March 08, 2013
New Tool Release - RPC_ENUM - RID Cycling Attack
Written by
David Kennedy
Penetration Testing
Security Testing & Analysis
Null session attacks are nothing new when it comes to what we typically do on a penetration test. There is already some great tools out there such as dumpusers, dumpsec, and others however most are for Windows. We set out to write something that we could use in a standard install of Back|Track or any NIX platform.
First, a brief explanation, null sessions are an unauthenticated access to the IPC$ share on a standard machine. In most cases as penetration testers, if you can establish a null session to a remote server, you can query it for a ton of information including user names. The first thing we'll do in our favorite Linux distribution is establish a null session via rpcclient:
rpcclient -U "" -N
The -U "" specifies a blank username the -N specifies no password and the IP address of the server (recommend doing these on domain controllers).
You should be at a rpcclient $> prompt.
From there, you need to figure out the GUID/SID string for the domain, there are two ways to accomplish this, the first is through lsaquery.
rpcclient $> lsaquery
Domain Name: DOMAINNAME
Domain Sid: S-1-2-9-9391244-393484712-394982418
rpcclient $>
The Domain SID provided tells us everything we will need to know to enumerate the users. When a default install of Windows/AD is implemented, the RID will start off at 500 (administrator), 501 (guest), etc.
Next we need to enumerate the actual accounts and can cycle from 500 to 10,000 until we enumerate all of the accounts in the domain. Note that all we do is take the domain sid from above and append a -500 and -501 (administrator and guest):
rpcclient $> lookupsids S-1-2-9-9391244-393484712-394982418-500
S-1-2-9-9391244-393484712-3949824185-500 DOMAINNAMEAdministrator (1)
rpcclient $> lookupsids S-1-2-9-9391244-393484712-394982418-501
S-1-2-9-9391244-393484712-394982418-501 DOMAINNAMEGuest (1)
rpcclient $>
If we were to cycle through lets say 10,000 (based on size of company and user accounts), we could enumerate every user account in the domain. From there run a brute force looking for simplistic password accounts. Now in stating of all this, there are certain cases where lsaquery will give you an access is denied. If this occurs, you know that typically there are three different accounts, administrator, guest, and krbtgt (500, 501, 502). You can enumerate these user accounts the same way and get the domain sid:
rpcclient $> lookupnames administrator
administrator S-1-2-9-9391244-393484712-3949824185-500 (User: 1)
rpcclient $>
Now that we have this, we can cycle through and enumerate the same exact way.
TrustedSec is releasing a new tool called rpc_enum that automates all of this. You can get it here:
https://github.com/trustedsec/ridenum
The tool is simple, run python rpc_enum.py and specify the IP address of the server/DC, the start RID (500) and stop rid (lets say 10000). You can also specify a password list (purely optional) and this will automatically brute force the user accounts once its done extracting the user accounts. You do need python-pexpect for this to run properly.
root@bt:~/Desktop/git/ridenum# python rid_enum.py
RID_ENUM
Written by: David Kennedy (ReL1K)
Version: 0.1
Company: https://www.trustedsec.com
Twitter: @TrustedSec
Twitter: @Dave_ReL1K
Rid Enum is a RID cycling attack that attempts to enumerate user accounts through null sessions and the SID to RID enum. If you specify a password file, it will automatically attempt to brute force the user accounts when its finished enumerating.
- RID_ENUM is open source and uses all standard python libraries minus python-pexpect. -
Example: ./rid_enum.py 192.168.1.50 500 50000 /root/dict.txt
Usage: ./rid_enum.py