Published on August 1st, 2018📅| 0
Ridrelay – Quick And Easy Way To Get Domain Usernames While On An Internal Network
- Spins up an SMB server and waits for an incoming SMB connection
- The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
- Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs
- Python 2.7 (sorry but impacket doesn’t play nice with 3 🙁 )
- Impacket v0.9.17 or above
pipenv install --two pipenv shell # Optional: Run if installing impacket git submodule update --init --recursive cd submodules/impacket python setup.py install cd ../..
First, find a target host to relay to. The target must be a member of the domain and MUST have SMB Signin off. CrackMapExec can get this info for you very quick!
Start RidRelay pointing to the target:
python ridrelay.py -t 10.0.0.50
Also output usernames to file
python ridrelay.py -t 10.0.0.50 -o path_to_output.txt
Highly Recommended: Start Responder to trick users to connecting to RidRelay
- Add password policy enumeration
- Dynamic relaying based on where incoming creds have admin rights
- Getting active sessions???
- Connect with Bloodhound???