v0.53.1 — HTB Active smoke-test patch + MD4 LDAP fix

@byevincent byevincent released this 11 Jun 18:23
· 7 commits to main since this release

End-to-end validation against a real AD lab. First real-AD smoke test (HTB Active, 10.129.13.21, Server 2008 R2) — ShareSift caught the GPP cpassword in Groups.xml as Red tier with the gpp_xml parser, confidence 0.99. That's the exact credential the box is designed to leak.

Three real bugs surfaced; this patch ships the highest-priority fix.

Fixed

ldap3 NTLM bind on OpenSSL 3.x

hashlib.new('md4') raised ValueError: unsupported hash type MD4 on modern Python+OpenSSL (Kali default), blocking the entire v0.52 authenticated LDAP path. share/ad.py now installs a Cryptodome.Hash.MD4-backed shim at module import. Idempotent; no-op when hashlib already supports MD4 (older OpenSSL or legacy provider enabled).

Before:

$ sharesift discover --ad-domain active.htb --dc 10.129.13.21 -u SVC_TGS -p 'X'
ldap discovery failed: ValueError: unsupported hash type MD4

After:

$ sharesift discover --ad-domain active.htb --dc 10.129.13.21 -u SVC_TGS -p 'X'
ldap: 1 enabled computer object(s)
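
A sketch of the kind of shim described above, as an added example and not ShareSift's own share/ad.py code. The function names, the returned state strings and the `Crypto.Hash` fallback are assumptions; only the `Cryptodome.Hash.MD4` backend and the idempotent, no-op-when-supported behaviour come from the release notes.

```python
import hashlib


def _load_md4_backend():
    """Return a pycryptodome MD4 module, or None when none is installed."""
    try:
        from Cryptodome.Hash import MD4  # pycryptodomex, the backend the page names
        return MD4
    except ImportError:
        pass
    try:
        from Crypto.Hash import MD4  # pycryptodome; assumed fallback, not from the page
        return MD4
    except ImportError:
        return None


def md4_supported():
    """True when hashlib.new('md4') works (older OpenSSL, legacy provider, or shim)."""
    try:
        hashlib.new("md4", b"")
        return True
    except ValueError:  # "unsupported hash type" on OpenSSL 3.x defaults
        return False


def install_md4_shim():
    """Make hashlib.new('md4') usable; returns 'native', 'shimmed' or 'no-backend'."""
    if getattr(hashlib.new, "_md4_shim", False):
        return "shimmed"  # already installed: never wrap twice
    if md4_supported():
        return "native"  # no-op, hashlib already has MD4
    backend = _load_md4_backend()
    if backend is None:
        return "no-backend"
    original_new = hashlib.new

    def new(name, data=b"", **kwargs):
        # Callers may pass 'MD4' or 'md4', so match case-insensitively.
        if name.lower() == "md4":
            return backend.new(data) if data else backend.new()
        return original_new(name, data, **kwargs)

    new._md4_shim = True
    hashlib.new = new
    return "shimmed"


MD4_STATE = install_md4_shim()  # run at import, before any NTLM bind is attempted
```

This sketch patches only `hashlib.new`; `hashlib.algorithms_available` is left unchanged, so code that checks that set first will still report MD4 as missing.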

Anonymous LDAP empty-result UX

When AD policy blocks anonymous searches (operationsError, typical on modern AD), we now print a hint pointing at -u/-p, -H, or -k instead of silently reporting 0 results.

Documented

docs/v0p53_htb_smoke_test.md — full HTB Active run writeup with the headline GPP cpassword catch, three bugs surfaced, queued v0.54 fixes.

Queued for v0.54

  1. smbprotocol anonymous fallback to impacket for SMB walks (pyspnego rejects empty creds; discover works because it uses impacket, but hunt --no-pass fails at the per-share probe).
  2. Auto-detect SMB3 capability and fallback to unencrypted (Server 2008 R2 only does SMB 2.0/2.1; current default --encrypt=True fails). New --require-encrypt flag for the opsec case.
  3. Live-DC validation of v0.53 DFS resolver (Active.htb has no DFS — DFS still unvalidated against real AD).

Tests

Full suite: 1391 passed, 29 skipped, 0 failed.