).
   • Timestamped logging added.
   • Interactive shell to perform LDAP operations (by @mlefebvre).
   • Added two DCE/RPC calls in tsch.py (by @mohemiv).
   • Single-source the version number and standardize on symantic + pre-release + local versioning (by @jsherwood0).
   • Added implementation for keytab files (by @kcirtapw).
   • Added SMB 3.1.1 support for Client SMB Connections.

2. Examples improvements

   • smbclient.py: List the VSS snapshots for a specified path (by @rxwx).
   • GetUserSPNs.py: Added delegation information associated with accounts (by @G0ldenGunSec).
   • dpapi.py:
     • Added more functions to decrypt masterkeys based on SID + hashes/key. Also support supplying hashes instead of the password for decryption(by @dirkjanm).
     • Pass the hash support for backup key retrieval (by @imaibou).
     • Added feature to decrypt a user's masterkey using the MS-BKRP (by @imaibou).
   • raiseChild.py: Added a new flag to specify the RID of a user to dump credentials (by @0xdeaddood).
   • Added flags to bypass badly made detection use cases (by @MaxNad):
     • smbexec.py: Possibility to rename the PSExec uploaded binary name with the -remote-binary-name flag.
     • psexec.py: Possibility to use another service name with the -service-name flag.
   • ntlmrelayx.py:
     • Added a flag to use a SID as the escalate user for delegation attacks(by @0xe7).
     • Support for dumping LAPS passwords (by @praetorian-adam-crosser).
     • Added LDAP interactive mode that allow an attacker to manually perform basic operations like creating a new user, adding a user to a group , dump the AD, etc. (by @mlefebvre).
     • Support for multiple relays through one SMB connection (by @0xdeaddood).
     • Added support for dumping gMSA passwords (by @cube0x0).
   • ticketer.py: Added an option to use the SPNs keys from a keytab for a silver ticket.(by @kcirtapw)

3. New Examples

   • addcomputer.py: Allows add a computer to a domain using LDAP or SAMR (SMB) (by @jagotu)
   • ticketConverter.py: This script converts kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by @zer1t0).
   • findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment (by @G0ldenGunSec).

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@jagotu, @zer1t0 ,@rxwx, @mpgn, @danhph, @awsmhacks, @slasyz, @cnotin, @exploide, @G0ldenGunSec, @dirkjanm, @0xdeaddood, @MaxNad, @imaibou, @BarakSilverfort, @0xe7, @mlefebvre, @rmaksimov, @praetorian-adam-crosser, @jsherwood0, @mohemiv, @justin-p, @cube0x0, @spinenkoia, @kcirtapw, @MrAnde7son, @fridgehead, @MarioVilas.

impacket 0.9.20

Project's main page at www.secureauth.com

ChangeLog for 0.9.20:

1. Library improvements

   • Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets whenever you find something not working as expected. Libraries and examples should be fully functional.
   • Test coverage improvements by @infinnovation-dev
   • Anonymous SMB 2.x Connections are not encrypted anymore (by @cnotin)
   • Support for multiple PEKs when decrypting Windows 2016 DIT files (by @mikeryan)

2. Examples improvements

   • ntlmrelayx.py:
     1. CVE-2019-1019: Bypass SMB singing for unpatched (by @msimakov)
     2. Added POC code for CVE-2019-1040 (by @dirkjanm)
     3. Added NTLM relays leveraging Webdav authentications (by @salu90)

3. New Examples

   • kintercept.py: A tool for intercepting krb5 connections and for testing KDC handling S4U2Self with unkeyed checksum (by @iboukris)

As always, thanks a lot to all these contributors that make this library better every day (since last version):
@infinnovation-dev, @cnotin, @mikeryan, @SR4ven, @cclauss, @skorov, @msimakov, @dirkjanm, @franferrax, @iboukris, @n1ngod, @c0d3z3r0, @MrAnde7son.

impacket 0.9.19

Project's main page at www.secureauth.com

ChangeLog for 0.9.19:

1. Library improvements

   • [MS-EVEN] Interface implementation (Initial - by @MrAnde7son )

2. Examples improvements

   • ntlmrelayx.py:

     1. Socks local admin check (by @imaibou)
     2. Add Resource Based Delegation features (by @dirkjanm)

   • smbclient.py: Added ability to create/remove mount points to exploit James Forshaw's Abusing Mount Points over the SMB Protocol technique. (by @Qwokka)

   • GetST.py: Added resource-based constrained delegation support to S4U (@eladshamir )

   • GetNPUsers.py: Added hashcat/john format and users file input (by @zer1t0 )

As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @MrAnde7son, @ibo, @franferrax, @Qwokka, @CaledoniaProject , @eladshamir, @zer1t0, @martingalloar, @muizzk, @Petraea, @SR4ven, @Fist0urs, @zer1t0

impacket 0.9.18

Project's main page at www.secureauth.com

ChangeLog for 0.9.18:

1. Library improvements

   • Replace unmaintained PyCrypto for pycryptodome (@dirkjanm)
   • Using cryptographically secure pseudo-random generators
   • Kerberos "no pre-auth and RC4" handling in GetKerberosTGT (by @qlemaire)
   • Test cases adjustments, travis and flake support (@cclauss)
   • Python3 test cases fixes (@eldipa)
   • Adding DPAPI / Vaults related structures and functions to decrypt secrets.
   • [MS-RPRN] Interface implementation (Initial)

2. Examples improvements

   • ntlmrelayx.py: Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by @dirkjanm)
   • secretsdump.py: Added dumping of machine account Kerberos keys (@dirkjanm). DPAPI_SYSTEM LSA Secret is now parsed and key contents are shown.
   • GetUserSPNs.py: Bugfixes and cross-domain support (@dirkjanm)

3. New Examples

   • dpapi.py: Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by @MrAnde7son

As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @MrAnde7son, @franferrax, @MrRobot86, @qlemaire, @cauan, @eldipa