
Impacket v0.10.0 Now Available


First published in SecureAuth.com

Today, I’m pleased to announce the release of the latest version of Impacket, the collection of Python classes for working with network protocols, and much more.

Impacket release 0.10.0 is available now and brings several new features and enhancements including a refreshed NTLMrelayx, the Kerberos Key List attack implementation, a refactored Credential Cache, the sunsetting of Python 2, and new testing infrastructure, among other things. We are super excited and hope you are as well.

Let’s take a look at everything new included in this version.

What’s New in Impacket Release v0.10.0?

Sunsetting Python 2.7 Support

As you can see, one of the major changes in this release is reflected in the semantic versioning, and that has a reason: we are dropping Python 2.7 support.

Python 2 has been unsupported since January 1, 2020, but we extended our full support until Impacket v0.9.23 (June 2021) and continued to ship bug fixes until the Impacket v0.9.24 release (November 2021), recognizing that many people were still using Python 2. We considered that this extra time was sufficient to transition off, and based on the daily download statistics of the last semester we decided that we are now ready to drop support for Python 2.7.

Daily download after v0.9.24 (PyPI Stats)

With this release, we’ll be able to eliminate the costs of maintaining backward compatibility, simplify our code, and take full advantage of the features of the current versions of Python 3.

We Love Relaying Credentials

As we enjoy relaying credentials, we’ve updated ntlmrelayx.py to keep improving this great tool. The most relevant change is the addition of the multi-relay capabilities to the HTTP relay server. What does it mean? Well, now an incoming HTTP connection could be used against multiple targets. On top of that, we’re able to identify the gathered credential before relaying it, so we can define named targets in our attacks. This feature was present in the SMB relay server since v.0.9.22, but as the implementation is protocol-dependent, we rolled up our sleeves and replicated it in HTTP.

As I mentioned, the multi-relay capability in SMB was included a couple of releases ago. The feature was widely used by many but also had some issues in particular scenarios, such as when a client has SMB signing required. For that reason, I worked on @zblurx's PR#1273 (based on the work of @hackanddo) and implemented a new option (--no-multi-relay) to disable multi-relaying in those situations. The option allows relaying credentials as we did in older versions. Thanks, @zblurx and @hackanddo, for the contribution!
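The SMB signing scenario above is worth a closer look from the defender's side: a peer that sets the "signing required" bit in its SMB2 NEGOTIATE SecurityMode cannot have its session relayed, which is why that setting is the standard mitigation. The following is an added example (not Impacket code and not from the original post) that parses the SecurityMode field of an SMB2 NEGOTIATE request or response, using the fixed header and body layouts from [MS-SMB2], and classifies the signing posture. The packets it checks are constructed inline; the function and flag names are my own.

```python
import struct

# Constants from [MS-SMB2]: header layout (2.2.1.2), NEGOTIATE request (2.2.3)
# and NEGOTIATE response (2.2.4).
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # set on responses
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def parse_negotiate_security_mode(packet: bytes) -> dict:
    """Return direction and signing flags of an SMB2 NEGOTIATE message.

    The request body carries SecurityMode at body offset 4 (after
    StructureSize and DialectCount); the response body carries it at
    body offset 2 (right after StructureSize).
    """
    if len(packet) < SMB2_HEADER_LEN + 6:
        raise ValueError("packet too short for an SMB2 NEGOTIATE message")
    if packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    (command,) = struct.unpack_from("<H", packet, 12)
    (flags,) = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")

    body = packet[SMB2_HEADER_LEN:]
    is_response = bool(flags & SMB2_FLAGS_SERVER_TO_REDIR)
    (structure_size,) = struct.unpack_from("<H", body, 0)
    if is_response:
        if structure_size != 65:
            raise ValueError("unexpected NEGOTIATE response StructureSize")
        (security_mode,) = struct.unpack_from("<H", body, 2)
    else:
        if structure_size != 36:
            raise ValueError("unexpected NEGOTIATE request StructureSize")
        (security_mode,) = struct.unpack_from("<H", body, 4)

    return {
        "direction": "response" if is_response else "request",
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_posture(info: dict) -> str:
    """Summarize what the signing flags mean for NTLM relay exposure."""
    if info["signing_required"]:
        return "signing required: sessions with this peer cannot be relayed"
    if info["signing_enabled"]:
        return "signing enabled but not required: relayable if the other side does not require it"
    return "signing disabled: relayable"


def _header(command: int, flags: int) -> bytes:
    # ProtocolId + 44 bytes of fixed fields + 16-byte signature = 64 bytes
    return SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ", SMB2_HEADER_LEN, 0, 0, command, 0, flags, 0, 0, 0, 0, 0
    ) + b"\x00" * 16


def build_negotiate_response(security_mode: int) -> bytes:
    """Constructed server NEGOTIATE response (SMB 3.1.1 dialect, zeroed fields)."""
    body = struct.pack(
        "<HHHH16sIIIIQQHHI", 65, security_mode, 0x0311, 0, b"\x00" * 16,
        0, 0, 0, 0, 0, 0, 0, 0, 0,
    )
    return _header(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body


def build_negotiate_request(security_mode: int) -> bytes:
    """Constructed client NEGOTIATE request offering only SMB 3.1.1."""
    body = struct.pack("<HHHHI16sQ", 36, 1, security_mode, 0, 0, b"\x00" * 16, 0)
    body += struct.pack("<H", 0x0311)
    return _header(SMB2_NEGOTIATE, 0) + body


if __name__ == "__main__":
    # Constructed samples: a server that requires signing and a client that only enables it.
    for pkt in (build_negotiate_response(0x0003), build_negotiate_request(0x0001)):
        info = parse_negotiate_security_mode(pkt)
        print(info["direction"], "->", relay_posture(info))
```

Run against captured NEGOTIATE traffic (for example, bytes pulled from a pcap), the same parser tells you which hosts on your own network still answer without the required bit set; the Windows policy that flips it is "Microsoft network server: Digitally sign communications (always)".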

That’s not all. Last year, attacking Active Directory Certificate Services (AD CS) was a hot topic and… continues to be. Will Schroeder and Lee Christensen published a whitepaper and a blog post detailing several attack vectors on Microsoft’s PKI implementation. @hugo-syn opened PR#1231 where he implemented two of those attacks, ESC1 and ESC6. We appreciate this new addition!

There’s still more! @ShutdownRepo, @Tw1sm, @nodauf and @p0dalirius bring us the Shadow Credentials attack in PR#1249. This attack allows an attacker to edit the msDS-KeyCredentialLink attribute of a target user or computer to obtain full control over that object. If you are interested in knowing more about the attack, check out The Hacker Recipes. Thanks, guys, for this implementation.

In closing this section, I’d like to mention a couple more PRs that were included in this refactoring. @SAERXCIT opened PR#1241, which allows having multiple listeners at the same time when the HTTP server is running. This is convenient when incoming HTTP connections arrive on multiple ports. On the other hand, @ShutdownRepo added the ability to define a password for the LDAP attack addComputer (PR#1063), and @ThePirateWhoSmellsOfSunflowers implemented StartTLS (PR#1305) to bypass Channel Binding or network filtering when relaying credentials to LDAP.

Finally, @CCob implemented a new relay server, a Raw server (PR#1190), designed for third-party relay applications such as lsarelayx. Thank you all for being part of this great refactoring.

The Kerberos Key List Attack

Some time ago, Microsoft released a passwordless authentication functionality that provides seamless single sign-on (SSO) to on-premises resources, using security keys such as FIDO2 keys. It is a story of Kerberos authentication, partial TGT tickets and Read-Only Domain Controllers (RODC).

In a nutshell, Microsoft implemented a new concept, the Azure AD Kerberos server (remember RODCs?). This server issues partial TGTs that the user then trades with the on-premises AD for a full one, and Kerberos does the rest. That’s great, but what about the resources that use legacy protocols like NTLM? This is where the Key List Request comes into play.

The Kerberos Key List attack is a new credential gathering vector that abuses the KERB-KEY-LIST-REQ structure used to support SSO capabilities in legacy protocols. In PR#1210, we added keylistattack.py, a new example with the implementation of this attack. On top of that, we included the option use-keylist to secretsdump.py to dump credentials with this new method instead of the default DRSUAPI one.

For more technical details, you can review my last blog post The Kerberos Key List Attack: The return of the Read Only Domain Controllers.

New Testing Infrastructure

@martingalloar did a large refactor to a good part of our testing infrastructure and issued PR#1247. What did this include? The PR added pytest as the testing framework to organize and mark test cases. Tox remains as the automation framework, and Coverage.py for measuring code coverage.

Local and remote test cases were marked for easy run and configuration, and DCE/RPC endpoint test cases were refactored and moved to a new layout. We also added tests for [MS-PAR], [MS-RPRN], CCache and DPAPI. Wow, that was great!

Testing is a tough job and one of our focus areas as maintainers, so any help you can offer is more than welcome. We plan to continue investing in improving our testing automation and coverage, so changes can be rolled out more easily and faster. If you want to collaborate with our testing efforts, you can use our testing guide as a starting point.

There is more…

Want more? You can check out a fully detailed list of all new features and enhancements in the release notes here. Enjoy.

Getting Impacket Release v0.10.0

If you want to know more about these examples and the library's functionality, you can find it at the Impacket site, or you can also get it by pulling the latest stable release directly from GitHub:

To install, execute the following command from the directory where the Impacket distribution has been unpacked: `python3 -m pip install .`. This will install the classes into the default Python modules path; note that you might need special permissions to write there.

Final Notes

As always, thanks a lot to all the contributors who have made Impacket better every day since the last version:

@rmaksimov, @simondotsh, @CCob, @raithedavion, @SAERXCIT, @Maltemo, @dirkjanm, @reznok, @ShutdownRepo, @scopedsecurity, @Tw1sm, @nodauf, @p0dalirius, @zblurx, @hugo-syn, @capnkrunchy, @mohemiv, @mpgn, @rtpt-jonaslieb, @snovvcrash, @alefburzmali, @ThePirateWhoSmellsOfSunflowers, and @Joaolvcm.

Feedback and PRs are very welcome. Contributions from the community are the mainstay of this open-source initiative.

If you have any doubts, questions, or suggestions, don’t hesitate to contact me at @0xdeaddood or drop us a few lines at 0xdeaddood@protonmail.com.

I hope you enjoy this new release. Happy hacking!
