impacket-getnpusers
Enumerate usernames without authentication in Active Directory
SYNOPSIS
impacket-getnpusers.py [options] target
target is typically specified as [domain/]username[:password]@
PARAMETERS
target
Specifies the target, typically in the format [domain/]username[:password]@
-h, --help
Displays the command's help message and exits.
-debug
Enables verbose debug output for troubleshooting and detailed information.
-format {hashcat,john}
Determines the output format for the extracted hashes, either hashcat (default) or john (John the Ripper).
-outputfile FILE
Specifies a file to write the extracted hashes to.
-usersfile FILE
Provides a file containing a list of usernames to query for the DONT_REQUIRE_PREAUTH flag, one username per line.
-request-user USERNAME
Requests a TGT specifically for the given USERNAME instead of enumerating and querying all potentially vulnerable users.
DESCRIPTION
impacket-getnpusers is a Python script, part of the Impacket toolkit, designed for security assessments and penetration testing. Its primary function is to identify and extract Kerberos AS-REP hashes for Active Directory user accounts that have the DONT_REQUIRE_PREAUTH attribute enabled. This attribute is a common misconfiguration or legacy setting that lets a user skip Kerberos pre-authentication.
The tool exploits this weakness, known as AS-REP Roasting, by sending an unauthenticated Kerberos AS-REQ (Authentication Service Request) for such users to a Domain Controller. Because pre-authentication is not required, the KDC (Key Distribution Center) responds with an AS-REP (Authentication Service Response) that carries the TGT (Ticket Granting Ticket) along with a portion encrypted with the target user's NTLM hash. impacket-getnpusers captures this AS-REP and extracts the crackable hash in a format suitable for offline cracking tools such as Hashcat or John the Ripper. This allows an attacker to obtain domain user credentials without any prior authentication or interaction with the target user, making it a powerful initial access or privilege escalation technique in unauthenticated scenarios.
CAVEATS
impacket-getnpusers requires direct network connectivity to the target Domain Controller on port 88 (Kerberos). The attack only succeeds if user accounts configured with the DONT_REQUIRE_PREAUTH flag exist in Active Directory. While no prior authentication is needed to run the tool, the extracted hashes still have to be cracked offline with tools like Hashcat or John the Ripper to reveal the plaintext passwords. Kerberos AS-REQ attempts, including failed or unauthenticated ones, are logged by Domain Controllers when Kerberos Authentication Service auditing is enabled (Security Event ID 4768); a successful request with Pre-Authentication Type 0 and RC4 ticket encryption (type 0x17) is the usual detection signature for this activity and can trigger alerts in Security Information and Event Management (SIEM) systems.
AS-REPROASTING ATTACK
The AS-REP Roasting attack is a specific type of Kerberos attack that impacket-getnpusers automates. It targets user accounts in Active Directory that have the DONT_REQUIRE_PREAUTH attribute enabled. When this flag is set, the Kerberos Key Distribution Center (KDC) issues a Ticket Granting Ticket (TGT) to a user without requiring a pre-authentication step (i.e., without verifying the user's password). An attacker can request a TGT for such a user; the KDC's response (AS-REP) carries the TGT together with a portion encrypted with the target user's NTLM hash. By capturing this response, the attacker can brute-force the encrypted portion offline to recover the user's plaintext password. This attack is particularly valuable because it yields domain credentials without any prior legitimate credentials or direct interaction with the user.
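The defender-side counterpart to the mechanism described above and the logging caveat in CAVEATS, as an added example that is not part of the original page or of Impacket: it encodes the userAccountControl bit and LDAP filter that locate accounts with DONT_REQUIRE_PREAUTH set, and runs a detection over constructed Event ID 4768 records (the key=value layout and all names and addresses are made up for this example).

```python
"""Defender-side checks for AS-REP roasting: the AD precondition and the KDC log footprint."""
from collections import defaultdict

# userAccountControl bit that switches Kerberos pre-authentication off for an account
UF_DONT_REQUIRE_PREAUTH = 0x400000

# LDAP filter an auditor can run to list every such user (bitwise-AND matching rule)
LDAP_FILTER_NO_PREAUTH = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
)


def preauth_disabled(user_account_control: int) -> bool:
    """True if this UAC value lets the KDC answer an unauthenticated AS-REQ."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


# Constructed Event ID 4768 records flattened to key=value pairs (not real log data)
SAMPLE_4768 = [
    "Account=alice Result=0x0 PreAuth=2 EType=0x12 Client=10.0.0.11",
    "Account=svc-backup Result=0x0 PreAuth=0 EType=0x17 Client=10.0.0.25",
    "Account=bob Result=0x19 PreAuth=- EType=0x17 Client=10.0.0.25",
    "Account=carol Result=0x19 PreAuth=- EType=0x17 Client=10.0.0.25",
    "Account=nobody Result=0x6 PreAuth=- EType=0x17 Client=10.0.0.25",
]


def parse_4768(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    return dict(kv.split("=", 1) for kv in line.split())


def detect_asrep_roast(lines, probe_threshold=3):
    """Return alerts for roasted accounts and for clients probing many usernames."""
    alerts = []
    probes = defaultdict(set)
    for ev in map(parse_4768, lines):
        # Successful TGT with no pre-auth and RC4: a crackable AS-REP was handed out
        if ev["Result"] == "0x0" and ev["PreAuth"] == "0" and ev["EType"] == "0x17":
            alerts.append(("asrep-roast", ev["Account"], ev["Client"]))
        # 0x19 = pre-auth required, 0x6 = principal unknown: the pair tells a client
        # whether a name exists, so many distinct names from one source is probing
        if ev["Result"] in ("0x19", "0x6"):
            probes[ev["Client"]].add(ev["Account"])
    for client, names in probes.items():
        if len(names) >= probe_threshold:
            alerts.append(("user-enumeration", f"{len(names)} names", client))
    return alerts
```

Accounts that legitimately need pre-authentication disabled still produce the asrep-roast signature, so allow-list them by name rather than by client address.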
HISTORY
impacket-getnpusers is a component of the comprehensive Impacket Python library, originally developed by SecureAuth Corp (now Core Security). The Impacket toolkit is known for its collection of Python classes and scripts for working with network protocols, particularly those used in Windows environments. This script implements the client side of the AS-REP Roasting attack, a well-documented technique that targets a specific misconfiguration in Active Directory. Its development and inclusion in Impacket underscore the library's focus on practical tools for penetration testing, red teaming, and security research against Windows infrastructure, enabling efficient discovery of common Active Directory weaknesses.
SEE ALSO
impacket-secretsdump.py (used for extracting various credentials from Active Directory, requiring prior authentication), impacket-lookupsid.py (for enumerating SIDs and usernames in Active Directory), hashcat(1) (a powerful password recovery utility, used for cracking the extracted hashes), john(1) (John the Ripper, another popular password cracker), nmap(1) (a network scanner used for host discovery and port scanning to locate Domain Controllers), ldapsearch(1) (a command-line utility for making LDAP queries against directories, including Active Directory)