RidRelay

Enumerate usernames on a domain where you have no creds by using SMB relay.

Download link: https://github.com/skorov/ridrelay

RidRelay combines the NTLM relay attack, common lsarpc-based queries and RID cycling to get a list of domain usernames. It takes these steps:

- Spins up SMB and HTTP servers and waits for an incoming connection
- The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
- Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs
- The password policy is extracted through the samr pipe
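The steps above leave two distinct traces on the relay target, and a defender can look for both. First, the relayed session shows up as an NTLM network logon whose source address is the relay host rather than the machine whose name the client claimed. Second, RID cycling and the password-policy query produce a burst of IPC$ pipe opens against lsarpc and samr from that one source. The script below is an added example, not part of RidRelay: it runs the two heuristics over constructed Windows Security events (4624 logon and 5145 share-access records, with field names mirroring the Security log). The asset inventory, the events and the burst threshold are all made-up inputs.

```python
"""Added detection example (not RidRelay code): two heuristics over constructed
Windows Security events that correspond to the relay and enumeration steps above.

  1. An NTLM network logon (4624, LogonType 3) whose source IP does not match the
     address the inventory expects for the workstation name the client claimed.
  2. A burst of IPC$ pipe accesses (5145) to lsarpc or samr from a single source.

Field names mirror the Security log; inventory, events and threshold are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed inventory (hypothetical): the address each workstation normally logs on from.
KNOWN_HOSTS: Dict[str, str] = {"WS01": "10.0.0.21", "WS02": "10.0.0.22"}

# Constructed 4624 logon events.
LOGON_EVENTS: List[dict] = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS01", "IpAddress": "10.0.0.21"},
    # Client claims to be WS02 but the TCP connection came from 10.0.0.99: relay indicator.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "WorkstationName": "WS02", "IpAddress": "10.0.0.99"},
    # Kerberos logon: not produced by NTLM relay, ignored by heuristic 1.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "carol", "WorkstationName": "WS01", "IpAddress": "10.0.0.99"},
    # Interactive logon (type 2): not a network logon, ignored.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dave", "WorkstationName": "WS01", "IpAddress": "127.0.0.1"},
]

# Constructed 5145 events: 10.0.0.99 opens lsarpc 40 times and samr 3 times,
# while 10.0.0.21 touches lsarpc once (normal background noise).
PIPE_EVENTS: List[dict] = (
    [{"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
      "IpAddress": "10.0.0.99", "SubjectUserName": "bob"} for _ in range(40)]
    + [{"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr",
        "IpAddress": "10.0.0.99", "SubjectUserName": "bob"} for _ in range(3)]
    + [{"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
        "IpAddress": "10.0.0.21", "SubjectUserName": "alice"}]
)

# Pipes used for account enumeration and password-policy lookups.
ENUM_PIPES = {"lsarpc", "samr"}


def relay_suspects(events: Iterable[dict], known_hosts: Dict[str, str]) -> List[dict]:
    """Heuristic 1: NTLM network logons whose source IP contradicts the claimed workstation."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        expected = known_hosts.get(ev.get("WorkstationName", "").upper())
        # Unknown workstation names are skipped; the inventory decides what "expected" means.
        if expected is not None and expected != ev.get("IpAddress"):
            hits.append(ev)
    return hits


def enumeration_bursts(events: Iterable[dict], threshold: int = 20) -> Dict[str, int]:
    """Heuristic 2: source addresses with at least `threshold` IPC$ opens of lsarpc/samr."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        if not ev.get("ShareName", "").endswith("IPC$"):
            continue
        if ev.get("RelativeTargetName", "").lower() not in ENUM_PIPES:
            continue
        counts[ev["IpAddress"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ev in relay_suspects(LOGON_EVENTS, KNOWN_HOSTS):
        print(f"possible relayed logon: {ev['TargetUserName']} claimed "
              f"{ev['WorkstationName']} but connected from {ev['IpAddress']}")
    for ip, n in enumeration_bursts(PIPE_EVENTS).items():
        print(f"possible RID cycling / policy enumeration: {n} lsarpc/samr opens from {ip}")
```

Both heuristics have known false positives: WorkstationName is supplied by the client, so roaming laptops and VPN users will trip the first one unless the inventory is kept current, and legitimate management tools also open lsarpc and samr, so the burst threshold has to be tuned per environment. The structural fix for the relay step itself is requiring SMB signing on the hosts that would otherwise accept the relayed session; once signing is required, the relayed connection fails before any lsarpc query is made.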
