RidRelay on offsec.tools


Enumerate usernames on a domain where you have no creds by using SMB relay.

RidRelay combines the NTLM relay attack, common lsarpc-based queries and RID cycling to get a list of domain usernames. It takes these steps:
- Spins up SMB and HTTP servers and waits for an incoming connection
- The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
- Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs
- The password policy is extracted through the samr pipe