GetNPUsers

Queries target domain for users with 'Do not require Kerberos preauthentication' set and export their TGTs for cracking.

This can be used to get tickets for users without having credentials to a domain. This is because the user does not require preauthentication to request a ticket.

From: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx

If pre-authentication is enabled, a time stamp will be encrypted using the user's password hash as an encryption key. If the KDC reads a valid time when using the user's password hash, which is available in the Active Directory, to decrypt the time stamp, the KDC knows that request isn't a replay of a previous request.

When you do not enforce pre-authentication, a malicious attacker can directly send a dummy request for authentication. The KDC will return an encrypted TGT and the attacker can brute force it offline. Upon checking the KDC logs, nothing will be seen except a single request for a TGT.

PreviousGetADUsers NextgetST

Last updated 4 years ago