Project's main page at www.coresecurity.com
ChangeLog for 0.9.15:
- Library improvements
  - SMB3.create(): define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
  - Retrieve the user principal name from the CCache file, allowing any script to be called with -k and just the target system (by @MrTchuss)
  - Major overhaul of packet fragmentation in the DCE RPC layer.
  - Improved pass-the-key attack scenarios (by @skelsec)
  - Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to build the search filter yourself)
  - IPv6 improvements for DCERPC/LDAP and Kerberos
- Examples improvements
  - Adding the -dc-ip switch to all examples. It allows specifying the IP address of the domain controller. It assumes the DC and KDC reside on the same server.
  - secretsdump.py
    - Adding support for Win2016 TP4 in LOCAL or -use-vss mode
    - Adding the -just-dc-user switch to download just a single user's data (DRSUAPI mode only)
    - Support for different ReplEpoch values (DRSUAPI only)
    - pwdLastSet is also included in the output file
    - New structures/flags added for 2016 TP5 PAM support
  - wmiquery.py
    - Adding the -rpc-auth-level switch (by @gadio)
  - smbrelayx.py
    - Added an option to specify the authentication status code to be sent to the requesting client (by @mgeeky)
    - Added a one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
- New Examples
  - GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user accounts. This is part of the Kerberoast attack researched by Tim Medin (@timmedin)
  - ntlmrelayx.py: smbrelayx.py on steroids! NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc) (by @dirkjanm)