github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/ChangeLog

Complete list of changes can be found at:
https://github.com/SecureAuthCorp/impacket/commits/master

June 2016: 0.9.15:
1) Library improvements
   * SMB3.create: define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
   * Retrieve user principal name from CCache file, allowing any script to be called with -k and just the target system
     (by @MrTchuss)
   * Major overhaul of packet fragmentation at the DCE RPC layer.
   * Improved pass-the-key attack scenarios (by @skelsec)
   * Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to
     build the search filter yourself)
   * IPv6 improvements for DCERPC/LDAP and Kerberos

2) Examples improvements
   * Adding -dc-ip switch to all examples. It allows specifying the IP address to use for the domain. It assumes the DC
     and KDC reside on the same server
   * secretsdump.py
     a. Adding support for Win2016 TP4 in LOCAL or -use-vss mode
     b. Adding -just-dc-user switch to download just a single user's data (DRSUAPI mode only)
     c. Support for different ReplEpoch (DRSUAPI only)
     d. pwdLastSet is also included in the output file
     e. New structures/flags added for 2016 TP5 PAM support
   * wmiquery.py
     a. Adding -rpc-auth-level switch (by @gadio)
   * smbrelayx.py
     a. Added option to specify the authentication status code to be sent to the requesting client (by @mgeeky)
     b. Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)

3) New Examples
   * GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user accounts.
     This is part of the kerberoast attack researched by Tim Medin (@timmedin)
   * ntlmrelayx.py: smbrelayx.py on steroids! NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)
     (by @dirkjanm)

January 2016: 0.9.14:
1) Library improvements
   * [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
   * [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
   * Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
   * Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
   * NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)
   * Kerberos support for TDS (MSSQL)
   * Extended present flags support on RadioTap class
   * Old DCERPC runtime code removed

2) Examples improvements
   * mssqlclient.py: Added Kerberos authentication support
   * atexec.py: It now uses the ITaskSchedulerService interface, adding support for Windows 2012 R2
   * smbrelayx.py:
     * If no file to upload and execute is specified (-E), it just dumps the target user's hashes by default
     * Added -c option to execute custom commands on the target (by @byt3bl33d3r)
   * secretsdump.py:
     a. Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method)
        by default. The VSS method is still available by using the -use-vss switch
     b. Added -just-dc (extract only NTDS.DIT NTLM hashes and Kerberos keys) and
        -just-dc-ntlm (only NTDS.DIT NTLM hashes) options
     c. Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use the -resumefile option
     d. Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump ([MS-SAMR] 3.1.1.8.11.5)
     e. Add support for multiple password encryption keys (PEK) (by @s0crat)
   * goldenPac.py: Tests all DCs in the domain and adds the forest's enterprise admin group inside the PAC

3) New examples
   * raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege
     escalation as detailed by Sean Metcalf at https://adsecurity.org/?p=1640
   * netview.py: Gets a list of the sessions opened at the remote hosts and keeps track of them (original idea by @mubix)
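
The NDR runtime overhaul listed under 0.9.14 (and the NDR20 marshaling support introduced in 0.9.11 below) is the part of impacket that turns Python values into the byte layout the DCE/RPC stub expects. The following is an added example, not impacket code: a tiny NDR20 encoder/decoder for a handful of top-level stub parameters (little-endian primitives with natural alignment and a `[string, ref] wchar_t*` parameter encoded as a conformant varying array). The function names, the `kind` vocabulary and the sample values are all this example's own; it is a simplification of NDR (no pointers with referent IDs, no structures, no NDR64) intended to show the alignment rules and why a decoder must validate the peer-supplied count headers before slicing.

```python
import struct

# Little-endian NDR20 primitive kinds: struct format and natural alignment.
PRIMITIVES = {
    "u8": ("<B", 1),
    "u16": ("<H", 2),
    "u32": ("<I", 4),
    "u64": ("<Q", 8),
}


def _pad_to(out, size):
    """Append zero bytes so the next field starts on a `size`-byte boundary.
    NDR alignment is computed relative to the start of the stub data."""
    out.extend(b"\x00" * ((-len(out)) % size))


def ndr20_encode(fields):
    """Encode a list of (kind, value) top-level stub parameters.
    kind is a PRIMITIVES key or "wstr": a [string, ref] wchar_t* parameter,
    carried as a conformant varying array of UTF-16LE code units."""
    out = bytearray()
    for kind, value in fields:
        if kind in PRIMITIVES:
            fmt, size = PRIMITIVES[kind]
            _pad_to(out, size)
            out += struct.pack(fmt, value)
        elif kind == "wstr":
            data = (value + "\x00").encode("utf-16-le")
            count = len(data) // 2  # code units, including the terminator
            _pad_to(out, 4)
            # Conformant varying array headers: max count, offset, actual count,
            # followed by the `actual` transmitted elements.
            out += struct.pack("<III", count, 0, count)
            out += data
        else:
            raise ValueError("unknown kind %r" % kind)
    return bytes(out)


def ndr20_decode(data, kinds):
    """Decode parameters produced by ndr20_encode; returns (values, bytes consumed).
    The count headers come from the peer, so each one is checked against the
    others and against the buffer length before any slice is taken."""
    pos = 0
    values = []
    for kind in kinds:
        if kind in PRIMITIVES:
            fmt, size = PRIMITIVES[kind]
            pos += (-pos) % size
            if pos + size > len(data):
                raise ValueError("truncated %s at offset %d" % (kind, pos))
            values.append(struct.unpack_from(fmt, data, pos)[0])
            pos += size
        elif kind == "wstr":
            pos += (-pos) % 4
            if pos + 12 > len(data):
                raise ValueError("truncated array header at offset %d" % pos)
            max_count, offset, actual = struct.unpack_from("<III", data, pos)
            pos += 12
            if offset + actual > max_count:
                raise ValueError("offset + actual count exceeds max count")
            if pos + 2 * actual > len(data):
                raise ValueError("actual count runs past end of buffer")
            raw = data[pos:pos + 2 * actual]
            pos += 2 * actual
            values.append(raw.decode("utf-16-le").rstrip("\x00"))
        else:
            raise ValueError("unknown kind %r" % kind)
    return values, pos


# Constructed sample parameters (not from any real interface).
SAMPLE_FIELDS = [("u8", 1), ("u32", 0x11223344), ("u16", 7), ("wstr", "ab")]
SAMPLE_KINDS = [kind for kind, _ in SAMPLE_FIELDS]

if __name__ == "__main__":
    encoded = ndr20_encode(SAMPLE_FIELDS)
    print(encoded.hex())
    print(ndr20_decode(encoded, SAMPLE_KINDS))
```

Note the padding that appears between the `u8` and the `u32` and after the `u16`: the same logical values marshal to different byte offsets depending on what precedes them, which is exactly what a hand-written packer tends to get wrong and what a runtime such as impacket's has to track for every field.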
    66  
May 2015: 0.9.13:
1) Library improvements
   * Kerberos support for SMB and DCERPC featuring:
      a. kerberosLogin() added to SMBConnection (all SMB versions).
      b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will
         negotiate Kerberos. This also includes DCOM.
      c. Pass-the-hash, pass-the-ticket and pass-the-key support.
      d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
      e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
      f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
   * [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
   * SMBSERVER improvements:
      a. SMB2 (2.002) dialect experimental support.
      b. Adding capability to export to John The Ripper format files
   * Library logging overhaul. Now there's a single logger called 'impacket'.

2) Examples improvements
   * Added Kerberos support to all modules (incl. pass-the-ticket/key)
   * Ported most of the modules to the new dcerpc.v5 runtime.
   * secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
   * smbserver.py: support for SMB2 (not enabled by default)
   * smbrelayx.py: Added support for MS15-027 exploitation.

3) New examples
   * goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a
     psexec session at the target.
   * karmaSMB.py: SMB Server that answers specific file contents regardless of
     the SMB share and pathname requested.
   * wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event
     Consumers/Filters to execute VBS based on a WQL filter or timer specified.

July 2014: 0.9.12:
1) The following protocols were added based on their standard definitions
   * [MS-DCOM] - Distributed Component Object Model Protocol (dcom.py)
   * [MS-OAUT] - OLE Automation Protocol (dcom/oaut.py)
   * [MS-WMI]/[MS-WMIO] : Windows Management Instrumentation Remote Protocol (dcom/wmi.py)

2) New examples
   a. wmiquery.py: executes WMI queries and gets WMI objects' descriptions.
   b. wmiexec.py: agent-less, semi-interactive shell using WMI.
   c. smbserver.py: quick and easy way to share files using the SMB protocol.

February 2014: 0.9.11:
1) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available)
  a. Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
  b. Support for RPC_C_AUTHN_NETLOGON (experimental)
  c. The following interfaces were developed based on their standard definitions:
    * [MS-LSAD] - Local Security Authority (Domain Policy) Remote Protocol (lsad.py)
    * [MS-LSAT] - Local Security Authority (Translation Methods) Remote Protocol (lsat.py)
    * [MS-NRPC] - Netlogon Remote Protocol (nrpc.py)
    * [MS-RRP] - Windows Remote Registry Protocol (rrp.py)
    * [MS-SAMR] - Security Account Manager (SAM) Remote Protocol (samr.py)
    * [MS-SCMR] - Service Control Manager Remote Protocol (scmr.py)
    * [MS-SRVS] - Server Service Remote Protocol (srvs.py)
    * [MS-WKST] - Workstation Service Remote Protocol (wkst.py)
    * [MS-RPCE]-C706 - Remote Procedure Call Protocol Extensions (epm.py)
    * [MS-DTYP] - Windows Data Types (dtypes.py)
    Most of the DCE calls have helper functions for easier use. Test cases added for
    all calls (check the test cases directory)
2) ESE parser (Extensible Storage Engine) (ese.py)
3) Windows Registry parser (winregistry.py)
4) TDS protocol now supports SSL, can be used from mssqlclient
5) Support for EAPOL, EAP and WPS decoders
6) VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
7) New examples
  a. rdp_check.py: tests whether an account (pwd or hashes) is valid against an RDP server
  b. esentutl.py: ESE example to show how to interact with ESE databases (e.g. NTDS.dit)
  c. ntfs-read.py: mini shell for browsing an NTFS volume
  d. registry-read.py: Windows offline registry reader
  e. secretsdump.py: agent-less remote Windows secrets dump (SAM, LSA, CDC, NTDS)
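
Item 6 of 0.9.11 adds 802.1Q and 802.1ad tag handling to ImpactPacket. As an added example (this is not ImpactPacket's own decoder, and the function names and sample frames are constructed for illustration), here is a small standalone parser that walks an Ethernet II header and every stacked VLAN tag, so that a QinQ frame (an 802.1ad S-TAG wrapping an 802.1Q C-TAG) is attributed to both VLAN IDs and its real payload EtherType is found rather than being misread as a tag protocol identifier. It goes slightly beyond the one-line changelog entry by handling an arbitrary depth of tags and by bounds-checking each read.

```python
import struct

# Tag protocol identifiers: the customer tag (802.1Q) and the service tag (802.1ad).
TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}
ETHERTYPE_IPV4 = 0x0800


def _mac(raw):
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join("%02x" % b for b in raw)


def decode_ethernet_vlan(frame):
    """Parse an Ethernet II header and any stacked 802.1ad/802.1Q tags.
    Returns a dict with both addresses, the tags outermost first (each with
    its TPID name, PCP, DEI and VID), the EtherType of the encapsulated
    payload and the offset at which that payload begins."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    pos = 12
    tags = []
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated EtherType at offset %d" % pos)
        ethertype = struct.unpack_from("!H", frame, pos)[0]
        if ethertype not in TPIDS:
            break  # not a tag: this is the payload EtherType
        if pos + 4 > len(frame):
            raise ValueError("truncated VLAN tag at offset %d" % pos)
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        tags.append({
            "tpid": TPIDS[ethertype],
            "pcp": tci >> 13,         # priority code point, 3 bits
            "dei": (tci >> 12) & 1,   # drop eligible indicator, 1 bit
            "vid": tci & 0x0FFF,      # VLAN identifier, 12 bits
        })
        pos += 4
    return {
        "dst": dst,
        "src": src,
        "tags": tags,
        "ethertype": ethertype,
        "payload_offset": pos + 2,
    }


# Constructed sample: QinQ frame, S-TAG VID 100 around C-TAG VID 200 (PCP 5),
# followed by a 20-byte IPv4 header stub. Addresses are made up.
SAMPLE_QINQ = bytes.fromhex(
    "001122334455" "66778899aabb"               # dst, src
    "88a8" "0064"                               # 802.1ad S-TAG: PCP 0, DEI 0, VID 100
    "8100" "a0c8"                               # 802.1Q C-TAG: PCP 5, DEI 0, VID 200
    "0800"                                      # EtherType IPv4
    "4500001400010000401100000a0000010a000002"  # IPv4 header stub
)

# Constructed sample: the same payload with no tag at all.
SAMPLE_UNTAGGED = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"
    "4500001400010000401100000a0000010a000002"
)

if __name__ == "__main__":
    for name, frame in (("qinq", SAMPLE_QINQ), ("untagged", SAMPLE_UNTAGGED)):
        print(name, decode_ethernet_vlan(frame))
```

A decoder that stops after the first tag would report the QinQ sample as VLAN 100 with EtherType 0x8100 and never see the IPv4 header; walking the tag chain to its end is what makes the payload offset correct for whatever protocol decoder runs next.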
   137  
March 2013: 0.9.10:
1) SMB version 2 and 3 protocol support ([MS-SMB2]). Signing supported, encryption for SMB3 still pending.
2) Added an SMBConnection layer on top of each SMB-specific protocol. Much simpler and SMB version independent.
   It will pick the best SMB version when connecting against the target. Check smbconnection.py for a list of available
   methods across all the protocols.
3) Partial TDS implementation ([MS-TDS] & [MC-SQLR]) so we could talk with MSSQL Servers.
4) Unicode support for the smbserver. Newer OSX won't connect to a non-Unicode SMB Server.
5) DCERPC Endpoints' new calls
  a. EPM: lookup(): It can work as a general portmapper, or just to find specific interfaces/objects.
6) New examples
  a. mssqlclient.py: A MS SQL client, allowing MS SQL or Windows authentication (accepts hashes), which then gives
     you an SQL prompt for your pleasure.
  b. mssqlinstance.py: Lists the MS SQL instances running on a target machine.
  c. rpcdump.py: Output changed. Hopefully more useful. All the Windows Protocol Specifications were parsed for the
     UUIDs they use, and that information is included as well. This could be helpful when reading a portmap output and
     to develop new functionality to interact against a target interface.
  d. smbexec.py: Another alternative to psexec. Fewer capabilities, but might work in tight AV environments. Based on the
     technique described at https://www.optiv.com/blog/owning-computers-without-shell-access. It also
     supports instantiating a local smbserver to receive the output of the commands executed for those situations
     where no share is available on the other end.
  e. smbrelayx.py: It now also listens on port 80 and forwards/reflects the credentials accordingly.

And finally tons of fixes :).

July 2012: 0.9.9:
1) Added 802.11 packets encoding/decoding
2) Addition of support for IP6, ICMP6 and NDP packets. Addition of IP6_Address helper class.
3) SMB/DCERPC
  a. GSS-API/SPNEGO Support.
  b. SPN support in auth blob.
  c. NTLM2 and NTLMv2 support.
  d. Default SMB port now 445. If *SMBSERVER is specified the library will try to resolve the NetBIOS name.
  e. Pass the hash supported for SMB/DCE-RPC.
  f. IPv6 support for SMB/NMB/DCERPC.
  g. DOMAIN support for authentication.
  h. SMB signing support when server enforces it.
  i. DCERPC signing/sealing for all NTLM flavours.
  j. DCERPC transport now accepts an already established SMB connection.
  k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC requests (by
     forwarding named pipe requests).
  l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoid a nasty Windows 7 bug when that pipe's
     not functional.

4) DCERPC Endpoints' new calls
  a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(),
     NetprNameCanonicalize().
  b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(),
     StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW().
  c. WKSSVC: NetrWkstaTransportEnum().
  d. SAMR: OpenAlias(), GetMembersInAlias().
  e. LSARPC: LsarOpenPolicy2(), LsarLookupSids(), LsarClose().

5) New examples
  a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list
     of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is
     listed and/or listening.
  b. lookupsid.py: DCE/RPC lookup sid brute forcer example.
  c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first
     256 operation numbers in turn and reports the outcome of each call.
  d. services.py: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST).
  e. test_wkssvc: DCE/RPC WKSSVC examples, playing with the functions implemented.
  f. smbrelayx: Passes credentials to a third-party server when doing MitM.
  g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but
     not enforced. Tested under Windows, Linux and MacOS clients.
  h. smbclient.py: now supports history, new commands also added.
  i. psexec.py: Execute remote commands on Windows machines