fix(kerberos): only use kcache if asked to via cml parameters; add additional debug and error handling

nxc/protocols/ldap/kerberos.py

@@ -104,6 +104,7 @@ class KerberosAttacks:
         return entry
 
     def get_tgt_kerberoasting(self):
+        if self.args.use_kcache:
             if getenv("KRB5CCNAME"):
                 nxc_logger.debug("KRB5CCNAME environment variable exists, attempting to use that...")
                 try:
@@ -121,6 +122,8 @@ class KerberosAttacks:
                         nxc_logger.debug("No valid credentials found in cache")
                 except Exception:
                     pass
+            else:
+                nxc_logger.fail("KRB5CCNAME environment variable not found, unable to use Kerberos Cache")
 
         # No TGT in cache, request it
         user_name = Principal(self.username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
@@ -140,6 +143,12 @@ class KerberosAttacks:
                     self.aesKey,
                     kdcHost=self.kdcHost,
                 )
+            except OSError as e:
+                if e.errno == 113:
+                    nxc_logger.fail(f"Unable to resolve KDC hostname: {e!s}")
+                else:
+                    nxc_logger.fail(f"Some other OSError occured: {e!s}")
+                return None
             except Exception as e:
                 nxc_logger.debug(f"TGT: {e!s}")
                 tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(
@@ -151,7 +160,6 @@ class KerberosAttacks:
                     self.aesKey,
                     kdcHost=self.kdcHost,
                 )
-
         else:
             tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(
                 user_name,
@@ -166,7 +174,7 @@ class KerberosAttacks:
         tgt["KDC_REP"] = tgt
         tgt["cipher"] = cipher
         tgt["session_key"] = sessionKey
-
+        nxc_logger.debug(f"Final TGT: {tgt}")
         return tgt
 
     def get_tgt_asroast(self, userName, requestPAC=True):