v0.5.3

• Fixed inconsistent go.mod/go.sum and failing tests

v0.5.2

• Improved CCache handling: SPN matching is now case-insensitive, specifying a non-existing CCache does not silently fail anymore, debug output now contains CCache contents

v0.5.1

• Added adauth.DecodePFX to make sure that the correct certificate is loaded from the PFX. Before, the first certificate was loaded, now the first that matches the private key is loaded.
• The pkinit example now uses the correct certificate from the PFX.

v0.5.0

• dcerpcauth: Added option to disable the SPNEGO authentication layer and use raw NTLM/Kerberos
• othername: This package was removed in favor of x509ext
• x509ext: This package contains Windows-specific x509 certificate extensions. It includes the code from othername (with slightly updated names) as well as a new encoder/decoder for NTDS_CA_SECURITY_EXT extension which holds SIDs
• adauth: Fix context being ignored for some DNS queries

Warning: This release contains breaking changes as the othername package was removed in favor of the new x509ext package. The new package contains all types and functions from othername, however, the names differ slightly.

v0.4.1

• dcerpc: Fix CCache authentication
• CCache: Allow using service tickets with alternate protocol
• Improve Kerberos compatibility with older domains

v0.4.0

• ldapauth: Simple binds without password are now possible (unauthenticated bind). However, an empty password has to be specified with -p '' to signal the intent for an unauthenticated bind.
• ldapauth: NTLM authentication for plain LDAP server was fixed.
• adauth: Updated Credentials.UPN() behavior: For credentials without a domain, .UPN() will now only return the username. For empty credentials, it will now return an empty string. This behavior should help with using adauth with non-Microsoft targets such as OpenLDAP.
• adauth: Client certificates can now have arbitrary private key types. Previously, RSA keys were required because some AD features only support RSA keys. For PKINIT, the key type now needs to be checked by the user like this:

rsaKey, ok := creds.ClientCertKey.(*rsa.PrivateKey)
!ok {
    return fmt.Errorf("cannot use %T because PKINIT requires an RSA key", creds.ClientCertKey)
}

v0.3.0

• Fixed issues with AES-key-based Kerberos authentication for accounts whose password was changed
• Fixed Kerberos dialer not being used for smbauth
• Use specified domain for LDAP NTLM authentication instead of the target-supplied domain to improve compatibility with the LDAP SOCKS server of Impacket's ntlmrelayx.py example
• Removed credentials.Keytab() since it is not reliable due to potential KVNO mismatches and it is not used in adauth anymore

v0.2.2

• ldapauth: Fix incompatibility with newer versions of https://github.dev/go-ldap/ldap
• ldapauth: Fix issues with ntlmrelayx.py's LDAP SOCKS5 server

v0.2.1

• Overhauled dialer handling
• Added SOCKS5 dialer helpers
• Added SOCKS5 options to all examples

v0.2.0

• Added smbauth (thanks @bryanmcnulty)
• Added custom dialer support for LDAP