
ridenum

ridenum is a RID cycling attack tool that enumerates user accounts through null sessions and SID to RID enumeration. It can also brute force discovered accounts using an optional password file.

Description

Rid Enum performs a RID cycling attack to enumerate user accounts on remote Windows servers via null sessions and SID enumeration. This technique exploits the Security Identifier (SID) structure to guess Relative Identifiers (RIDs) for user accounts, typically starting from RID 500 upwards.

The tool first attempts to query the Local Security Authority (LSA) to obtain the base domain SID, then cycles through the specified RID range to identify valid user accounts. After enumeration, if a password file is provided, it automatically attempts to brute force the enumerated accounts.

Use cases include pre-exploitation reconnaissance on domain controllers or Windows servers with null session access enabled, helping identify valid usernames for subsequent password attacks or privilege escalation attempts.

How It Works

ridenum connects to a remote Windows server over a null session (an unauthenticated SMB connection) and queries the Security Account Manager (SAM) database through LSA calls. It first retrieves the base domain SID, then performs SID-to-RID translation for each RID in the specified range (e.g., 500-50000); every RID that resolves corresponds to an existing account. If a password file is supplied, it then attempts SMB authentication against the discovered usernames with a dictionary attack. The tool requires the python3-pexpect package for session handling.
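The SID-to-RID structure described above is what makes RID cycling both possible and recognisable: every probe carries the same domain SID with a different trailing RID. The following is an added example, not part of ridenum or the Kali page; it parses SIDs and flags a source that has looked up a dense run of RIDs in one domain, over a constructed list of lookup records (the `(source, sid)` record shape, the domain SID and the addresses are all assumptions).

```python
# Added example (not part of ridenum or the Kali page): parse SIDs and flag a
# RID cycling pattern in a constructed list of SID lookup records.
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid). Raises on bad input."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group(3)[1:].split("-")]
    if len(subs) < 2:
        raise ValueError(f"SID has no RID component: {sid!r}")
    domain_sid = f"S-{m.group(1)}-{m.group(2)}-" + "-".join(map(str, subs[:-1]))
    return domain_sid, subs[-1]

def detect_rid_cycling(lookups, min_run=20):
    """lookups: iterable of (source, sid) pairs, e.g. from LSA lookup auditing
    (record shape is an assumption). Returns
    {(source, domain_sid): (lowest_rid, highest_rid, count)} for every source
    that probed at least min_run distinct RIDs of one domain, which is the
    pattern a RID cycling tool such as ridenum produces."""
    seen = defaultdict(set)
    for source, sid in lookups:
        try:
            domain_sid, rid = parse_sid(sid)
        except ValueError:
            continue  # skip malformed records rather than crash the detector
        seen[(source, domain_sid)].add(rid)
    return {k: (min(v), max(v), len(v)) for k, v in seen.items() if len(v) >= min_run}

# Constructed sample: one host walks RIDs 500..549 (50 lookups), another makes
# two ordinary lookups plus one malformed one. Nothing here is a real value.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [("10.0.0.99", f"{DOMAIN}-{rid}") for rid in range(500, 550)]
SAMPLE += [("10.0.0.7", f"{DOMAIN}-1105"), ("10.0.0.7", f"{DOMAIN}-513"),
           ("10.0.0.7", "garbage")]

if __name__ == "__main__":
    for (src, dom), (lo, hi, n) in detect_rid_cycling(SAMPLE).items():
        print(f"{src} probed {n} RIDs {lo}-{hi} of {dom}")
```

Lowering `min_run` trades fewer missed slow scans for more noise from legitimate bulk lookups; tune it against what the environment's normal SID resolution traffic looks like.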

Installation

```bash
sudo apt install ridenum
```

Flags

Arguments are positional, in this order:

<server_ip>: IP address of the target server
<start_rid>: starting RID for enumeration (e.g., 500)
<end_rid>: ending RID for enumeration (e.g., 50000)
<optional_password_file>: password file for brute forcing enumerated accounts
<optional_username_filename>: pre-dumped username file in DOMAINNAME\USERNAME format

Examples

Connect to remote server 192.168.1.236 and enumerate RIDs 500-50000, then brute force with passwords from /tmp/passes.txt:

```bash
ridenum 192.168.1.236 500 50000 /tmp/passes.txt
```

Enumerate RIDs 500-50000 on 192.168.1.50 using password file dict.txt and pre-dumped usernames from user.txt:

```bash
./ridenum.py 192.168.1.50 500 50000 /root/dict.txt /root/user.txt
```

Narrow the enumeration range to 500-1000 on 192.168.1.236, with password brute forcing:

```bash
ridenum 192.168.1.236 500 1000 /tmp/passes.txt
```

RID enumeration only (no password file) from 1000-20000 on 10.0.0.5:

```bash
ridenum 10.0.0.5 1000 20000
```

Python version targeting the gateway with the full RID range and a password dictionary:

```bash
./ridenum.py 192.168.1.1 500 50000 /tmp/passwords.txt
```

Using both a password file and a pre-dumped username file (the password file comes first, as in the argument order above):

```bash
ridenum 172.16.1.100 500 50000 /root/passwords.txt /root/usernames.txt
```
Updated 2026-04-16. Source: kali.org