1Complete list of changes can be found at: 2https://github.com/CoreSecurity/impacket/commits/master 3 4June 2016: 0.9.15: 51) Library improvements 6 * SMB3.create: define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle) 7 * Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss) 8 * Packet fragmentation for DCE RPC layer mayor overhaul. 9 * Improved pass-the-key attacks scenarios (by @skelsec) 10 * Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to 11 build the search filter yourself) 12 * IPv6 improvements for DCERPC/LDAP and Kerberos 13 142) Examples improvements 15 * Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC 16 resides in the same server 17 * secretsdump.py 18 a. Adding support for Win2016 TP4 in LOCAL or -use-vss mode 19 b. Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only) 20 c. Support for different ReplEpoch (DRSUAPI only) 21 d. pwdLastSet is also included in the output file 22 e. New structures/flags added for 2016 TP5 PAM support 23 * wmiquery.py 24 a. Adding -rpc-auth-level switch (by @gadio) 25 * smbrelayx.py 26 a. Added option to specify authentication status code to be sent to requesting client (by @mgeeky) 27 b. Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol) 28 293) New Examples 30 * GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account. 31 This is part of the kerberoast attack researched by Tim Medin (@timmedin) 32 * ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc) 33 (by @dirkjanm) 34 35January 2016: 0.9.14: 361) Library improvements 37 * [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations 38 * [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation 39 * Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved 40 * Unicode support (optional) for the SMBv1 stack (by @rdubourguais) 41 * NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie) 42 * Kerberos support for TDS (MSSQL) 43 * Extended present flags support on RadioTap class 44 * Old DCERPC runtime code removed 45 462) Examples improvements 47 * mssqlclient.py: Added Kerberos authentication support 48 * atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2 49 * smbrelayx.py: 50 * If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default 51 * Added -c option to execute custom commands in the target (by @byt3bl33d3r) 52 * secretsdump.py: 53 a. Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method) 54 by default. VSS method is still available by using the -use-vss switch 55 b. Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and 56 -just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options 57 c. Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option 58 d. Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump ([MS-SAMR] 3.1.1.8.11.5) 59 e. Add support for multiple password encryption keys (PEK) (by @s0crat) 60 * goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC 61 623) New examples 63 * raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege 64 escalation as detailed by Sean Metcalf at https://adsecurity.org/?p=1640 65 * netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix) 66 67May 2015: 0.9.13: 681) Library improvements 69 * Kerberos support for SMB and DCERPC featuring: 70 a. kerberosLogin() added to SMBConnection (all SMB versions). 71 b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will 72 negotiate Kerberos. This also includes DCOM. 73 c. Pass-the-hash, pass-the-ticket and pass-the-key support. 74 d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc). 75 e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers. 76 f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. 77 * SMB3 encryption support. Pycrypto experimental version that supports 78 AES_CCM is required. 79 * [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py) 80 * SMBSERVER improvements: 81 a. SMB2 (2.002) dialect experimental support. 82 b. Adding capability to export to John The Ripper format files 83 * Library logging overhaul. Now there's a single logger called 'impacket'. 84 852) Examples improvements 86 * Added Kerberos support to all modules (incl. pass-the-ticket/key) 87 * Ported most of the modules to the new dcerpc.v5 runtime. 88 * secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT 89 * smbserver.py: support for SMB2 (not enabled by default) 90 * smbrelayx.py: Added support for MS15-027 exploitation. 91 923) New examples 93 * goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a 94 psexec session at the target. 95 * karmaSMB.py: SMB Server that answers specific file contents regardless of 96 the SMB share and pathname requested. 97 * wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event 98 Consumers/Filters to execute VBS based on a WQL filter or timer specified. 99 100July 2014: 0.9.12: 1011) The following protocols were added based on its standard definition 102 * [MS-DCOM] - Distributed Component Object module Protocol (dcom.py) 103 * [MS-OAUT] - OLE Automation Protocol (dcom/oaut.py) 104 * [MS-WMI]/[MS-WMIO] : Windows Management Instrumentation Remote Protocol (dcom/wmi.py) 105 1062) New examples 107 a. wmiquery.py: executes WMI queries and get WMI object's descriptions. 108 b. wmiexec.py: agent-less, semi-interactive shell using WMI. 109 c. smbserver.py: quick an easy way to share files using the SMB protocol. 