
Linux command

impacket-getnpusers command

Network

After copying, replace file names, directories, or parameters as needed.

Common examples

Find AS-REP roastable users

impacket-GetNPUsers [domain]/ -dc-ip [dc-ip] -usersfile [users.txt]

Get hash for specific user

impacket-GetNPUsers [domain]/[user] -dc-ip [dc-ip] -no-pass

Request hashes and save them to a file in hashcat format

impacket-GetNPUsers [domain]/ -dc-ip [dc-ip] -usersfile [users.txt] -format hashcat -outputfile [hashes.txt]

Enumerate via LDAP with valid credentials and request hashes

impacket-GetNPUsers [domain]/[user]:[password] -dc-ip [dc-ip] -request

Use Kerberos authentication

impacket-GetNPUsers [domain]/[user] -dc-ip [dc-ip] -k -no-pass

Description

impacket-GetNPUsers lists Active Directory users that have "Do not require Kerberos preauthentication" set (UF_DONT_REQUIRE_PREAUTH) and requests TGTs for them. This enables AS-REP Roasting: the retrieved hashes can be cracked offline with hashcat or John the Ripper. Without -usersfile, the script queries LDAP to enumerate vulnerable accounts automatically, which requires valid credentials. With -usersfile, it tests each username in the file and needs no domain credentials. It is part of the Impacket toolkit. For authorized security testing only.
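
A defender-side audit for the setting described above, as an added example that is not part of the original page or of Impacket: it scans an LDIF export of user objects for the UF_DONT_REQUIRE_PREAUTH bit (0x400000) in userAccountControl so the flag can be cleared before it is abused. The sample records, the example.test domain, and the function names are constructed for illustration.

```python
"""Audit an LDIF export for accounts with Kerberos pre-authentication disabled."""
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # decimal 4194304

# Filter that selects the same accounts server-side (LDAP bitwise-AND matching rule).
LDAP_FILTER = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# Constructed sample export (hypothetical accounts, not real data).
SAMPLE_LDIF = """\
dn: CN=Alice Admin,OU=Staff,DC=example,DC=test
sAMAccountName: aadmin
userAccountControl: 512

dn: CN=Legacy Svc,OU=Service,DC=example,DC=test
sAMAccountName: svc_legacy
userAccountControl: 4260352

dn: CN=Old Temp,OU=Staff,DC=example,DC=test
sAMAccountName: otemp
userAccountControl: 4194818

dn: CN=Broken,OU=Staff,DC=example,DC=test
sAMAccountName: broken
userAccountControl: n/a
"""

def parse_ldif(text):
    """Split blank-line separated records into dicts with lower-cased keys."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (l.partition(": ") for l in block.splitlines()
                 if ": " in l and not l.startswith("#"))
        entry = {key.lower(): value.strip() for key, _, value in pairs}
        if entry:
            records.append(entry)
    return records

def audit(text):
    """Return (findings, skipped); skipped holds records with unusable UAC values."""
    findings, skipped = [], []
    for entry in parse_ldif(text):
        name = entry.get("samaccountname", entry.get("dn", "?"))
        try:
            uac = int(entry["useraccountcontrol"])
        except (KeyError, ValueError):
            skipped.append(name)  # surface bad rows instead of passing them silently
            continue
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({"account": name, "enabled": not uac & UF_ACCOUNTDISABLE})
    return findings, skipped
```

Enabled accounts in the findings are the ones to fix first; disabled ones become exposed again if they are re-enabled with the flag still set.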

Parameters

-dc-ip _ip_
Domain controller IP address.
-usersfile _file_
File with usernames to test (one per line).
-no-pass
Don't ask for password (useful with -k or anonymous queries).
-request
Request TGT hashes for vulnerable users (default: only list them).
-format _type_
Hash output format: hashcat or john (default: hashcat).
-outputfile _file_
Save hashes to file instead of stdout.
-k
Use Kerberos authentication from ccache (KRB5CCNAME).
-hashes _LMHASH:NTHASH_
Authenticate using NTLM hashes instead of password.
-aesKey _KEY_
AES key to use for Kerberos authentication.
-ts
Add timestamp to logging output.
-debug
Turn on debug output.
