Merge pull request #1 from SecureAuthCorp/master

update with original

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,35 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+### Configuration  
+impacket version:  
+Python version:  
+Target OS:  
+
+### Debug Output With Command String  
+i.e.  
+smbexec -debug domain/user:password@127.0.0.1  
+```
+smbexec -debug domain/user:[email protected]
+[+] StringBinding ncacn_np:127.0.0.1[\pipe\svcctl]
+[+] Executing %COMSPEC% /Q /c echo cd  ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
+[!] Launching semi-interactive shell - Careful what you execute
+C:\Windows\system32>net group
+[+] Executing %COMSPEC% /Q /c echo net group ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
+Traceback (most recent call last):
+  File "/usr/lib64/python3.7/cmd.py", line 214, in onecmd
+    func = getattr(self, 'do_' + cmd)
+AttributeError: 'RemoteShell' object has no attribute 'do_net'
+```
+
+### PCAP  
+If applicable, add a packet capture to help explain your problem.
+
+### Additional context  
+Space for additional context, investigative results, suspected issue.

.gitignore

@@ -8,6 +8,9 @@ __pycache__/
 # Distribution / packaging
 .Python
 env/
+venv/
+.env/
+.venv/
 build/
 develop-eggs/
 dist/
@@ -23,6 +26,9 @@ var/
 .installed.cfg
 *.egg
 
+Pipfile
+Pipfile.lock
+
 # PyInstaller
 #  Usually these files are written by a python script from a template
 #  before PyInstaller builds the exe, so as to inject date/other infos into it.
@@ -43,6 +49,9 @@ nosetests.xml
 coverage.xml
 *,cover
 
+# bak files
+*.bak
+
 # Translations
 *.mo
 *.pot
@@ -55,3 +64,9 @@ docs/_build/
 
 # PyBuilder
 target/
+
+# macOS
+.DS_Store
+
+# PyCharm
+.idea

.travis.yml

@@ -0,0 +1,23 @@
+group: travis_latest
+language: python
+cache: pip
+
+matrix:
+  include:
+    - python: 2.7
+      env: NO_REMOTE=true, TOXENV=py27
+    - python: 3.6
+      env: NO_REMOTE=true, TOXENV=py36
+    - python: 3.7
+      env: NO_REMOTE=true, TOXENV=py37
+      dist: xenial  # required for Python >= 3.7
+
+install: pip install flake8 tox -r requirements.txt
+
+before_script:
+  # stop the build if there are Python syntax errors or undefined names
+  - flake8 . --count --select=E9,F72,F82 --show-source --statistics
+  # exit-zero treats all errors as warnings.  The GitHub editor is 127 chars wide
+  - flake8 . --count --ignore=E1,E2,E3,E501,W291,W293 --exit-zero --max-complexity=65 --max-line-length=127 --statistics
+
+script: tox

ChangeLog

@@ -1,8 +1,39 @@
 Complete list of changes can be found at:
-https://github.com/CoreSecurity/impacket/commits/master
+https://github.com/SecureAuthCorp/impacket/commits/master
+
+June 2016: 0.9.15:
+1) Library improvements
+   * SMB3.create: define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
+   * Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss)
+   * Packet fragmentation for DCE RPC layer mayor overhaul.
+   * Improved pass-the-key attacks scenarios (by @skelsec)
+   * Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to
+     build the search filter yourself)
+   * IPv6 improvements for DCERPC/LDAP and Kerberos
+
+2) Examples improvements
+   * Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC
+     resides in the same server
+   * secretsdump.py
+     a. Adding support for Win2016 TP4 in LOCAL or -use-vss mode
+     b. Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)
+     c. Support for different ReplEpoch (DRSUAPI only)
+     d. pwdLastSet is also included in the output file
+     e. New structures/flags added for 2016 TP5 PAM support
+   * wmiquery.py
+     a. Adding -rpc-auth-level switch (by @gadio)
+   * smbrelayx.py
+     a. Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
+     b. Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
+
+3) New Examples
+   * GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account.
+     This is part of the kerberoast attack researched by Tim Medin (@timmedin)
+   * ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc)
+     (by @dirkjanm)
 
