Merge branch 'fortra:master' into gmsamembership

Author: int3x

.github/workflows/build_and_test.yml

@@ -48,11 +48,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.8", "3.9", "3.10","3.11"]
+        python-version: ["3.9", "3.10","3.11","3.12"]
         experimental: [false]
         os: [ubuntu-latest]
         include:
-          - python-version: "3.12-dev"
+          - python-version: "3.13-dev"
             experimental: true
             os: ubuntu-latest
     continue-on-error: ${{ matrix.experimental }}

examples/GetLAPSPassword.py

@@ -78,6 +78,7 @@ def __init__(self, username, password, domain, cmdLineOptions):
         self.__kdcHost = cmdLineOptions.dc_host
         self.__targetComputer = cmdLineOptions.computer
         self.__outputFile = cmdLineOptions.outputfile
+        self.__ldaps_flag = cmdLineOptions.ldaps_flag
         self.__KDSCache = {}
 
         if cmdLineOptions.hashes is not None:
@@ -162,7 +163,7 @@ def getUnixTime(t):
 
     def run(self):
         # Connect to LDAP
-        ldapConnection = ldap_login(self.__target, self.baseDN, self.__kdcIP, self.__kdcHost, self.__doKerberos, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)
+        ldapConnection = ldap_login(self.__target, self.baseDN, self.__kdcIP, self.__kdcHost, self.__doKerberos, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, self.__ldaps_flag)
         # updating "self.__target" as it may have changed in the ldap_login processing
         self.__target = ldapConnection._dstHost
 
@@ -271,6 +272,10 @@ def run(self):
     group.add_argument('-dc-host', action='store', metavar='hostname', help='Hostname of the domain controller to use. '
                                                                               'If ommited, the domain part (FQDN) '
                                                                               'specified in the account parameter will be used')
+    
+    group.add_argument('-ldaps', dest='ldaps_flag', action="store_true", help='Enable LDAPS (LDAP over SSL). '
+                                                                                'Required when querying a Windows Server 2025'
+                                                                                'domain controller with LDAPS enforced.')
 
     if len(sys.argv)==1:
         parser.print_help()

examples/GetNPUsers.py

@@ -16,7 +16,7 @@
 #   you can send it for cracking.
 #
 #   Original credit for this technique goes to @harmj0y:
-#   https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
+#   https://blog.harmj0y.net/activedirectory/roasting-as-reps/
 #   Related work by Geoff Janjua:
 #   https://www.exumbraops.com/layerone2016/party
 #

examples/dacledit.py

@@ -703,6 +703,7 @@ def parse_args():
     auth_con.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
     auth_con.add_argument('-aesKey', action="store", metavar="hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
     auth_con.add_argument('-dc-ip', action='store', metavar="ip address", help='IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter')
+    auth_con.add_argument('-dc-host', action='store', metavar="hostname", help='Hostname of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, -dc-ip will be used')
 
     principal_parser = parser.add_argument_group("principal", description="Object, controlled by the attacker, to reference in the ACE to create or to filter when printing a DACL")
     principal_parser.add_argument("-principal", dest="principal_sAMAccountName", metavar="NAME", type=str, required=False, help="sAMAccountName")
@@ -745,7 +746,7 @@ def main():
     domain, username, password, lmhash, nthash, args.k = parse_identity(args.identity, args.hashes, args.no_pass, args.aesKey, args.k)
 
     try:
-        ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.aesKey, args.use_ldaps)
+        ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.dc_host, args.aesKey, args.use_ldaps)
         dacledit = DACLedit(ldap_server, ldap_session, args)
         if args.action == 'read':
             dacledit.read()

examples/ntlmrelayx.py

@@ -34,6 +34,7 @@
 # Authors:
 #   Alberto Solino (@agsolino)
 #   Dirk-jan Mollema / Fox-IT (https://www.fox-it.com)
+#  Sylvain Heiniger / Compass Security (https://www.compass-security.com)
 #
 
 import argparse
@@ -52,7 +53,7 @@
 
 from impacket import version
 from impacket.examples import logger
-from impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer, WCFRelayServer, RAWRelayServer
+from impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer, WCFRelayServer, RAWRelayServer, RPCRelayServer
 from impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig, parse_listening_ports
 from impacket.examples.ntlmrelayx.utils.targetsutils import TargetsProcessor, TargetsFileWatcher
 from impacket.examples.ntlmrelayx.servers.socksserver import SOCKS
@@ -194,14 +195,15 @@ def start_servers(options, threads):
         c.setOutputFile(options.output_file)
         c.setdumpHashes(options.dump_hashes)
         c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access, options.dump_laps, options.dump_gmsa, options.dump_adcs, options.sid, options.add_dns_record)
-        c.setRPCOptions(options.rpc_mode, options.rpc_use_smb, options.auth_smb, options.hashes_smb, options.rpc_smb_port)
+        c.setRPCOptions(options.rpc_mode, options.rpc_use_smb, options.auth_smb, options.hashes_smb, options.rpc_smb_port, options.icpr_ca_name)
         c.setMSSQLOptions(options.query)
         c.setInteractive(options.interactive)
         c.setIMAPOptions(options.keyword, options.mailbox, options.all, options.imap_max)
         c.setIPv6(options.ipv6)
         c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
         c.setSMB2Support(options.smb2support)
         c.setSMBChallenge(options.ntlmchallenge)
+        c.setSMBRPCAttack(options.rpc_attack)
         c.setInterfaceIp(options.interface_ip)
         c.setExploitOptions(options.remove_mic, options.remove_target)
         c.setWebDAVOptions(options.serve_image)
@@ -242,6 +244,8 @@ def start_servers(options, threads):
             c.setListeningPort(options.wcf_port)
         elif server is RAWRelayServer:
             c.setListeningPort(options.raw_port)
+        elif server is RPCRelayServer:
+            c.setListeningPort(options.rpc_port)
 
