Merge remote-tracking branch 'ThePorgs/main' into fork/blackarrowsec/inline-secretsdump

# Conflicts:
#	examples/secretsdump.py
#	impacket/examples/secretsdump.py

Author: ShutdownRepo

.github/workflows/build_and_test.yml

@@ -48,14 +48,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.7", "3.8", "3.9", "3.10"]
+        python-version: ["3.9", "3.10","3.11","3.12"]
         experimental: [false]
         os: [ubuntu-latest]
         include:
-          - python-version: "3.6"
-            experimental: false
-            os: ubuntu-20.04
-          - python-version: "3.11-dev"
+          - python-version: "3.13-dev"
             experimental: true
             os: ubuntu-latest
     continue-on-error: ${{ matrix.experimental }}

ChangeLog.md

@@ -5,6 +5,105 @@ Project owner's main page is at www.coresecurity.com.
 Complete list of changes can be found at:
 https://github.com/fortra/impacket/commits/master
 
+## Impacket v0.12.0 (Sep 2024):
+1. Library improvements
+    * Fixed broken hRSetServiceObjectSecurity method (@rkivys)
+    * Removed dsinternals dependency (@anadrianmanrique)
+    * Fixed srvs.hNetrShareEnum returning erronous shares (@cnotin)
+    * Fixed lmhash computing to support non standard characters in the password (@anadrianmanrique)
+    * Assorted fixes when processing Unicode data (@alexisbalbachan)
+    * Added `[MS-GKDI]` Group Key Distribution Protocol implementation (@zblurx)
+    * Fixed incorrect padding in SMBSessionSetupAndX_Extended_ResponseData (@rtpt-erikgeiser)
+    * Upgraded dependency pyreadline -> pyreadline3 (@anadrianmanrique)
+    * SMB Server:
+    	* Added query information level 0x0109 for smb1 "SMB_QUERY_FILE_STREAM_INFO" (@Adamkadaban)
+    	* Fixed filename encoding in queryPathInformation (@JerAxxxxxxx)
+    	* Fixed NextEntryOffset for large directory listings (@robnanola)
+     	* Fixed server returning an empty folder when cutting and pasting recursive directories (@robnanola)
+    * DHCP: Fixed encoding issues (@ujwalkomarla)
+
+3. Examples improvements
+    * [secretsdump.py](examples/secretsdump.py):
+        * Double DC Sync performance for DCs supporting SID lookups (@tomspencer)
+        * Added ability to skip dumping of SAM or SECURITY hives when performing remote operations (@RazzburyPi)
+        * Added ability to specify users to skip when dumping NTDS (@RazzburyPi)
+    * [ticketer.py](examples/ticketer.py):
+        * Support to create Sapphire tickets (@ShutdownRepo)
+    * [GetUserSPNs.py](examples/GetUserSPNs.py), [getTGT.py](examples/getTGT.py):
+        * Support for Kerberoasting without pre-authentication and ST request through AS-REQ (@ShutdownRepo)
+    * [wmiexec.py](examples/wmiexec.py):
+        * Fix kerberos with remoteHost & add '-target-ip'(@XiaoliChan)
+    * [ntlmrelayx.py](examples/ntlmrelayx.py):
+        * Added the creation of a new machine account through SMB (@BlWasp)
+        * NTLMRelayX Multirelay fixes for target handling, added --keep-relaying flag (@alexisbalbachan)
+        * Logging multirelay status when triggering the example (@gabrielg5)
+        * Write certificates to file rather than outputting b64 to console (@RazzburyPi)
+        * Improved ability to continue relaying to ADCS web enrollment endpoint in order to request multiple certificates for different users (@RazzburyPi)
+        * Fixed compatibility issue with other SMB clients connecting to the SOCKS proxy created by ntlmrelayx (@jfjallid)
+        * Allow configuration of the SOCKS5 address and port (@rtpt-erikgeiser)
+        * Fixed implementation of MSSQLShell (@gabrielg5)
+        * Logging notification of received connections in all relay servers (@gabrielg5)
+        * Add domain and username to interactive Ldap shell message (@minniear)
+        * Enhanced MSSQLShell in NTLMRelayX leveraging TcpShell & output messages (@gabrielg5)
+        * LDAP Attack: Bugfixes when parsing responses (@SAERXCIT)
+    * [getST.py](examples/getST.py):
+        * Added -self, -altservice and -u2u  for S4U2self abuse, S4U2self+u2u, and service substitution (@ShutdownRepo)
+        * Added ability to set the RENEW ticket option to renew a TGT (@shikatano)
+        * Fixed unicode encoding error when using the -impersonate flag (@alexisbalbachan)
+    * [getTGT.py](examples/getTGT.py):
+        * Added principalType as new parameter (@DevSpork)
+    * [reg.py](examples/reg.py):
+        * Start remote registry as unprivileged user in reg.py (@dadevel)
+        * Allow adding Binary values (@dc3l1ne)
+        * Add missing Null byte for REG_SZ values (@PfiatDe)
+        * Support for adding REG_MULTI_SZ values through (@garbrielg5)
