Impacket 0.13.1 is almost ready to land. This release keeps the momentum from 0.13 going with new relay surfaces, stronger support for modern Windows and SQL Server environments, and a set of practical improvements across the examples scripts.
Impacket 0.13.1 is a focused maintenance release. We decided not to wait for the full 0.14 cycle because several fixes and improvements around Kerberos, SMB, MSSQL, and relay workflows, among others, are now integrated in the main branch. Shipping them as a .1 release gets those improvements into users’ hands sooner, while keeping larger feature work and broader changes on the regular 0.14 path.
As usual, the full changelog will ship with the release. This blog provides a useful summary of the highlights.
Relay Updates
ntlmrelayx.py receives some of the most visible updates in this release. New MSSQL and RDP relay servers were added (#2083, #2101), expanding the set of inbound authentication paths that can be captured and relayed.
MSSQL relay also picked up support for stricter server configurations, including TDS 8.0 / Force Strict Encryption handling #2122. This is particularly relevant as more environments enforce encrypted SQL Server connections by default.
Relay workflows related to NTLM message manipulation were also updated with sign/seal removal paths for CVE-2025-33073 scenarios, along with --remove-mic handling improvements (#2133).
WinRM relay behavior was tightened up as well, with better error handling, NTLMv2 detection, and fixes for NTLM relay reliability #2089, #2163).
These updates leave the Server/Client ntlmrelayx table as follows:
| Protocol | Server | Client | Notes for Impacket v0.13.1 |
| SMB | Yes | Yes | Improved SMB relay behavior, including safer negotiation and SMBv1 relay fixes. |
| HTTP | Yes | Yes | |
| HTTPS | No | Yes | |
| LDAP | No | Yes | Improved Shadow Credentials workflows through the interactive LDAP shell. |
| LDAPS | No | Yes | |
| MSSQL 🆕 | Yes | Yes | Added MSSQL relay server. TDS 8.0 / Force Strict Encryption handling and channel binding related improvements. |
| RDP 🆕 | Yes | No | Added RDP relay server. |
| WinRM | Yes | No | Improved WinRM relay error handling and NTLMv2 detection. |
| WinRMS | Yes | Yes | Improved WinRM relay error handling and NTLMv2 detection. |
| RPC | Yes | Yes | |
| WCF | Yes | No | |
| RAW | Yes | No | |
| DCSYNC | No | Yes | |
| IMAP | No | Yes | |
| IMAPS | No | Yes | |
| SMTP | No | Yes |
MSSQL and TDS Improvements
The MSSQL stack continues to evolve. The TDS implementation now supports TDS 8.0 strict encryption, channel binding behavior, TDS_SSVARIANT parsing, workstation and application name fields, and more reliable SQL reply error tracking (#2074, #2075, #2082, #2098, #2122).
mssqlclient.py gained options to set workstation and application names, while the shared MSSQL shell added enable_rpc and disable_rpc helpers for linked-server workflows (#2074, #2134).
A new checkMSSQLStatus.py example was also added to test whether Channel Binding Token enforcement is required on a target SQL Server (#2098).
Secrets and DPAPI
secretsdump.py gained several practical improvements. SAM password history parsing was added (also supported by regsecrets.py (#2059). Improvements were made to offline machine account and Kerberos key recovery, SAM password timestamp output was added, and offline NTDS rows are now filtered by the local domain SID (#2059, #2135, #2142, #2178).
This release also introduces dpapidump.py, a new example that automates remote extraction of SYSTEM DPAPI credentials and SCCM client secrets (#1917).
The ESE parser now handles large-page tag-state parsing for Windows Server 2025 NTDS.dit files (#2158), and NTFS reads were improved for sparse files and INDEX_ROOT listings (#2106).
Kerberos and Ticket Tooling
Several ticket-handling edge cases were fixed across the Kerberos stack. This includes S4U2Self service ticket parsing, non-ASCII Kerberos authentication encoding, LSA Kerberos key decryption, GSSAPI BER length parsing, and kirbi/ccache conversion fixes (#2087, #2068, #2088, #2130, #2159).
ticketer.py now preserves KDC-issued lifetimes for diamond tickets (#2181), and ticketConverter.py gained base64 output support while improving ticket flag and multi-entry conversion behavior (#2104, #2159).
Also, for our kerberos implementation, methods to perform full CRUD were added in #2097. We will continue improving our kerberos interface/implementation, towards 0.14.
SMB Improvements
The SMB stack received both operator-facing and library-level updates. smbserver.py now includes SMB server signing support, read-only share handling, and kerberos authentication support (#1975).
smbclient.py gained ACL management support, recursive rget, and richer share listings that include type and comments, and full smb 3.11 support (#1240, #2110, #2156, #2085).
More Windows Protocol Coverage
DCE/RPC and WMI coverage continues to expand. WMI now supports PutClass and DeleteClass (#1803), Remote Event Log subscription calls were added (#2152), and Remote Desktop Services process parsing was fixed (#2155).
New and Updated Examples
Along with dpapidump.py and checkMSSQLStatus.py, several existing examples received focused updates:
GetUserSPNs.py now includes an option to avoid forcing RC4-HMAC when requesting a TGT (#2141).
tstool.py adds Remote Desktop Shadowing support (#2064).
badsuccessor.py fixes ACE filtering and ObjectType GUID parsing that could cause false negatives when searching OUs (#2170).
exchanger.py adds Basic Authentication support (#2077).
reg.py now creates persistent registry keys by default (#2113).
The full changelog, as always, will ship with the release tag. Grab the new bits when the release lands, test the updated examples in your lab, and let us know how they behave against current Windows and SQL Server builds.
