What’s New in Impacket 0.12?
Impacket 0.12 is now available! A lot of work has been done since version 0.11, and this new release includes improvements to libraries and examples, new examples, and more.
Encoding Updates
Some encoding issues were still present after the transition from Python 2 to Python 3, primarily caused by conversions between bytes and str object types.
Version 0.12 features encoding updates in several examples and libraries for handling non-ASCII text parameters.
Improved Examples
Further enhancements were made to certain examples. Some highlights are featured below:
getST:
In pull request #1202 we integrated Kerberoasting without pre-authentication. Also, in #1585, the ability to renew TGTs was implemented.
secretsdump:
Performance improvements have been made to the DCSync attack targeting Windows 2022 by issuing fewer RPC requests. More details are available in pull request #1578.
Additionally, it's now possible to dump the SAM/SECURITY/SYSTEM hives without RCE by creating shadow snapshots through WMI, implemented in #1719.
reg.py:
Some fixes and enhancements have been made to the registry management feature.
Registry keys can now contain backslashes (\). Prior to this update, this scenario was handled ineffectively in Impacket and the registry-related examples. More details on how this was rectified are available in pull request #1767.
Support for two missing value types has also been added to the reg.py example. Registry values of the following types can now be added:
- REG_BINARY: Binary data in any form
- REG_MULTI_SZ: A sequence of null-terminated strings, terminated by an empty string (\0).
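As an added illustration of the REG_MULTI_SZ layout described above (this is example code written for this post, not Impacket's reg.py), the following encoder and decoder serialize a list of strings into the double-null-terminated form and parse it back. It assumes, as Windows does for registry string types, that the data is stored as UTF-16LE, so non-ASCII values round-trip correctly; the decoder also tolerates blobs that omit the final empty-string terminator, and the encoder rejects empty elements, which would otherwise be read back as the end marker and silently truncate the list.

```python
# Added example, not Impacket's own code: encode and decode REG_MULTI_SZ data.
# Assumption: strings are stored as UTF-16LE (Windows registry string types);
# each element ends with a two-byte NUL and the list ends with an empty string,
# i.e. one extra two-byte NUL.

from typing import List

NUL = "\x00"


def encode_multi_sz(strings: List[str]) -> bytes:
    """Serialize a list of strings as a REG_MULTI_SZ blob.

    An empty list yields just the terminator (b"\\x00\\x00"). Empty elements
    and elements containing NUL are rejected because they cannot be
    distinguished from the end-of-list marker when read back.
    """
    for s in strings:
        if s == "":
            raise ValueError("REG_MULTI_SZ elements must be non-empty")
        if NUL in s:
            raise ValueError("REG_MULTI_SZ elements cannot contain NUL")
    body = "".join(s + NUL for s in strings)
    return (body + NUL).encode("utf-16le")


def decode_multi_sz(blob: bytes) -> List[str]:
    """Parse a REG_MULTI_SZ blob back into a list of strings.

    Stops at the first empty string (the end marker). A blob that lacks the
    final terminator, as some writers produce, still decodes correctly.
    """
    if len(blob) % 2:
        raise ValueError("REG_MULTI_SZ data must be whole UTF-16 code units")
    text = blob.decode("utf-16le")
    items: List[str] = []
    for part in text.split(NUL):
        if part == "":
            break  # empty string terminates the list
        items.append(part)
    return items


if __name__ == "__main__":
    # Constructed sample values, including non-ASCII text.
    sample = ["C:\\Tools\\bin", "Ünïcödé path", "last"]
    blob = encode_multi_sz(sample)
    print(blob.hex())
    assert decode_multi_sz(blob) == sample
    # Blob without the final terminator still parses.
    assert decode_multi_sz(blob[:-2]) == sample
```

When inspecting raw registry data pulled from a hive, `decode_multi_sz` is the direction that matters: a value whose text contains a stray empty element will look shorter than the blob actually is, which is exactly the truncation the encoder guards against.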
Lastly, if the initial check fails, reg.py will now attempt to start the RemoteRegistry service by writing to the winreg named pipe over SMB. Thanks @dadevel for your implementation of this feature (#1638).
ntlmrelayx:
Several improvements were integrated in this release to ntlmrelayx. We want to particularly highlight what was achieved in pull request #1741.
While multirelay mode was added a while ago, we noticed that its target selection behavior was inconsistent with its single-relay counterpart (due to bugs in the target selection process). Additionally, its single-shot nature (it relays the first captured connection to every target and then, if successful, is done) was not really useful in some real-life scenarios.
We envisioned a use case in which a user would like to run the relay over long periods of time and then analyze which connections were captured for each target. This is why we added the -keep-relaying flag: each incoming connection will be relayed to every target, and the module will keep relaying any new incoming connection indefinitely.
Finally, support has been added to ticketer for the creation of Sapphire tickets. More details are available in pull request #1605.
A more detailed list of changes and fixes can be found in Changelog.md.
New Examples
In addition to improvements on existing examples, new ones have also been created, including:
describeTicket:
Previously explained in its own blog post, this new example dumps information from tickets in ccache format, which comes in handy when debugging Kerberos interactions.
GetADComputer.py:
Complementary to GetADUsers, this example retrieves information about computer objects. This data can be used in various ways, including network reconnaissance. More details can be found in pull request #1673.
GetLAPSpassword.py:
This example leverages the MS-GKDI RPC protocol in order to extract LAPSv2 passwords.
dacledit/owneredit:
In pull requests #1323 and #1291, dacledit and owneredit were added. These enable abuse of Active Directory ACLs/ACEs.
The Impacket Roadmap
Looking ahead to the 0.13 release and beyond, the plan is to continue with the PR/issues catch-up process. We also hope to focus on items like:
- Splitting the packaging into examples/lib #1810
- Continue with Unicode fixes and IPv6 support #1811
- Windows 2025 support #1812
Once again, as with every release, we want to thank the community for continuing to collaborate with new PRs/issues/documentation.