Our next Impacket release is almost ready to land. Since 0.12, we have been hard at work tackling long-standing feature requests and merging valuable patches from the community. Thanks to these efforts, this release is full of enhancements and improvements that we are excited for users to see. Here's a look at the highlights from the forthcoming release.
New Attack Paths and Relay Tricks
Relay operators get a stack of new toys. ntlmrelayx.py now serves SCCM Management Points and Distribution Points directly (#1832), letting you enroll rogue clients to dump secret policies or sift through packages for loot.
The RPC listener and EPM bootstrapper (#1974) make printerbug-to-ADCS pivots a one-liner, while a brand-new WinRMS relay target (#1987) allows any inbound NTLM authentication (SMBv1, LDAP, HTTP, or a captured Net-NTLM hash) to be forwarded. Once a valid login is negotiated, the attack module announces a local TCP port for the interactive shell.
To round things out, the SOCKS proxy plugin can now forward LDAP and LDAPS traffic transparently (#1825), so you can point full-featured tooling at captured sessions instead of rewriting every LDAP attack by hand.
`ntlmrelayx.py` logging has been enhanced (#2012, #2032) to record more information about coerced victims, and every attack log entry is now tied to the specific relayed connection that was used to perform it.
Channel Binding Updates
Domains and databases continue to clamp down on unsigned binds, so we have kept pace with them. SASL signing and channel binding support was added across the LDAP and Kerberos authentication flows (#1919, #1844).
On the SQL side, the entire TDS handshake was reworked so mssqlclient.py can satisfy encryption and CBT requirements without leaning on PyOpenSSL (#1986).
MSSQL Workflow Upgrades
Version banners now surface richer server details and are script-friendly (#2001), uploads no longer choke on non-English locales (#2002), and mssqlshell.py grew a download helper while fixing linked-server uploads (#1915). You can feed commands straight into mssqlclient.py from the CLI (#1770) and push files without dropping to the interactive prompt (#1381).
SMB Improvements
A refactoring of the SMB stack (#1894) fixes long-standing STATUS_SHARING_VIOLATION frustrations, so you can copy files that are currently open, including event logs and browser data, whenever the share mode on the target's existing handle permits it.
We kept the hardening streak going with precise SMB2 metadata and signing fixes (#1835, #1834, #1831, #1826), making Impacket's server behave like Windows expects.
Examples Enhancements
New flags were added to `secretsdump.py`: `-use-remoteSSWMI` and `-use-remoteSSWMI-NTDS`, which download NTDS.dit via shadow snapshots in addition to the SAM, SYSTEM and SECURITY hives (#2021). All of them are then parsed offline, and domain credentials are dumped as well.
`registry-read.py` now also supports the "reg export" hive format (.reg) (#1840).
We also took the opportunity to standardize how examples initialize logging, parse identities, and handle LDAP logins. The new shared utilities layer (#1928) introduces -ts/-debug flags everywhere and consolidates boilerplate in examples/utils.py. Follow-up fixes in findDelegation.py, GetUserSPNs.py, and friends lock down auth parsing bugs (#1935) and clean up target-domain handling across LDAP-aware scripts (#1937).
New Examples
The new `badsuccessor.py` example (#2010) operationalizes Akamai's BadSuccessor research so you can inventory, create, prune, and weaponize dMSA objects from one script. Ticket requests and remote code execution flow naturally once the vulnerable OU is identified.
`attrib.py` (#1894) exposes `query` and `set` actions to read and modify every file attribute flag Microsoft documents in [MS-FSCC], alongside the file's current timestamp metadata.
The companion utility `filetime.py` (#1894) brings full timestamp control. It exposes two actions: `stat` for inspection and `touch` for modification.
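To make concrete what `attrib.py` and `filetime.py` read and write over SMB, here is an added example (not Impacket's code): a Python decoder and encoder for the FILE_BASIC_INFORMATION structure, which carries the four FILETIME stamps and the [MS-FSCC] attribute flags, plus a small defender-side check for timestamps that look rewritten. The sample structure bytes, helper names and anomaly heuristics are constructed assumptions for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100 ns ticks since 1601
_FROZEN = 0xFFFFFFFFFFFFFFFF  # -1 on set: the server stops updating the field for this handle

# FileAttributes flags from [MS-FSCC] section 2.6 (subset; unlisted bits are reported raw).
FILE_ATTRIBUTES = {
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY",
    0x0020: "ARCHIVE", 0x0080: "NORMAL", 0x0100: "TEMPORARY", 0x0200: "SPARSE_FILE",
    0x0400: "REPARSE_POINT", 0x0800: "COMPRESSED", 0x1000: "OFFLINE",
    0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED", 0x8000: "INTEGRITY_STREAM",
}

def filetime_to_datetime(ticks):
    """0 means 'leave unchanged' and -1 means 'freeze' on set; both decode to None."""
    if ticks in (0, _FROZEN):
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks (sub-microsecond precision is not preserved)."""
    d = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
def decode_attributes(value):
    names = [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(FILE_ATTRIBUTES)
    return names + ([f"UNKNOWN_0x{unknown:X}"] if unknown else [])
def parse_file_basic_information(blob):
    """Decode the 40-byte FILE_BASIC_INFORMATION ([MS-FSCC] 2.4.7) carried by SMB2 QUERY/SET_INFO."""
    fields = struct.unpack_from("<QQQQII", blob)  # 4 x FILETIME, FileAttributes, Reserved
    names = ("CreationTime", "LastAccessTime", "LastWriteTime", "ChangeTime")
    info = {n: filetime_to_datetime(t) for n, t in zip(names, fields[:4])}
    info["FileAttributes"] = decode_attributes(fields[4])
    return info
def timestamp_anomalies(info):
    """Assumed forensic heuristics: written-before-created, or an all-zero fractional second."""
    findings = []
    c, w = info["CreationTime"], info["LastWriteTime"]
    if c and w and c > w:
        findings.append("CreationTime is later than LastWriteTime")
    for name in ("CreationTime", "LastAccessTime", "LastWriteTime", "ChangeTime"):
        if info[name] is not None and info[name].microsecond == 0:
            findings.append(f"{name} has a zeroed fractional second")
    return findings
# Constructed sample: hidden + archive file whose write time predates its creation time.
_T0 = datetime(2024, 1, 15, 12, 0, 0, 345678, tzinfo=timezone.utc)
SAMPLE = struct.pack("<QQQQII", datetime_to_filetime(_T0), datetime_to_filetime(_T0),
                     datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc)),
                     _FROZEN, 0x22, 0)
```

Running `parse_file_basic_information(SAMPLE)` and then `timestamp_anomalies(...)` on the result flags the sample both for a creation time later than its write time and for the whole-second write stamp.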
`regsecrets.py` (#1898) is a mini-version of the original `secretsdump.py` example. The script enables the Remote Registry service (restoring its previous state when it is finished) and then pulls registry hives through the [MS-RRP] API.
`CheckLDAPStatus.py` (#1977) enumerates domain controllers, quizzes each one over LDAP/LDAPS, and reports whether signing and channel binding are enforced.
`samedit.py` (#1761) modifies a local Windows account’s password by editing an offline copy of the SAM hive (and using the SYSTEM hive or a bootkey to handle encryption). The user can provide either a plain text password or an NTLM hash.
The full changelog, as always, will ship with the release tag—keep an eye on ChangeLog.md for the exhaustive list.
Grab the new bits as soon as the release hits GitHub, try the updated examples in your lab, and let us know how they perform against the latest Windows builds. Happy hacking!