GetNPUsers.py Explained (video)

Recently seen a few comments from people saying they’d like to understand how the Impacket GetNPUsers script works and what exactly makes an account vulnerable to this kind of attack. So I made this video that hopefully helps :slight_smile:

I want to make sure you know how much i appreciate your involvement in the community and the dedication and quality you put into the videos you post. you just need to publish more videos, id like a series on windows enumeration techniques.

fyi i heard you said hashcat didnt work in the vm- you have to supply the " --force" option at the end of command in a virtualized environment, hashcat natively wants to use your gpu, you’ll need to explicitly force it to use the cpu

Type your comment> @Ad0n said:

fyi i heard you said hashcat didnt work in the vm- you have to supply the " --force" option at the end of command in a virtualized environment, hashcat natively wants to use your gpu, you’ll need to explicitly force it to use the cpu

oh cool thanks for the tip! I’ll try that next time

I want to make sure you know how much i appreciate your involvement in the community and the dedication and quality you put into the videos you post. you just need to publish more videos, id like a series on windows enumeration techniques.

haha thanks :slight_smile: tbh I was worried people might be fed up of seeing me post/mention my videos :lol: but yeah hopefully most people are finding them useful like you are. Will get to work on some more videos next week

Excellent work, thanks for the clarifications, starting my journey on windows stuff and used this script recently, could not not warp my head on every detail when i tried to dig on the code, but you made it so clear and simple, we are grateful to have you among us.
I want just to add my little push, this video (which i dont claim ownership) has helped me understand Kerberos immensly and is kinda of a prerequisite to follow your video for the windows environment newbies like me:

EDIT: Very low volume, consider downloading it then forcing volume up.

@3l0nMu5k will take a look at that video cheers - I still need to brush up on some of the other aspects of kerberos so I’m sure it will come in handy

Great video @VbScrub , very well explained !

thanks for all contributions

Cheers guys glad it is helping people out

Type your comment> @VbScrub said:

tbh I was worried people might be fed up of seeing me post/mention my videos

Yea, I was, getting annoyed (only cause there were no videos), but holy shit the wait was worth it. Thanks a ton!

Quick question though: I’m a bit confused on the purpose of the Username:password in the command. In the Username-less request, will that be able to find all users in the domain or is it potential that we’d need credentials to find some users? In other words, is there ‘authenticated’ ldap that would return different users, or are all anonymous requests the same?

@Seferan
Yeah by default anonymous ldap query can’t actually read anything from the domain, you have to kinda go out of your way to enable that. However all domain users can read pretty much everything from the domain, so I guess the password option in impacket is for if you’ve got valid domain user creds and want to use them to search the domain for users without pre authentication enabled. Maybe you get lucky and those accounts have more privs than the account you currently have.

Great video!

Type your comment> @VbScrub said:

@Seferan
Yeah by default anonymous ldap query can’t actually read anything from the domain, you have to kinda go out of your way to enable that. However all domain users can read pretty much everything from the domain, so I guess the password option in impacket is for if you’ve got valid domain user creds and want to use them to search the domain for users without pre authentication enabled. Maybe you get lucky and those accounts have more privs than the account you currently have.

Awesome, thanks…

Last question…I assume NP stands for No-PreAuth??? Any idea? Couldn’t find an immediate answer anywhere.

@Seferan yeah I assumed the same

Absolutely legend you are mate! :smiley Subscribing! keep up the great work!

Nice work @VbScrub, a very useful video, it is good to understand why this is a weakness and knowing what do do to prevent some of it.

Keep up the good work mate :smiley:

@acidbat @z3r0shred thanks for the positive feedback guys :smile: much appreciated

I liked it too. Thanks a lot.

Thanks for making this video. It really helped with understanding getnpusers. I do have to say that I’ve never actually seen a user in real life with preauthentication turned off or seen an application that requires it. I’m sure it must exist for Microsoft to keep supporting the option.

I’m a noob and I also suck at Windows boxes but your content has really helped on my learning experience. Thank you for all of the contributions you’ve made to the community!