1Complete list of changes can be found at:
2https://github.com/CoreSecurity/impacket/commits/master
3
4June 2016: 0.9.15:
51) Library improvements
6   * SMB3.create: define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
7   * Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss)
8   * Packet fragmentation for DCE RPC layer mayor overhaul.
9   * Improved pass-the-key attacks scenarios (by @skelsec)
10   * Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to
11     build the search filter yourself)
12   * IPv6 improvements for DCERPC/LDAP and Kerberos
13
142) Examples improvements
15   * Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC
16     resides in the same server
17   * secretsdump.py
18     a. Adding support for Win2016 TP4 in LOCAL or -use-vss mode
19     b. Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)
20     c. Support for different ReplEpoch (DRSUAPI only)
21     d. pwdLastSet is also included in the output file
22     e. New structures/flags added for 2016 TP5 PAM support
23   * wmiquery.py
24     a. Adding -rpc-auth-level switch (by @gadio)
25   * smbrelayx.py
26     a. Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
27     b. Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
28
293) New Examples
30   * GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account.
31     This is part of the kerberoast attack researched by Tim Medin (@timmedin)
32   * ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)
33     (by @dirkjanm)
34
35January 2016: 0.9.14:
361) Library improvements
37   * [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
38   * [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
39   * Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
40   * Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
41   * NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)
42   * Kerberos support for TDS (MSSQL)
43   * Extended present flags support on RadioTap class
44   * Old DCERPC runtime code removed
45
462) Examples improvements
47   * mssqlclient.py: Added Kerberos authentication support
48   * atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
49   * smbrelayx.py:
50     * If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default
51     * Added -c option to execute custom commands in the target (by @byt3bl33d3r)
52   * secretsdump.py:
53       a. Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method)
54          by default. VSS method is still available by using the -use-vss switch
55       b. Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and
56          -just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options
57       c. Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option
58       d. Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump ([MS-SAMR] 3.1.1.8.11.5)
59       e. Add support for multiple password encryption keys (PEK) (by @s0crat)
60   * goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC
61
623) New examples
63   * raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege
64     escalation as detailed by Sean Metcalf at https://adsecurity.org/?p=1640
65   * netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)
66
67May 2015: 0.9.13:
681) Library improvements
69   * Kerberos support for SMB and DCERPC featuring:
70      a. kerberosLogin() added to SMBConnection (all SMB versions).
71      b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will
72         negotiate Kerberos. This also includes DCOM.
73      c. Pass-the-hash, pass-the-ticket and pass-the-key support.
74      d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
75      e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
76      f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
77   * SMB3 encryption support. Pycrypto experimental version that supports
78     AES_CCM is required.
79   * [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
80   * SMBSERVER improvements:
81      a. SMB2 (2.002) dialect experimental support.
82      b. Adding capability to export to John The Ripper format files
83   * Library logging overhaul. Now there's a single logger called 'impacket'.
84
852) Examples improvements
86   * Added Kerberos support to all modules (incl. pass-the-ticket/key)
87   * Ported most of the modules to the new dcerpc.v5 runtime.
88   * secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
89   * smbserver.py: support for SMB2 (not enabled by default)
90   * smbrelayx.py: Added support for MS15-027 exploitation.
91
923) New examples
93   * goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a
94     psexec session at the target.
95   * karmaSMB.py: SMB Server that answers specific file contents regardless of
96     the SMB share and pathname requested.
97   * wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event
98     Consumers/Filters to execute VBS based on a WQL filter or timer specified.
99
100July 2014: 0.9.12:
1011) The following protocols were added based on its standard definition
102   * [MS-DCOM] - Distributed Component Object module Protocol (dcom.py)
103   * [MS-OAUT] - OLE Automation Protocol (dcom/oaut.py)
104   * [MS-WMI]/[MS-WMIO] : Windows Management Instrumentation Remote Protocol (dcom/wmi.py)
105
1062) New examples
107   a. wmiquery.py: executes WMI queries and get WMI object's descriptions.
108   b. wmiexec.py: agent-less, semi-interactive shell using WMI.
109   c. smbserver.py: quick an easy way to share files using the SMB protocol.
