Update kerberoast command output to be idiomatic

t94j0 · t94j0 · commit 74c252656a12 · 2025-05-29T17:13:14.000-04:00
The output currently shows as username\domain. Most of the time, tools output
usernames in the opposite way where the domain is first, and then the username
diff --git a/nxc/protocols/ldap.py b/nxc/protocols/ldap.py
@@ -201,7 +201,7 @@ def create_conn_obj(self):
             target_domain = sub(
                 r",DC=",
                 ".",
-                base_dn[base_dn.lower().find("dc="):],
+                base_dn[base_dn.lower().find("dc=") :],
                 flags=IGNORECASE,
             )[3:]
         except ConnectionRefusedError as e:
@@ -322,12 +322,7 @@ def enum_host_info(self):
         self.output_filename = os.path.expanduser(f"~/.nxc/logs/{self.hostname}_{self.host}".replace(":", "-"))
 
         try:
-            self.db.add_host(
-                self.host,
-                self.hostname,
-                self.domain,
-                self.server_os
-            )
+            self.db.add_host(self.host, self.hostname, self.domain, self.server_os)
         except Exception as e:
             self.logger.debug(f"Error adding host {self.host} into db: {e!s}")
 
@@ -343,7 +338,7 @@ def print_host_info(self):
         self.logger.display(f"{self.server_os} (name:{self.hostname}) (domain:{self.domain}) ({signing}) ({cbt_status}) {ntlm}")
 
     def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
-        self.username = username if not self.username else self.username    # With ccache we get the username from the ticket
+        self.username = username if not self.username else self.username  # With ccache we get the username from the ticket
         self.password = password
         self.domain = domain
         self.kdcHost = kdcHost
@@ -875,27 +870,12 @@ def resolve_and_display_hostname(name, domain_name=None):
                 trust_direction = int(trust["trustDirection"])
                 trust_type = int(trust["trustType"])
                 trust_attributes = int(trust["trustAttributes"])
-                
+
                 # See: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c
-                trust_attribute_flags = {
-                    0x1:    "Non-Transitive",
-                    0x2:    "Uplevel-Only",
-                    0x4:    "Quarantined Domain",
-                    0x8:    "Forest Transitive",
-                    0x10:   "Cross Organization",
-                    0x20:   "Within Forest",
-                    0x40:   "Treat as External",
-                    0x80:   "Uses RC4 Encryption",
-                    0x200:  "Cross Organization No TGT Delegation",
-                    0x800:  "Cross Organization Enable TGT Delegation",
-                    0x2000: "PAM Trust"
-                }
+                trust_attribute_flags = {0x1: "Non-Transitive", 0x2: "Uplevel-Only", 0x4: "Quarantined Domain", 0x8: "Forest Transitive", 0x10: "Cross Organization", 0x20: "Within Forest", 0x40: "Treat as External", 0x80: "Uses RC4 Encryption", 0x200: "Cross Organization No TGT Delegation", 0x800: "Cross Organization Enable TGT Delegation", 0x2000: "PAM Trust"}
 
                 # For check if multiple posibble flags, like Uplevel-Only, Treat as External
-                trust_attributes_text = ", ".join(
-                    text for flag, text in trust_attribute_flags.items()
-                    if trust_attributes & flag
-                ) or "Other"  # If Trust attrs not known
+                trust_attributes_text = ", ".join(text for flag, text in trust_attribute_flags.items() if trust_attributes & flag) or "Other"  # If Trust attrs not known
 
                 # Convert trust direction/type to human-readable format
                 direction_text = {
@@ -1050,7 +1030,7 @@ def kerberoasting(self):
                         self.logger.debug(f"Exception: {e}", exc_info=True)
                         self.logger.fail(f"Principal: {downLevelLogonName} - {e}")
                 else:
-                    self.logger.fail(f"Error retrieving TGT for {self.username}\\{self.domain} from {self.kdcHost}")
+                    self.logger.fail(f"Error retrieving TGT for {self.domain}\\{self.username} from {self.kdcHost}")
 
     def query(self):
         """
@@ -1111,14 +1091,10 @@ def printTable(items, header):
                 self.logger.highlight(outputFormat.format(*row))
 
         # Building the search filter
-        search_filter = (f"(&(|(UserAccountControl:1.2.840.113556.1.4.803:={UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION})"
-                         f"(UserAccountControl:1.2.840.113556.1.4.803:={UF_TRUSTED_FOR_DELEGATION})"
-                         "(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"
-                         f"(!(UserAccountControl:1.2.840.113556.1.4.803:={UF_ACCOUNTDISABLE})))")
+        search_filter = f"(&(|(UserAccountControl:1.2.840.113556.1.4.803:={UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION})(UserAccountControl:1.2.840.113556.1.4.803:={UF_TRUSTED_FOR_DELEGATION})(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))(!(UserAccountControl:1.2.840.113556.1.4.803:={UF_ACCOUNTDISABLE})))"
         # f"(!(UserAccountControl:1.2.840.113556.1.4.803:={UF_SERVER_TRUST_ACCOUNT})))")  This would filter out RBCD to DCs
 
-        attributes = ["sAMAccountName", "pwdLastSet", "userAccountControl", "objectCategory",
-                      "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-AllowedToDelegateTo"]
+        attributes = ["sAMAccountName", "pwdLastSet", "userAccountControl", "objectCategory", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-AllowedToDelegateTo"]
 
         resp = self.search(search_filter, attributes)
         answers = []
