Here at SecureAuth, we’re excited to announce the release of the latest version of Impacket, our collection of Python classes for working with network protocols, and much more.
Impacket release 0.9.24 is available today and includes a lot of new features and enhancements, such as an attack implementation against the Active Directory Certificate Services, an example for abusing the Kerberos Resource-Based Constrained Delegation, or the initial implementation of the [MS-PAR] protocol used by the well-known PrintNigthmare exploit. What an exciting release!
Let’s take a look at everything new included in this version.
What’s New in Impacket Release v0.9.24?
A nightmare on Active Directory
The Windows Print Spooler service is back again! You’ve probably heard of this service being involved in several security issues during the last years. Do you remember the Printer Bug or the CVE-2010-2729 used by the famous Stuxnet worm?
This time, the Print Spooler service made headlines again when a new vulnerability, known as PrintNigthmare, was “disclosed accidentally”. Yes, you read that right, it was an accident. The history is quite interesting. As part of the June 2021 security updates, Microsoft released a patch for a Print Spooler vulnerability known as CVE-2021-1675. The issue was initially classified as a local privilege escalation vulnerability. Days later, Microsoft updated the patch and changed the classification from a privilege escalation to remote code execution. Seeing that, security researchers Zhipeng Huo, Piotr Madej, and Yunhai Zhang, who had been working with MS in another Print Spooler vulnerability, thought the patch was referring to this new vulnerability and published their work including a PoC in GitHub. Unfortunately, it wasn’t the same bug, and although they removed all the posts, PrintNigthmare was already among us.
Back to the vulnerability itself, PrintNightmare or CVE-2021-34527 is a vulnerability in the Windows Print Spooler service (spoolsv.exe) which allows a low privilege authenticated user to remotely execute code as SYSTEM on any server or workstation with the service enabled. This sounds bad, doesn’t it? Yes, it’s a nightmare since this service is enabled by default on any machine.
What is the main flaw? The service fails to restrict access to the RpcAddPrinterDriverEx() function, which is used to install a printer driver on a system. So, an attacker can take advantage of the fact that any authenticated user can call this function and specify a driver file that could be located on a remote server. What is the result? The service will execute the code of an arbitrary DLL with SYSTEM privileges.
@cube0x0 used Impacket for the implementation of PrintNightmare and opened the pull request (PR) #1109 that added the RpcAddPrinterDriverEx method and related structures to the [MS-RPRN] Print System Remote protocol. Later, @cube0x0 was able to exploit the [MS-PAR] Print System Asynchronous Remote protocol too, using the RpcAsyncAddPrinterDriver() call and opened the PR #1114 with the Initial implementation of this protocol. Thanks a lot for these contributions!
If you want to learn more about the PrintNightmare implementation in Impacket, read this fantastic article by @cube0x0.
Abusing Active Directory Certificate Services with Impacket
Another of the hot topics of the last few months was Microsoft’s Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS). Will Schroeder and Lee Christensen published a whitepaper and a blog post of their amazing research on the AD CS that detailed several aspects of its security and possible attacks such as credential theft, machine persistence, domain escalation, and persistence (highly recommended reading).
From the point of view of Impacket, one of the most interesting attacks is the “NTLM relay scenario to AD CS web enrollment endpoints [ESC8]”. AD CS supports various HTTP-based enrollment methods via additional server roles that expose vulnerable web interfaces to NTLM relay attacks.
So, an attacker could impersonate a user/machine relaying its credentials, access those vulnerable interfaces, and request a client authentication certificate using the User or Machine templates. Once the attacker gets the certificate, they could request a user/machine TGT and impersonate the victim on the network.
Following that premise, @ExAndroidDev implemented the attack in ntlmrelayx.py and issued PR #1101. Thanks for this new addition!
If you are interested in knowing more details about this attack implementation, please check out @ExAndroidDev‘s blog post here.
Hardening the SMB Server
Impacket isn’t just about implementing new features, it’s also about fixing and hardening modules and examples already implemented. This time was the turn of the SMB server.
Together with @MartinGalloAr issued PR #1147 that introduced several changes to the server including bug fixes, reinforcement path checks to avoid path traversal vulnerabilities, and test refactoring. For a detailed list, please check the PR description.
It’s All about Delegation
Kerberos delegation is a capability that allows services to access other services on behalf of domain users. Particularly, Resource-Based Constrained Delegation (RBCD) allows a set of services to impersonate users on a service. This is different from the other types of delegation, which are configured on the accounts that access the resource. Instead of that, RBCD is configured by populating the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target resource. Therefore, this attribute must be filled with the SID of the object that is allowed to delegate to it.
So, let’s move on to the fun part. Let’s suppose that an account has the capability to edit the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor of another resource. If this account is compromised, it could be used to populate that attribute and configure RBCD in that resource. That is what is known as RBCD attack (Access Control Entry abuse). After abusing it, an attacker could obtain a Service Ticket with getST.py (delegation operation) to authenticate on a target service on behalf of a user.
@ShutdownRepo and @p0dalirius added a new example to abuse Kerberos Resource-Based Constrained Delegation in PR #1108. This implementation was based on the previous work of @an0n_r0 and @NinjaStyle82. Thank you, guys!
That’s not all folks! Going further, @ShutdownRepo added support for a custom additional ticket for S4U2Proxy in getST.py (PR #1183). The idea (based on this blogpost of Elad Shamir) is to use RBCD to bypass the Kerberos Only restriction configured in the Kerberos delegation and get a forwardable Service Ticket for arbitrary users. Thanks again, @ShutdownRepo for this great addition!
Want more? You can check out a fully detailed list of all new features and enhancements in the release notes here. Enjoy it!
Getting Impacket Release v0.9.24
If you want to know more about these examples and library functionality you can find it at the Impacket site or you can also get it grabbing the latest stable release directly from GitHub:
To install execute the following command from the directory where the Impacket’s distribution has been unpacked: python3 -m pip install . (for Python 3.x) or python2 -m pip install . (for Python 2.x). This will install the classes into the default Python modules path; note that you might need special permissions to write there.
As always, thanks a lot to all these contributors that make this library of Impacket Release v0.9.24 better every day (since the last version):
@deadjakk, @franferrax, @cube0x0, @w0rmh013, @skelsec, @mohemiv, @LZD-TMoreggia, @exploide, @ShutdownRepo, @Hackndo, @snovvcrash, @rmaksimov, @Gifts, @Rcarnus, @ExAndroidDev, @ly4k, and @p0dalirius
Feedback and PRs are very welcome. Contributions from the community are the mainstay of this open-source initiative!
If you have any doubts, questions, or suggestions, don’t hesitate to contact me at @0xdeaddood or drop us a few lines at email@example.com.
We hope you enjoy this new release. Happy hacking!