         s = server(c)
         s.start()
@@ -293,11 +297,13 @@ def stop_servers(threads):
     serversoptions.add_argument('--no-http-server', action='store_true', help='Disables the HTTP server')
     serversoptions.add_argument('--no-wcf-server', action='store_true', help='Disables the WCF server')
     serversoptions.add_argument('--no-raw-server', action='store_true', help='Disables the RAW server')
+    serversoptions.add_argument('--no-rpc-server', action='store_true', help='Disables the RPC server')
 
     parser.add_argument('--smb-port', type=int, help='Port to listen on smb server', default=445)
     parser.add_argument('--http-port', help='Port(s) to listen on HTTP server. Can specify multiple ports by separating them with `,`, and ranges with `-`. Ex: `80,8000-8010`', default="80")
     parser.add_argument('--wcf-port', type=int, help='Port to listen on wcf server', default=9389)  # ADWS
     parser.add_argument('--raw-port', type=int, help='Port to listen on raw server', default=6666)
+    parser.add_argument('--rpc-port', type=int, help='Port to listen on rpc server', default=135)
 
     parser.add_argument('--no-multirelay', action="store_true", required=False, help='If set, disable multi-host relay (SMB and HTTP servers)')
     parser.add_argument('--keep-relaying', action="store_true", required=False, help='If set, keeps relaying to a target even after a successful connection on it')
@@ -338,15 +344,17 @@ def stop_servers(threads):
     smboptions.add_argument('-e', action='store', required=False, metavar = 'FILE', help='File to execute on the target system. '
                                      'If not specified, hashes will be dumped (secretsdump.py must be in the same directory)')
     smboptions.add_argument('--enum-local-admins', action='store_true', required=False, help='If relayed user is not admin, attempt SAMR lookup to see who is (only works pre Win 10 Anniversary)')
+    smboptions.add_argument('--rpc-attack', action='store', choices=[None, "TSCH", "ICPR"], required=False, default=None, help='Select the attack to perform over RPC over named pipes.')
 
     #RPC arguments
     rpcoptions = parser.add_argument_group("RPC client options")
-    rpcoptions.add_argument('-rpc-mode', choices=["TSCH"], default="TSCH", help='Protocol to attack, only TSCH supported')
+    rpcoptions.add_argument('-rpc-mode', choices=["TSCH", "ICPR"], default="TSCH", help='Protocol to attack')
     rpcoptions.add_argument('-rpc-use-smb', action='store_true', required=False, help='Relay DCE/RPC to SMB pipes')
     rpcoptions.add_argument('-auth-smb', action='store', required=False, default='', metavar='[domain/]username[:password]',
         help='Use this credential to authenticate to SMB (low-privilege account)')
     rpcoptions.add_argument('-hashes-smb', action='store', required=False, metavar="LMHASH:NTHASH")
     rpcoptions.add_argument('-rpc-smb-port', type=int, choices=[139, 445], default=445, help='Destination port to connect to SMB')
+    rpcoptions.add_argument('-icpr-ca-name', action='store', default="", help='Name of the CA for ICPR attack')
 
     #MSSQL arguments
     mssqloptions = parser.add_argument_group("MSSQL client options")
@@ -502,6 +510,9 @@ def stop_servers(threads):
     if not options.no_raw_server:
         RELAY_SERVERS.append(RAWRelayServer)
 
+    if not options.no_rpc_server:
+        RELAY_SERVERS.append(RPCRelayServer)
+
     if targetSystem is not None and options.w:
         watchthread = TargetsFileWatcher(targetSystem)
         watchthread.start()

examples/owneredit.py

@@ -10,7 +10,7 @@
 # for more information.
 #
 # Description:
-#   Python script for handling the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target computer
+#   Python script for reading and modifying the Owner attribute (OwnerSid) of an Active Directory object.
 #
 # Authors:
 #   Charlie BROMBERG (@_nwodtuhs)
@@ -241,6 +241,7 @@ def parse_args():
     auth_con.add_argument('-aesKey', action="store", metavar="hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
     auth_con.add_argument('-dc-ip', action='store', metavar="ip address",
                           help='IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter')
+    auth_con.add_argument('-dc-host', action='store', metavar="hostname", help='Hostname of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, -dc-ip will be used')
 
