Impacket Versions

Impacket is a collection of Python classes for working with network protocols.

impacket_0_11_0

9 months ago

Impacket 0.11.0:

Project's main page at https://www.coresecurity.com/core-labs/open-source-tools/impacket

ChangeLog for 0.11.0:

  1. Library improvements

    • Added new Kerberos error codes (@ly4k).
    • Added [MS-TSTS] Terminal Services Terminal Server Runtime Interface Protocol implementation (@nopernik).
    • Changed the setting up for new SSL connections (@mpgn, @CT-H00K and @0xdeaddood).
    • Added a callback function to smbserver for incoming authentications (@p0dalirius).
    • Fix crash in winregistry (@laxa)
    • Fixes in IDispatch derived classes in comev implementation (@NtAlexio2)
    • Fix CVE-2020-17049 in ccache.py (@godylockz)
    • Smbserver: Added SMB2_FILE_ALLOCATION_INFO type determination (@JerAxxxxxxx)
    • tds: Fixed python3 incompatibility when receiving over TLS socket (@exploide)
    • crypto: Ensure passwords are utf-8 encoded before deriving Kerberos keys (@jojonas)
    • ese: Fixed python3 incompatibility when reading from db (@alexisbalbachan)
    • ldap queries: Escaped characters are now correctly parsed (@alexisbalbachan)
    • Support SASL authentication in ldap protocol (@NtAlexio2)
  2. Examples improvements

    • GetADUsers.py, GetNPUsers.py, GetUserSPNs.py and findDelegation.py:
      • Added the dc-host option to connect to a specific KDC using its FQDN or NetBIOS name (@rmaksimov and @0xdeaddood).
    • GetNPUsers.py
      • Print the TGT to stdout even when the -outputfile parameter is given (@alexisbalbachan and @Zamanry)
      • Fixed output hash format for AES128/256 (etype 17/18) (@erasmusc)
    • GetUserSPNs.py:
      • Added LDAP paged search (@ThePirateWhoSmellsOfSunflowers and @SAERXCIT).
      • Added a -stealth flag to remove the SPN filter from the LDAP query (@clavoillotte).
      • Improved searchFilter (@ShutdownRepo)
      • Use LDAP paged search (@ThePirateWhoSmellsOfSunflowers)
    • psexec.py:
      • Added support for name customization using a custom binary file (@Dramelac).
    • smbexec.py:
      • Security fixes for privilege escalation vulnerabilities (@bugch3ck).
      • Fixed python3 compatibility issues, added a workaround for TCP over NetBIOS being disabled (@ljrk0)
    • secretsdump.py:
      • Added a new option to extract only NTDS.DIT data for specific users based on an LDAP filter (@snovvcrash).
      • Security fixes for privilege escalation vulnerabilities (@bugch3ck).
    • mssqlclient.py:
      • Added multiple new commands. Now supports xp_dirtree execution (@Mayfly277, @trietend and @TurtleARM).
    • ntlmrelayx.py:
      • Added ability to trigger SQLShell when running ntlmrelayx in interactive mode (@sploutchy).
      • Added filter option to the socks command in ntlmrelayx CLI (@shoxxdj)
      • Added ability to register DNS records through LDAP.
    • addcomputer.py, rbcd.py:
      • Allow weak TLS ciphers for LDAP connections (@AdrianVollmer)
    • Get-GPPPassword.py:
      • Better handling of various XML files in Group Policy Preferences (@p0dalirius)
    • smbclient.py:
      • Added recursive file listing (@Sq00ky)
    • ticketer.py:
      • Ticket duration is now specified in hours instead of days (@Dramelac)
      • Added extra-pac implementation (@Dramelac)
  3. New examples

    • net.py Implementation of windows net.exe builtin tool (@NtAlexio2)
    • changepasswd.py New example that allows password changing or resetting through multiple protocols (@Alef-Burzmali, @snovvcrash, @bransh, @api0cradle and @p0dalirius)
    • DumpNTLMInfo.py New example that dumps remote host information exposed by the NTLM authentication exchange, without credentials. Supports SMB protocol versions 1, 2 and 3. (@NtAlexio2)

