Add support for enumerating templates over HTTP with ntlmrelayx

.github/workflows/build_and_test.yml

@@ -48,11 +48,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.9", "3.10","3.11","3.12"]
+        python-version: ["3.9", "3.10","3.11","3.12","3.13"]
         experimental: [false]
         os: [ubuntu-latest]
         include:
-          - python-version: "3.13-dev"
+          - python-version: "3.14-dev"
             experimental: true
             os: ubuntu-latest
     continue-on-error: ${{ matrix.experimental }}

ChangeLog.md

@@ -5,6 +5,68 @@ Project owner's main page is at www.coresecurity.com.
 Complete list of changes can be found at:
 https://github.com/fortra/impacket/commits/master
 
+## Impacket v0.13.1 (May 2026):
+
+1. Library improvements
+
+    * SMB: Improved server and relay behavior with SMB server signing support, optional read-only shares, Kerberos/NTLM authentication controls, graceful SMB relay packet handling, SMBv1 relay fixes, SMB 3.1.1 negotiation fixes, and clearer errors for truncated SMB responses. (Fixes [#2099](https://github.com/fortra/impacket/issues/2099), [#2085](https://github.com/fortra/impacket/issues/2085), [#2111](https://github.com/fortra/impacket/issues/2111), [#2114](https://github.com/fortra/impacket/issues/2114), [#2129](https://github.com/fortra/impacket/issues/2129))
+    * Kerberos: Fixed S4U2Self service ticket parsing, non-ASCII authentication encoding, LSA Kerberos key decryption, GSSAPI BER length parsing, ccache/kirbi conversion edge cases, and PAC preservation/signing helpers used by ticket tooling. ([#2087](https://github.com/fortra/impacket/issues/2087), [#2068](https://github.com/fortra/impacket/issues/2068), [#2088](https://github.com/fortra/impacket/issues/2088), [#2130](https://github.com/fortra/impacket/issues/2130), [#2159](https://github.com/fortra/impacket/issues/2159), [#2164](https://github.com/fortra/impacket/issues/2164))
+    * MSSQL/TDS: Added TDS 8.0 support for Force Strict Encryption targets, EPA channel binding handling, TDS_SSVARIANT parsing, stricter TLS-backed packet handling, workstation/application name support, and more reliable SQL reply error tracking. ([#2074](https://github.com/fortra/impacket/issues/2074), [#2075](https://github.com/fortra/impacket/issues/2075), [#2082](https://github.com/fortra/impacket/issues/2082), [#2098](https://github.com/fortra/impacket/issues/2098), [#2122](https://github.com/fortra/impacket/issues/2122))
+    * DCE/RPC and WMI: Added WMI PutClass/DeleteClass support, Remote Event Log subscription calls, Remote Desktop Services process parsing fixes, SCMR failure action marshaling fixes, and safer TCP transport handling on empty receives. ([#1803](https://github.com/fortra/impacket/issues/1803), [#2061](https://github.com/fortra/impacket/issues/2061), [#2046](https://github.com/fortra/impacket/issues/2046), [#2152](https://github.com/fortra/impacket/issues/2152), [#2155](https://github.com/fortra/impacket/issues/2155))
