RID Cycling

RID: Relative Identifier, the last component of a SID that identifies one principal within a domain.

Perform a RID cycling attack against a DC that allows SMB null sessions, using lookupsid.py:

$ lookupsid.py MEGACORP/snovvcrash:'Passw0rd!'@127.0.0.1 20000 [-domain-sids] | tee ~/ws/log/lookupsid.out
$ cat ~/ws/log/lookupsid.out | grep SidTypeUser | grep -v -e '\$' -e '{' -e '}' -e HealthMailbox | awk -F'\' '{print $2}' | awk '{print $1}' | perl -nle 'print if m{^[[:ascii:]]+$}' > ~/ws/enum/all-users.txt
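
The grep/awk/perl pipeline above is a filter over lookupsid.py's result lines. The same extraction as a Python parser, added here as an example (not part of this page's original commands nor of impacket); the sample output below is constructed, and the account names in it are invented:

```python
import re

# Constructed sample of lookupsid.py output (names are invented for the example).
SAMPLE_OUTPUT = """\
[*] Brute forcing SIDs at 127.0.0.1
[*] StringBinding ncacn_np:127.0.0.1[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
500: MEGACORP\\Administrator (SidTypeUser)
501: MEGACORP\\Guest (SidTypeUser)
502: MEGACORP\\krbtgt (SidTypeUser)
512: MEGACORP\\Domain Admins (SidTypeGroup)
1000: MEGACORP\\DC01$ (SidTypeUser)
1104: MEGACORP\\HealthMailbox1a2b3c (SidTypeUser)
1105: MEGACORP\\snovvcrash (SidTypeUser)
1106: MEGACORP\\{a1b2c3d4-0000-1111-2222-333344445555} (SidTypeUser)
1107: MEGACORP\\J\u00fcrgen (SidTypeUser)
1108: MEGACORP\\svc_sql (SidTypeUser)
"""

# One result line looks like "500: MEGACORP\Administrator (SidTypeUser)".
LINE_RE = re.compile(
    r'^(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+) \((?P<type>SidType\w+)\)$'
)


def parse_lookupsid(text):
    """Yield (rid, domain, name, sid_type) for every result line; banner lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m['rid']), m['domain'], m['name'], m['type']


def is_user_account(name):
    """Apply the same exclusions as the shell pipeline: machine accounts ($),
    GUID-named objects ({...}), Exchange HealthMailbox accounts and non-ASCII names."""
    if '$' in name or '{' in name or '}' in name or 'HealthMailbox' in name:
        return False
    return name.isascii()


def extract_users(text):
    """Return the sorted, de-duplicated user account names (SidTypeUser only)."""
    return sorted({name for _, _, name, sid_type in parse_lookupsid(text)
                   if sid_type == 'SidTypeUser' and is_user_account(name)})
```

Unlike the shell pipeline's second awk, which keeps only the first whitespace-separated token, this version keeps the whole account name.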

With CrackMapExec:

$ cme smb 192.168.1.11 -u '' -p '' --users
