added support for --generate-st and --delegate-spn flags

[gatariee]

Description

1. Adds the --generate-st Option to save the kerberos tickets when doing RBCD #809 flag when doing RBCD (or CD) with --delegate, opted not to use --generate-tgt as suggested by @NeffIsBack as the resultant ticket is not a TGT and would probably cause some confusion.

2. Fixed a minor bug in forming the Principal object for the delegation, modified to use the FQDN of the target instead of just the hostname

# serverName = Principal(f"cifs/{self.hostname}", type=constants.PrincipalNameType.NT_SRV_INST.value)
serverName = Principal(f"cifs/{self.hostname}.{self.domain}", type=constants.PrincipalNameType.NT_SRV_INST.value)

4. Adds the --delegate-spn flag for abusing delegations to services that are not cifs.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

A machine that is configured with either Constrained Delegation, or Resource-Based Constrained Delegation on another machine.

Screenshots (if appropriate):

FS01$ is allowed to act on behalf of any user to DC02$ on any protocol (RBCD)

Update: --delegate-spn flag, 28/7/2025

FS01$ can delegate to DC02$ on the snmp/dc02.asia.earth.local service.

When used with the --generate-st flag, the resultant CCache is also updated accordingly.

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• New and existing e2e tests pass locally with my changes
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[mpgn]

Why not --generate-st as option name ? 😊

[NeffIsBack]

Thanks for the PR! I will take a look at it when i got some time

[RajChowdhury240]

for SPN is it gonna do only cifs/ ? not others ?

[gatariee]

for SPN is it gonna do only cifs/ ? not others ?

that was a design choice by whomever designed the --delegate flag, but it makes sense since the SMB service is provisioned using the cifs SPN. I guess you could add host as an alternative

[RajChowdhury240]

service_types = ["cifs", "host", "http", "ldap", "rpcss", "wsman"]  

spns = []
for service in service_types:
    spn = Principal(f"{service}/{self.hostname}.{self.domain}", type=PrincipalNameType.NT_SRV_INST.value)
    spns.append(spn)

not sure if this would make sense ?

[gatariee]

if the --delegate flag is ever extended to other protocols (ldap, winrm) then it would make sense, but for now cifs will suffice imo

[mpgn]

if the --delegate flag is ever extended to other protocols (ldap, winrm) then it would make sense, but for now cifs will suffice imo

maybe a flag --delegate-spn xxxx i don't think a delegate flag will make ever sense on other proto juste to change an spn

[gatariee]

if the --delegate flag is ever extended to other protocols (ldap, winrm) then it would make sense, but for now cifs will suffice imo

maybe a flag --delegate-spn xxxx i don't think a delegate flag will make ever sense on other proto juste to change an spn

this was relatively simple, added it to the original PR since it doesn't affect any existing functionality