Project's main page at www.coresecurity.com
ChangeLog for 0.9.17:
- New [MS-PAC] implementation.
- LDAP engine: Added extensibleMatch string filter parsing, simple paging support and handling of unsolicited notifications (by @kacpern)
- ImpactDecoder: Added EAPOL, BOOTP and DHCP packet decoders (by Michael Niewoehner)
- Kerberos engine: Added DES-CBC-MD5 support to Kerberos (by @skelsec)
- SMB3 engine: If the target server supports SMB >= 3, packets are encrypted by default.
- Initial [MS-DHCPM] and [MS-EVEN6] Interface implementation by @MrAnde7son
- Major improvements to the NetBIOS layer. More use of structure.py in there.
- MQTT Protocol Implementation and example.
- Tox/Coverage support added, test cases moved to their own directory. Major overhaul.
- Many fixes and improvements in Kerberos, SMB and DCERPC (too many to name in a few lines).
- GetUserSPNs.py: -request-user parameter added. Requests STs for the SPN associated with the specified user. Added support for AES Kerberoast tickets (by @elitest).
- services.py: added port 139 support and related options (by @real-datagram).
- samrdump.py: -csv switch added to output results in CSV format.
- ntlmrelayx.py: Major architecture overhaul. Now working mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and support for new protocols (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.
- secretsdump.py: AES-128 support for SAM hash decryption. OldVal parameter dump added to LSA secrets dump (by @Ramzeth).
- mssqlclient.py: Alternative method to execute commands on MSSQL (sp_start_job) (by @Kayzaks).
- lsalookupsid.py: added no-pass and domain-users options (by @ropnop).
- ticketer.py: Creates Golden/Silver tickets from scratch or based on a template (legally requested from the KDC), allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, duration, etc. Silver ticket creation by @machosec and @bransh.
- GetADUsers.py: Gathers data about the domain's users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.
- getPac.py: Gets the PAC (Privilege Attribute Certificate) structure of the specified target user using only the credentials of a normal authenticated user. It does so by using a mix of [MS-SFU]'s S4U2Self and User-to-User Kerberos authentication.
- getArch.py: Connects to a target machine (or list of targets) and gathers the installed OS architecture type by (ab)using a documented MSRPC feature.
- mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.
- sambaPipe.py: Will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
- dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects. (contributions by @byt3bl33d3r).
- getTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
- getST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges, you will be able to use the -impersonate switch to request the ticket on behalf of another user.
As always, thanks a lot to all these contributors who make this library better every day (since last version):
@dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @FR0STBYT3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.