As always, thanks a lot to all these contributors that make this library better every day (up to now):

@ly4k @nopernik @snovvcrash @ShutdownRepo @kiwids0220 @mpgn @CT-H00K @rmaksimov @arossert @aevy-syn @tirkarthi @p0dalirius @Dramelac @Mayfly277 @S3cur3Th1sSh1t @nobbd @AdrianVollmer @trietend @TurtleARM @ThePirateWhoSmellsOfSunflowers @SAERXCIT @clavoillotte @Marshall-Hallenbeck @sploutchy @almandin @rtpt-alexanderneumann @JerAxxxxxxx @NtAlexio2 @laxa @godylockz @exploide @jojonas @Zamanry @erasmusc @bugch3ck @ljrk0 @Sq00ky @shoxxdj @Alef-Burzmali @bransh @api0cradle @alexisbalbachan @0xdeaddood @sanmopre

impacket_0_10_0

2 years ago

Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.10.0:

  1. Library improvements

    • Dropped support for Python 2.7.
    • Refactored the testing infrastructure (@martingalloar):
      • Added pytest as the testing framework to organize and mark test cases. Tox remains as the automation framework, and Coverage.py for measuring code coverage.
      • Custom bash scripts were replaced with test cases auto-discovery.
      • Local and remote test cases were marked for easy run and configuration.
      • DCE/RPC endpoint test cases were refactored and moved to a new layout.
      • Added an initial testing guide with the main steps to prepare a testing environment and run the tests.
      • Fixed a good amount of DCE/RPC endpoint test cases that were failing.
      • Added tests for [MS-PAR], [MS-RPRN], CCache and DPAPI.
    • Added a function to compute the Netlogon Authenticator at client-side in [MS-NRPC] (@0xdeaddood)
    • Added [MS-DSSP] protocol implementation (@simondotsh)
    • Added GetDriverDirectory functions to [MS-PAR] and [MS-RPRN] (@raithedavion)
    • Refactored the Credential Cache:
      • Added new parseFile function to ccache.py (@rmaksimov)
      • Added support for loading CCache Version 3 (@reznok)
      • Modified fromKRBCRED function used to load a Kirbi file (@0xdeaddood)
      • Fixed Ccache to Kirbi conversion (@ShutdownRepo)
    • Fixed default NTLM server challenge in smbserver (@rtpt-jonaslieb)
  2. Examples improvements

    • exchanger.py:
      • Fixed a bug when a Global Address List doesn't exist on the server (@mohemiv)
    • mimikatz.py
      • Updated intro to not trigger the AV on windows (@mpgn)
    • ntlmrelayx.py:
      • Implemented RAW Relay Server (@CCob)
      • Added an LDAP attack dumping information about the domain's ADCS enrollment services (@SAERXCIT)
      • Added multi-relay feature to the HTTP Relay Server. Now one incoming HTTP connection could be used against multiple targets (@0xdeaddood)
      • Added an option to disable the multi-relay feature (@zblurx and @0xdeaddood)
      • Added multiple HTTP listeners running at the same time (@SAERXCIT)
      • Support for the ADCS ESC1 and ESC6 attacks (@hugo-syn)
      • Added Shadow Credentials attack (@ShutdownRepo, @Tw1sm, @nodauf and @p0dalirius)
      • Added the ability to define a password for the LDAP attack addComputer (@ShutdownRepo)
      • Added rename_computer and modify add_computer in LDAP interactive shell (@capnkrunchy)
      • Implemented StartTLS (@ThePirateWhoSmellsOfSunflowers)
    • reg.py:
      • Added save function to allow remote saving of registry hives (@ShutdownRepo and @scopedsecurity)
    • secretsdump.py:
      • Added an option to dump credentials using the Kerberos Key List attack (@0xdeaddood)
    • smbpasswd.py:
      • Added an option to force credentials change via injecting new values into SAM (@snovvcrash and @Alef-Burzmali)
  3. New examples