+    * Directory and data parsing: Added LDAP CRUD helpers, improved LDAP attribute handling, fixed large-page ESE tag parsing for Windows Server 2025 NTDS.dit files, improved NTFS sparse and INDEX_ROOT reads, fixed DPAPI_BLOB parsing with oversized input, and corrected high-codepoint unicode structure sizing. ([#1764](https://github.com/fortra/impacket/issues/1764), [#1995](https://github.com/fortra/impacket/issues/1995), [#2097](https://github.com/fortra/impacket/issues/2097), [#2106](https://github.com/fortra/impacket/issues/2106), [#2112](https://github.com/fortra/impacket/issues/2112), [#2158](https://github.com/fortra/impacket/issues/2158))
+    * Added a reusable ACL helper module and expanded regression coverage for ACLs, NTFS, TDS, Kerberos, ESE, SCMR, WMI, SMB, and packet parsing. ([#1240](https://github.com/fortra/impacket/issues/1240))
+
+2. Examples improvements
+
+    * [ntlmrelayx.py](examples/ntlmrelayx.py):
+        * Added MSSQL and RDP relay servers, strict MSSQL relay support, TLS-backed TDS frame reassembly, NTLM sign/seal removal paths for CVE-2025-33073-related relay workflows, and `--remove-mic` handling. ([#2083](https://github.com/fortra/impacket/issues/2083), [#2101](https://github.com/fortra/impacket/issues/2101), [#2122](https://github.com/fortra/impacket/issues/2122), [#2133](https://github.com/fortra/impacket/issues/2133))
+        * Improved WinRM relay error handling and NTLMv2 detection, fixed WinRM NTLM relay behavior, made SMB relay negotiation more conservative by avoiding unsupported NEGOEX advertisement, and added multibyte AD CS template name support. ([#2089](https://github.com/fortra/impacket/issues/2089), [#2111](https://github.com/fortra/impacket/issues/2111), [#2127](https://github.com/fortra/impacket/issues/2127), [#2163](https://github.com/fortra/impacket/issues/2163))
+        * Added shadow credentials commands to the interactive LDAP shell and updated KeyCreds handling for the January 2026 Windows changes. ([#1402](https://github.com/fortra/impacket/issues/1402), [#2109](https://github.com/fortra/impacket/issues/2109))
+    * [secretsdump.py](examples/secretsdump.py):
+        * Added SAM history parsing, improved offline machine account and Kerberos key recovery, fixed negative timestamps on Windows, added SAM password timestamp output, and filtered offline NTDS rows by local domain SID. ([#2059](https://github.com/fortra/impacket/issues/2059), [#2069](https://github.com/fortra/impacket/issues/2069), [#2135](https://github.com/fortra/impacket/issues/2135), [#2142](https://github.com/fortra/impacket/issues/2142), [#2178](https://github.com/fortra/impacket/issues/2178))
+    * [regsecrets.py](examples/regsecrets.py):
+        * Added SAM history parsing. ([#2059](https://github.com/fortra/impacket/issues/2059))
+    * [ticketer.py](examples/ticketer.py):
+        * Improved ccache handling and preserved KDC-issued lifetimes for diamond tickets. ([#2159](https://github.com/fortra/impacket/issues/2159), [#2181](https://github.com/fortra/impacket/issues/2181))
+    * [ticketConverter.py](examples/ticketConverter.py):
+        * Improved kirbi/ccache conversion, preserved ticket flags, converted all TGS entries, and added base64 output support. ([#2104](https://github.com/fortra/impacket/issues/2104), [#2159](https://github.com/fortra/impacket/issues/2159))
+    * [describeTicket.py](examples/describeTicket.py):
+        * Fixed credential indexing after skipped decrypts and improved Kerberoast debug output. ([#2117](https://github.com/fortra/impacket/issues/2117))
+    * [raiseChild.py](examples/raiseChild.py):
