Impacket Tool in Kali Repo Upgraded With New Attack Paths and Relay Tricks

The popular Impacket toolkit, a staple in penetration testing and now integrated into the Kali Linux repository, is set for a major upgrade.

Maintained by Fortra’s cybersecurity team, the forthcoming release, building on version 0.12, addresses long-standing community requests with enhanced relay capabilities, protocol hardening, and new scripting tools.

This update promises to streamline red team operations against modern Windows environments, making it easier to navigate complex Active Directory setups and relay attacks.

At the core of the release are powerful additions to ntlmrelayx.py, turning it into a versatile relay operator. Security researchers can now directly serve SCCM Management Points and Distribution Points, enabling the enrollment of rogue clients to extract secret policies or scour packages for sensitive data.

A new RPC listener and EPM bootstrapper simplify pivots from printer bugs to ADCS exploitation, condensing multi-step attacks into single commands.

Further innovations include a WinRM relay target that forwards inbound NTLM authentications from sources like SMBv1, LDAP, HTTP, or captured hashes to spawn interactive shells via local TCP ports.

The SOCKS proxy plugin extends support to LDAP and LDAPS traffic, allowing seamless integration with existing tools without custom rewrites. Logging improvements tie attacks to specific relayed connections, providing granular insights into coerced victims.
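A defender-side view of the relayed authentications described above, as an added example that is not part of the original article or of Impacket: it flags NTLM network logons (Security event 4624) whose claimed workstation name does not match the address the logon came from. The inventory, the event records and the function name `find_relay_candidates` are constructed for illustration.

```python
import ipaddress

# Constructed inventory (assumption: hostname -> IP exported from DNS or a CMDB).
INVENTORY = {"DC01": "10.0.0.10", "FILE01": "10.0.0.20", "WS-042": "10.0.5.42"}

# Constructed, simplified Security 4624 records; keys follow the event's data names.
EVENTS = [
    {"EventID": 4624, "Computer": "CA01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "WorkstationName": "DC01", "IpAddress": "10.0.5.77"},
    {"EventID": 4624, "Computer": "FILE01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-042", "IpAddress": "10.0.5.42"},
    {"EventID": 4624, "Computer": "FILE01", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "DC01$", "WorkstationName": "-", "IpAddress": "10.0.5.77"},
    {"EventID": 4624, "Computer": "FILE01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "WorkstationName": "WS-042", "IpAddress": "10.0.5.77"},
    {"EventID": 4624, "Computer": "FILE01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "carol", "WorkstationName": "WS-042", "IpAddress": "-"},
]


def find_relay_candidates(events, inventory):
    """Return NTLM network logons whose claimed workstation does not own the source IP."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or int(ev.get("LogonType", 0)) != 3:
            continue  # only successful network logons
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue  # Kerberos logons are out of scope for this heuristic
        claimed = ev.get("WorkstationName", "").upper()
        expected = inventory.get(claimed)
        source = ev.get("IpAddress", "-")
        if expected is None or source in ("", "-"):
            continue  # cannot compare: unknown host or no source address logged
        if ipaddress.ip_address(source) != ipaddress.ip_address(expected):
            hits.append({
                "target": ev["Computer"],
                "account": ev["TargetUserName"],
                "claimed_host": claimed,
                "source_ip": source,
                # A machine account ($) arriving via NTLM is typical of coerced authentication.
                "machine_account": ev["TargetUserName"].endswith("$"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_relay_candidates(EVENTS, INVENTORY):
        print(hit)
```

NAT, multi-homed hosts and stale DHCP records produce mismatches too, so treat hits as leads to triage, with machine-account hits first.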

Protocol Hardening and Workflow Boosts

To counter evolving defenses, Impacket bolsters channel binding and signing across LDAP, Kerberos, and SQL protocols. SASL enhancements ensure compatibility with domains enforcing unsigned binds, while a reworked TDS handshake in mssqlclient.py handles encryption and CBT natively, ditching external dependencies like PyOpenSSL.

MSSQL workflows see practical upgrades: richer version banners for scripting, fixed uploads on non-English systems, and new CLI command feeding for mssqlclient.py. SMB refactoring resolves sharing violations for live file copies, including event logs, and refines signing to mimic native Windows behavior.

The release introduces fresh examples like badsuccessor.py for dMSA object manipulation based on Akamai research, enabling inventory and exploitation of vulnerable OUs.

Other additions include attrib.py and filetime.py for file metadata control, regsecrets.py for remote hive extraction, CheckLDAPStatus.py for auditing signing enforcement, and samedit.py for offline SAM editing.

Standardized logging and auth parsing across examples reduce boilerplate, with secretsdump.py gaining remote WMI options for NTDS.dit dumps. As Impacket lands in Kali repos, testers are urged to experiment in labs against recent Windows builds.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.