Ridrelay – Quick And Easy Way To Get Domain Usernames While On An Internal Network

Ridrelay – Quick And Easy Way To Get Domain Usernames While On An Internal Network

Enumerate usernames on a website the place you don’t have any creds by utilizing SMB Relay with low priv. Quick and simple solution to get area usernames whereas on an inner community.

How it really works

RidRelay combines the SMB Relay assault, widespread lsarpc based mostly queries and RID biking to get an inventory of area usernames. It takes these steps:
  1. Spins up an SMB server and waits for an incoming SMB connection
  2. The incoming credentials are relayed to a specified goal, making a reference to the context of the relayed person
  3. Queries are made down the SMB connection to the lsarpc pipe to get the checklist of area usernames. This is completed by biking as much as 50000 RIDs

(For finest outcomes, use with Responder)


  • Python 2.7 (sorry however impacket does not play good with 3 🙁 )
  • Impacket v0.9.17 or above


pipenv set up --two
pipenv shell

# Optional: Run if putting in impacket
git submodule replace --init --recursive
cd submodules/impacket
python setup.py set up
cd ../..

First, discover a goal host to relay to. The goal should be a member of the area and MUST have SMB Signin off. CrackMapExec can get this data for you very fast!
Start RidRelay pointing to the goal:

python ridrelay.py -t

Also output usernames to file

python ridrelay.py -t -o path_to_output.txt

Highly Recommended: Start Responder to trick customers to connecting to RidRelay


  • Add password coverage enumeration
  • Dynamic relaying based mostly on the place incoming creds have admin rights
  • Getting lively classes???
  • Connect with Bloodhound???



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.