Add more ntlm relaying cve checks

[TheGr3atJosh]

Alongside the already existing check for CVE-2025-33073 I think checking for:

• Remove mic CVE-2019-1040
• Remove partial mic CVE-2025-54918
• Ghost spn CVE-2025-58728

Could be interesting.

[logansdiomedi]

@TheGr3atJosh Certainly not bad ideas. I actually already have python tooling created for the ghost SPN flaw that I could easily port in as a detector. Can probably just make it a default check as well, which I think is probably desirable since its not very heavy at all to look for.

Remove MIC would be easy enough - UBR prior to that patch can be identified as having it and I agree it should be added also. Will add it in.

As for CVE-2025-54918/Partial MIC:

RelayKing-Depth/detectors/ntlm_reflection.py

Line 148 in 320aca8

# Special check for Server 2025 DCs with PrintSpooler (CVE-2025-54918)

This exists currently, but I believe the way I have the check set up right now is that it only really flags it if its a domain controller AND has print spooler running. In hindsight, this isn't really great logic because there are in fact situations where you may want to relay to a another protocol besides LDAPS on a separate machine that also has print spooler enabled. They're rare, edge cases, but I'm certain they exist. The reason why you need the print spooler enabled is because MS moved it to RPC instead of named pipes in later versions of Server 2025 - and the CMTI abuse -> NTLM local auth reflection was largely fixed from SMB named pipe coercion with the patch for CVE-2025-33073. But local auth coercion is still in fact possible via RPC on the print spooler. Hence why its a bit of an edge case.

All that being said - these are good additions and should probably just be checked by default when scanning a targets file with AD credentials set and/or when running in --audit mode. Should have a PR in to add all of these fairly soon.

[TheGr3atJosh]

Sounds awesome!

[logansdiomedi]

Features added via c39ea64. Enjoy!