     new_owner_parser = parser.add_argument_group("owner", description="Object, controlled by the attacker, to set as owner of the target object")
     new_owner_parser.add_argument("-new-owner", dest="new_owner_sAMAccountName", metavar="NAME", type=str, required=False, help="sAMAccountName")
@@ -277,7 +278,7 @@ def main():
     domain, username, password, lmhash, nthash, args.k = parse_identity(args.identity, args.hashes, args.no_pass, args.aesKey, args.k)
 
     try:
-        ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.aesKey, args.use_ldaps)
+        ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.dc_host, args.aesKey, args.use_ldaps)
         owneredit = OwnerEdit(ldap_server, ldap_session, args)
         if args.action == 'read':
             owneredit.read()

examples/rbcd.py

@@ -293,6 +293,7 @@ def parse_args():
                        help='IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If '
                             'omitted it will use the domain part (FQDN) specified in '
                             'the identity parameter')
+    group.add_argument('-dc-host', action='store', metavar="hostname", help='Hostname of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, -dc-ip will be used')
 
     if len(sys.argv) == 1:
         parser.print_help()
@@ -313,7 +314,7 @@ def main():
     domain, username, password, lmhash, nthash, args.k = parse_identity(args.identity, args.hashes, args.no_pass, args.aesKey, args.k)
 
     try:
-        ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.aesKey, args.use_ldaps)
+        ldap_server, ldap_session = init_ldap_session(domain, username, password, lmhash, nthash, args.k, args.dc_ip, args.dc_host, args.aesKey, args.use_ldaps)
         rbcd = RBCD(ldap_server, ldap_session, args.delegate_to)
         if args.action == 'read':
             rbcd.read()

examples/smbexec.py

@@ -56,7 +56,7 @@
 from impacket.dcerpc.v5 import transport, scmr
 from impacket.krb5.keytab import Keytab
 
-OUTPUT_FILENAME = '__output'
+OUTPUT_FILENAME = '__output_' + ''.join([random.choice(string.ascii_letters) for i in range(8)])
 SMBSERVER_DIR   = '__tmp'
 DUMMY_SHARE     = 'TMP'
 CODEC = sys.stdout.encoding

examples/smbserver.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # Impacket - Collection of Python classes for working with network protocols.
 #
-# Copyright Fortra, LLC and its affiliated companies 
+# Copyright Fortra, LLC and its affiliated companies
 #
 # All rights reserved.
 #
@@ -30,7 +30,7 @@
     print(version.BANNER)
 
     parser = argparse.ArgumentParser(add_help = True, description = "This script will launch a SMB Server and add a "
-                                     "share specified as an argument. You need to be root in order to bind to port 445. "
+                                     "share specified as an argument. Usually, you need to be root in order to bind to port 445. "
                                      "For optional authentication, it is possible to specify username and password or the NTLM hash. "
                                      "Example: smbserver.py -comment 'My share' TMP /tmp")
 
@@ -98,4 +98,8 @@
     server.setSMBChallenge('')
 
     # Rock and roll
-    server.start()
+    try:
+        server.start()
+    except KeyboardInterrupt:
+        print("\nInterrupted, exiting...")
+        sys.exit(130)

impacket/dcerpc/v5/dcomrt.py

@@ -71,6 +71,34 @@
 IID_IUnknown                  = uuidtup_to_bin(('00000000-0000-0000-C000-000000000046','0.0'))
 IID_IClassFactory             = uuidtup_to_bin(('00000001-0000-0000-C000-000000000046','0.0'))
 
+# Protocol Identifiers, from [c706] Annex I
+TOWERID_OSI_TP4 = 0x05
+TOWERID_OSI_CLNS = 0x06
+TOWERID_DOD_TCP = 0x0007
+TOWERID_DOD_UDP = 0x08
+TOWERID_DOD_IP = 0x09
+TOWERID_RPC_connectionless = 0x0a
+TOWERID_RPC_connectionoriented = 0x0b
+TOWERID_DNA_Session_Control = 0x02
+TOWERID_DNA_Session_Control_V3 = 0x03
+TOWERID_DNA_NSP_Transport = 0x04
+TOWERID_DNA_Routing = 0x06
+TOWERID_Named_Pipes = 0x10
+TOWERID_NetBIOS_11 = 0x11
+TOWERID_NetBEUI = 0x12
+TOWERID_Netware_SPX = 0x13
+TOWERID_Netware_IPX = 0x14
+TOWERID_Appletalk_Stream = 0x16
+TOWERID_Appletalk_Datagram = 0x17
+TOWERID_Appletalk = 0x18
+TOWERID_NetBIOS_19 = 0x19
+TOWERID_VINES_SPP = 0x1A
+TOWERID_VINES_IPC = 0x1B
+TOWERID_StreetTalk = 0x1C
+TOWERID_Unix_Domain_socket = 0x20
+TOWERID_null = 0x21
+TOWERID_NetBIOS_22 = 0x22
+
 class DCERPCSessionError(DCERPCException):
     def __init__(self, error_string=None, error_code=None, packet=None):
         DCERPCException.__init__(self, error_string, error_code, packet)