 January 2016: 0.9.14:
-1) Library improvements:
+1) Library improvements
    * [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService Interface implementations
    * [MS-DRSR] - Directory Replication Service DRSUAPI Interface implementation
    * Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
@@ -12,7 +43,7 @@ January 2016: 0.9.14:
    * Extended present flags support on RadioTap class
    * Old DCERPC runtime code removed
 
-2) Examples improvements:
+2) Examples improvements
    * mssqlclient.py: Added Kerberos authentication support
    * atexec.py: It now uses ITaskSchedulerService interface, adding support for Windows 2012 R2
    * smbrelayx.py:
@@ -28,13 +59,13 @@ January 2016: 0.9.14:
        e. Add support for multiple password encryption keys (PEK) (by @s0crat)
    * goldenPac.py: Tests all DCs in domain and adding forest's enterprise admin group inside PAC
 
-3) New examples:
+3) New examples
    * raiseChild.py: Child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege
      escalation as detailed by Sean Metcalf at https://adsecurity.org/?p=1640
    * netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them (original idea by @mubix)
 
 May 2015: 0.9.13:
-1) Library improvements:
+1) Library improvements
    * Kerberos support for SMB and DCERPC featuring:
       a. kerberosLogin() added to SMBConnection (all SMB versions).
       b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will 
@@ -43,22 +74,20 @@ May 2015: 0.9.13:
       d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc).
       e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
       f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
-   * SMB3 encryption support. Pycrypto experimental version that supports
-     AES_CCM is required.
    * [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
    * SMBSERVER improvements:
       a. SMB2 (2.002) dialect experimental support. 
       b. Adding capability to export to John The Ripper format files
    * Library logging overhaul. Now there's a single logger called 'impacket'.
 
-2) Examples improvements:
+2) Examples improvements
    * Added Kerberos support to all modules (incl. pass-the-ticket/key)
    * Ported most of the modules to the new dcerpc.v5 runtime.
    * secretsdump.py: Added dumping Kerberos keys when parsing NTDS.DIT
    * smbserver.py: support for SMB2 (not enabled by default)
    * smbrelayx.py: Added support for MS15-027 exploitation.
 
-3) New examples:
+3) New examples
    * goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a 
      psexec session at the target.
    * karmaSMB.py: SMB Server that answers specific file contents regardless of
@@ -67,18 +96,18 @@ May 2015: 0.9.13:
      Consumers/Filters to execute VBS based on a WQL filter or timer specified.
 
 July 2014: 0.9.12:
-1) The following protocols were added based on its standard definition:
+1) The following protocols were added based on its standard definition
    * [MS-DCOM] - Distributed Component Object module Protocol (dcom.py)
    * [MS-OAUT] - OLE Automation Protocol (dcom/oaut.py)
    * [MS-WMI]/[MS-WMIO] : Windows Management Instrumentation Remote Protocol (dcom/wmi.py)
 
-2) New examples:
+2) New examples
    a. wmiquery.py: executes WMI queries and get WMI object's descriptions.
    b. wmiexec.py: agent-less, semi-interactive shell using WMI.
    c. smbserver.py: quick an easy way to share files using the SMB protocol.
 
 February 2014: 0.9.11:
-1) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available):
+1) New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available)
   a. Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
   b. Support for RPC_C_AUTHN_NETLOGON (experimental)
   c. The following interface were developed based on its standard definition:
@@ -99,7 +128,7 @@ February 2014: 0.9.11:
 4) TDS protocol now supports SSL, can be used from mssqlclient
 5) Support for EAPOL, EAP and WPS decoders
 6) VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
-7) New examples:
+7) New examples
   a. rdp_check.py: tests whether an account (pwd or hashes) is valid against an RDP server
   b. esentutl.py: ESE example to show how to interact with ESE databases (e.g. NTDS.dit)
   c. ntfs-read.py: mini shell for browsing an NTFS volume
@@ -108,24 +137,32 @@ February 2014: 0.9.11:
 
