impacket-getnpusers

Enumerate usernames without authentication in Active Directory

TLDR

View documentation for the original command

$ tldr GetNPUsers.py

SYNOPSIS

impacket-getNPUsers domain[/user] [-h] [-debug] [-no-pass] [-dc-ip IP] [-target-ip IP] [-usersfile FILE] [-format {john,hashcat}] [-outputfile FILE]

-h, --help
    Show help message and exit

-debug
    Enable DEBUG output

-no-pass
    Skip password prompt (anonymous mode)

-dc-ip IP
    Domain Controller IP address

-target-ip IP
    Target machine IP (SMB-related)

-usersfile FILE
    File with usernames (one per line)

-format {john,hashcat}
    Output format: john (default) or hashcat

-outputfile FILE
    Base output filename (stdout default)

DESCRIPTION

impacket-getNPUsers is a tool from the Impacket suite designed for security testing against Active Directory environments. It enumerates domain users and requests Kerberos Ticket Granting Tickets (TGTs) without pre-authentication for accounts where the 'Do not require Kerberos preauthentication' flag is enabled. These TGTs contain NTLM hashes that can be extracted and cracked offline using tools like Hashcat or John the Ripper.

The tool targets As-Realtime Service (AS-REP) roasting attacks, a common initial access technique in penetration testing. By providing a domain controller IP and either a single user or a file of usernames, it performs unauthenticated requests to gather crackable material. Output formats support popular cracking tools, making it efficient for red team operations.

Usage requires network access to the DC and is ineffective against users with pre-authentication enforced. It's widely used in ethical hacking but demands explicit authorization to avoid legal issues.

impacket-getnpusers

Enumerate usernames without authentication in Active Directory

TLDR

SYNOPSIS

PARAMETERS

DESCRIPTION

CAVEATS

EXAMPLE USAGE

INSTALLATION

HISTORY

SEE ALSO