GetNPUsers.py Explained (video)

edited February 2020 in Video Tutorials

Recently seen a few comments from people saying they'd like to understand how the Impacket GetNPUsers script works and what exactly makes an account vulnerable to this kind of attack. So I made this video that hopefully helps :)

Comments

  • I want to make sure you know how much I appreciate your involvement in the community and the dedication and quality you put into the videos you post. You just need to publish more videos; I'd like a series on Windows enumeration techniques.

  • FYI, I heard you say hashcat didn't work in the VM: you have to supply the "--force" option at the end of the command in a virtualized environment. hashcat natively wants to use your GPU; you'll need to explicitly force it to use the CPU.

  • @Ad0n said:

    > FYI, I heard you say hashcat didn't work in the VM: you have to supply the "--force" option at the end of the command in a virtualized environment. hashcat natively wants to use your GPU; you'll need to explicitly force it to use the CPU.

    Oh cool, thanks for the tip! I'll try that next time

    > I want to make sure you know how much I appreciate your involvement in the community and the dedication and quality you put into the videos you post. You just need to publish more videos; I'd like a series on Windows enumeration techniques.

    haha thanks :) tbh I was worried people might be fed up of seeing me post/mention my videos :lol: but yeah hopefully most people are finding them useful like you are. Will get to work on some more videos next week

  • edited February 2020

    Excellent work, thanks for the clarifications. I'm starting my journey on Windows stuff and used this script recently. I could not wrap my head around every detail when I tried to dig into the code, but you made it so clear and simple. We are grateful to have you among us.
    I just want to add my little push: this video (which I don't claim ownership of) has helped me understand Kerberos immensely and is kind of a prerequisite to follow your video for Windows environment newbies like me:

    EDIT: Very low volume, consider downloading it then forcing volume up.


    Check out my blog
    Always happy to help! but please consider dropping some respect. ^^

  • @3l0nMu5k will take a look at that video, cheers - I still need to brush up on some of the other aspects of Kerberos so I'm sure it will come in handy

  • Great video @VbScrub , very well explained !

    Hack The Box

  • thanks for all contributions

    peek

  • Cheers guys glad it is helping people out
  • @VbScrub said:

    > tbh I was worried people might be fed up of seeing me post/mention my videos

    Yea, I was, getting annoyed (only cause there were no videos), but holy shit the wait was worth it. Thanks a ton!

    Quick question though: I'm a bit confused on the purpose of the Username:password in the command. In the Username-less request, will that be able to find all users in the domain or is it potential that we'd need credentials to find some users? In other words, is there 'authenticated' ldap that would return different users, or are all anonymous requests the same?

  • edited February 2020
    @Seferan
    Yeah, by default an anonymous LDAP query can't actually read anything from the domain; you have to kinda go out of your way to enable that. However, all domain users can read pretty much everything from the domain, so I guess the password option in Impacket is for if you've got valid domain user creds and want to use them to search the domain for users without pre-authentication enabled. Maybe you get lucky and those accounts have more privs than the account you currently have.
  • Great video!

  • @VbScrub said:

    > @Seferan
    > Yeah, by default an anonymous LDAP query can't actually read anything from the domain; you have to kinda go out of your way to enable that. However, all domain users can read pretty much everything from the domain, so I guess the password option in Impacket is for if you've got valid domain user creds and want to use them to search the domain for users without pre-authentication enabled. Maybe you get lucky and those accounts have more privs than the account you currently have.

    Awesome, thanks...

    Last question...I assume NP stands for No-PreAuth??? Any idea? Couldn't find an immediate answer anywhere.

  • @Seferan yeah I assumed the same
  • Absolutely legend you are mate! :smiley: Subscribing! keep up the great work!

    Feel free to PM me, but please ask good questions: https://www.shorturl.at/fmAX6

  • Nice work @VbScrub, a very useful video. It is good to understand why this is a weakness and to know what to do to prevent some of it.

    Keep up the good work mate :smiley:

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • @acidbat @z3r0shred thanks for the positive feedback guys :smile: much appreciated
  • I liked it too. Thanks a lot.

  • Thanks for making this video. It really helped with understanding getnpusers. I do have to say that I've never actually seen a user in real life with preauthentication turned off or seen an application that requires it. I'm sure it must exist for Microsoft to keep supporting the option.

  • I'm a noob and I also suck at Windows boxes but your content has really helped on my learning experience. Thank you for all of the contributions you've made to the community!

    Watskip

    < Soli Deo Gloria >

  • @dreamerscoffee said:

    > Thanks for making this video. It really helped with understanding getnpusers. I do have to say that I've never actually seen a user in real life with preauthentication turned off or seen an application that requires it. I'm sure it must exist for Microsoft to keep supporting the option.

    Yeah, I find it pretty weird that the option even exists, as it completely destroys the security of any user account you enable it on. But there must be some legacy software out there that does Kerberos auth but doesn't do pre-auth. Weirdly, when you connect to an SMB share in Windows, it first tries Kerberos without pre-auth, which fails, and so then it tries it with pre-auth. That's still the case even in the latest version of Windows 10.
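
Added example (not part of any post in this thread, and not Impacket's code): a defender-side audit for the setting discussed above. The "do not require Kerberos preauthentication" option is stored as the `0x400000` bit of an account's `userAccountControl` attribute, so an export of that attribute can be checked offline. The function name, the two-column CSV layout and the sample accounts are assumptions constructed for illustration.

```python
import csv
import io

# Bit values of the Active Directory userAccountControl attribute.
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # "Do not require Kerberos preauthentication"

# Constructed sample export (hypothetical accounts, assumed two-column CSV).
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl
alice,512
svc_legacy,4194816
bob,66048
old_app,4194818
broken_row,not-a-number
"""


def audit_preauth(export_text):
    """Return accounts that have Kerberos pre-authentication switched off."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            uac = int(row["userAccountControl"], 0)  # accepts decimal or 0x hex
        except (KeyError, TypeError, ValueError):
            continue  # malformed row: nothing to decode
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({
                "account": row["sAMAccountName"],
                # Disabled accounts cannot authenticate, but should still be cleaned up.
                "enabled": not (uac & UF_ACCOUNTDISABLE),
            })
    return findings


if __name__ == "__main__":
    for f in audit_preauth(SAMPLE_EXPORT):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']}: pre-auth not required ({state})")
```

Any enabled account this reports should have the option cleared unless a legacy application genuinely depends on it, in which case it needs a long random password.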

  • Great video! Thank you for sharing. I am always curious about how those tools work... Please consider making more of these explanation videos of common tools!

    Subscribed! ;)

  • @Chr0x6eOs said:

    > Great video! Thank you for sharing. I am always curious about how those tools work... Please consider making more of these explanation videos of common tools!
    >
    > Subscribed! ;)

    Thanks :) and yeah I will be making more very soon. If there's any in particular you want to see videos on then let me know (Windows only - I'm a noob when it comes to Linux)

  • @VbScrub said:
    > @Chr0x6eOs said:
    >
    > (Quote)
    > Thanks :) and yeah I will be making more very soon. If there's any in particular you want to see videos on then let me know (Windows only - I'm a noob when it comes to Linux)

    Honestly any tool. I am not bad at Linux, but an absolute Windows noob. Everything you can teach is appreciated. :)
  • Great tutorial on GetNPUsers.py, very helpful in my first hack on AD. Something to note for those Linux users: the double quote will interpret the $ and try to interpret it; the end result is you will get an error about the hash. Use single quotes. Thanks for the tutorial.

  • @endoftime yeah I've not tried it on Linux, but thanks for the tip. Good to know

  • @VbScrub said:
    > Recently seen a few comments from people saying they'd like to understand how the Impacket GetNPUsers script works and what exactly makes an account vulnerable to this kind of attack. So I made this video that hopefully helps :)

    I hope you don't mind @VbScrub, I had to give you a mention and share your video in my walkthrough. In my opinion you hit the nail explaining this and it's worth watching so people understand this better.

    Hack The Box
    CISSP | eJPT

  • @grav3m1ndbyte of course not :) always glad to hear people are finding it useful and sharing it around

  • @grav3m1ndbyte said:

    > @VbScrub said:
    >
    > > Recently seen a few comments from people saying they'd like to understand how the Impacket GetNPUsers script works and what exactly makes an account vulnerable to this kind of attack. So I made this video that hopefully helps :)
    >
    > I hope you don't mind @VbScrub, I had to give you a mention and share your video in my walkthrough. In my opinion you hit the nail explaining this and it's worth watching so people understand this better.

    Thank you sir! :smiley:

    Hack The Box
    CISSP | eJPT

  • Pulling my hair out here, so if somebody knows the issue that would be great.
    Trying to run this but am getting errors when it hits the logger.

    Traceback (most recent call last):
    File "./GetNPUsers.py", line 397, in <module>
    logger.init(options.ts)
    TypeError: init() takes no arguments (1 given)

    I haven't specified an argument, regardless of what it says. Ran as per your demonstration.

  • Great video, this helped me out with a foothold on a current box. Very well explained. I'll have to sub to your channel on YouTube.