 March 2013: 0.9.10:
 1) SMB version 2 and 3 protocol support ([MS-SMB2]). Signing supported, encryption for SMB3 still pending.
-2) Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and SMB version independent.  It will pick the best SMB Version when connecting against the target. Check smbconnection.py for a list of available methods across all the protocols.
+2) Added a SMBConnection layer on top of each SMB specific protocol. Much simpler and SMB version independent.
+   It will pick the best SMB Version when connecting against the target. Check smbconnection.py for a list of available
+   methods across all the protocols.
 3) Partial TDS implementation ([MS-TDS] & [MC-SQLR]) so we could talk with MSSQL Servers.
 4) Unicode support for the smbserver. Newer OSX won't connect to a non unicode SMB Server.
-5) DCERPC Endpoints' new calls:
+5) DCERPC Endpoints' new calls
   a. EPM: lookup(): It can work as a general portmapper, or just to find specific interfaces/objects.
-6) New examples:
-  a. mssqlclient.py: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives you an SQL prompt for your pleasure.
+6) New examples
+  a. mssqlclient.py: A MS SQL client, allowing to do MS SQL or Windows Authentication (accepts hashes) and then gives
+     you an SQL prompt for your pleasure.
   b. mssqlinstance.py: Lists the MS SQL instances running on a target machine.
-  c. rpcdump.py: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to develop new functionality to interact against a target interface.
-  d. smbexec.py: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the technique described at http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access. It also supports instantiating a local smbserver to receive the output of the commandos executed for those situations where no share is available on the other end. 
+  c. rpcdump.py: Output changed. Hopefully more useful. Parsed all the Windows Protocol Specification looking for the
+     UUIDs used and that information is included as well. This could be helpful when reading a portmap output and to
+     develop new functionality to interact against a target interface.
+  d. smbexec.py: Another alternative to psexec. Less capabilities but might work on tight AV environments. Based on the
+     technique described at https://www.optiv.com/blog/owning-computers-without-shell-access. It also
+     supports instantiating a local smbserver to receive the output of the commandos executed for those situations
+     where no share is available on the other end.
   e. smbrelayx.py: It now also listens on port 80 and forwards/reflects the credentials accordingly.
 
 And finally tons of fixes :).
 
 July 2012: 0.9.9:
 1) Added 802.11 packets encoding/decoding
 2) Addition of support for IP6, ICMP6 and NDP packets. Addition of IP6_Address helper class.
-3) SMB/DCERPC:
+3) SMB/DCERPC
   a. GSS-API/SPNEGO Support.
   b. SPN support in auth blob.
   c. NTLM2 and NTLMv2 support.
@@ -136,23 +173,31 @@ July 2012: 0.9.9:
   h. SMB signing support when server enforces it.
   i. DCERPC signing/sealing for all NTLM flavours.
   j. DCERPC transport now accepts an already established SMB connection.
-  k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by forwarding named pipes requests).
-  l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoidg Windows 7 nasty bug when that pipe's not functional.
+  k. Basic SMBServer implementation in Python. It allows third-party DCE-RPC servers to handle DCERPC Request (by
+     forwarding named pipes requests).
+  l. Minimalistic SRVSVC dcerpc server to be used by SMBServer in order to avoidg Windows 7 nasty bug when that pipe's
+     not functional.
 
-4) DCERPC Endpoints' new calls:
-  a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(), NetprNameCanonicalize().
-  b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(), StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW().
+4) DCERPC Endpoints' new calls
+  a. SRVSVC: NetrShareEnum(Level1), NetrShareGetInfo(Level2), NetrServerGetInfo(Level2), NetrRemoteTOD(),
+     NetprNameCanonicalize().
+  b. SVCCTL: CloseServiceHandle(), OpenSCManagerW(), CreateServiceW(), StartServiceW(), OpenServiceW(), OpenServiceA(),
+     StopService(), DeleteService(), EnumServicesStatusW(), QueryServiceStatus(), QueryServiceConfigW().
   c. WKSSVC: NetrWkstaTransportEnum().
   d. SAMR: OpenAlias(), GetMembersInAlias().
   e. LSARPC: LsarOpenPolicy2(), LsarLookupSids(), LsarClose().
 
