New SMB and DCERPC features in Impacket v0.9.6.0
We have spent some time refactoring and adding new features to the Impacket library, particularly related to its SMB and DCERPC support. This is a report of what we’ve done, what new features were implemented, and what other things we think could be done.
We will also show some examples of how to use the new features, and some older but less commonly used ones, as well as how to add new features to the library.
Some of the new SMB features are: alternative ways of doing Tree Connect, Open File, and Transact Named Pipe/Write AndX; "SMB fragmentation" using multiple Write requests; chaining of AndX commands; and NTLMv1 authentication using only hashes ("Pass the Hash").
New features for DCERPC include: multi-bind requests, big-endian requests and responses, NTLMv1 authentication, DCERPC fragmentation, and DCERPC encryption (even for NULL sessions).