+        * Preserved PAC buffers, added AES support for modern Windows environments, and improved ticket retry behavior. ([#2164](https://github.com/fortra/impacket/issues/2164))
+    * [smbclient.py](examples/smbclient.py):
+        * Added ACL management support, recursive `rget`, and richer share listing output with type and comments. ([#1240](https://github.com/fortra/impacket/issues/1240), [#2110](https://github.com/fortra/impacket/issues/2110), [#2156](https://github.com/fortra/impacket/issues/2156))
+    * [mssqlclient.py](examples/mssqlclient.py):
+        * Added workstation/application name options, linked-server RPC enable/disable commands, custom CBT support, and better MSSQL shell behavior. ([#2074](https://github.com/fortra/impacket/issues/2074), [#2098](https://github.com/fortra/impacket/issues/2098), [#2134](https://github.com/fortra/impacket/issues/2134))
+    * [ntfs-read.py](examples/ntfs-read.py):
+        * Improved INDEX_ROOT file listing, sparse file support, error handling, and read correctness. ([#2106](https://github.com/fortra/impacket/issues/2106))
+    * [tstool.py](examples/tstool.py):
+        * Added Remote Desktop Shadowing support. ([#2064](https://github.com/fortra/impacket/issues/2064))
+    * [badsuccessor.py](examples/badsuccessor.py):
+        * Fixed ACE filtering and ObjectType GUID parsing that could cause false negatives when searching OUs. ([#2170](https://github.com/fortra/impacket/issues/2170))
+    * [GetUserSPNs.py](examples/GetUserSPNs.py):
+        * Added an option to avoid forcing RC4-HMAC when requesting a TGT. ([#2141](https://github.com/fortra/impacket/issues/2141))
+    * [owneredit.py](examples/owneredit.py):
+        * Improved distinguished name lookup behavior. ([#2162](https://github.com/fortra/impacket/issues/2162))
+    * [exchanger.py](examples/exchanger.py):
+        * Added Basic Authentication support. ([#2077](https://github.com/fortra/impacket/issues/2077))
+    * [reg.py](examples/reg.py):
+        * Added support for persistent registry key creation. ([#2113](https://github.com/fortra/impacket/issues/2113))
+
+3. New examples
+
+    * [dpapidump.py](examples/dpapidump.py) dumps DPAPI-related secrets. ([#1917](https://github.com/fortra/impacket/issues/1917))
+    * [checkMSSQLStatus.py](examples/checkMSSQLStatus.py) checks MSSQL status and CBT behavior. ([#2098](https://github.com/fortra/impacket/issues/2098))
+
+4. Project & packaging
+
+    * Removed the run-time dependency on setuptools. ([#2102](https://github.com/fortra/impacket/issues/2102))
+    * Removed remaining Python 2 compatibility code from WMI and ESE modules. ([#1804](https://github.com/fortra/impacket/issues/1804))
+
+As always, thanks a lot to all these contributors that make this library better every day:
+
+@0xpaperman, @7own, @aconite33, @aelmosalamy, @alexisbalbachan, @anadrianmanrique, @AndreySolod, @azoxlpf, @bash-c, @blankshiro, @chand-ashok, @cjwatson, @Coontzy1, @Croumi, @CSpanias, @ctjf, @Dfte, @DidierA, @epotseluevskaya, @fulc2um, @gabrielg5, @gaffner, @herbenderbler, @i-am-not-an-ai, @john57, @laxaa, @laxa, @masterDeus, @Mayyhem, @n3rada, @NeffIsBack, @omry99, @plur1bu5, @Q2Flc2FySec, @Romern, @r3seh, @rtpt-romankarwacik, @sbuck1, @ThatTotallyRealMyth, @TheFlamingCrab, @tomik92, @Tw1sm.
+
 ## Impacket v0.13.0 (Oct 2025): 
 