110 111February 2014: 0.9.11: 1121) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available) 113 a. Support marshaling/unmarshaling for NDR20 and NDR64 (experimental) 114 b. Support for RPC_C_AUTHN_NETLOGON (experimental) 115 c. The following interface were developed based on its standard definition: 116 * [MS-LSAD] - Local Security Authority (Domain Policy) Remote Protocol (lsad.py) 117 * [MS-LSAT] - Local Security Authority (Translation Methods) Remote Protocol (lsat.py) 118 * [MS-NRPC] - Netlogon Remote Protocol (nrpc.py) 119 * [MS-RRP] - Windows Remote Registry Protocol (rrp.py) 120 * [MS-SAMR] - Security Account Manager (SAM) Remote Protocol (samr.py) 121 * [MS-SCMR] - Service Control Manager Remote Protocol (scmr.py) 122 * [MS-SRVS] - Server Service Remote Protocol (srvs.py) 123 * [MS-WKST] - Workstation Service Remote Protocol (wkst.py) 124 * [MS-RPCE]-C706 - Remote Procedure Call Protocol Extensions (epm.py) 125 * [MS-DTYP] - Windows Data Types (dtypes.py) 126 Most of the DCE Calls have helper functions for easier use. Test cases added for 127 all calls (check the test cases directory) 1282) ESE parser (Extensive Storage Engine) (ese.py) 1293) Windows Registry parser (winregistry.py) 1304) TDS protocol now supports SSL, can be used from mssqlclient 1315) Support for EAPOL, EAP and WPS decoders 1326) VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi 1337) New examples 134 a. rdp_check.py: tests whether an account (pwd or hashes) is valid against an RDP server 135 b. esentutl.py: ESE example to show how to interact with ESE databases (e.g. NTDS.dit) 136 c. ntfs-read.py: mini shell for browsing an NTFS volume 137 d. registry-read.py: Windows offline registry reader 138 e. secretsdump.py: agent-less remote windows secrets dump (SAM, LSA, CDC, NTDS) 139 140March 2013: 0.9.10: 1411) SMB version 2 and 3 protocol support ([MS-SMB2]). Signing supported, encryption for SMB3 still pending. 1422) Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and SMB version independent. 143 It will pick the best SMB Version when connecting against the target. Check smbconnection.py for a list of available 144 methods across all the protocols. 1453) Partial TDS implementation ([MS-TDS] & [MC-SQLR]) so we could talk with MSSQL Servers. 1464) Unicode support for the smbserver. Newer OSX won't connect to a non unicode SMB Server. 1475) DCERPC Endpoints' new calls 148 a. EPM: lookup(): It can work as a general portmapper, or just to find specific interfaces/objects. 1496) New examples 150 a. mssqlclient.py: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives 151 you an SQL prompt for your pleasure. 152 b. mssqlinstance.py: Lists the MS SQL instances running on a target machine. 153 c. rpcdump.py: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the 154 UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to 155 develop new functionality to interact against a target interface. 156 d. smbexec.py: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the 157 technique described at http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access. It also 158 supports instantiating a local smbserver to receive the output of the commandos executed for those situations 159 where no share is available on the other end. 160 e. smbrelayx.py: It now also listens on port 80 and forwards/reflects the credentials accordingly. 161 162And finally tons of fixes :). 163 164July 2012: 0.9.9: 1651) Added 802.11 packets encoding/decoding 1662) Addition of support for IP6, ICMP6 and NDP packets. Addition of IP6_Address helper class. 1673) SMB/DCERPC 168 a. GSS-API/SPNEGO Support. 169 b. SPN support in auth blob. 170 c. NTLM2 and NTLMv2 support. 171 d. Default SMB port now 445. If *SMBSERVER is specified the library will try to resolve the netbios name. 172 e. Pass the hash supported for SMB/DCE-RPC. 173 f. IPv6 support for SMB/NMB/DCERPC. 174 g. DOMAIN support for authentication. 175 h. SMB signing support when server enforces it. 176 i. DCERPC signing/sealing for all NTLM flavours. 177 j. DCERPC transport now accepts an already established SMB connection. 178 k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by 179 forwarding named pipes requests). 180 l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoidg Windows 7 nasty bug when that pipe's 181 not functional. 182 1834) DCERPC Endpoints' new calls 184 a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(), 185 NetprNameCanonicalize(). 186 b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(), 187 StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW(). 188 c. WKSSVC: NetrWkstaTransportEnum(). 189 d. SAMR: OpenAlias(), GetMembersInAlias(). 190 e. LSARPC: LsarOpenPolicy2(), LsarLookupSids(), LsarClose(). 191 1925) New examples 193 a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list 194 of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is 195 listed and/or listening. 196 b. lookupsid.py: DCE/RPC lookup sid brute forcer example. 197 c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first 198 256 operation numbers in turn and reports the outcome of each call. 199 d. services.py: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST). 200 e. test_wkssvc: DCE/RPC WKSSVC examples, playing with the functions Implemented. 201 f. smbrelayx: Passes credentials to a third party server when doing MiTM. 202 g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but 203 not enforced. Tested under Windows, Linux and MacOS clients. 204 h. smbclient.py: now supports history, new commands also added. 205 i. psexec.py: Execute remote commands on Windows machines 206