110
111February 2014: 0.9.11:
1121) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available)
113  a. Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
114  b. Support for RPC_C_AUTHN_NETLOGON (experimental)
115  c. The following interface were developed based on its standard definition:
116    * [MS-LSAD] - Local Security Authority (Domain Policy) Remote Protocol (lsad.py)
117    * [MS-LSAT] - Local Security Authority (Translation Methods) Remote Protocol (lsat.py)
118    * [MS-NRPC] - Netlogon Remote Protocol (nrpc.py)
119    * [MS-RRP] - Windows Remote Registry Protocol (rrp.py)
120    * [MS-SAMR] - Security Account Manager (SAM) Remote Protocol (samr.py)
121    * [MS-SCMR] - Service Control Manager Remote Protocol (scmr.py)
122    * [MS-SRVS] - Server Service Remote Protocol (srvs.py)
123    * [MS-WKST] - Workstation Service Remote Protocol (wkst.py)
124    * [MS-RPCE]-C706 -  Remote Procedure Call Protocol Extensions (epm.py)
125    * [MS-DTYP] - Windows Data Types (dtypes.py)
126    Most of the DCE Calls have helper functions for easier use. Test cases added for
127    all calls (check the test cases directory)
1282) ESE parser (Extensive Storage Engine) (ese.py)
1293) Windows Registry parser (winregistry.py)
1304) TDS protocol now supports SSL, can be used from mssqlclient
1315) Support for EAPOL, EAP and WPS decoders
1326) VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
1337) New examples
134  a. rdp_check.py: tests whether an account (pwd or hashes) is valid against an RDP server
135  b. esentutl.py: ESE example to show how to interact with ESE databases (e.g. NTDS.dit)
136  c. ntfs-read.py: mini shell for browsing an NTFS volume
137  d. registry-read.py: Windows offline registry reader
138  e. secretsdump.py: agent-less remote windows secrets dump (SAM, LSA, CDC, NTDS)
139
140March 2013: 0.9.10:
1411) SMB version 2 and 3 protocol support ([MS-SMB2]). Signing supported, encryption for SMB3 still pending.
1422) Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and SMB version independent.
143   It will pick the best SMB Version when connecting against the target. Check smbconnection.py for a list of available
144   methods across all the protocols.
1453) Partial TDS implementation ([MS-TDS] & [MC-SQLR]) so we could talk with MSSQL Servers.
1464) Unicode support for the smbserver. Newer OSX won't connect to a non unicode SMB Server.
1475) DCERPC Endpoints' new calls
148  a. EPM: lookup(): It can work as a general portmapper, or just to find specific interfaces/objects.
1496) New examples
150  a. mssqlclient.py: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives
151     you an SQL prompt for your pleasure.
152  b. mssqlinstance.py: Lists the MS SQL instances running on a target machine.
153  c. rpcdump.py: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the
154     UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to
155     develop new functionality to interact against a target interface.
156  d. smbexec.py: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the
157     technique described at http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access. It also
158     supports instantiating a local smbserver to receive the output of the commandos executed for those situations
159     where no share is available on the other end.
160  e. smbrelayx.py: It now also listens on port 80 and forwards/reflects the credentials accordingly.
161
162And finally tons of fixes :).
163
164July 2012: 0.9.9:
1651) Added 802.11 packets encoding/decoding
1662) Addition of support for IP6, ICMP6 and NDP packets. Addition of IP6_Address helper class.
1673) SMB/DCERPC
168  a. GSS-API/SPNEGO Support.
169  b. SPN support in auth blob.
170  c. NTLM2 and NTLMv2 support.
171  d. Default SMB port now 445. If *SMBSERVER is specified the library will try to resolve the netbios name.
172  e. Pass the hash supported for SMB/DCE-RPC.
173  f. IPv6 support for SMB/NMB/DCERPC.
174  g. DOMAIN support for authentication.
175  h. SMB signing support when server enforces it.
176  i. DCERPC signing/sealing for all NTLM flavours.
177  j. DCERPC transport now accepts an already established SMB connection.
178  k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by
179     forwarding named pipes requests).
180  l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoidg Windows 7 nasty bug when that pipe's
181     not functional.
182
1834) DCERPC Endpoints' new calls
184  a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(),
185     NetprNameCanonicalize().
186  b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(),
187     StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW().
188  c. WKSSVC: NetrWkstaTransportEnum().
189  d. SAMR: OpenAlias(), GetMembersInAlias().
190  e. LSARPC: LsarOpenPolicy2(), LsarLookupSids(), LsarClose().
191
1925) New examples
193  a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list
194     of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is
195     listed and/or listening.
196  b. lookupsid.py: DCE/RPC lookup sid brute forcer example.
197  c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first
198     256 operation numbers in turn and reports the outcome of each call.
199  d. services.py: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST).
200  e. test_wkssvc: DCE/RPC WKSSVC examples, playing with the functions Implemented.
201  f. smbrelayx: Passes credentials to a third party server when doing MiTM.
202  g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but
203     not enforced. Tested under Windows, Linux and MacOS clients.
204  h. smbclient.py: now supports history, new commands also added.
205  i. psexec.py: Execute remote commands on Windows machines
206