 1. Library improvements 

README.md

@@ -1,4 +1,4 @@
-<img width="2043" height="571" alt="Impacket_light" src="https://github.com/user-attachments/assets/14aed700-0c6e-4865-ac53-686b91874f50" />
+<img alt="Impacket_light" src="https://github.com/user-attachments/assets/14aed700-0c6e-4865-ac53-686b91874f50" />
 
 Impacket
 ========
@@ -52,7 +52,7 @@ Getting Impacket
 
 ### Latest version
 
-* Impacket v0.13.0
+* Impacket v0.13.1
 
   [![Python versions](https://img.shields.io/pypi/pyversions/impacket.svg)](https://pypi.python.org/pypi/impacket/)
 

examples/GetUserSPNs.py

@@ -81,6 +81,7 @@ def __init__(self, username, password, user_domain, target_domain, cmdLineOption
         self.__nthash = ''
         self.__no_preauth = cmdLineOptions.no_preauth
         self.__outputFileName = cmdLineOptions.outputfile
+        self.__noRC4 = cmdLineOptions.no_rc4
         self.__usersFile = cmdLineOptions.usersfile
         self.__aesKey = cmdLineOptions.aesKey
         self.__doKerberos = cmdLineOptions.k
@@ -132,7 +133,7 @@ def getTGT(self):
         # password to ntlm hashes (that will force to use RC4 for the TGT). If that doesn't work, we use the
         # cleartext password.
         # If no clear text password is provided, we just go with the defaults.
-        if self.__password != '' and (self.__lmhash == '' and self.__nthash == ''):
+        if self.__password != '' and (self.__lmhash == '' and self.__nthash == '') and not self.__noRC4:
             try:
                 tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(userName, '', self.__domain,
                                                                         compute_lmhash(self.__password),
@@ -473,6 +474,7 @@ def request_multiple_TGSs(self, usernames):
                                                                           '<username>.ccache. Auto selects -request')
     parser.add_argument('-outputfile', action='store',
                         help='Output filename to write ciphers in JtR/hashcat format. Auto selects -request')
+    parser.add_argument('-no-rc4', action='store_true', default=False, help='Does not force RC4-HMAC for the TGT')
     parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output.')
     parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
 

examples/badsuccessor.py

@@ -32,7 +32,7 @@
 from impacket.examples import logger
 from impacket.examples.utils import parse_identity, parse_target, init_ldap_session
 from impacket.ldap import ldaptypes
-
+import uuid #needed for proper GUID conversion
 
 class BADSUCCESSOR:
     def __init__(self, username, password, domain, lmhash, nthash, cmdLineOptions):
@@ -281,20 +281,26 @@ def search_ous(self, ldapConnection):
                     dacl = sd['Dacl']
                     if dacl and hasattr(dacl, 'aces') and dacl.aces:
                         for ace in dacl.aces:
-                            # Only process ALLOW ACEs
-                            if ace['AceType'] != ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE:
+                            #Fix 1, Ensure we parse and process standard ACE and Object Specific ACE
+                            allowed_types = [
+                                ldaptypes.ACCESS_ALLOWED_ACE.ACE_TYPE,
+                                ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
+                            ]
+                            if ace['AceType'] not in allowed_types:
                                 continue
 
                             # Check if ACE has relevant rights
                             mask = int(ace['Ace']['Mask']['Mask'])
                             has_relevant_right = any(mask & right_value for right_value in relevant_rights.values())
                             if not has_relevant_right:
                                 continue
+                            #Fix two: The guid conversion was wrong and one actually reads the bytes correctly and converts them to real GUIDs for processing later
+                            ace_data = ace['Ace']
+                            object_type = ace_data['ObjectType'] if ace['AceType'] == ldaptypes.ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE else None
 
-                            # Check object type (must match relevant object types)
-                            object_type = getattr(ace['Ace'], 'ObjectType', None)
                             if object_type:
-                                object_guid = str(object_type).lower()
+                                object_guid = str(uuid.UUID(bytes_le=object_type)).lower()
+                                logging.debug(object_guid)
                                 if object_guid not in relevant_object_types:
                                     continue
 

