Quick and easy way to get domain usernames while on an internal network. RidRelay combines the SMB Relay attack, common lsarpc based queries and RID cycling to get a list of domain usernames. It takes these steps:

  • Spins up an SMB server and waits for an incoming SMB connection
  • The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
  • Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs.

Also Read Mercure – Tool For Security Managers Who Want To Train Their Colleague To Phishing

RidRelay Dependencies

  • Python 2.7 (sorry but impacket doesn’t play nice with 3 🙁 )
  • Impacket v0.9.17 or above


pipenv install --two
pipenv shell

# Optional: Run if installing impacket
git submodule update --init --recursive
cd submodules/impacket
python setup.py install
cd ../..


First, find a target host to relay to. The target must be a member of the domain and MUST have SMB Signin off. CrackMapExec can get this info for you very quick!

Start RidRelay pointing to the target:

python ridrelay.py -t


Also output usernames to file

python ridrelay.py -t -o path_to_output.txt