LinuxCommandLibrary

impacket-getnpusers

Enumerate usernames without authentication in Active Directory

TLDR

View documentation for the original command

$ tldr GetNPUsers.py

SYNOPSIS

impacket-getnpusers [options] /

PARAMETERS

-debug
    Turn DEBUG output ON

-usersfile
    File containing usernames, one per line. Defaults to domain users if not provided.

-outputfile
    Base output filename to write the usernames into. Default: output

-dc-ip
    IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

-port
    LDAP port to connect to (default 389)

DESCRIPTION

impacket-getnpusers is a Python script that leverages Kerberos to enumerate user accounts on a domain. It achieves this by attempting to request Kerberos tickets (TGTs) for users without requiring valid credentials. By analyzing the Kerberos responses, the script can identify valid usernames, even if the user doesn't have their password set and "Do not require preauthentication" is set. This is often used to discover usernames which can be targeted for other attacks such as password spraying or Kerberoasting.

The script attempts to exploit a Kerberos misconfiguration through a technique known as "AS-REP Roasting." When an account has "Do not require preauthentication" set, the Kerberos service will return parts of a TGT without first verifying the requester, which allows an attacker to extract potentially useful user information. The tool is part of the Impacket collection, a set of Python classes for working with network protocols.

CAVEATS

This script requires that you have Kerberos enabled and configured correctly. It's also crucial to understand that exploiting AS-REP Roasting is often considered an intrusion attempt, and may be logged by the domain controller. Running this script could alert security teams.
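
The domain controller logging mentioned above can be turned into a simple detection check. The following is an added example, not code from Impacket or from the original page: it scans Security event 4768 (Kerberos TGT requested) records for tickets issued with PreAuthType 0, and for a single source address receiving Status 0x6 (unknown principal) for several different names. The key=value log layout, the threshold of 3 and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: fields of Windows Security event 4768 (TGT requested),
# flattened to key=value text. The layout and every value are made up.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=alice IpAddress=10.0.0.21 Status=0x0 PreAuthType=2
EventID=4768 TargetUserName=guess1 IpAddress=10.0.0.66 Status=0x6 PreAuthType=-
EventID=4768 TargetUserName=guess2 IpAddress=10.0.0.66 Status=0x6 PreAuthType=-
EventID=4768 TargetUserName=guess3 IpAddress=10.0.0.66 Status=0x6 PreAuthType=-
EventID=4768 TargetUserName=svc_legacy IpAddress=10.0.0.66 Status=0x0 PreAuthType=0
EventID=4768 TargetUserName=bbo IpAddress=10.0.0.30 Status=0x6 PreAuthType=-
EventID=4769 TargetUserName=alice IpAddress=10.0.0.21 Status=0x0
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Return one dict per 4768 line; lines for other event IDs are dropped."""
    events = [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]
    return [e for e in events if e.get("EventID") == "4768"]

def tgt_without_preauth(events):
    """Successful TGT requests that were answered with no preauthentication."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e.get("Status") == "0x0" and e.get("PreAuthType") == "0"]

def enumeration_sources(events, threshold=3):
    """Sources that got Status 0x6 (unknown principal) for many distinct names."""
    unknown = defaultdict(set)
    for e in events:
        if e.get("Status") == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(names) for ip, names in unknown.items()
            if len(names) >= threshold}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for user, ip in tgt_without_preauth(events):
        print(f"TGT issued without preauth: user={user} source={ip}")
    for ip, names in enumeration_sources(events).items():
        print(f"possible username enumeration from {ip}: {len(names)} unknown names")
```

A single mistyped name (the `bbo` line) stays below the threshold, so only the source that cycles through several unknown names is reported.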

EXAMPLE USAGE

To enumerate users against the 'example.com' domain, using the domain controller at IP 192.168.1.1:
impacket-getnpusers -dc-ip 192.168.1.1 example.com/

To specify a usersfile named 'userlist.txt':
impacket-getnpusers -dc-ip 192.168.1.1 -usersfile userlist.txt example.com/

ETHICAL CONSIDERATIONS

Using impacket-getnpusers, like any penetration testing tool, requires proper authorization. It is essential to obtain explicit permission from the target organization before running this script against their infrastructure. Unauthorized use could lead to legal consequences.

HISTORY

impacket-getnpusers is part of the Impacket project, developed by SecureAuth Corporation (now Core Security), and subsequently maintained by the open-source community. It was created to provide penetration testers and security researchers with tools for interacting with network protocols at a low level. Its usage has increased as AS-REP Roasting has become a well-known technique for reconnaissance within Active Directory environments.

SEE ALSO

impacket-GetUserSPNs(1), impacket-secretsdump(1), kinit(1)
