Tools | February 9, 2026 | 1 min read | by 0xt0pus

impacket-lookupsid

SID brute-forcing tool to enumerate domain users and groups via RPC



Description

impacket-lookupsid is an Impacket tool that performs SID brute-forcing (RID cycling) to enumerate users, groups, and other objects in a Windows/Active Directory environment via RPC. It queries the target using a known or guest account and iterates through RIDs to discover valid accounts. This is especially useful when SMB null sessions or anonymous LDAP queries are restricted.

Usage 1: Enumerate Domain Users with Guest Account (No Password)

Use the guest account with no password to enumerate all domain users via SID brute-forcing. The output can be redirected to a file for further processing.

Command:

impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass > users.txt

Usage 2: Filter Only Valid Usernames from Output

After running impacket-lookupsid, extract only the valid usernames (SidTypeUser) from the output for use in password spraying or other attacks. Write the result to a different file: redirecting back into users.txt truncates it before it is read.

Command:

grep SidTypeUser users.txt | awk -F'\\' '{print $2}' | awk '{print $1}' > valid_users.txt
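The same filtering step as an added Python example (not from the original post or from Impacket), useful when reviewing what a guest-level session exposes: it parses the `RID: DOMAIN\name (SidType...)` lines, keeps names that contain spaces intact (the `awk '{print $1}'` step cuts them at the first space), and separates machine accounts. The function names, the `CICADA` NetBIOS name, the account names and the domain SID in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Entry lines look like "1104: DOMAIN\name (SidTypeUser)"; names may contain spaces.
ENTRY = re.compile(
    r"^(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+) \((?P<type>SidType\w+)\)$"
)

# Constructed sample of lookupsid output (not captured from a real host).
SAMPLE = r"""[*] Brute forcing SIDs at cicada.htb
[*] StringBinding ncacn_np:cicada.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1104: CICADA\alice.example (SidTypeUser)
1105: CICADA\svc backup (SidTypeUser)
1106: CICADA\Dev Support (SidTypeAlias)
"""


def parse_lookupsid(text):
    """Group (rid, name) pairs by SID type, skipping banner and status lines."""
    by_type = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            by_type[m["type"]].append((int(m["rid"]), m["name"]))
    return dict(by_type)


def user_accounts(text, include_machines=False):
    """SidTypeUser names in RID order; machine accounts (trailing $) dropped by default."""
    users = parse_lookupsid(text).get("SidTypeUser", [])
    return [name for _, name in sorted(users)
            if include_machines or not name.endswith("$")]


if __name__ == "__main__":
    for name in user_accounts(SAMPLE):
        print(name)
```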

Usage 3: Alternative - SID Brute-Force with nxc

NetExec (nxc) can also perform RID brute-forcing as an alternative to impacket-lookupsid.

Command:

nxc smb cicada.htb -u 'a' -p '' --rid-brute