Impacket Tool in Kali Linux Receives Major Upgrade with Enhanced Attack Paths and Relay Techniques

The Impacket toolkit, a cornerstone of penetration testing, has received a significant upgrade in the Kali Linux repository. Maintained by Fortra's cybersecurity team, the latest release builds on version 0.12 and introduces advanced relay capabilities, protocol hardening, and new example scripts. These enhancements aim to streamline red team operations in contemporary Windows environments, making it easier to navigate complex Active Directory structures and to carry out relay attacks.

Enhanced Relay Capabilities

A pivotal advancement in this release is the augmentation of `ntlmrelayx.py`, transforming it into a versatile relay operator. Security professionals can now directly serve System Center Configuration Manager (SCCM) Management Points and Distribution Points. This functionality allows for the enrollment of unauthorized clients to extract confidential policies or scrutinize packages for sensitive information.

Additionally, a new Remote Procedure Call (RPC) listener and Endpoint Mapper (EPM) bootstrapper simplify the transition from printer-related coercion vulnerabilities to Active Directory Certificate Services (ADCS) exploitation. This condenses what used to be a multi-step attack into a single command, improving operational efficiency.

Further innovations include a Windows Remote Management (WinRM) relay target that forwards inbound NTLM authentications from sources like SMBv1, LDAP, HTTP, or captured hashes to spawn interactive shells via local TCP ports.

Protocol Hardening and Workflow Enhancements

To counteract evolving defensive measures, Impacket has strengthened channel binding and signing across LDAP, Kerberos, and SQL protocols. Enhancements to Simple Authentication and Security Layer (SASL) ensure compatibility with domains enforcing unsigned binds. Moreover, a reengineered Tabular Data Stream (TDS) handshake in `mssqlclient.py` now natively manages encryption and Channel Binding Tokens (CBT), eliminating the need for external dependencies like PyOpenSSL.

Microsoft SQL Server (MSSQL) workflows have also been refined, offering richer version banners for scripting, corrected uploads on non-English systems, and new support for feeding commands to `mssqlclient.py` from the command-line interface (CLI). Server Message Block (SMB) refactoring addresses sharing violations when copying live files, including event logs, and refines signing to emulate native Windows behavior.

Introduction of New Scripting Tools

The release introduces new examples such as `badsuccessor.py`, based on Akamai research, enabling inventory and exploitation of vulnerable Organizational Units (OUs). Other additions include `attrib.py` and `filetime.py` for file metadata control, `regsecrets.py` for remote hive extraction, `CheckLDAPStatus.py` for auditing signing enforcement, and `samedit.py` for offline Security Account Manager (SAM) editing.

Standardized logging and authentication parsing across the examples reduce boilerplate code, and `secretsdump.py` gains remote Windows Management Instrumentation (WMI) options for NTDS.dit dumps. Now that this Impacket release is available in the Kali Linux repositories, testers are encouraged to experiment with it in lab environments against recent Windows builds.