Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
Grab the latest stable release, unpack it and run python3 -m pip install . (python2 -m pip install . for Python 2.x) from the directory where you placed it. Isn't that easy?
Installing
To install from source, execute the following command from the directory where Impacket's distribution has been unpacked: python3 -m pip install . (python2 -m pip install . for Python 2.x). This will install the classes into the default Python modules path; note that you might need special permissions to write there.
Testing
If you want to run the library test cases you need to do mainly three things:
Install and configure a Windows 2012 R2 Domain Controller.
Be sure the RemoteRegistry service is enabled and running.
Configure the dcetest.cfg file with the necessary information
Install tox (python3 -m pip install tox)
Once that's done, you can run tox and wait for the results. If all goes well, all test cases should pass. You will also have a coverage HTML report located at impacket/tests/htmlcov/index.html
Docker Support
Build Impacket's image:
docker build -t "impacket:latest" .
Using Impacket's image:
docker run -it --rm "impacket:latest"
Licensing
This software is provided under a slightly modified version of the Apache Software License. See the accompanying LICENSE file for more information.
SMBv1 and NetBIOS support based on Pysmb by Michael Teo.
Disclaimer
The spirit of this Open Source initiative is to help security researchers, and the community, speed up research and educational activities related to the implementation of networking protocols and stacks.
The information in this repository is for research and educational purposes and not meant to be used in production environments and/or as part of commercial products.
If you desire to use this code or some part of it for your own uses, we recommend applying proper security development life cycle and secure coding practices, as well as generate and track the respective indicators of compromise according to your needs.
Contact Us
Whether you want to report a bug, send a patch, or give some suggestions on this package, drop us a few lines at [email protected].
Hi all, after generating a golden ticket, I go to try and use the wmiexec.py example with the -k and -no-pass options, but I am getting a strange exception:
ConstraintsIntersection(ConstraintsIntersection(), ConstraintsUnion(SingleValueConstraint(11), SingleValueConstraint(13))) failed at: ValueConstraintError('ConstraintsUnion(SingleValueConstraint(11), SingleValueConstraint(13)) failed at: ValueConstraintError('all of (SingleValueConstraint(11), SingleValueConstraint(13)) failed for "15"',)',) at Integer
Did I generate my ticket incorrectly or something?
Hey, I want to relay authentication from the client to the server (attacker), but the client does not relay the authentication. When I allow the SMB share on the client \192.168.43.231, it shows the message:
Ok, now I want to test if the client can send the authentication. If I am able to capture it, then I can deliver my metasploit_payload.exe to the target machine. But I can't capture the authentication. It shows the message below:
Sorry, this is only a question, because I don't know how to fix it. I have read many blogs but I still can't find a solution.
I'm having an issue with secretsdump.py on a ntds.dit file coming from a Windows Server 2016. When I run secretsdump.py on it:
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
It returns the following:
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
[*] Target system bootKey: 0xc03fcc27eb232e8cf9aedfe9dccb2af8
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[-] Error while calling getNextRow(), trying the next one
Previously, I was on the v0.9.16-dev branch, and I had a utf16 codec error.
Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
[*] Target system bootKey: 0xc03fcc27eb232e8cf9aedfe9dccb2af8
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[-] 'utf16' codec can't decode bytes in position 0-1: illegal encoding
[*] Cleaning up...
Is it possible that Impacket isn't updated to support the extraction of ntds.dit files from a Windows Server 2016 yet? I can provide all the logs, and debugging data needed (minus the actual ntds.dit and SYSTEM files, obviously).
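Added example, not part of the original issue and not Impacket's own code: a small Python auditor for the `domain\uid:rid:lmhash:nthash` lines that secretsdump prints once a run like the one above succeeds. It parses those lines, skips status output such as the `[*]` lines, and reports the weak-credential findings a defender checks a dump for: accounts whose NT hash is the well-known hash of the empty password, accounts that still carry a real LM hash, and groups of accounts sharing one NT hash (password reuse). The sample dump is constructed; apart from the two well-known empty-password constants, every hash value in it is made up.

```python
import re
from collections import defaultdict

# Well-known constants: LM hash stored when LM is empty/disabled, and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# domain\uid:rid:lmhash:nthash plus the ":::" secretsdump appends; the domain
# prefix is optional so local SAM dumps (user:rid:lm:nt:::) parse as well.
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32})(?::::)?\s*$"
)

# Constructed sample output; the hash values are not real credentials.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
CORP\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\legacyapp:1106:00000000000000000000000000000000:fedcba9876543210fedcba9876543210:::
CORP\WS01$:1107:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
[*] Cleaning up...
"""


def parse_hash_line(line):
    """Return a dict for one hash line, or None for anything else (status lines, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["rid"] = int(d["rid"])
    d["lm"] = d["lm"].lower()
    d["nt"] = d["nt"].lower()
    d["account"] = ("%s\\%s" % (d["domain"], d["user"])) if d["domain"] else d["user"]
    return d


def audit_dump(text):
    """Parse a whole secretsdump output and summarize credential-hygiene findings."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_hash_line(line)
        if entry is None:
            skipped += 1          # "[*] ..." progress lines and other non-hash output
        else:
            entries.append(entry)

    # Group accounts by NT hash: identical hashes mean identical passwords.
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["account"])

    return {
        "parsed": len(entries),
        "skipped": skipped,
        "blank_password": [e["account"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_hash_present": [e["account"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_nt_hash": sorted(a for a in by_nt.values() if len(a) > 1),
        "machine_accounts": [e["account"] for e in entries if e["user"].endswith("$")],
    }


if __name__ == "__main__":
    for key, value in audit_dump(SAMPLE_DUMP).items():
        print("%-16s %s" % (key, value))
```

Machine accounts are listed separately because their randomly generated passwords are not a finding; the reuse and blank-password lists are what would go into a remediation ticket.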
Session setup response.
{{{
Frame 208: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits)
Ethernet II, Src: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0), Dst: Apple_c6:56:be (78:31:c1:c6:56:be)
Internet Protocol Version 4, Src: 10.1.9.175, Dst: 10.2.5.12
Transmission Control Protocol, Src Port: 445, Dst Port: 64322, Seq: 219, Ack: 269, Len: 77
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Server Component: SMB2
Header Length: 64
Credit Charge: 0
NT Status: STATUS_INVALID_PARAMETER (0xc000000d)
Command: Session Setup (1)
Credits granted: 0
Flags: 0x00000001, Response
Chain Offset: 0x00000000
Message ID: 0
Process Id: 0x00000000
Tree Id: 0x00000000
Session Id: 0x0000000000000000
Signature: 00000000000000000000000000000000
[Response to: 207]
[Time from request: 0.002369000 seconds]
Session Setup Response (0x01)
StructureSize: 0x0009
Session Flags: 0x0000
Security Blob: : NO DATA
Offset: 0x00000000
Length: 0
}}}
Scenario : 1
NetApp server with SMB2 dialect, login fails.
{{{
c = SMBConnection(remoteName='netapp-server', remoteHost='10.1.9.175', myName=None, sess_port=445, preferredDialect=514)
c.login("user1", "password1", "domain1")
Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 264, in login
raise SessionError(e.get_error_code())
SessionError: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)
}}}
I connect to our private CIFS server successfully when I provide a valid dialect.
Scenario: 2
Local server:
If I don't provide preferredDialect, it fails in the negotiation step itself.
{{{
c = SMBConnection(remoteName='local-1', remoteHost='10.1.29.12', myName=None, sess_port=445, preferredDialect=None)
Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 74, in __init__
self.negotiateSession(preferredDialect)
File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 118, in negotiateSession
session=self._nmbSession, preferredDialect=514)
File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 242, in __init__
self.negotiateSession(preferredDialect)
File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 458, in negotiateSession
ans = self.recvSMB(packetID)
File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 381, in recvSMB
data = self._NetBIOSSession.recv_packet(self._timeout)
File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 854, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 932, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 921, in non_polling_read
raise NetBIOSError, ('Error while reading from remote', ERRCLASS_OS, None)
NetBIOSError: Error while reading from remote
}}}
NetApp CIFS server with no preferredDialect: STATUS_INVALID_PARAMETER.
So it actually reads from the socket but gets an unexpected status in the negotiation phase.
{{{
c = SMBConnection(remoteName='netapp-server', remoteHost='10.1.9.175', myName=None, sess_port=445, preferredDialect=None)
Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 74, in __init__
self.negotiateSession(preferredDialect)
File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 118, in negotiateSession
session=self._nmbSession, preferredDialect=514)
File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 242, in __init__
self.negotiateSession(preferredDialect)
File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 459, in negotiateSession
if ans.isValidAnswer(STATUS_SUCCESS):
File "/usr/local/lib/python2.7/site-packages/impacket/smb3structs.py", line 430, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
SessionError: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)
}}}
Settings on NetApp server
{{{
netapp-server> options cifs.smb2
cifs.smb2.enable on
cifs.smb2.signing.max_threads 0
cifs.smb2.signing.multiprocessing disabled
cifs.smb2.signing.required off
cifs.smb2_1.branch_cache.enable off
cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover)
netapp-server> options cifs.signing
cifs.signing.enable off
}}}
I have compared pcaps from Mac/Windows while connecting to the CIFS server using libsmb.py and haven't found any field that is wrong or unexpected.
I have also checked the NTLMSSP flags and tried variations to see if there is any unsupported flag, but no luck.
I can connect to the same CIFS servers from Windows 7 using SMB2.
Any help would be appreciated, on where to look or whether I am missing any setting on the server side.
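The session setup response captured above is a handy test input for the kind of work the README describes, building and parsing packets from raw bytes. What follows is an added example, not Impacket's code and not from the issue author: it decodes a NetBIOS-framed SMB2 message with plain `struct`, reproduces the capture's values in a constructed frame (NT status 0xC000000D, Session Setup, StructureSize 9, no security blob, 77 bytes on the wire), and applies the same decision the traceback's `isValidAnswer(STATUS_SUCCESS)` frame makes, namely that any status other than the expected one is an error. The NT status name table is a small subset chosen for this example; field layout follows [MS-SMB2].

```python
import struct

# SMB2 header layout from [MS-SMB2] 2.2.1.2: 64 bytes, little-endian.
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"
SMB2_HEADER_LEN = struct.calcsize(SMB2_HEADER_FMT)      # 64
SMB2_SESSION_SETUP = 0x0001
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001                   # set on every response
STATUS_SUCCESS = 0x00000000
# Small subset of [MS-ERREF] codes that show up during session setup.
NT_STATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000000D: "STATUS_INVALID_PARAMETER",
}


def parse_netbios_session(data):
    """Strip the 4-byte NetBIOS Session Service header (1-byte type, 24-bit big-endian length)."""
    if len(data) < 4:
        raise ValueError("short NetBIOS session header")
    msg_type, length = data[0], int.from_bytes(data[1:4], "big")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("NetBIOS payload truncated: want %d, have %d" % (length, len(payload)))
    return msg_type, payload


def parse_smb2_header(data):
    """Unpack the fixed SMB2 header into named fields, validating the magic and size."""
    if len(data) < SMB2_HEADER_LEN:
        raise ValueError("short SMB2 header")
    names = ("ProtocolId", "StructureSize", "CreditCharge", "Status", "Command",
             "Credits", "Flags", "NextCommand", "MessageId", "ProcessId",
             "TreeId", "SessionId", "Signature")
    hdr = dict(zip(names, struct.unpack(SMB2_HEADER_FMT, data[:SMB2_HEADER_LEN])))
    if hdr["ProtocolId"] != SMB2_PROTOCOL_ID or hdr["StructureSize"] != SMB2_HEADER_LEN:
        raise ValueError("not an SMB2 header")
    return hdr


def parse_session_setup_response(body):
    """Unpack SESSION_SETUP Response: StructureSize(9), SessionFlags, blob offset/length."""
    if len(body) < 8:
        raise ValueError("short SESSION_SETUP response")
    size, sess_flags, blob_off, blob_len = struct.unpack("<HHHH", body[:8])
    if size != 9:
        raise ValueError("unexpected StructureSize %d" % size)
    blob = b""
    if blob_len:
        start = blob_off - SMB2_HEADER_LEN   # offset is relative to the SMB2 header start
        blob = body[start:start + blob_len]
        if len(blob) != blob_len:
            raise ValueError("security blob truncated")
    return {"SessionFlags": sess_flags, "SecurityBlob": blob}


def summarize_response(frame):
    """Decode one NetBIOS-framed SMB2 message and report what the server answered."""
    _, smb = parse_netbios_session(frame)
    hdr = parse_smb2_header(smb)
    info = {
        "command": hdr["Command"],
        "is_response": bool(hdr["Flags"] & SMB2_FLAGS_SERVER_TO_REDIR),
        "status": hdr["Status"],
        "status_name": NT_STATUS_NAMES.get(hdr["Status"], "0x%08X" % hdr["Status"]),
        "session_id": hdr["SessionId"],
    }
    if hdr["Command"] == SMB2_SESSION_SETUP:
        info["security_blob"] = parse_session_setup_response(smb[SMB2_HEADER_LEN:])["SecurityBlob"]
    return info


def status_ok(frame, expected=STATUS_SUCCESS):
    """The check isValidAnswer() performs: only the expected status counts as success."""
    return summarize_response(frame)["status"] == expected


def build_sample_frame(status=0xC000000D):
    """Constructed frame carrying the capture's field values (not the original packet bytes)."""
    header = struct.pack(SMB2_HEADER_FMT, SMB2_PROTOCOL_ID, SMB2_HEADER_LEN, 0, status,
                         SMB2_SESSION_SETUP, 0, SMB2_FLAGS_SERVER_TO_REDIR,
                         0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH", 9, 0, 0, 0) + b"\x00"   # 8 fixed bytes + 1-byte Buffer
    smb = header + body                                  # 64 + 9 = 73 bytes
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # + 4-byte NetBIOS header = 77


if __name__ == "__main__":
    frame = build_sample_frame()
    print(summarize_response(frame), "ok" if status_ok(frame) else "session error")
```

Because the status check rejects every value except the one expected, a server that answers Session Setup with STATUS_INVALID_PARAMETER instead of STATUS_MORE_PROCESSING_REQUIRED surfaces exactly as the SessionError in the traceback above, before any security blob is examined.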
I'm facing the issue when using relay for LDAPs traffic.
Whole exception with the -debug flag:
[-] Exception in HTTP request handler: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('A.B.C.D', 636))])
[+] Traceback (most recent call last):
File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 72, in handle_one_request
SimpleHTTPServer.SimpleHTTPRequestHandler.handle_one_request(self)
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
method()
File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 193, in do_GET
if not self.do_ntlm_negotiate(token, proxy=proxy):
File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 261, in do_ntlm_negotiate
if not self.client.initConnection():
File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/clients/ldaprelayclient.py", line 144, in initConnection
self.session.open(False)
File "/usr/local/lib/python2.7/dist-packages/ldap3/strategy/sync.py", line 56, in open
BaseStrategy.open(self, reset_usage, read_server_info)
File "/usr/local/lib/python2.7/dist-packages/ldap3/strategy/base.py", line 147, in open
raise LDAPSocketOpenError('unable to open socket', exception_history)
LDAPSocketOpenError: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('A.B.C.D', 636))])
System:
Python 2.7.15+
up to date Kali
up to date impacket
ldap3 tested both 2.5.1 and 2.5.2
Same problem was slightly touched in #514, where @dirkjanm mentioned:
(..) it has something to do with whether the SSL certificates are set correctly on the server. Usually targeting another DC worked
I have access to ~12 AD systems (2012 R2 and 2016), targeting any of them results into this error.
Connections using ldp.exe work well (along with many production calls to some of the ADs):
LDAP signing not enabled:
The behavior is that the LDAPS service RSTs the connection just after the TLS hello is received:
So this is not caused by ntlmrelayx not trusting the LDAPS certificate - it's about LDAPS refusing this TLS hello packet.
What steps will reproduce the problem?
1. Download the 0.9.9.9.9 version
2. run setup.py install
3. run samrdump.py <ip>
What is the expected output? What do you see instead?
The normal SMB enumeration info is expected, but it returns:
Traceback (most recent call last):
File "/usr/local/bin/samrdump.py", line 24, in <module>
from impacket import uuid, version
ImportError: cannot import name version
What version of the product are you using? On what operating system?
The last one (impacket-0.9.9.9.tar.gz) - Linux Backtrack 5r3
Please provide any additional information below.
Original issue reported on code.google.com by [email protected] on 18 Jan 2013 at 1:57
I've been playing with no-pac exploitation recently; the last step is doing an s4u2self request, and we don't need to do an s4u2proxy request.
But I found that impacket's getST.py has no support for this, and it doesn't support service modification of the returned TGS ticket.
Even though there is a feature called AnySPN in impacket, it won't work in this special situation.
Here is the result of smbclient.py before my modification to getST.py:
After I made some changes to getST.py, I'm able to get a service ticket with the SPN I specified in the command line:
getST.py my.domain/WIN-ER6H1V81DV9 -no-pass -k -dc-ip 192.168.25.177 -impersonate Administrator -alt-service CIFS/WIN-ER6H1V81DV9.my.domain -s4u2self -spn WIN-ER6H1V81DV9 -debug
smbclient.py works just fine
I'm a little bit confused about what the options are for a reflection attack (NTLM auth back to the victim, which is different from a general relay attack) on an up-to-date W10 host.
Let me explain what I have understood:
SMB NTLM auth reflect back to SMB is patched since 2008 (MS08-068)
NTLM auth reflect back to SMB (like HTTP => SMB) is patched since 2016. This was the goal of Hot Potato by @breenmachine
DCOM DCE (via BITS) to RPC endpoint (TCP port 135) is still working (RottenPotato by @breenmachine or lonelypotato by @decoder-it)
Ok, but the demo of these attacks is always done on the victim's host (loopback @IP). Well, my questions are:
Is it possible to manage these reflection attacks (or another) over the local network on a fully updated W10 host?
Does Impacket implement these attacks?
I know that @asolino and @dirkjanm discussed it in a 2-year-old issue (https://github.com/CoreSecurity/impacket/issues/188#issue-170611239) but the conclusion was quite unclear to me.
See #1448. I'm not sure how tightly integrated you'd want this to be in impacket, so I opted for a simple compatibility shim. This can of course be changed to a full replacement of the existing ESE implementation.
This should bring a considerable performance improvement to secretsdump. My sample AD with only 3 users already sees an improvement (1s vs 2s), but in the past we've seen domains with over 100k users take less than a minute, whereas the original secretsdump would take >24 hours.
During a client engagement I noticed that, when relaying a valid domain admin account to a domain controller (which has signing disabled) and attempting to dump credentials using secretsdump (default action when -c parameter is not specified), it fails for NTDS dit.
To fix this, I had to run socks and then run secretsdump using --use-vss. Any chance custom parameters can be included in ntlmrelayx when secretsdump is run?
In Python3.10, the default TLS cipher settings have been set to a more secure level. See: https://bugs.python.org/issue43998
The change makes sense for general users, but Impacket is regularly used to access old Windows computers that present certs signed using MD5 or don't support anything higher than TLSv1.0. Impacket users arguably care more about exploiting weaknesses than requiring super secure TLS settings, so this patch lowers the cipher settings to the lowest value. This is in line with the current behavior of not validating certificates at all.
Note that this will not help if the TLS handshake fails due to certificate issues until this bug is fixed in ldap3: https://github.com/cannatag/ldap3/pull/1067
[+] Impacket Library Installation Path: /opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket
[+] Target system is SERVERIP and isFQDN is False
[+] StringBinding: SERVERNAME[24158]
[+] StringBinding: SERVERIP[24158]
[+] StringBinding chosen: ncacn_ip_tcp:SERVERIP[24158]
WQL> SELECT Name FROM MSCluster_Node
Traceback (most recent call last):
File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd
func = getattr(self, 'do_' + cmd)
AttributeError: 'WMIQUERY' object has no attribute 'do_SELECT'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/python-virtualenv/impacket/bin/wmiquery.py", line 84, in printReply
pEnum = iEnum.Next(0xffffffff,1)[0]
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2951, in Next
oxid=self.get_oxid(), target=self.get_target()), self.__iWbemServices))
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2328, in __init__
self.encodingUnit = ENCODING_UNIT(objRef['pObjectData'])
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in __init__
self.fromString(data)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString
self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack
return dataClassOrCode(data)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 895, in __init__
self.fromString(data)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString
self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack
return dataClassOrCode(data)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 795, in __init__
Structure.__init__(self, data, alignment)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in __init__
self.fromString(data)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString
self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack
return dataClassOrCode(data)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in __init__
self.fromString(data)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString
self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack
return dataClassOrCode(data)
File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 765, in __init__
raise Exception("self['InstPropQualSetFlag'] == 2")
Exception: ("self['InstPropQualSetFlag'] == 2", "When unpacking field 'InstancePropQualifierSet | : | b'\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5904]'", "When unpacking field 'InstanceQualifierSet | : | b'\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5908]'", "When unpacking field 'InstanceType | : | b'\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6161]'", "When unpacking field 'ObjectBlock | : | b'\x12\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6162]'")
[-] ("self['InstPropQualSetFlag'] == 2", "When unpacking field 'InstancePropQualifierSet | : | b'\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5904]'", "When unpacking field 'InstanceQualifierSet | : | b'\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5908]'", "When unpacking field 'InstanceType | : | b'\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6161]'", "When unpacking field 'ObjectBlock | : | b'\x12\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6162]'")
Additional context
It seems that when you try to get the Names of the nodes from the MSCluster_Node class it breaks. It is only for the "Name" property.
These were replaced to sanitize the output: AD/USER:[email protected], SERVERIP, SERVERNAME, NODESERVERNAME, NODESERVER01. There were a lot of "\x00" bytes in the output that I removed to shorten it.
opened by Mysteoa 0
Releases
impacket_0_10_0 (May 4, 2022)
Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/
ChangeLog for 0.10.0:
Library improvements
Dropped support for Python 2.7.
Refactored the testing infrastructure (@martingalloar):
Added pytest as the testing framework to organize and mark test cases. Tox remains the automation framework, and Coverage.py is used for measuring code coverage.
Custom bash scripts were replaced with test cases auto-discovery.
Local and remote test cases were marked for easy run and configuration.
DCE/RPC endpoint test cases were refactored and moved to a new layout.
An initial testing guide with the main steps to prepare a testing environment and run them.
Fixed a good amount of DCE/RPC endpoint test cases that were failing.
Added tests for [MS-PAR], [MS-RPRN], CCache and DPAPI.
Added a function to compute the Netlogon Authenticator at client-side in [MS-NRPC] (@0xdeaddood)
Fixed VBA script execution and improved error checking (@franferrax)
New examples
rbcd.py: Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (@ShutdownRepo and @p0dalirius) (based on the previous work of @tothi and @NinjaStyle82)
As always, thanks a lot to all these contributors that make this library better every day (since last version):
Added PowerShell option for semi-interactive shells in dcomexec.py, smbexec.py and wmiexec.py (@snovvcrash)
Added new parameter to select COMVERSION in dcomexec.py, wmiexec.py, wmipersist.py and wmiquery.py (@zexusx26)
New examples
Get-GPPPassword.py: This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (@ShutdownRepo and @p0dalirius)
smbpasswd.py: This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (@snovvcrash)
As always, thanks a lot to all these contributors that make this library better every day (since last version):
Added ability to specifically delete a shadow based on its ID (by @phefley).
Dump plaintext machine account password when dumping the local registry secrets (by @dirkjanm).
New examples
exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2 (by @mohemiv).
rpcmap.py: Scan for listening DCE/RPC interfaces (by @mohemiv).
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@mohemiv @mpgn @Romounet @ThePirateWhoSmellsOfSunflowers @rmaksimov @fuzzKitty @tshmul @spinenkoia @AaronRobson @ABCIFOGeowi40 @cclauss @cnotin @5alt @franferrax @Dliv3 @dirkjanm @Mr-Gag @vbersier @phefley @Hackndo
Added more functions to decrypt masterkeys based on SID + hashes/key. Also supports supplying hashes instead of the password for decryption (by @dirkjanm).
Pass the hash support for backup key retrieval (by @imaibou).
Added feature to decrypt a user's masterkey using the MS-BKRP (by @imaibou).
raiseChild.py: Added a new flag to specify the RID of a user to dump credentials (by @0xdeaddood).
Added flags to bypass badly made detection use cases (by @MaxNad):
smbexec.py: Possibility to rename the PSExec uploaded binary name with the -remote-binary-name flag.
psexec.py: Possibility to use another service name with the -service-name flag.
Added a flag to use a SID as the escalate user for delegation attacks (by @0xe7).
Support for dumping LAPS passwords (by @praetorian-adam-crosser).
Added LDAP interactive mode that allows an attacker to manually perform basic operations like creating a new user, adding a user to a group, dumping the AD, etc. (by @mlefebvre).
Support for multiple relays through one SMB connection (by @0xdeaddood).
Added support for dumping gMSA passwords (by @cube0x0).
ticketer.py: Added an option to use the SPN's keys from a keytab for a silver ticket (by @kcirtapw).
New Examples
addcomputer.py: Allows adding a computer to a domain using LDAP or SAMR (SMB) (by @jagotu).
ticketConverter.py: This script converts kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by @Zer1t0).
findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment (by @G0ldenGunSec).
As always, thanks a lot to all these contributors that make this library better every day (since last version):
Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets whenever you find something not working as expected. Libraries and examples should be fully functional.
kintercept.py: A tool for intercepting krb5 connections and for testing KDC handling S4U2Self with unkeyed checksum (by @iboukris)
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@infinnovation-dev, @cnotin, @mikeryan, @SR4ven, @cclauss, @skorov, @msimakov, @dirkjanm, @franferrax, @iboukris, @n1ngod, @c0d3z3r0, @MrAnde7son.
GetST.py: Added resource-based constrained delegation support to S4U (@eladshamir )
GetNPUsers.py: Added hashcat/john format and users file input (by @Zer1t0 )
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @MrAnde7son, @ibo, @franferrax, @Qwokka, @CaledoniaProject , @eladshamir, @Zer1t0, @martingalloar, @muizzk, @Petraea, @SR4ven, @Fist0urs, @Zer1t0
ntlmrelayx.py: Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by @dirkjanm)
secretsdump.py: Added dumping of machine account Kerberos keys (@dirkjanm). DPAPI_SYSTEM LSA Secret is now parsed and key contents are shown.
GetUserSPNs.py: Bugfixes and cross-domain support (@dirkjanm)
New Examples
dpapi.py: Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by @MrAnde7son
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @MrAnde7son, @franferrax, @MrRobot86, @qlemaire, @cauan, @eldipa
Tox/Coverage Support added, test cases moved to its own directory. Major overhaul.
Many fixes and improvements in Kerberos, SMB and DCERPC (too much to name in a few lines).
Examples improvements
GetUserSPNs.py: -request-user parameter added. Requests STs for the SPN associated to the user specified. Added support for AES Kerberoast tickets (by @elitest).
services.py: added port 139 support and related options (by @real-datagram).
samrdump.py: -csv switch to output format in CSV added.
ntlmrelayx.py: Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and new protocols support (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.
secretsdump.py : AES(128) support for SAM hashes decryption. OldVal parameter dump added to LSA secrets dump (by @Ramzeth).
mssqlclient.py: Alternative method to execute commands on MSSQL (sp_start_job) (by @Kayzaks).
lsalookupsid.py: added no-pass and domain-users options (by @ropnop).
New Examples
ticketer.py: Create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, duration, etc. Silver tickets creation by @machosec and @bransh.
GetADUsers.py: Gathers data about the domain's users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.
getPac.py: Gets the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.
getArch.py: Will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.
sambaPipe.py: Will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects. (contributions by @byt3bl33d3r).
getTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
getST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf other user.
As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @Fr0stbyt3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.
Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
New Examples
GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user accounts. This is part of the kerberoast attack researched by Tim Medin (@timmedin).
Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method) by default. The VSS method is still available by using the -use-vss switch.
Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and -just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options
Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option
Add support for multiple password encryption keys (PEK) (by @s0crat)
goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC
New examples:
raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege escalation as detailed by Sean Metcalf (@PyroTek3) at https://adsecurity.org/?p=1640. It (ab)uses the concept of Golden Tickets and ExtraSids researched and implemented by Benjamin Delpy (@gentilkiwi) in mimikatz.
netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)
a. kerberosLogin() added to SMBConnection (all SMB versions).
b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will negotiate Kerberos. This also includes DCOM.
c. Pass-the-hash, pass-the-ticket and pass-the-key support.
d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
SMB3 encryption support. A Pycrypto experimental version that supports AES_CCM is required.
[MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
SMBSERVER improvements:
a. SMB2 (2.002) dialect experimental support.
b. Adding capability to export to John The Ripper format files
Library logging overhaul. Now there's a single logger called 'impacket'.
Examples improvements:
Added Kerberos support to all modules (incl. pass-the-ticket/key)
Ported most of the modules to the new dcerpc.v5 runtime.
secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
smbserver.py: support for SMB2 (not enabled by default)
smbrelayx.py: Added support for MS15-027 exploitation.
New examples:
goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.
karmaSMB.py: SMB Server that answers specific file contents regardless of the SMB share and pathname requested.
wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event Consumers/Filters to execute VBS based on a WQL filter or timer specified.
netview.py: Gets a list of the sessions opened at the remote hosts looping over the hosts found keeping track of who logged in/out from remote servers