
Reduce false positives in ADCS and Ghost SPN detection#11

Status: Open
Pebl3 wants to merge 3 commits into depthsecurity:master from Pebl3:master

Conversation


@Pebl3 Pebl3 commented Apr 25, 2026

Logan, full disclaimer... this is completely vibe-shat straight out of Anthropic's ass cheeks. Manually validated that the code works as intended and reduced bloat.

Reduce false positives in ADCS and Ghost SPN detection

Both detectors were treating a single weak signal as proof, producing CRITICAL findings on benign infrastructure. This PR adds validation probes so unconfirmed signals get a softer label (or are dropped) instead of triggering CRITICAL.

ADCS (protocols/http_detector.py, core/relay_analyzer.py)

The HTTP detector flagged is_adcs=True whenever /certsrv/ appeared in matched NTLM paths. On servers that 401-NTLM every URL (catchall web apps with site-wide Windows auth), /certsrv/ always matches even when no CA is installed.

  • Added _is_catchall_ntlm() which probes two random bogus paths. If both also 401-NTLM, it's a catchall and /certsrv/ is not proof of ADCS; set adcs_unconfirmed instead of is_adcs.
  • Relay analyzer drops the unconfirmed case to MEDIUM with "/certsrv/ matched but ADCS unconfirmed (catchall NTLM site)" rather than CRITICAL ESC8.

Ghost SPN (detectors/ghost_spn.py)

  • Filter SPNs with GUID-shaped service classes (e.g. DRSUAPI E3514235-4B06-11D1-AB04-00C04FC2DCD2); these are Kerberos-only.
  • Filter SPNs whose hostname is a bare GUID (DSA GUIDs from DC SPNs); they resolve via _msdcs.<domain> CNAMEs, not via the GUID name itself.
  • "Probably vulnerable (wildcard DNS)" fired whenever a wildcard existed in the zone, even when the SPN hostname had its own A record. Now probe a random bogus name per parent domain to discover what the wildcard actually returns, then only flag candidates whose IPs match; real A records get dropped.

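The two validation probes described in the PR, written here as an added, stand-alone example (not the project's own code; names, the injected probe callbacks and the sample DNS data are constructed for illustration). Both decisions take the raw signal plus a probe against a name or path that cannot legitimately exist, so a catchall site or a wildcard zone is recognised instead of being reported as CRITICAL.

```python
import re
import secrets
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical example; GUID_RE matches DSA GUIDs and GUID-shaped service classes.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def classify_certsrv(ntlm_401: Callable[[str], bool]) -> str:
    """Decide what a /certsrv/ NTLM challenge proves.
    ntlm_401(path) -> True if the server answered 401 with an NTLM challenge."""
    if not ntlm_401("/certsrv/"):
        return "none"
    # Two random paths no real app serves: if both also demand NTLM, the site
    # applies Windows auth everywhere and /certsrv/ proves nothing by itself.
    bogus = [f"/{secrets.token_hex(8)}/" for _ in range(2)]
    if all(ntlm_401(p) for p in bogus):
        return "adcs_unconfirmed"  # downgraded to MEDIUM, not CRITICAL ESC8
    return "is_adcs"


def wildcard_only_hosts(spns: Iterable[str], resolve: Callable[[str], Set[str]]) -> List[str]:
    """Return SPN hostnames that resolve only because of a wildcard record.
    resolve(name) -> set of A-record IPs (empty set on NXDOMAIN)."""
    wildcard_cache: Dict[str, Set[str]] = {}
    flagged: List[str] = []
    for spn in spns:
        svc, _, rest = spn.partition("/")
        host = rest.split("/")[0].split(":")[0]
        if GUID_RE.match(svc) or GUID_RE.match(host.split(".")[0]):
            continue  # Kerberos-only service class or DSA-GUID hostname
        parent = host.partition(".")[2]
        if not parent:
            continue  # no zone to probe
        if parent not in wildcard_cache:  # one bogus-name probe per parent domain
            wildcard_cache[parent] = resolve(f"{secrets.token_hex(6)}.{parent}")
        wild = wildcard_cache[parent]
        if wild and resolve(host) == wild:
            flagged.append(host)  # same answer as a nonexistent name: wildcard, not a real A record
    return flagged


# Constructed sample zone: corp.example has a wildcard answering 10.0.0.9, web01 has its own A record.
def fake_resolve(name: str) -> Set[str]:
    if name == "web01.corp.example":
        return {"10.0.0.5"}
    if name.endswith(".corp.example"):
        return {"10.0.0.9"}
    return set()


SAMPLE_SPNS = [
    "HTTP/web01.corp.example",
    "HTTP/old-app.corp.example",
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d/corp.example",
    "ldap/a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d._msdcs.corp.example",
    "MSSQLSvc/db.other.example:1433",
]
```

With the sample data only old-app.corp.example is reported; web01 keeps its real A record, the GUID SPNs are skipped, and other.example has no wildcard.
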
Pebl3 added 3 commits April 24, 2026 23:25
Added validation for ADCS detection against catchall NTLM web apps and introduced a new method to check for catchall NTLM paths.