Enumerating RIDs (enumerid)

What is enumerid?

Enumerid is an impacket based Relative Identifier (RID) enumeration utility. It was initially created to solve a common problem that attackers face after getting an initial compromise- getting oriented within the network. Historically this means looking through ARP tables, VPN routes, wireshark, etc.

With a valid set of credentials, you can now enumerate all valid network ranges.. even if you don’t currently have access to them.

You can get download a copy of it on my github page here.

How does enumerid work?

Enumerid works by querying the Domain Controller (DC) and asking for a list of RIDs for every asset in the “Domain Computers” groups. It will then ask the DC resolve those RIDs to the corresponding clear text hostnames. With this information, you simply perform a DNS lookup on each hostname.

DNS doesn’t check if you have access to the host in question. It simply resolves the IP address for you- therefore you are able to get a list of all currently leased IP addresses. All information is output into greppable format for easy parsing.

If the host currently has a leased IP, it will resolve. Otherwise the hostname will appear without an IP.

Want to enumerate other RIDs?

Enumerid does more than network enumeration. The utility has been created to be a bit more open ended. You can specify any valid RID that exists on the remote host and enumerate it. Want a list of Domain Users? How about Domain Admins?

If you know the RID exists on the target, you can enumerate information out of it. Here’s a list of common RIDs on a DC (you can display this with -h on enumerid.py ):

Domain Computers: 515 Domain Controllers: 516 Domain Users: 513 Domain Admins: 512 Domain Guests: 514 Enterprise Admins: 519

Anonymous Enumeration

If the domain controller allows anonymous logins, you can use two single quotes for the username and password:

./enumerid.py domain/'':''@<DC IP> -r 515 -d

Troubleshooting DNS resolution

Shout out to @silburfuchs for initially discovering this problem and coding up a fix for it.

Sometimes DNS resolution requires the Fully Qualified Domain Name (FQDN) to properly resolve the IP address. If you find yourself in the situation where you know IP addresses should be resolving but are not- try adding the FQDN.