    • machine_role.py: This script retrieves a host's role along with its primary domain details (@simondotsh)
    • keylistattack.py: This example implements the Kerberos Key List attack to dump credentials abusing RODCs and Azure AD Kerberos Servers (@0xdeaddood)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@rmaksimov @simondotsh @CCob @raithedavion @SAERXCIT @Maltemo @dirkjanm @reznok @ShutdownRepo @scopedsecurity @Tw1sm @nodauf @p0dalirius @zblurx @hugo-syn @capnkrunchy @mohemiv @mpgn @rtpt-jonaslieb @snovvcrash @Alef-Burzmali @ThePirateWhoSmellsOfSunflowers @jlvcm

impacket_0_9_24

2 years ago

Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.9.24:

  1. Library improvements

    • Fixed WMI objects parsing (@franferrax)
    • Added the RpcAddPrinterDriverEx method and related structures to [MS-RPRN]: Print System Remote Protocol (@cube0x0)
    • Initial implementation of [MS-PAR]: Print System Asynchronous Remote Protocol (@cube0x0)
    • Made the MS-RPCH implementation comply with HTTP/1.1 (@mohemiv)
    • Added return of server time in case of Kerberos error (@ShutdownRepo and @Hackndo)
  2. Examples improvements

    • getST.py:
      • Added support for a custom additional ticket for S4U2Proxy (@ShutdownRepo)
    • ntlmrelayx.py:
      • Added Negotiate authentication support to the HTTP server (@LZD-TMoreggia)
      • Added anonymous session handling in the HTTP server (@0xdeaddood)
      • Fixed error in ldapattack.py when trying to escalate with machine account (@Rcarnus)
      • Added the implementation of AD CS attack (@ExAndroidDev)
      • Disabled the anonymous logon in the SMB server (@ly4k)
    • psexec.py:
      • Fixed decoding problems on multi bytes characters (@p0dalirius)
    • reg.py:
      • Implemented ADD and DELETE functionalities (@Gifts)
    • secretsdump.py:
      • Speeding up NTDS parsing (@skelsec)
    • smbclient.py:
      • Added 'mget' command which allows the download of multiple files (@deadjakk)
      • Handling empty search count in FindFileBothDirectoryInfo (@martingalloar)
    • smbpasswd.py:
      • Added the ability to change a user's password providing NTLM hashes (@snovvcrash)
    • smbserver.py:
      • Added NULL SMBv2 client connection handling (@0xdeaddood)
      • Hardened path checks and added TID checks (@martingalloar)
      • Added SMB2 support to the QUERY_INFO request and enabled the SMB_COM_FLUSH method (@0xdeaddood)
      • Added missing constant and structure for the QUERY_FS Information Level SMB_QUERY_FS_DEVICE_INFO (@martingalloar)
    • wmipersist.py:
      • Fixed VBA script execution and improved error checking (@franferrax)
  3. New examples

    • rbcd.py: Example script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer (@ShutdownRepo and @p0dalirius) (based on the previous work of @tothi and @NinjaStyle82)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@deadjakk @franferrax @cube0x0 @w0rmh013 @skelsec @mohemiv @LZD-TMoreggia @exploide @ShutdownRepo @Hackndo @snovvcrash @rmaksimov @Gifts @Rcarnus @ExAndroidDev @ly4k @p0dalirius

impacket_0_9_23

2 years ago

Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/

ChangeLog for 0.9.23:

  1. Library improvements

    • Support connect timeout with SMBTransport (@vruello)
    • Speeding up DcSync (@mohemiv)
    • Fixed Python3 issue when serving SOCKS5 requests (@agsolino)
    • Moved docker container to Python 3.8 (@mgallo)
    • Added basic GitHub Actions workflow (@mgallo)
    • Fixed path traversal vulnerabilities in smbserver.py - CVE-2021-31800 (@omriinbar, AppSec Researcher at Checkmarx)
    • Fixed POST request processing in httprelayserver.py (@Rcarnus)
    • Added cat command to smbclient.py (@mxrch)
    • Added new features to the LDAP Interactive Shell to facilitate AD exploitation (@AdamCrosser)
    • Python 3.9 support (@meeuw and @cclauss)
  2. Examples improvements