examples/checkMSSQLStatus.py

@@ -0,0 +1,155 @@
+#!/usr/bin/env python3
+# coding: utf-8
+"""
+mssql_cbt_check.py
+Check whether Channel Binding Token (CBT) is enforced on a MSSQL server.
+
+Usage:
+    mssql_cbt_check.py [domain/]username[:password]@target [-port PORT] [-debug]
+
+Writen by @Defte_
+"""
+from __future__ import print_function
+
+import sys
+import logging
+import argparse
+from getpass import getpass
+
+from impacket import version
+from impacket.examples import logger
+from impacket.examples.utils import parse_target
+from impacket.tds import MSSQL, TDS_ENCRYPT_REQ, TDS_ENCRYPT_OFF
+
+
+class MSQLCBTCheck:
+    def __init__(self, options, username, password, domain, target):
+        self.username = username
+        self.password = password
+        self.domain = domain
+        self.target = target
+        self.port = int(options.port)
+        self.options = options
+
+    def _new_conn(self):
+        conn = MSSQL(self.target, self.port, "")
+        conn.connect()
+        return conn
+
+    def _login(self, conn, cbt):
+        opts = self.options
+        if opts.k:
+            return conn.kerberosLogin(
+                None,
+                self.username,
+                self.password,
+                self.domain,
+                opts.hashes,
+                opts.aesKey,
+                opts.dc_ip,
+                None,
+                None,
+                useCache=True,
+                cbt_fake_value=cbt,
+            )
+        else:
+            return conn.login(
+                None,
+                self.username,
+                self.password,
+                self.domain,
+                opts.hashes,
+                useWindowsAuth=True,
+                cbt_fake_value=cbt,
+            )
+
+    def run(self):
+        print(f"[*] Checking Channel Binding status on: {self.target}:{self.port}")
+
+        try:
+            conn = self._new_conn()
+            prelogin_resp = conn.preLogin()
+            enc = prelogin_resp["Encryption"]
+            if not enc == TDS_ENCRYPT_REQ and not enc == TDS_ENCRYPT_OFF:
+                print("[!] Encryption not activated nor required. Channel Binding off.")
+                conn.disconnect()
+                return
+        except Exception as e:
+            logging.debug(f"preLogin failed: {e}")
+            print("[-] Prelogin failed, cannot check MSSQL status.")
+            return
+
+        print("\n[*] First try: TDS computes the real Channel Binding Token (cbt=None)")
+        try:
+            conn = self._new_conn()
+            first_ok = self._login(conn, cbt=None)
+            conn.disconnect()
+        except Exception as e:
+            logging.debug(f"First try exception: {e}")
+            first_ok = False
+        print(f" Result: {'Success' if first_ok else 'Failure'}")
+
+        print("\n[*] Second try: invalid Channel Binding Token (cbt='')")
+        try:
+            conn = self._new_conn()
+            second_ok = self._login(conn, cbt=b'')
+            conn.disconnect()
+        except Exception as e:
+            logging.debug(f"Second try exception: {e}")
+            second_ok = False
+        print(f" Result: {'Success' if second_ok else 'Failure'}")
+
+        if first_ok and second_ok:
+            print("\n[+] The two authentications succeded. Channel Binding not required (CBT not enforced).")
+        elif first_ok and not second_ok:
+            print("\n[!] First authentication succeded, second failed. Channel Binding required (CBT enforced).")
+        elif not first_ok and not second_ok:
+            print("\n[!] The two authentications failed, invalid credentials.")
+
+if __name__ == '__main__':
+    print(version.BANNER)
+
+    parser = argparse.ArgumentParser(add_help=True)
+    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
+    parser.add_argument('-port', default=1433, help='Port MSSQL (default: 1433)')
+    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
+    parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output', dest='timestamp')
+
+    group = parser.add_argument_group('authentication')
+    group.add_argument('-hashes', metavar='LMHASH:NTHASH', help='NTLM hashes')
+    group.add_argument('-no-pass', action='store_true', help="Don't ask for password (useful with -k)")
+    group.add_argument('-k', action='store_true', help='Use Kerberos authentication (ccache via KRB5CCNAME)')
+    group.add_argument('-aesKey', metavar='hex key', help='AES key for Kerberos (128 or 256 bits)')
+
+    group = parser.add_argument_group('connection')
+    group.add_argument('-dc-ip', metavar='ip address', help='IP of the domain controller')
+    group.add_argument('-target-ip', metavar='ip address', help='IP of the target (overrides target name resolution)')
+
+    if len(sys.argv) == 1:
+        parser.print_help()
+        sys.exit(1)
+
+    options = parser.parse_args()
+    logger.init(options.timestamp, options.debug)
+
+    domain, username, password, target = parse_target(options.target)
+
+    if domain is None:
+        domain = ''
+
+    if options.target_ip:
+        target = options.target_ip
+
+    if options.aesKey:
+        options.k = True
+
+    if password == '' and username != '' and not options.hashes and not options.no_pass and not options.aesKey:
+        password = getpass("Password: ")
+
+    try:
+        MSQLCBTCheck(options, username, password, domain, target).run()
+    except Exception as e:
+        if logging.getLogger().level == logging.DEBUG:
+            import traceback
+            traceback.print_exc()
+        logging.error(str(e))