Pennyw0rth · Marshall-Hallenbeck · Jul 29, 2025 · Aug 2, 2025 · Aug 2, 2025 · Aug 2, 2025
@@ -24,3 +24,18 @@ def __call__(self, parser, namespace, values, option_string=None):
         # Set an attribute to track whether the value was explicitly set
         setattr(namespace, self.dest, values)
         setattr(namespace, f"{self.dest}_explicitly_set", True)
+
+
+def get_conditional_action(baseAction):
+    class ConditionalAction(baseAction):
+        def __init__(self, option_strings, dest, **kwargs):
+            x = kwargs.pop("make_required", [])
+            super().__init__(option_strings, dest, **kwargs)
+            self.make_required = x
+
+        def __call__(self, parser, namespace, values, option_string=None):
+            for x in self.make_required:
+                x.required = True
+            super().__call__(parser, namespace, values, option_string)
+
+    return ConditionalAction
@@ -1031,8 +1031,27 @@ def kerberoasting(self):
                         f.write(line + "\n")
             return
 
-        # Building the search filter
-        searchFilter = "(&(servicePrincipalName=*)(!(objectCategory=computer)))"
+        if self.args.kerberoast_users:
+            target_usernames = []
+            for item in self.args.kerberoast_users:
+                if os.path.isfile(item):
+                    try:
+                        with open(item, encoding="utf-8") as f:
+                            target_usernames.extend(line.strip() for line in f if line.strip())
+                    except Exception as e:
+                        self.logger.fail(f"Failed to read file '{item}': {e}")
+                else:
+                    target_usernames.append(item.strip())
+
+            self.logger.info(f"Targeting specific users for kerberoasting: {', '.join(target_usernames)}")
+
+            # build search filter for specific users
+            user_filter = "".join([f"(sAMAccountName={username})" for username in target_usernames])
+            searchFilter = f"(&(servicePrincipalName=*)(!(objectCategory=computer))(|{user_filter}))"
+        else:
+            # default to all
+            searchFilter = "(&(servicePrincipalName=*)(!(objectCategory=computer)))"
+
         attributes = [
             "sAMAccountName",
             "userAccountControl",

@@ -1,4 +1,5 @@
-from nxc.helpers.args import DefaultTrackingAction, DisplayDefaultsNotNone
+from nxc.helpers.args import DefaultTrackingAction, DisplayDefaultsNotNone, get_conditional_action
+from argparse import _StoreAction
 
 
 def proto_args(parser, parents):
@@ -12,9 +13,13 @@ def proto_args(parser, parents):
 
     egroup = ldap_parser.add_argument_group("Retrieve hash on the remote DC", "Options to get hashes from Kerberos")
     egroup.add_argument("--asreproast", help="Output AS_REP response to crack with hashcat to file")
-    egroup.add_argument("--kerberoasting", help="Output TGS ticket to crack with hashcat to file")
+    kerberoasting_arg = egroup.add_argument("--kerberoasting", "--kerberoast", help="Output TGS ticket to crack with hashcat to file")
+    kerberoast_users_arg = egroup.add_argument("--kerberoast-users", nargs="+", dest="kerberoast_users", action=get_conditional_action(_StoreAction), make_required=[], help="Target specific users for kerberoasting (usernames or file containing usernames)")
     egroup.add_argument("--no-preauth-targets", nargs=1, dest="no_preauth_targets", help="Targeted kerberoastable users")
 
+    # Make kerberoast-users require kerberoasting
+    kerberoast_users_arg.make_required = [kerberoasting_arg]
+
     vgroup = ldap_parser.add_argument_group("Retrieve useful information on the domain")
     vgroup.add_argument("--base-dn", metavar="BASE_DN", dest="base_dn", type=str, default=None, help="base DN for search queries")
     vgroup.add_argument("--query", nargs=2, help="Query LDAP with a custom filter and attributes")

@@ -1,5 +1,5 @@
 from argparse import _StoreTrueAction
-from nxc.helpers.args import DisplayDefaultsNotNone, DefaultTrackingAction
+from nxc.helpers.args import DisplayDefaultsNotNone, DefaultTrackingAction, get_conditional_action
 
 
 def proto_args(parser, parents):
@@ -98,18 +98,3 @@ def proto_args(parser, parents):
     posh_group.add_argument("--no-encode", action="store_true", default=False, help="Do not encode the PowerShell command ran on target")
 
     return parser
-
-
-def get_conditional_action(baseAction):
-    class ConditionalAction(baseAction):
-        def __init__(self, option_strings, dest, **kwargs):
-            x = kwargs.pop("make_required", [])
-            super().__init__(option_strings, dest, **kwargs)
-            self.make_required = x
-
-        def __call__(self, parser, namespace, values, option_string=None):
-            for x in self.make_required:
-                x.required = True
-            super().__call__(parser, namespace, values, option_string)
-
-    return ConditionalAction
@@ -1,5 +1,5 @@
 from argparse import _StoreAction
-from nxc.helpers.args import DisplayDefaultsNotNone
+from nxc.helpers.args import DisplayDefaultsNotNone, get_conditional_action
 
 
 def proto_args(parser, parents):
@@ -22,18 +22,3 @@ def proto_args(parser, parents):
     cgroup.add_argument("-x", metavar="COMMAND", dest="execute", help="execute the specified command")
 
     return parser
-
-
-def get_conditional_action(baseAction):
-    class ConditionalAction(baseAction):
-        def __init__(self, option_strings, dest, **kwargs):
-            x = kwargs.pop("make_required", [])
-            super().__init__(option_strings, dest, **kwargs)
-            self.make_required = x
-
-        def __call__(self, parser, namespace, values, option_string=None):
-            for x in self.make_required:
-                x.required = True
-            super().__call__(parser, namespace, values, option_string)
-
-    return ConditionalAction