    • addcomputer.py:
      • Enable the machine account created via SAMR (@0xdeaddood)
    • getST.py:
      • Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (@jakekarnes42)
      • Compute NTHash and AESKey for the Bronze Bit attack automatically (@snovvcrash)
    • ntlmrelayx.py:
      • Fixed target parsing error (@0xdeaddood)
    • wmipersist.py:
      • Fixed filterBinding error (@franferrax)
    • Added PowerShell option for semi-interactive shells in dcomexec.py, smbexec.py and wmiexec.py (@snovvcrash)
    • Added new parameter to select COMVERSION in dcomexec.py, wmiexec.py, wmipersist.py and wmiquery.py (@zexusx26)
  3. New examples

    • Get-GPPPassword.py: This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (@ShutdownRepo and @p0dalirius)
    • smbpasswd.py: This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (@snovvcrash)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@mpgn @vruello @mohemiv @jagotu @jakekarnes42 @snovvcrash @zexusx26 @omriinbar @Rcarnus @nuschpl @mxrch @ShutdownRepo @p0dalirius @AdamCrosser @franferrax @meeuw and @cclauss

impacket_0_9_22

3 years ago

Project's main page at https://www.secureauth.com/labs/impacket/

ChangeLog for 0.9.22:

  1. Library improvements

    • Added implementation of RPC over HTTP v2 protocol (by @mohemiv).
    • Added MS-NSPI, MS-OXNSPI and MS-OXABREF protocol implementations (by @mohemiv).
    • Improved the multi-page results in LDAP queries (by @ThePirateWhoSmellsOfSunflowers).
    • NDR parser optimization (by @mohemiv).
    • Improved serialization of WMI method parameters (by @tshmul).
    • Introduce the MS-NLMP 2.2.2.10 VERSION structure in NTLMAuthNegotiate messages (by @franferrax).
    • Added some NETLOGON structs for NetrServerPasswordSet2 (by @dirkjanm).
    • Python 3.8 support.
  2. Examples improvements

    • atexec.py: Fixed after MS patches related to RPC attacks (by @mohemiv).
    • dpapi.py: Added -no-pass, pass-the-hash and AES Key support for backup subcommand.
    • GetNPUsers.py: Added ability to enumerate targets with Kerberos KRB5CC (by @rmaksimov).
    • GetUserSPNs.py: Added new features for kerberoasting (by @mohemiv).
    • ntlmrelayx.py:
      • Added ability to relay on new Windows versions that have SMB guest access disabled by default.
      • Added option to specify the NTLM Server Challenge used when receiving a connection.
      • Added relaying to RPC support (by @mohemiv).
      • Implemented WCFRelayServer (by @cnotin).
      • Added Zerologon DCSync Relay Client (by @dirkjanm).
      • Fixed issue in ldapattack.py when relaying and creating computer in CN=Computers (by @Hackndo).
    • rpcdump.py: Added RPC over HTTP v2 support (by @mohemiv).
    • secretsdump.py:
      • Added ability to specifically delete a shadow based on its ID (by @phefley).
      • Dump plaintext machine account password when dumping the local registry secrets (by @dirkjanm).
  3. New examples

    • exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2 (by @mohemiv).
    • rpcmap.py: Scan for listening DCE/RPC interfaces (by @mohemiv).

As always, thanks a lot to all these contributors that make this library better every day (since last version): @mohemiv @mpgn @Romounet @ThePirateWhoSmellsOfSunflowers @rmaksimov @fuzzKitty @tshmul @spinenkoia @AaronRobson @ABCIFOGeowi40 @cclauss @cnotin @5alt @franferrax @Dliv3 @dirkjanm @Mr-Gag @vbersier @phefley @Hackndo

impacket_0_9_21

4 years ago

Project's main page at www.secureauth.com

ChangeLog for 0.9.21:

  1. Library improvements

    • New methods into CCache class to import/export kirbi (KRB-CRED) formatted tickets (by @Zer1t0).
    • Add FSCTL_SRV_ENUMERATE_SNAPSHOTS functionality to SMBConnection (by @rxwx).
    • Changes in NetBIOS classes in nmb.py (replaced select() with poll() for reading from the socket) (by @cnotin).
    • Timestamped logging added.
    • Interactive shell to perform LDAP operations (by @mlefebvre).
    • Added two DCE/RPC calls in tsch.py (by @mohemiv).
    • Single-source the version number and standardize on semantic + pre-release + local versioning (by @jsherwood0).
    • Added implementation for keytab files (by @kcirtapw).
    • Added SMB 3.1.1 support for Client SMB Connections.
  2. Examples improvements

    • smbclient.py: List the VSS snapshots for a specified path (by @rxwx).
    • GetUserSPNs.py: Added delegation information associated with accounts (by @G0ldenGunSec).
    • dpapi.py:
      • Added more functions to decrypt masterkeys based on SID + hashes/key. Also supports supplying hashes instead of the password for decryption (by @dirkjanm).
      • Pass the hash support for backup key retrieval (by @imaibou).
      • Added feature to decrypt a user's masterkey using the MS-BKRP (by @imaibou).
    • raiseChild.py: Added a new flag to specify the RID of a user to dump credentials (by @0xdeaddood).
    • Added flags to bypass badly made detection use cases (by @MaxNad):
      • smbexec.py: Possibility to rename the PSExec uploaded binary name with the -remote-binary-name flag.
      • psexec.py: Possibility to use another service name with the -service-name flag.
    • ntlmrelayx.py:
      • Added a flag to use a SID as the escalate user for delegation attacks (by @0xe7).
      • Support for dumping LAPS passwords (by @praetorian-adam-crosser).
      • Added LDAP interactive mode that allows an attacker to manually perform basic operations like creating a new user, adding a user to a group, dumping the AD, etc. (by @mlefebvre).
      • Support for multiple relays through one SMB connection (by @0xdeaddood).
      • Added support for dumping gMSA passwords (by @cube0x0).
    • ticketer.py: Added an option to use the SPNs keys from a keytab for a silver ticket (by @kcirtapw).
  3. New Examples

    • addcomputer.py: Allows adding a computer to a domain using LDAP or SAMR (SMB) (by @jagotu)
    • ticketConverter.py: This script converts kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa (by @Zer1t0).
    • findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment (by @G0ldenGunSec).

As always, thanks a lot to all these contributors that make this library better every day (since last version):

@jagotu, @Zer1t0, @rxwx, @mpgn, @danhph, @awsmhacks, @slasyz, @cnotin, @exploide, @G0ldenGunSec, @dirkjanm, @0xdeaddood, @MaxNad, @imaibou, @BarakSilverfort, @0xe7, @mlefebvre, @rmaksimov, @praetorian-adam-crosser, @jsherwood0, @mohemiv, @justin-p, @cube0x0, @spinenkoia, @kcirtapw, @MrAnde7son, @fridgehead, @MarioVilas.

impacket_0_9_20

4 years ago

Project's main page at www.secureauth.com

ChangeLog for 0.9.20:

  1. Library improvements

    • Python 3.6 support! This is the first release supporting Python 3.x so please issue tickets whenever you find something not working as expected. Libraries and examples should be fully functional.
    • Test coverage improvements by @infinnovation-dev
    • Anonymous SMB 2.x Connections are not encrypted anymore (by @cnotin)
    • Support for multiple PEKs when decrypting Windows 2016 DIT files (by @mikeryan)
  2. Examples improvements

    • ntlmrelayx.py:
      1. CVE-2019-1019: Bypass SMB signing on unpatched systems (by @msimakov)
      2. Added POC code for CVE-2019-1040 (by @dirkjanm)
      3. Added NTLM relays leveraging Webdav authentications (by @salu90)
  3. New Examples

    • kintercept.py: A tool for intercepting krb5 connections and for testing KDC handling S4U2Self with unkeyed checksum (by @iboukris)

As always, thanks a lot to all these contributors that make this library better every day (since last version): @infinnovation-dev, @cnotin, @mikeryan, @SR4ven, @cclauss, @skorov, @msimakov, @dirkjanm, @franferrax, @iboukris, @n1ngod, @c0d3z3r0, @MrAnde7son.