+    * [smbclient.py](examples/smbclient.py):
+    	* Added ability to provide an output file that the smbclient mini shell will write commands and output to (@RazzburyPi)
+     	* Fixed path parse issue when running `tree` command (@trietend)
+    * [smbserver.py](examples/smbserver.py):
+        * Added parameter "-outputfile" to set smbserver log file(gabrielg5) 
+    * [DumpNTLMInfo.py](examples/DumpNTLMInfo.py):
+    	* Allow execution on non-default ports (@jeffmcjunkin)
+     	* Fixed KeyError exception when running with a Windows 2003 target (@XiaoliChan)
+    * [findDelegation.py](examples/findDelegation.py):
+    	* Added new column to show if SPN exists (@p0dalirius)
+    * [mssqlclient.py](examples/mssqlclient.py):
+     	* Added `-target-ip` parameter to allow Kerberos authentication without much change in the DNS configuration of the local machine (@Palkovsky)
+    * [mssqlshell.py](examples/mssqlshell.py):
+    	* Switching back to original DB after running `enum_impersonate` command (@exploide)
+        * Fixed logging in printReplies showing error messages (@gabrielg5)
+    * [registry-read.py](examples/registry-read.py):
+     	* Fixed scenario where value name contains backlash (@DidierA)
+    * [net.py](examples/net.py):
+     	* Fixed User "Account Active" property value (@marcobarlottini)
+        * Fixed log messages printing variables in the wrong order (@Cyb3rC3lt) 
+    * [rbcd.py](examples/rbcd.py):
+        * Handled SID not found in LDAP error (@ShutdownRepo)
+    * [GetUserSPNs.py](examples/GetUserSPNs.py):
+    	* Updated the help information for -outputfile to be consistent with -save (@scarvell)
+    * [ntfs-read.py](examples/ntfs-read.py):
+        * Minor refactor in ntfs-read.py to make it more human-readable (@NtAlexio2)
+    * [ldap_shell.py](examples/ldap_shell.py):
+        * Added support for dirsync and whoami commands (@nurfed1)
+    * [lookupsid.py](examples/lookupsid.py):
+        * Now supports kerberos auth (@A1vinSmith)
+    * [samrdump.py](examples/samrdump.py):
+        * Will fetch AdminComment using MSRPC (@joeldeleep)
+    * [tstool.py](examples/tstool.py):
+        * Added support for kerberos auth, resolves SIDs (@nopernik) 
+  
+4. New examples
+    * [describeTicket.py](examples/describeTicket.py): Ticket describer and decrypter. (@ShutdownRepo)
+    * [GetADComputers.py](examples/GetADComputers.py): Query's DC via LDAP and returns the COMPUTER objects and the useful attributes such as full dns name, operating system name and version. (@F-Masood)
+    * [GetLAPSPassword.py](examples/GetLAPSPassword.py): Extract LAPS passwords from LDAP (@zblurx and @dru1d-foofus)
+    * [dacledit.py](examples/dacledit.py): This script can be used to read, write, remove, backup, restore ACEs (Access Control Entries) in an object DACL (Discretionary Access Control List). (@ShutdownRepo) (@BlWasp_) (@Wlayzz)
+    * [owneredit.py](examples/owneredit.py): Added this script to abuse WriteOwner (ADS_RIGHT_WRITE_OWNER) access rights. This allows to take ownership of another object, and then edit that object's DACL (@ShutdownRepo) (@BlWasp_)
+
+As always, thanks a lot to all these contributors that make this library better every day (up to now):
+
+@tomspencer @anadrianmanrique @ShutdownRepo @dadevel @gjhami @NtAlexio2 @F-Masood @BlWasp @gabrielg5 @XiaoliChan @omry99 @Wlayzz @themaks @alexisbalbachan @RazzburyPi @jeffmcjunkin @p0dalirius @dc3l1ne @jfjallid @Palkovsky @rtpt-erikgeiser @trietend @zblurx @dru1d-foofus @PfiatDe @DidierA @marcobarlottini @PeterGabaldon @m8r1us @5yn @tzuralon @Adamkadaban @scarvell @JerAxxxxxxx @ujwalkomarla @robnanola @SAERXCIT @nurfed1 @A1vinSmith @joeldeleep @nopernik
+
+	  
 ## Impacket v0.11.0 (Aug 2023):
 1. Library improvements 
     * Added new Kerberos error codes (@ly4k).
@@ -623,7 +722,7 @@ As always, thanks a lot to all these contributors that make this library better
       UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to
       develop new functionality to interact against a target interface.
     * `smbexec.py`: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the
-      technique described at https://www.optiv.com/blog/owning-computers-without-shell-access. It also
+      technique described at https://web.archive.org/web/20190515131124/https://www.optiv.com/blog/owning-computers-without-shell-access. It also
       supports instantiating a local smbserver to receive the output of the commandos executed for those situations
       where no share is available on the other end.
     * `smbrelayx.py`: It now also listens on port 80 and forwards/reflects the credentials accordingly.

