URL: https://tools.thehacker.recipes/impacket/examples/getnpusers.py


GETNPUSERS.PY

GetNPUsers.py can be used to retrieve domain users who have "Do not require
Kerberos preauthentication" set and ask for their TGTs without knowing their
passwords. It is then possible to attempt to crack, offline, the encrypted
session-key material returned along with the ticket in order to recover the
user's password. This attack is known as ASREProast.

This script can dynamically obtain the list of users in the domain:

 * either through an RPC null session
 * or with authenticated LDAP access to the domain (user or computer account)

If the users list cannot be dynamically retrieved, a file can be supplied.

COMMONS

It has the following generic command line arguments, similar to many other
tools:

 * required positional argument: [domain/]username[:password] (e.g.
   domain.local/user, domain/user:password).

 * -hashes: the LM and/or NT hash to use for a pass-the-hash (NTLM). The format
   is [LMhash]:NThash (the LM hash is optional, but the NT hash must be
   prepended with a colon (:)).

 * -aesKey: the AES128 or AES256 hexadecimal long-term key to use for a
   pass-the-key authentication (Kerberos).

 * -k: this flag must be set when authenticating using Kerberos. The utility
   will try to grab credentials from a Ccache file whose path must be set in the
   KRB5CCNAME environment variable. In this case, the utility will do
   pass-the-cache. If valid credentials cannot be found or if the KRB5CCNAME
   variable is not set or wrongly set, the utility will use the password
   specified in the positional argument for plaintext Kerberos authentication,
   or the NT hash (i.e. RC4 long-term key) in the -hashes argument for
   overpass-the-hash. A Kirbi file can also be converted to a Ccache file using
   ticketConverter.py in order to be used by the utility (indirect
   pass-the-ticket).

 * -no-pass: this flag must be set when an empty password will be used, or no
   password at all. Without this flag, the user will be prompted for a password
   when running the utility. This flag is especially useful when using -k.

 * -dc-ip: IP address of the domain controller. If omitted, the positional
   argument's domain part will be used (in that case, it must be a
   Fully-Qualified Domain Name (FQDN)).

 * -debug: with this flag set, the utility will be more verbose and will
   possibly print useful information for debug purposes. With this flag set, the
   utility will also print tracebacks.

 * -ts: with this flag set, the utility will prepend all output with a
   timestamp.

SPECIFICITIES

It also has the following specific command line arguments:

 * -request: the script will retrieve the crackable hash. Without this option,
   the script will only list vulnerable accounts, by checking whether "Do not
   require Kerberos preauthentication" is set, without actually requesting the
   TGT.

 * -outputfile: the file name to write the retrieved hash values to. Without
   this option set, the values will be printed.

 * -format: the format to output the hashes in. It must be hashcat or john.
   Default is hashcat so that the hashes can be ingested by hashcat.

 * -usersfile: a file with usernames to test. One username per line must be
   specified (just the username, no domain needed). If omitted, the script will
   automatically identify user accounts with "Do not require Kerberos
   preauthentication" in the domain via LDAP.

If the -usersfile argument is not supplied, and no credentials are set (hashes,
password, ticket), the script will try to retrieve the users list through the
RPC enumdomusers command over an RPC null session.
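As an added audit example (not part of the original page and not Impacket's code): the "Do not require Kerberos preauthentication" setting is the UF_DONT_REQUIRE_PREAUTH bit (0x400000) of the userAccountControl attribute, which is what an LDAP query for such accounts keys on. The Python below walks constructed LDAP-style entries, reports every user account with that bit set and whether the account is still enabled, so a defender reviewing their own directory can see which accounts to fix. The LDAP filter string, the sample entries and the function names are my own assumptions, not the script's.

```python
# Audit helper (added example, not Impacket code): list accounts whose
# userAccountControl has the "Do not require Kerberos preauthentication" bit
# set, so the bit can be reviewed and cleared where it is not needed.
from dataclasses import dataclass
from typing import Iterable, List

# userAccountControl bit values as documented by Microsoft (MS-ADTS / MS-SAMR).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQ_PREAUTH = 0x400000


@dataclass
class Finding:
    sam_account_name: str
    enabled: bool
    flags: List[str]


def decode_uac(uac: int) -> List[str]:
    """Return the names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]


def preauth_disabled(uac: int) -> bool:
    """True when the account does not require Kerberos pre-authentication."""
    return bool(uac & UF_DONT_REQ_PREAUTH)


def ldap_filter() -> str:
    """An LDAP filter (my own wording, not copied from the script) matching
    enabled, non-computer accounts with the bit set, via the bitwise-AND
    matching rule OID 1.2.840.113556.1.4.803."""
    return ("(&(userAccountControl:1.2.840.113556.1.4.803:=%d)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=%d))"
            "(!(objectCategory=computer)))" % (UF_DONT_REQ_PREAUTH, UF_ACCOUNTDISABLE))


def audit(entries: Iterable[dict]) -> List[Finding]:
    """Walk LDAP-style entries (attribute name -> value) and report every user
    account with pre-authentication disabled, whether enabled or not."""
    findings = []
    for e in entries:
        if e.get("objectCategory", "person").lower() == "computer":
            continue  # machine accounts are out of scope for this review
        uac = int(e["userAccountControl"])  # LDAP returns it as a decimal string
        if not preauth_disabled(uac):
            continue
        enabled = not (uac & UF_ACCOUNTDISABLE)
        findings.append(Finding(e["sAMAccountName"], enabled, decode_uac(uac)))
    return findings


# Constructed sample entries standing in for an LDAP search result.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person", "userAccountControl": "4194816"},       # 0x200 | 0x400000
    {"sAMAccountName": "bob", "objectCategory": "person", "userAccountControl": "4194818"},         # same, but disabled
    {"sAMAccountName": "carol", "objectCategory": "person", "userAccountControl": "512"},           # normal account
    {"sAMAccountName": "svc-backup", "objectCategory": "person", "userAccountControl": "4260352"},  # + password never expires
    {"sAMAccountName": "ws01$", "objectCategory": "computer", "userAccountControl": "4198400"},     # 0x1000 | 0x400000, skipped
]

if __name__ == "__main__":
    print("filter:", ldap_filter())
    for f in audit(SAMPLE_ENTRIES):
        state = "ENABLED" if f.enabled else "disabled"
        print(f"{f.sam_account_name:12} {state:8} {' '.join(f.flags)}")
```

Against a real directory the entries would come from an LDAP search using that filter; enabled accounts in the output are the ones to act on first, by clearing the bit unless a legacy application still depends on it, and by making sure any account that must keep it has a long, non-guessable password.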



# users list dynamically queried with an RPC null session
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'

# with a users file
GetNPUsers.py -usersfile users.txt -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/'

# users list dynamically queried with a LDAP authenticated bind (password)
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'

# users list dynamically queried with a LDAP authenticated bind (NT hash)
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'

Last updated 4 months ago
