
Add support for enumerating templates over HTTP with ntlmrelayx#110

Open
ShutdownRepo wants to merge 72 commits into
ThePorgs:mainfrom
emilyastranova:enum-ca-esc8

Conversation

@ShutdownRepo
Member

Original PR on fortra/impacket: fortra#1879

Adds the ability to enumerate ADCS templates using only HTTP with a relayed user. Useful in the event that LDAP signing is enforced and LDAP channel binding is set up properly, but ESC8 is still present. Previously, you would have needed another way to enumerate certificate names (or attempt to blindly hit Client or Machine templates with your fingers crossed).

Note that the HTTP endpoint doesn't give back verbose details like EnrolleeSuppliesSubject, etc. so it's still only a way to get accessible/enabled certificate templates.

  • Added --enum-templates for ADCS options

Default behavior

[screenshot]

With debug

[screenshot]
[screenshot]

emilyastranova and others added 30 commits January 27, 2025 13:09
- Added `--enum-templates` for ADCS options
* feat: Added MSSQL Relay Server to NTLMRelayx

* The PRELOGIN response was reified, instead of returning a hardcoded hex message. Several unneeded imports were removed. The server name in the LOGIN request was changed to match the target.

* Updated ntlmrelayx.py to the current version, only lines related to MSSQLRelayServer added

* Added response to the client for NTLM authentication (imitate logon failure for unknown reasons)

* Update impacket/examples/ntlmrelayx/servers/mssqlrelayserver.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/examples/ntlmrelayx/servers/mssqlrelayserver.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/examples/ntlmrelayx/servers/mssqlrelayserver.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/examples/ntlmrelayx/servers/mssqlrelayserver.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/examples/ntlmrelayx/servers/mssqlrelayserver.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/examples/ntlmrelayx/servers/mssqlrelayserver.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Changed the constant in NTLM authentication as requested, and added import struct

* Update impacket/examples/ntlmrelayx/servers/mssqlrelayserver.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Added login failed response for MSSQL server authentication

---------

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>
* Add Basic Auth support in exchanger

* Update examples/exchanger.py

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>

---------

Co-authored-by: Thomas Caesar <thomas.caesar@sva.de>
Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>
…#2059)

* Added SAM history parsing to secretsdump.py and secretsdump.py

* Update impacket/examples/regsecrets.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/examples/secretsdump.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/examples/secretsdump.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/examples/regsecrets.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update help message for -history argument

Clarified help message for -history argument to specify NTDS and SAM hashes.

* Clarify -history argument help text

Updated help text for the -history argument to clarify that it dumps NTDS and SAM hashes.

---------

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>
* Fix parsing STs from S4U2Self

* Fix indentation
It's needed to run `setup.py` itself, but that's not what
`install_requires` is for, and the rest of the package no longer uses it
(since fortra#2036).

I deliberately left the entry in `requirements.txt` in place, since
that's used by CI.
…ortra#1764)

* dpapi: fix DPAPI_BLOB size
This strips rawData when the bytes array given for initialization is longer than the actual DPAPI Blob,
and fixes toSign extraction which was bogus in this case.

* Add warning in Structure if unpacked structure length does not match provided data

* Update impacket/dpapi.py

Avoid changing status of the object

* Removed warning in Structure added in previous commit.

* Reverted unneeded change

---------

Co-authored-by: DidierA <1620015+didiera@users.noreply.github.com>
Co-authored-by: gabrielg5 <gabriel.gonzalez@fortra.com>
* Add RDP Server

* fixing a typo

* Remove of an unnecessary log

* Fix RDP relay cookie and duplicate connection issues

* change log type

* refactor: restructure RDP server

* Remove second authentication blocking

* Revert accidental removal of debug print
…on (fortra#1975)

* smbserver.py: add signing support by using computer account with NetLogon

* Move kerberos key calculation into impacket.krb5.crypto for portability

* smbserver.py: Support Kerberos

* smbserver.py: NetLogon only works with sealing

* smbserver.py: Adjust fixme

* smbserver.py: Fix raw NTLM authentication

* smbserver.py: Fix signed computer account authentication in NetLogon

* smbserver.py: Add readonly, and options to disable NTLM or Kerberos

smbserver.py: More debugging logs

* fix missing fileName for logging

* fix smbv1 typo

* smbserver.py: Add user to logging, simplify log output

* fix broken log

* fix smbv1 logging

* smbserver.py: Adjust cli option descriptions

* generate_kerberos_keys: change debug message

* smbserver.py: Username logging also for kerberos

* smbserver.py: change defaults for signing

* smbserver.py: Fallback to no signing if ticket decryption fails or client does not support signing

* smbserver.py: providing computer credentials ONLY authenticates the specified user, netLogon and kerberos are in this case not used

* smbserver.py: return STATUS_LOGON_FAILURE if the Kerberos ticket cannot be decrypted

* smbserver.py: Return correct error message

* smbserver.py: Change -dcip to -dc-ip

* smbserver.py: correct -computeraccountdomain argument description

* smbrelayserver.py: Disable KerberosSupport in smbserver

* smbserver.py: Use getter methods for NTLM/Kerberos support
* Add CRUD methods to ldap

* Remove unpacking list

* Fix modify function
)

If an SMB packet is incoming and wants to negotiate and smb2support is
enabled, before this would throw an exception while trying to parse the
SMB packet as an SMB2 packet:
```
Traceback (most recent call last):
  File
"/Users/roman/.local/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/smbserver.py",
line 4191, in handle
    resp = self.__SMB.processRequest(self.__connId, p.get_trailer())
  File
"/Users/roman/.local/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/smbserver.py",
line 4865, in processRequest
    respPacket['CreditRequestResponse'] =
packet['CreditRequestResponse']

~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
  File
"/Users/roman/.local/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/structure.py",
line 186, in __getitem__
    return self.fields[key]
           ~~~~~~~~~~~^^^^^
KeyError: 'CreditRequestResponse'
```
By sending the SMB2 packet response directly instead of the command,
this should now work properly.
* feat: added --base64 option to ticketConverter

* Cleanup manually to avoid issues with Windows delete permissions
* Added smbcacls

* Changed example script

* improve ACL manage

* improve acl manage

* improved acl

* Closing all handles

* fixed directory and handle is open bug in acl.py

* Changed help a little bit

* Ignore from empty ACL

* fix indentation

* remove example to different PR

---------

Co-authored-by: john57 <your_email_address@example.com>
* add wmi ObjectFlags to improve human-readability

* Fix handling of empty buffer in CLASS_AND_METHODS_PART to prevent errors

* implement PutClass and DeleteClass functions in wmi

* bugfix: replace CIM_CLASS with CIM_INSTANCE

* unittest: add test cases for PutClass and DeleteClass

* improved wmi testcases

* Fix PutClass
  - Preserve existing class properties (ndTable, valueTable, name ref)
    when updating a class via PutClass
  - Use correct propIndex (existingCount + i) for DeclarationOrder
    and ndTable bit offsets on newly added properties

* uncommented failing case

---------

Co-authored-by: Kali <adrian.manrique@gmail.com>
* Fix WinRM NTLM Relay Issue

* Removed negotiate seal changes

---------

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>
* Fixed files not being listed when in INDEX_ROOT

* Added support for sparse files

* Fix double VNC shift, causing incorrect reads.
handle walk() returning None
null checks in do_cat
error handling in getINode
general refactor

* added tests for ntfs-read

---------

Co-authored-by: Kali <adrian.manrique@gmail.com>
…cket-reg (fortra#2113)

* Added flag functionality to specify that a created registry key should be volatile, and changed the default behavior to instead create non-volatile keys

* Reverted to default behavior and clarified description

- Reverted default behavior back to volatile keys
- Changed --volatile flag to --persistent
- Moved flag verification to subkey creation section
- Added printed warning that key is volatile if --permanent is not set (only in subkey creation)
- Clarified flag description.
* smbrelayserver.py: Don't advertise support for NEGOEX

* ntlmrelayx: Remove more unsupported NEGOEX
…tra#2130)

get_length() handles two BER definite-length forms:
- Short form (< 128): length is a single byte
- Long form (>= 128): length spans multiple bytes

The long form correctly advances past the length bytes by returning
data[1+bytes_count:], but the short form returned data without
advancing past the length byte. This caused a misalignment in the
parsed mechanism token data, shifting all subsequent field offsets
and producing garbage when unwrapping GSS tokens with inner lengths
below 128 bytes.

Fix: return data[1:] in the short form path, matching the long form
behavior of advancing past the length encoding.
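As an added illustration (example code, not impacket's own), here is a minimal BER definite-length decoder with the short-form defect described above beside its fix, plus a TLV walker that shows how the missing advance shifts every later field. The sample bytes are constructed for this example.

```python
"""BER definite-length decoding: buggy short form vs. fixed, with a TLV walker."""
from typing import Callable, List, Tuple


def get_length_buggy(data: bytes) -> Tuple[int, bytes]:
    """Mirrors the defect: the short form never consumes its length byte."""
    first = data[0]
    if first < 0x80:
        # Short form: length is 'first', but 'data' is returned unchanged,
        # so the caller treats the length byte as the first byte of the value.
        return first, data
    bytes_count = first & 0x7F
    length = int.from_bytes(data[1:1 + bytes_count], "big")
    return length, data[1 + bytes_count:]


def get_length(data: bytes) -> Tuple[int, bytes]:
    """Fixed version: both forms return the data after the length encoding."""
    if not data:
        raise ValueError("empty length field")
    first = data[0]
    if first < 0x80:
        return first, data[1:]  # short form: skip the single length byte
    bytes_count = first & 0x7F
    if bytes_count == 0 or len(data) < 1 + bytes_count:
        raise ValueError("indefinite-length or truncated long-form length")
    length = int.from_bytes(data[1:1 + bytes_count], "big")
    return length, data[1 + bytes_count:]


def encode_length(n: int) -> bytes:
    """BER definite-length encoder used to build the constructed sample."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def parse_tlvs(data: bytes, length_fn: Callable[[bytes], Tuple[int, bytes]]) -> List[Tuple[int, bytes]]:
    """Walk consecutive tag-length-value elements with the given length decoder."""
    out = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated TLV: tag without length")
        tag = data[0]
        length, rest = length_fn(data[1:])
        if len(rest) < length:
            raise ValueError("truncated TLV: value shorter than declared length")
        out.append((tag, rest[:length]))
        data = rest[length:]
    return out


# Constructed sample: an OCTET STRING (tag 0x04) of 5 bytes (short form),
# followed by an OCTET STRING of 200 bytes (long form, 0x81 0xC8).
SHORT_THEN_LONG = b"\x04" + encode_length(5) + b"hello" + b"\x04" + encode_length(200) + b"A" * 200
LONG_ONLY = b"\x04" + encode_length(200) + b"A" * 200
```

With the fixed decoder the sample parses to its two values; the buggy decoder handles the long-form element alone correctly but, on the mixed sample, reads `\x05hell` as the first value and runs off the end of the buffer.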
…ne (fortra#2136)

* Fixed fragment_by_list() crash when child protocol is None

* removed the inline

* Added a regression test for IP.fragment_by_list() with Data payload

---------

Co-authored-by: herbenderbler <herbenderbler@users.noreply.github.com>
…dump.py (fortra#2135)

When running secretsdump.py in offline mode (with -sam/-security/-system flags),
the $MACHINE.ACC secret was dumped as raw hex instead of showing the machine
account NTLM hash and Kerberos keys. This was because the machine name, domain,
and Kerberos salt were only retrieved via remoteOps (available in online mode).

Add __getMachineKerberosSaltOffline() to derive the Kerberos salt from the
SECURITY hive by reading Policy\PolDnDDN (domain FQDN) and Policy\PolAcDmN
(machine NetBIOS name), which are stored as LSA_UNICODE_STRING structures.
Use the same salt to resolve the machine name and domain for the NTLM hash
printout. This brings offline mode output to parity with online mode.

Co-authored-by: Croumi <Croumi>
…LinuxSLL/IP (fortra#2092, fortra#2093, fortra#2094) (fortra#2137)

* Added fixes and tests for fortra#2092, fortra#2093, and fortra#2094

* do not use internal __iter__ interface for av_pairs tests

---------

Co-authored-by: Kali <adrian.manrique@gmail.com>
alexisbalbachan and others added 30 commits April 23, 2026 10:22
…rtra#2046) (fortra#2160)

* Fix SCMR failure actions marshaling and add regression test

* Update tests/dcerpc/test_scmr.py

Applied Code review suggestions to the test

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Applied code review suggestion

* Update impacket/dcerpc/v5/scmr.py

set lpsaActions to NULL by default

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update tests/dcerpc/test_scmr.py

Added regression test

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>
…n Windows (fortra#2164)

* raiseChild: fix PAC buffer preservation and add AES support for modern Windows

Two bugs fixed:

1. makeGolden() hardcoded exactly 4 PAC buffers, discarding all others.
   Windows Server 2022 with CVE-2021-42287 patches requires PAC_REQUESTOR
   (type 18) to be present. Stripping it causes KDC_ERR_TGT_REVOKED.
   Fix: preserve all original PAC buffers, only update modified ones.

2. getKerberosTGT() called with aesKey=None hardcoded, ignoring -aesKey.
   Fix: pass aesKey, try AES first then fall back to RC4.

Additional improvements:
- Auto-retry golden ticket with AES if RC4 is rejected by KDC
- Fix signature zeroing to use actual length instead of hardcoded 12/16
- Updated help text with AES key usage examples

Tested against Windows Server 2022 Build 20348. Backward compatible.

* krb5: share PAC rebuild and signing helpers

* krb5: share AES ticket key selection helpers

* Fix password fallback suppression and TGT re-acquisition on golden ticket retry

* raiseChild: fix credential retry flow

* raiseChild: pass normalized AES key to target exec login

---------

Co-authored-by: plur1bu5 <plur1bu5@users.noreply.github.com>
Co-authored-by: Gabi Gonzalez <gabriel.gonzalez@fortra.com>
Co-authored-by: Your Name <you@example.com>
* fix(smbrelayserver): guard missing SMBClient and handle NTLM negotiate failures

* fix(winrmrelayclient): handle connection errors and detect NTLMv2 to abort futile relay

* fix(winrmrelayclient): update logging message

* Enhancing a bit the NTLMv2 detection - and clean up logging

* Clean up log

* Fixing wrong var name

---------

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>
* Add rget command for recursive file download

* rget no longer swallows listing or download failures. It now restores self.pwd with try/finally and lets real exceptions propagate, so partial recursive downloads don't fail silently.
  The local path calculation now uses ntpath.relpath() from the starting remote directory instead of raw string replacement, which preserves nested paths like subdir/dir_backup/... correctly.

---------

Co-authored-by: TheFlamingCrab <96930137+TheFlamingCrab@users.noreply.github.com>
Co-authored-by: Kali <adrian.manrique@gmail.com>
* Fix describe ticket

* fix describeTicket credential indexing after skipped decrypts

  Use enumerate() when iterating ccache credentials so output keeps the
  correct credential index even when a ticket is skipped due to missing or
  invalid decryption material.

  Also update the Kerberoast debug message to report the ticket encrypted
  part etype, matching the value now used for the extraction decision.

---------

Co-authored-by: Kali <adrian.manrique@gmail.com>
* Modify ticketer and ccache logic

* ticketer now update existing ccache if KRB5CCNAME is specified
* ticketConverter now convert all TGS within the Kirbi or provided Ccache
* Fix a bug during the conversion from ccache to kirbi that does not correctly preserve ticket flags

* Update kirbi test cases. Improve Kirbi to Ccache conversion.
* Adding dpapidump to impacket

* Apply suggestions from code review

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update examples/dpapidump.py

* Update examples/dpapidump.py

* Update examples/dpapidump.py

* Update examples/dpapidump.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

---------

Co-authored-by: laxa <laxa@ddracepro.net>
Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>
… (issue fortra#1924) (fortra#2158)

* Fix issue fortra#1924 large-page tag count parsing

* Applied code review changes, added unit test

* improved code
added testcase

* Fix USER_PROPERTIES parsing per MS-SAMR spec

---------

Co-authored-by: Kali <adrian.manrique@gmail.com>
…ortra#2155)

* Fixed TS_ALL_PROCESSES_INFO parsing for RpcWinStationGetAllProcesses

* Removed ldap3 dependency, fixed mismatched data type for rawsid, added missing test

* Removed unused imports, renamed imagenamesize -> imagename to match docs. Added missing test
…ortra#2058) (fortra#2181)

* preserve request-based ticket lifetime and add regression test

* tests: expand coverage for request-based ticket lifetime preservation

* Updated tests to comply with the code review

* Update examples/ticketer.py

* update description of the -duration parameter

---------

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>
…Successor.py search_ous() that causes False negatives (fortra#2170)

* Added processing to object specific ACEs in search_ous()

* Fixed GUID parser for ObjectType handling for object-specific ACEs

* Apply suggestion from @alexisbalbachan

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>

---------

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>
… a TGT (fortra#2141)

* Added a switch not to force RC4-HMAC when requesting a TGT as newer servers (e.g., 2025) won't issue service tickets when provided with RC4-HMAC TGT.

* Update examples/GetUserSPNs.py

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>

---------

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>
* Fix fortra#2099: handle truncated SMB responses (SessionError + debug log)

- structure: asciiz without NUL raises clear ValueError with field name
- smb: catch ValueError at session/negotiate parse sites; log at debug, raise SessionError
- smbconnection: docstring notes invalid/truncated server response
- ci: fix flake8 F824 (goldenPac, ldapattack)
- tests: regression for asciiz NUL and session setup parsing; align with TESTING.md
- docs: ChangeLog

* Fix fortra#2099 struct.error mapping.
…#2178)

* Filter offline NTDS rows by local domain SID

* Use remoteops.getDomainSid when isRemote == True

* Skip offline NTDS rows with unavailable PEK indexes

* Allow snapshot enumeration over SMB 3.1.1

---------

Co-authored-by: gabrielg5 <gabriel.gonzalez@fortra.com>
Removed the 'Contributors' section from the ChangeLog.
Removed width and height attributes from image.
do cleanup on finally block even in test fails
  Use DCOMConnection in test_RemoteGetClassObject instead of a raw
  DCE/RPC connection from self.connect(). RemoteGetClassObject returns an
  interface whose RemRelease path expects the DCOMConnection PORTMAPS cache
  to be initialized for the target; the raw connection path leaves that
  cache empty and can raise KeyError keyed by the target address.

  Wrap the interface use in a try/finally so the DCOM connection is always
  disconnected after the test.
* Add client_interface_name parameter to MSSQL class

Decouple CltIntName from AppName in TDS LOGIN packet.
Previously, CltIntName was hardcoded to the same value as AppName,
which made connections easily identifiable in sys.dm_exec_sessions.

A real .NET client sends different values for these fields:
- AppName (program_name): the application name
- CltIntName (client_interface_name): the driver/library name

Added --client-interface-name parameter to the mssqlclient example.

* Update impacket/tds.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

* Update impacket/tds.py

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>

---------

Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>
Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>
Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>