[Feature Request] Add ability to authenticate via PFX (Pass-the-Certificate / Schannel) #31

@g0h4n

Feature description

It would be very useful to add support for certificate-based authentication using a PFX file in RustHound-CE, leveraging a Pass-the-Certificate technique via Schannel. This feature would allow operators to authenticate to Active Directory using an exported certificate (PFX) without requiring a password, NT hash, or Kerberos ticket, similarly to existing techniques like Pass-the-Hash or Pass-the-Ticket.

Motivation / Use case

Certificate-based authentication is increasingly common in modern Active Directory environments (AD CS, smartcard logon, machine certs, etc.) and is often overlooked by traditional detection.

Expected behavior

  • Ability to authenticate using a PFX certificate + private key

  • Authentication performed via Schannel

  • No password, NTLM hash, or Kerberos ticket required

  • Compatible with existing RustHound-CE enumeration logic once authenticated

Example:

# from .pfx
rusthound-ce \
  --domain essos.local \
  --pfx user.pfx \
  --pfx-pass "<Optional>" \
  -u username

# or from .crt and .key
rusthound-ce \
  --domain essos.local \
  --crt user.crt \
  --key user.key \
  -u username

References

Ideas / Leads

  • Investigate adding PFX / Pass-the-Certificate authentication via Schannel directly in sspi-rs (Schannel credentials and certificate context handling): https://github.com/Devolutions/sspi-rs
  • Explore support in ldap3 for TLS client certificate authentication + SASL EXTERNAL bind (LDAP authentication using a certificate): https://github.com/inejge/ldap3
