v0.55.1 — Kerberos ccache fixes from HTB Sauna

@byevincent byevincent released this 11 Jun 22:59

Three Kerberos ccache findings from HTB Sauna (EGOTISTICAL-BANK.LOCAL). All three surfaced live; the clock-skew fix is the biggest operational win because HTB labs commonly run ~7h ahead of attacker-box time.

Fixed

Auth(kerberos=True) no longer requires -u

The user principal lives in the ccache; pre-fix ShareSift forced redundant -u <principal> on the CLI.
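To show what "the principal lives in the ccache" means on the wire, here is an added example (not ShareSift's or impacket's code) with a minimal writer and reader for the MIT ccache v4 file format: it builds a constructed cache holding one TGT-shaped credential, then reads back the default principal and the credential's authtime, which is also the value the clock-skew check below needs. The realm, user and epoch values are constructed sample data; the key and ticket bytes are placeholders, so the file is only structurally valid.

```python
import struct
import datetime as dt

CCACHE_V4 = 0x0504      # MIT ccache file format version 4
NT_PRINCIPAL = 1        # Kerberos name type for a plain user principal


def _data(b: bytes) -> bytes:
    """ccache 'data' item: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(realm: str, components) -> bytes:
    """ccache principal: name_type, component count, realm, then components."""
    out = struct.pack(">II", NT_PRINCIPAL, len(components)) + _data(realm.encode())
    for c in components:
        out += _data(c.encode())
    return out


def build_sample_ccache(realm: str, user: str, authtime: int, endtime: int) -> bytes:
    """Constructed v4 ccache with one krbtgt credential (dummy key and ticket)."""
    header = struct.pack(">HH", 1, 8) + struct.pack(">ii", 0, 0)   # tag 1 = DeltaTime, zero
    out = struct.pack(">HH", CCACHE_V4, len(header)) + header
    out += _principal(realm, [user])                                # default principal
    out += _principal(realm, [user])                                # credential: client
    out += _principal(realm, ["krbtgt", realm])                     # credential: server
    out += struct.pack(">H", 18) + _data(b"\x00" * 32)              # keyblock: enctype 18, dummy key
    out += struct.pack(">IIII", authtime, authtime, endtime, endtime)  # authtime, start, end, renew_till
    out += struct.pack(">BI", 0, 0x40E10000)                        # is_skey, ticket flags (constructed)
    out += struct.pack(">I", 0)                                     # no addresses
    out += struct.pack(">I", 0)                                     # no authdata
    out += _data(b"\x30\x00")                                       # placeholder ticket DER
    out += _data(b"")                                               # empty second_ticket
    return out


class _Reader:
    """Tiny cursor over the ccache bytes."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self) -> str:
        self.u32()                                   # name_type, not needed for display
        n = self.u32()
        realm = self.data().decode()
        comps = [self.data().decode() for _ in range(n)]
        return "/".join(comps) + "@" + realm


def parse_ccache(buf: bytes) -> dict:
    """Return the default principal and the (client, server, authtime, endtime) of each credential."""
    r = _Reader(buf)
    if r.u16() != CCACHE_V4:
        raise ValueError("only ccache format 0x0504 is handled here")
    r.take(r.u16())                                  # skip header tags (DeltaTime etc.)
    info = {"principal": r.principal(), "credentials": []}
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        r.u16(); r.data()                            # keyblock: enctype + key bytes
        authtime, _start, endtime, _renew = struct.unpack(">IIII", r.take(16))
        r.u8(); r.u32()                              # is_skey, ticket_flags
        for _ in range(r.u32()): r.u16(); r.data()   # addresses
        for _ in range(r.u32()): r.u16(); r.data()   # authdata
        r.data(); r.data()                           # ticket, second_ticket
        info["credentials"].append({"client": client, "server": server,
                                    "authtime": authtime, "endtime": endtime})
    return info


def tgt_authtime(buf: bytes) -> dt.datetime:
    """authtime (UTC) of the first krbtgt credential: the KDC's clock at issuance."""
    for cred in parse_ccache(buf)["credentials"]:
        if cred["server"].startswith("krbtgt/"):
            return dt.datetime.fromtimestamp(cred["authtime"], dt.timezone.utc)
    raise ValueError("no TGT in ccache")


def estimate_clock_skew_seconds(buf: bytes, local_now_epoch: float) -> float:
    """KDC clock minus local clock, from the TGT authtime; undershoots by the ticket's age."""
    return tgt_authtime(buf).timestamp() - local_now_epoch


if __name__ == "__main__":
    # Constructed sample: KDC ~7h ahead of the local clock, ticket requested 2 minutes ago.
    sample = build_sample_ccache("EGOTISTICAL-BANK.LOCAL", "fsmith", 1_700_000_000, 1_700_036_000)
    print("principal:", parse_ccache(sample)["principal"])
    print("skew estimate (s):", estimate_clock_skew_seconds(sample, 1_700_000_000 - 7 * 3600 + 120))
```

Because authtime is stamped by the KDC, subtracting the local clock from it gives the skew minus the ticket's age; that is good enough as long as the ticket is far younger than the usual 5-minute Kerberos tolerance.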

impacket kerberosLogin was called without kdcHost

Without an explicit KDC host, impacket falls back to DNS lookup for <realm>:88 which fails on attacker boxes without proper resolv.conf. New Auth.kdc_host field; both share.discovery._do_login and share.smb_impacket._do_login now pass kdcHost=auth.kdc_host or target_host, falling back to the SMB target for the AD case where DC == target.

Auto clock-skew shim

New share.auth.install_kerberos_clock_offset() reads the ccache's authtime, compares to local clock, and (if offset > 60s) monkey-patches impacket.krb5.kerberosv5.datetime to add the offset to all datetime.datetime.now(tz) calls. Surgical — only impacket's krb5 module is affected; the rest of Python sees real time. Called automatically from both impacket login dispatch sites.
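The mechanism described above, as an added example that is neither ShareSift's nor impacket's code: given a skew estimate, it swaps the `datetime` global of one target module for a proxy whose `datetime.now(tz)` adds the offset, while every other attribute passes through to the real stdlib module. `fake_krb5` is a constructed stand-in for `impacket.krb5.kerberosv5` (a module that calls `datetime.datetime.now(tz)` through its own `datetime` global), so the example runs offline; the 60-second threshold follows the rule stated in the notes.

```python
import datetime as dt
import time
import types

SKEW_THRESHOLD_S = 60   # leave the clock alone for small skews; Kerberos tolerates 5 minutes anyway


def clock_offset_seconds(ticket_authtime: dt.datetime, local_now: dt.datetime) -> float:
    """KDC clock minus local clock, both timezone-aware (undershoots by the ticket's age)."""
    return (ticket_authtime - local_now).total_seconds()


class _ShiftedDatetimeModule:
    """Stand-in for the `datetime` module whose datetime.now()/utcnow() are shifted by `offset`.

    Only the `datetime` class is replaced; timedelta, timezone, date, ... come from the real module.
    """

    def __init__(self, offset: dt.timedelta):
        real = dt.datetime   # captured so the subclass can call the genuine now()

        class ShiftedDatetime(real):
            @classmethod
            def now(cls, tz=None):
                return real.now(tz) + offset

            @classmethod
            def utcnow(cls):
                return real.utcnow() + offset

        self.datetime = ShiftedDatetime
        self.offset = offset

    def __getattr__(self, name):
        return getattr(dt, name)   # everything except `datetime` passes straight through


def install_clock_offset_shim(module, offset_seconds: float,
                              threshold_s: int = SKEW_THRESHOLD_S) -> bool:
    """Rebind `module.datetime` to a shifted proxy; returns True if a shim was installed.

    Nothing else in the process is touched, so datetime.datetime.now() elsewhere stays real.
    """
    if abs(offset_seconds) <= threshold_s:
        return False
    module.datetime = _ShiftedDatetimeModule(dt.timedelta(seconds=offset_seconds))
    return True


# Constructed stand-in for impacket.krb5.kerberosv5: its global `datetime` is the stdlib
# module and its function stamps a request with datetime.datetime.now(tz), the call the
# shim has to intercept.
_STAND_IN_SRC = """
import datetime

def authenticator_ctime():
    return datetime.datetime.now(datetime.timezone.utc)
"""
fake_krb5 = types.ModuleType("fake_krb5")
exec(_STAND_IN_SRC, fake_krb5.__dict__)


def observed_shift_seconds(module) -> float:
    """How far `module`'s idea of 'now' is from the real clock, in seconds."""
    return (module.authenticator_ctime() - dt.datetime.now(dt.timezone.utc)).total_seconds()


def real_clock_untouched() -> bool:
    """True while the process-wide datetime module still agrees with time.time()."""
    return abs(dt.datetime.now(dt.timezone.utc).timestamp() - time.time()) < 1.0


if __name__ == "__main__":
    # Constructed sample: KDC running ~7h ahead, ticket issued 2 minutes ago.
    local_now = dt.datetime.now(dt.timezone.utc)
    authtime = local_now + dt.timedelta(hours=7, minutes=-2)
    skew = clock_offset_seconds(authtime, local_now)
    print("skew estimate (s):", skew)
    print("shim installed:", install_clock_offset_shim(fake_krb5, skew))
    print("stand-in module now shifted by (s):", round(observed_shift_seconds(fake_krb5)))
    print("process-wide clock untouched:", real_clock_untouched())
```

Binding the proxy on one module object rather than patching `datetime.datetime` itself is what keeps the change surgical: logging, timeouts and any other library in the same process keep reading the real clock.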

Live-validated

KRB5CCNAME=/tmp/fsmith.ccache sharesift hunt //10.129.13.53 --use-kcache:

  • Clock skew (~7h) → corrected by auto-shim
  • No -u required (read from ccache)
  • kdcHost defaulted to target host
  • Hunt advances past AP-REQ to KDC_ERR_S_PRINCIPAL_UNKNOWN — that's the engagement-prep SPN-on-IP issue (operator adds DC FQDN to /etc/hosts and uses FQDN as target).

Tests

+14 (test_kerberos_fixes_v0p55p1.py). Full suite: 1439 passed, 29 skipped, 0 failed.