README.md

@@ -4,7 +4,7 @@ Impacket
 [![Latest Version](https://img.shields.io/pypi/v/impacket.svg)](https://pypi.python.org/pypi/impacket/)
 [![Build and test Impacket](https://github.com/fortra/impacket/actions/workflows/build_and_test.yml/badge.svg)](https://github.com/fortra/impacket/actions/workflows/build_and_test.yml)
 
-FORTRA. Copyright (C) 2023 Fortra. All rights reserved.
+Copyright Fortra, LLC and its affiliated companies. All rights reserved.
 
 Impacket was originally created by [SecureAuth](https://www.secureauth.com/labs/open-source-tools/impacket), and now maintained by Fortra's Core Security.
 
@@ -50,17 +50,17 @@ Getting Impacket
 
 ### Latest version
 
-* Impacket v0.11.0
+* Impacket v0.12.0
 
   [![Python versions](https://img.shields.io/pypi/pyversions/impacket.svg)](https://pypi.python.org/pypi/impacket/)
 
 [Current and past releases](https://github.com/fortra/impacket/releases)
 
 ### Development version
 
-* Impacket v0.12.0-dev (**[master branch](https://github.com/fortra/impacket/tree/master)**)
+* Impacket v0.13.0-dev (**[master branch](https://github.com/fortra/impacket/tree/master)**)
 
-  [![Python versions](https://img.shields.io/badge/python-3.6%20|%203.7%20|%203.8%20|%203.9%20|%203.10-blue.svg)](https://github.com/fortra/impacket/tree/master)
+  [![Python versions](https://img.shields.io/badge/python-3.8%20|%203.9%20|%203.10%20|%203.11%20|%203.12-blue.svg)](https://github.com/fortra/impacket/tree/master)
 
 
 Setup

examples/DumpNTLMInfo.py

@@ -1,7 +1,9 @@
 #!/usr/bin/env python
 # Impacket - Collection of Python classes for working with network protocols.
 #
-# Copyright (C) 2023 Fortra. All rights reserved.
+# Copyright Fortra, LLC and its affiliated companies 
+#
+# All rights reserved.
 #
 # This software is provided under a slightly modified version
 # of the Apache Software License. See the accompanying LICENSE file
@@ -479,16 +481,17 @@ def _get_my_name(self):
 
 
 class DumpNtlm:
-    def __init__(self, ip, hostname, port) -> None:
+    def __init__(self, ip, hostname, port, protocol) -> None:
         self.target     = ip
         self.hostname   = hostname
         self._sess_port = int(port)
+        self._protocol  = protocol
         self._timeout   = 60
 
     def DisplayInfo(self):
-        if self._sess_port in [139, 445]:
+        if self._protocol == 'SMB':
             self.DisplaySmbInfo()
-        elif  self._sess_port in [135]:
+        elif self._protocol == 'RPC':
             self.DisplayRpcInfo()
 