-5) New examples:
-  a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is listed and/or listening.
+5) New examples
+  a. ifmap.py: First, this binds to the MGMT interface and gets a list of interface IDs. It adds to this a large list
+     of interface UUIDs seen in the wild. It then tries to bind to each interface and reports whether the interface is
+     listed and/or listening.
   b. lookupsid.py: DCE/RPC lookup sid brute forcer example.
-  c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.
+  c. opdump.py: This binds to the given hostname:port and DCERPC interface. Then, it tries to call each of the first
+     256 operation numbers in turn and reports the outcome of each call.
   d. services.py: SVCCTL services common functions for manipulating services (START/STOP/DELETE/STATUS/CONFIG/LIST).
   e. test_wkssvc: DCE/RPC WKSSVC examples, playing with the functions Implemented.
   f. smbrelayx: Passes credentials to a third party server when doing MiTM.
-  g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but not enforced. Tested under Windows, Linux and MacOS clients.
+  g. smbserver: Multiprocess/threading smbserver supporting common file server functions. Authentication all done but
+     not enforced. Tested under Windows, Linux and MacOS clients.
   h. smbclient.py: now supports history, new commands also added.
   i. psexec.py: Execute remote commands on Windows machines

LICENSE

@@ -4,15 +4,15 @@ Licencing
 We provide this software under a slightly modified version of the
 Apache Software License. The only changes to the document were the
 replacement of "Apache" with "Impacket" and "Apache Software Foundation"
-with "CORE Security Technologies". Feel free to compare the resulting
+with "SecureAuth Corporation". Feel free to compare the resulting
 document to the official Apache license.
 
 The `Apache Software License' is an Open Source Initiative Approved
 License.
 
 
 The Apache Software License, Version 1.1
-Modifications by CORE Security Technologies (see above)
+Modifications by SecureAuth Corporation (see above)
 
 Copyright (c) 2000 The Apache Software Foundation.  All rights
 reserved.
@@ -32,18 +32,18 @@ are met:
 3. The end-user documentation included with the redistribution,
    if any, must include the following acknowledgment:
       "This product includes software developed by
-       CORE Security Technologies (http://www.coresecurity.com/)."
+       SecureAuth Corporation (https://www.secureauth.com/)."
    Alternately, this acknowledgment may appear in the software itself,
    if and wherever such third-party acknowledgments normally appear.
 
-4. The names "Impacket" and "CORE Security Technologies" must
+4. The names "Impacket", "SecureAuth Corporation" must
    not be used to endorse or promote products derived from this
    software without prior written permission. For written
-   permission, please contact oss@coresecurity.com.
+   permission, please contact oss@secureauth.com.
 
 5. Products derived from this software may not be called "Impacket",
    nor may "Impacket" appear in their name, without prior written
-   permission of CORE Security Technologies.
+   permission of SecureAuth Corporation.
 
 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
@@ -61,7 +61,7 @@ SUCH DAMAGE.
 
 
 Smb.py and nmb.py are based on Pysmb by Michael Teo
-(http://miketeo.net/projects/pysmb/), and are distributed under the
+(https://miketeo.net/projects/pysmb/), and are distributed under the
 following license:
 
 This software is provided 'as-is', without any express or implied

MANIFEST.in

@@ -1,4 +1,7 @@
 include MANIFEST.in
 include LICENSE
 include ChangeLog
-recursive-include examples *.txt *.py
+include requirements.txt
+include tox.ini
+recursive-include examples tests *.txt *.py
+recursive-include tests *