impacket_0_9_19

5 years ago

Project's main page at www.secureauth.com

ChangeLog for 0.9.19:

  1. Library improvements

    • [MS-EVEN] Interface implementation (initial, by @MrAnde7son)
  2. Examples improvements

As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @MrAnde7son, @ibo, @franferrax, @Qwokka, @CaledoniaProject, @eladshamir, @Zer1t0, @martingalloar, @muizzk, @Petraea, @SR4ven, @Fist0urs

impacket_0_9_18

5 years ago

Project's main page at www.secureauth.com

ChangeLog for 0.9.18:

  1. Library improvements

    • Replaced unmaintained PyCrypto with pycryptodome (@dirkjanm)
    • Using cryptographically secure pseudo-random generators
    • Kerberos "no pre-auth and RC4" handling in GetKerberosTGT (by @qlemaire)
    • Test cases adjustments, travis and flake support (@cclauss)
    • Python3 test cases fixes (@eldipa)
    • Adding DPAPI / Vaults related structures and functions to decrypt secrets.
    • [MS-RPRN] Interface implementation (Initial)
  2. Examples improvements

    • ntlmrelayx.py: Optimize ACL enumeration and improve error handling in ntlmrelayx LDAP attack (by @dirkjanm)
    • secretsdump.py: Added dumping of machine account Kerberos keys (@dirkjanm). DPAPI_SYSTEM LSA Secret is now parsed and key contents are shown.
    • GetUserSPNs.py: Bugfixes and cross-domain support (@dirkjanm)
  3. New Examples

    • dpapi.py: Allows decrypting vaults, credentials and masterkeys protected by DPAPI. Domain backup key support added by @MrAnde7son

As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @MrAnde7son, @franferrax, @MrRobot86, @qlemaire, @cauan, @eldipa

impacket_0_9_17

5 years ago

Project's main page at www.coresecurity.com

ChangeLog for 0.9.17:

  1. Library improvements

    • New [MS-PAC] Implementation.
    • LDAP engine: Added extensibleMatch string filter parsing, simple paging support and handling of unsolicited notification (by @kacpern)
    • ImpactDecoder: Add EAPOL, BOOTP and DHCP packet decoders (by Michael Niewoehner)
    • Kerberos engine: Added DES-CBC-MD5 support (by @skelsec)
    • SMB3 engine: If target server supports SMB >= 3, encrypt packets by default.
    • Initial [MS-DHCPM] and [MS-EVEN6] Interface implementation by @MrAnde7son
    • Major improvements to the NetBIOS layer. More use of structure.py in there.
    • MQTT Protocol Implementation and example.
    • Tox/Coverage support added, test cases moved to their own directory. Major overhaul.
    • Many fixes and improvements in Kerberos, SMB and DCERPC (too many to name in a few lines).
  2. Examples improvements

    • GetUserSPNs.py: -request-user parameter added. Requests STs for the SPN associated with the specified user. Added support for AES Kerberoast tickets (by @elitest).
    • services.py: added port 139 support and related options (by @real-datagram).
    • samrdump.py: -csv switch to output format in CSV added.
    • ntlmrelayx.py: Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and new protocols support (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.
    • secretsdump.py: AES(128) support for SAM hashes decryption. OldVal parameter dump added to LSA secrets dump (by @Ramzeth).
    • mssqlclient.py: Alternative method to execute commands on MSSQL (sp_start_job) (by @Kayzaks).
    • lsalookupsid.py: added no-pass and domain-users options (by @ropnop).
  3. New Examples

    • ticketer.py: Create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, duration, etc. Silver tickets creation by @machosec and @bransh.
    • GetADUsers.py: Gathers data about the domain's users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.
    • getPac.py: Gets the PAC (Privilege Attribute Certificate) structure of the specified target user using only the credentials of a normal authenticated user. It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.
    • getArch.py: Will connect against a target (or list of targets) machine and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
    • mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.
    • sambaPipe.py: Will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
    • dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects. (contributions by @byt3bl33d3r).
    • getTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
    • getST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf of another user.

As always, thanks a lot to all these contributors that make this library better every day (since last version): @dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @Fr0stbyt3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.