RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.
How RidRelay SMB Relay Attack Works
RidRelay combines the SMB Relay attack, common lsarpc based queries and RID cycling to get a list of domain usernames. It takes these steps:
- Spins up an SMB server and waits for an incoming SMB connection
- The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
- Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames.