Implement s4u abuse

[zblurx]

Added --delegate option to implement s4u abuse over smb

This option will do a full S4U abuse (S4U2Self + S4U2Proxy) in an automated way, allowing to use all postex functionalities of NXC 🔥

[bongobongoland]

omg.

[Marshall-Hallenbeck]

@zblurx can you add this to the e2e tests command file as well?

[XiaoliChan]

I test it, it works (with protocol transition)

BTW, I think should tell the user this attack is for constrained delegation (with protocol transition) attack @zblurx

[zblurx]

As @XiaoliChan suggested to me, we should also support s4u2self only:

[XiaoliChan]

Really awesome!

[NeffIsBack]

Can you also replace the single quotes with double quotes?

Left some comments, the rest of the code looks good👍🏼

[Marshall-Hallenbeck]

Mostly a bunch of variable naming to conform to proper Pythonic naming, but also pointed out importing the nxc logger.

[zblurx]

All good now I think

[NeffIsBack]

There are still a few single quotes but we should probably wait until #35 is merged, a lot of it is fixed in there

[Marshall-Hallenbeck]

@zblurx #35 got merged in, if you can take care of the few conflicts here it should be good to merge.

[NeffIsBack]

There must be an hasattribute check on the delegation arg. Otherwise we get that error on other protocols:

EDIT: Fixed

[NeffIsBack]

Working like a charm, except --ntds. @zblurx is this fixable?

[zblurx]

So for the --ntds, the problem is with impacket secretsdump. Actually secretsdump needs a cifs ticket AND an ldap ticket, but the --delegate will only get a cifs ticket. So my workaround is :

• 1: You use --delegate to do a --lsa and get the nthash of the DC computer account
• 2: You use the DC computer account to do a dcsync with --ntds

[NeffIsBack]

Working flawlessly

[NeffIsBack]

LGTM 🎉

[Marshall-Hallenbeck]

LGTM