skorov / Ridrelay
Licence: gpl-3.0
Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
Stars: ✭ 359
Programming Languages
python
139335 projects - #7 most used programming language
Projects that are alternatives of or similar to Ridrelay
Active Directory Exploitation Cheat Sheet
A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
Stars: ✭ 1,392 (+287.74%)
Mutual labels: pentesting, activedirectory
Docker Onion Nmap
Scan .onion hidden services with nmap using Tor, proxychains and dnsmasq in a minimal alpine Docker container.
Stars: ✭ 345 (-3.9%)
Mutual labels: pentesting
Airgeddon
This is a multi-use bash script for Linux systems to audit wireless networks.
Stars: ✭ 3,830 (+966.85%)
Mutual labels: pentesting
Getaltname
Extract subdomains from SSL certificates in HTTPS sites.
Stars: ✭ 320 (-10.86%)
Mutual labels: pentesting
Black Hat Rust
Applied offensive security with Rust - Early access - https://academy.kerkour.com/black-hat-rust?coupon=GITHUB
Stars: ✭ 331 (-7.8%)
Mutual labels: pentesting
Webanalyze
Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.
Stars: ✭ 311 (-13.37%)
Mutual labels: pentesting
Sqli Hunter
SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
Stars: ✭ 340 (-5.29%)
Mutual labels: pentesting
Offensive Docker
Offensive Docker is an image with the most commonly used offensive tools, so that an assessment environment can be created easily and quickly to launch against the targets.
Stars: ✭ 328 (-8.64%)
Mutual labels: pentesting
Langhost
👻 A LAN dropbox chatbot controllable via Telegram
Stars: ✭ 324 (-9.75%)
Mutual labels: pentesting
Injuredandroid
A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
Stars: ✭ 317 (-11.7%)
Mutual labels: pentesting
Vajra
Vajra is a highly customizable target- and scope-based automated web hacking framework to automate boring recon tasks and the same scans for multiple targets during web application penetration testing.
Stars: ✭ 269 (-25.07%)
Mutual labels: pentesting
Reconnote
Web application security automation framework which recons the target for various assets to maximize the attack surface for security professionals and bug hunters.
Stars: ✭ 322 (-10.31%)
Mutual labels: pentesting
Cobalt strike extension kit
Attempting to be an all-in-one repo for others' useful aggressor scripts as well as things we've found useful during Red Team operations.
Stars: ✭ 345 (-3.9%)
Mutual labels: pentesting
RidRelay
Quick and easy way to get domain usernames while on an internal network.
Hit me up: @skorov8
How it works
RidRelay combines the NTLM relay attack, common lsarpc-based queries and RID cycling to get a list of domain usernames. It takes these steps:
- Spins up SMB and HTTP servers and waits for an incoming connection
- The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
- Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs
- The password policy is extracted through the samr pipe
(For best results, use with Responder)
Dependencies
- Python 3.6
- Impacket v0.9.20-dev or above
Installation
pipenv install
pipenv shell
# Optional: Run if installing impacket
git submodule update --init --recursive
cd submodules/impacket
pip install .
cd ../..
Usage
First, find a target host to relay to. The target must be a member of the domain and MUST have SMB signing off. CrackMapExec can get this info for you very quickly!
Start RidRelay pointing to the target:
python ridrelay.py -t 10.0.0.50
OR, to also write the usernames to a file:
python ridrelay.py -t 10.0.0.50 -o path_to_output.txt
Highly recommended: start Responder to trick users into connecting to RidRelay
Shout out
Mad props go to:
- Ronnie Flathers (@ropnop) - Original idea on low priv smb relaying
TODO:
- Add password policy enumeration - DONE
- Dynamic relaying based on where incoming creds have admin rights
- Getting active sessions???
- Connect with Bloodhound???
- Decided to keep this tool simple. The above functionality will come in a new tool at some stage.