Forest
05-nmap
10 - Enumeration
15 - Impacket-GetNPUsers
20 - Getting a shell
25 - Bloodhound
30-creating a user
35-SecretsDump
40-Get Root
15 - Impacket-GetNPUsers
Normally, users are required to prove their identity during the initial authentication process. This is known as pre-authentication, and it helps prevent certain attacks. However, some user accounts may be configured to not require pre-authentication. These accounts are potentially vulnerable to certain attacks.

The `GetNPUsers` script takes advantage of this by attempting to request TGTs for user accounts that don't require pre-authentication. Instead of providing a password during the request, the script attempts to exploit the lack of pre-authentication requirement to extract TGTs without a password.

impacket-GetNPUsers -dc-ip 10.10.10.161 -request 'htb.local/'

impacket-GetNPUsers -dc-ip 10.10.10.161 -request 'htb.local/' -format hashcat

Pasted image 20240110113526.png

cracking the hash with hashcat

hashcat hash /usr/share/wordlists/rockyou.txt

Pasted image 20240110113658.png

svc-alfresco:s3rvice
Table Of Contents