     def DisplayRpcInfo(self):
@@ -628,34 +631,42 @@ def __convert_size(self, size_bytes):
 if __name__ == '__main__':
 
     print(version.BANNER)
-    logger.init()
 
     parser = argparse.ArgumentParser(add_help = True, description = "Do ntlm authentication and parse information.")
     parser.add_argument('target', action='store', help='<targetName or address>')
     parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
+    parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output')
     parser.add_argument('-target-ip', action='store', metavar="ip address",
                        help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
                             'This is useful when target is the NetBIOS name and you cannot resolve it')
-    parser.add_argument('-port', choices=['135', '139', '445'], nargs='?', default='445', metavar="destination port",
-                       help='Destination port to connect to SMB/RPC Server')
+    parser.add_argument('-port', type=int, default=445, metavar="destination port",
+                    help='Destination port to connect to SMB/RPC Server')
+    parser.add_argument('-protocol', choices=['SMB', 'RPC'], nargs='?', metavar="protocol",
+                        help='Protocol to use (SMB or RPC). Default is SMB, port 135 uses RPC normally.')
 
     if len(sys.argv) == 1:
         parser.print_help()
         sys.exit(1)
 
     options = parser.parse_args()
-
-    if options.debug is True:
-        logging.getLogger().setLevel(logging.DEBUG)
-        logging.debug(version.getInstallationPath())
-    else:
-        logging.getLogger().setLevel(logging.INFO)
+    logger.init(options.ts, options.debug)
+
+    if options.port == 135:
+        if not options.protocol:
+            options.protocol = 'RPC'
+            logging.info("Port 135 specified; using RPC protocol by default. Use `-protocol SMB` to force SMB protocol.")
+        elif options.protocol == 'SMB':
+            logging.info("Port 135 specified with SMB protocol. Are you sure you don't want `-protocol RPC`?")
+    elif not options.protocol:
+        options.protocol = 'SMB'
+        logging.info("Defaulting to SMB protocol.")
 
     try:
         if options.target_ip is not None:
-            dumper = DumpNtlm(options.target_ip, options.target, int(options.port))
+            dumper = DumpNtlm(options.target_ip, options.target, int(options.port), options.protocol)
         else:
-            dumper = DumpNtlm(options.target, options.target, int(options.port))
+            dumper = DumpNtlm(options.target, options.target, int(options.port), options.protocol)
+        logging.info("Using target: %s, IP: %s, Port: %d, Protocol: %s" % (options.target, options.target_ip or options.target, options.port, options.protocol) )
         dumper.DisplayInfo()
     except Exception as e:
         if logging.getLogger().level == logging.DEBUG:

examples/Get-GPPPassword.py

@@ -1,7 +1,9 @@
 #!/usr/bin/env python3
 # Impacket - Collection of Python classes for working with network protocols.
 #
-# Copyright (C) 2023 Fortra. All rights reserved.
+# Copyright Fortra, LLC and its affiliated companies 
+#
+# All rights reserved.
 #
 # This software is provided under a slightly modified version
 # of the Apache Software License. See the accompanying LICENSE file
@@ -255,19 +257,6 @@ def parse_target(args):
 
     return domain, username, password, address, lmhash, nthash
 
-
-def init_logger(args):
-    # Init the example's logger theme and debug level
-    logger.init(args.ts)
-    if args.debug is True:
-        logging.getLogger().setLevel(logging.DEBUG)
-        # Print the Library's installation path
-        logging.debug(version.getInstallationPath())
-    else:
-        logging.getLogger().setLevel(logging.INFO)
-        logging.getLogger("impacket.smbserver").setLevel(logging.ERROR)
-
-
 def init_smb_session(args, domain, username, password, address, lmhash, nthash):
     smbClient = SMBConnection(address, args.target_ip, sess_port=int(args.port))
     dialect = smbClient.getDialect()
@@ -293,7 +282,7 @@ def init_smb_session(args, domain, username, password, address, lmhash, nthash):
 if __name__ == '__main__':
     print(version.BANNER)
     args = parse_args()
-    init_logger(args)
+    logger.init(args.ts, args.debug)
 
     if args.target.upper() == "LOCAL":
         if args.xmlfile is not None: