mirror of
https://github.com/hak5darren/bashbunny-payloads.git
synced 2025-10-29 16:58:12 +00:00
206 lines
12 KiB
Plaintext
206 lines
12 KiB
Plaintext
Complete list of changes can be found at:
|
|
https://github.com/CoreSecurity/impacket/commits/master
|
|
|
|
June 2016: 0.9.15:
|
|
1) Library improvements
|
|
* SMB3.create: define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
|
|
* Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss)
|
|
* Packet fragmentation for DCE RPC layer mayor overhaul.
|
|
* Improved pass-the-key attacks scenarios (by @skelsec)
|
|
* Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to
|
|
build the search filter yourself)
|
|
* IPv6 improvements for DCERPC/LDAP and Kerberos
|
|
|
|
2) Examples improvements
|
|
* Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC
|
|
resides in the same server
|
|
* secretsdump.py
|
|
a. Adding support for Win2016 TP4 in LOCAL or -use-vss mode
|
|
b. Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)
|
|
c. Support for different ReplEpoch (DRSUAPI only)
|
|
d. pwdLastSet is also included in the output file
|
|
e. New structures/flags added for 2016 TP5 PAM support
|
|
* wmiquery.py
|
|
a. Adding -rpc-auth-level switch (by @gadio)
|
|
* smbrelayx.py
|
|
a. Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
|
|
b. Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
|
|
|
|
3) New Examples
|
|
* GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account.
|
|
This is part of the kerberoast attack researched by Tim Medin (@timmedin)
|
|
* ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)
|
|
(by @dirkjanm)
|
|
|
|
January 2016: 0.9.14:
|
|
1) Library improvements
|
|
* [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
|
|
* [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
|
|
* Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
|
|
* Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
|
|
* NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)
|
|
* Kerberos support for TDS (MSSQL)
|
|
* Extended present flags support on RadioTap class
|
|
* Old DCERPC runtime code removed
|
|
|
|
2) Examples improvements
|
|
* mssqlclient.py: Added Kerberos authentication support
|
|
* atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
|
|
* smbrelayx.py:
|
|
* If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default
|
|
* Added -c option to execute custom commands in the target (by @byt3bl33d3r)
|
|
* secretsdump.py:
|
|
a. Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method)
|
|
by default. VSS method is still available by using the -use-vss switch
|
|
b. Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and
|
|
-just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options
|
|
c. Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option
|
|
d. Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump ([MS-SAMR] 3.1.1.8.11.5)
|
|
e. Add support for multiple password encryption keys (PEK) (by @s0crat)
|
|
* goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC
|
|
|
|
3) New examples
|
|
* raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege
|
|
escalation as detailed by Sean Metcalf at https://adsecurity.org/?p=1640
|
|
* netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)
|
|
|
|
May 2015: 0.9.13:
|
|
1) Library improvements
|
|
* Kerberos support for SMB and DCERPC featuring:
|
|
a. kerberosLogin() added to SMBConnection (all SMB versions).
|
|
b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will
|
|
negotiate Kerberos. This also includes DCOM.
|
|
c. Pass-the-hash, pass-the-ticket and pass-the-key support.
|
|
d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
|
|
e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
|
|
f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
|
|
* SMB3 encryption support. Pycrypto experimental version that supports
|
|
AES_CCM is required.
|
|
* [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
|
|
* SMBSERVER improvements:
|
|
a. SMB2 (2.002) dialect experimental support.
|
|
b. Adding capability to export to John The Ripper format files
|
|
* Library logging overhaul. Now there's a single logger called 'impacket'.
|
|
|
|
2) Examples improvements
|
|
* Added Kerberos support to all modules (incl. pass-the-ticket/key)
|
|
* Ported most of the modules to the new dcerpc.v5 runtime.
|
|
* secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
|
|
* smbserver.py: support for SMB2 (not enabled by default)
|
|
* smbrelayx.py: Added support for MS15-027 exploitation.
|
|
|
|
3) New examples
|
|
* goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a
|
|
psexec session at the target.
|
|
* karmaSMB.py: SMB Server that answers specific file contents regardless of
|
|
the SMB share and pathname requested.
|
|
* wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event
|
|
Consumers/Filters to execute VBS based on a WQL filter or timer specified.
|
|
|
|
July 2014: 0.9.12:
|
|
1) The following protocols were added based on its standard definition
|
|
* [MS-DCOM] - Distributed Component Object module Protocol (dcom.py)
|
|
* [MS-OAUT] - OLE Automation Protocol (dcom/oaut.py)
|
|
* [MS-WMI]/[MS-WMIO] : Windows Management Instrumentation Remote Protocol (dcom/wmi.py)
|
|
|
|
2) New examples
|
|
a. wmiquery.py: executes WMI queries and get WMI object's descriptions.
|
|
b. wmiexec.py: agent-less, semi-interactive shell using WMI.
|
|
c. smbserver.py: quick an easy way to share files using the SMB protocol.
|
|
|
|
February 2014: 0.9.11:
|
|
1) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available)
|
|
a. Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
|
|
b. Support for RPC_C_AUTHN_NETLOGON (experimental)
|
|
c. The following interface were developed based on its standard definition:
|
|
* [MS-LSAD] - Local Security Authority (Domain Policy) Remote Protocol (lsad.py)
|
|
* [MS-LSAT] - Local Security Authority (Translation Methods) Remote Protocol (lsat.py)
|
|
* [MS-NRPC] - Netlogon Remote Protocol (nrpc.py)
|
|
* [MS-RRP] - Windows Remote Registry Protocol (rrp.py)
|
|
* [MS-SAMR] - Security Account Manager (SAM) Remote Protocol (samr.py)
|
|
* [MS-SCMR] - Service Control Manager Remote Protocol (scmr.py)
|
|
* [MS-SRVS] - Server Service Remote Protocol (srvs.py)
|
|
* [MS-WKST] - Workstation Service Remote Protocol (wkst.py)
|
|
* [MS-RPCE]-C706 - Remote Procedure Call Protocol Extensions (epm.py)
|
|
* [MS-DTYP] - Windows Data Types (dtypes.py)
|
|
Most of the DCE Calls have helper functions for easier use. Test cases added for
|
|
all calls (check the test cases directory)
|
|
2) ESE parser (Extensive Storage Engine) (ese.py)
|
|
3) Windows Registry parser (winregistry.py)
|
|
4) TDS protocol now supports SSL, can be used from mssqlclient
|
|
5) Support for EAPOL, EAP and WPS decoders
|
|
6) VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
|
|
7) New examples
|
|
a. rdp_check.py: tests whether an account (pwd or hashes) is valid against an RDP server
|
|
b. esentutl.py: ESE example to show how to interact with ESE databases (e.g. NTDS.dit)
|
|
c. ntfs-read.py: mini shell for browsing an NTFS volume
|
|
d. registry-read.py: Windows offline registry reader
|
|
e. secretsdump.py: agent-less remote windows secrets dump (SAM, LSA, CDC, NTDS)
|
|
|
|
March 2013: 0.9.10:
|
|
1) SMB version 2 and 3 protocol support ([MS-SMB2]). Signing supported, encryption for SMB3 still pending.
|
|
2) Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and SMB version independent.
|
|
It will pick the best SMB Version when connecting against the target. Check smbconnection.py for a list of available
|
|
methods across all the protocols.
|
|
3) Partial TDS implementation ([MS-TDS] & [MC-SQLR]) so we could talk with MSSQL Servers.
|
|
4) Unicode support for the smbserver. Newer OSX won't connect to a non unicode SMB Server.
|
|
5) DCERPC Endpoints' new calls
|
|
a. EPM: lookup(): It can work as a general portmapper, or just to find specific interfaces/objects.
|
|
6) New examples
|
|
a. mssqlclient.py: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives
|
|
you an SQL prompt for your pleasure.
|
|
b. mssqlinstance.py: Lists the MS SQL instances running on a target machine.
|
|
c. rpcdump.py: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the
|
|
UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to
|
|
develop new functionality to interact against a target interface.
|
|
d. smbexec.py: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the
|
|
technique described at http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access. It also
|
|
supports instantiating a local smbserver to receive the output of the commandos executed for those situations
|
|
where no share is available on the other end.
|
|
e. smbrelayx.py: It now also listens on port 80 and forwards/reflects the credentials accordingly.
|
|
|
|
And finally tons of fixes :).
|
|
|
|
July 2012: 0.9.9:
|
|
1) Added 802.11 packets encoding/decoding
|
|
2) Addition of support for IP6, ICMP6 and NDP packets. Addition of IP6_Address helper class.
|
|
3) SMB/DCERPC
|
|
a. GSS-API/SPNEGO Support.
|
|
b. SPN support in auth blob.
|
|
c. NTLM2 and NTLMv2 support.
|
|
d. Default SMB port now 445. If *SMBSERVER is specified the library will try to resolve the netbios name.
|
|
e. Pass the hash supported for SMB/DCE-RPC.
|
|
f. IPv6 support for SMB/NMB/DCERPC.
|
|
g. DOMAIN support for authentication.
|
|
h. SMB signing support when server enforces it.
|
|
i. DCERPC signing/sealing for all NTLM flavours.
|
|
j. DCERPC transport now accepts an already established SMB connection.
|
|
k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by
|
|
forwarding named pipes requests).
|
|
l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoidg Windows 7 nasty bug when that pipe's
|
|
not functional.
|
|
|
|
4) DCERPC Endpoints' new calls
|
|
a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(),
|
|
NetprNameCanonicalize().
|
|
b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(),
|
|
StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW().
|
|
c. WKSSVC: NetrWkstaTransportEnum().
|
|
d. SAMR: OpenAlias(), GetMembersInAlias().
|
|
e. LSARPC: LsarOpenPolicy2(), LsarLookupSids(), LsarClose().
|
|
|
|
5) New examples
|
|
a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list
|
|
of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is
|
|
listed and/or listening.
|
|
b. lookupsid.py: DCE/RPC lookup sid brute forcer example.
|
|
c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first
|
|
256 operation numbers in turn and reports the outcome of each call.
|
|
d. services.py: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST).
|
|
e. test_wkssvc: DCE/RPC WKSSVC examples, playing with the functions Implemented.
|
|
f. smbrelayx: Passes credentials to a third party server when doing MiTM.
|
|
g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but
|
|
not enforced. Tested under Windows, Linux and MacOS clients.
|
|
h. smbclient.py: now supports history, new commands also added.
|
|
i. psexec.py: Execute remote commands on Windows machines
|