Project's main page at www.coresecurity.com

ChangeLog for 0.9.15:

1. Library improvements

• SMB3.create(): define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle)
• Retrieve user principal name from CCache file allowing to call any script with -k and just the target system (by @MrTchuss)
• Packet fragmentation for DCE RPC layer mayor overhaul.
• Improved pass-the-key attacks scenarios (by @skelsec)
• Adding a minimalistic LDAP/s implementation (supports PtH/PtT/PtK). Only search is available (and you need to build the search filter yourself)
• IPv6 improvements for DCERPC/LDAP and Kerberos

1. Examples improvements
   • Adding -dc-ip switch to all examples. It allows to specify what the IP for the domain is. It assumes the DC and KDC resides in the same server
   • secretsdump.py
     • Adding support for Win2016 TP4 in LOCAL or -use-vss mode
     • Adding -just-dc-user switch to download just a single user data (DRSUAPI mode only)
     • Support for different ReplEpoch (DRSUAPI only)
     • pwdLastSet is also included in the output file
     • New structures/flags added for 2016 TP5 PAM support
   • wmiquery.py
     • Adding -rpc-auth-level switch (by @gadio)
   • smbrelayx.py
     • Added option to specify authentication status code to be sent to requesting client (by @mgeeky)
     • Added one-shot parameter. After successful authentication, only execute the attack once for each target (per protocol)
2. New Examples
   • GetUserSPNs.py: This module will try to find Service Principal Names that are associated with normal user account. This is part of the kerberoast attack researched by Tim Medin (@timmedin)
   • ntlmrelayx.py: smbrelayx.py on steroids!. NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc) (by @dirkjanm)