A tool for enumerating Active Directory objects through MSSQL Server by bruteforcing RIDs

nyra7/SIDSeeker

SIDSeeker

A tool for enumerating Active Directory objects through MSSQL Server by brute-forcing RIDs. I wrote this tool while doing HackTheBox's Redelegate machine. It does basically the same thing as Metasploit's mssql_enum_domain_accounts module.

Requirements

pip install pymssql colorama

Usage

python sidseeker.py -H <host> -u <username> -p <password> <range>

Required Arguments

  • -H, --host - Target MSSQL server hostname or IP
  • -u, --user - Database username
  • -p, --password - Database password
  • range - RID range to scan in format x-y (e.g., 500-2000)

Optional Arguments

  • --port - Database port (default: 1433)
  • --database - Database name (default: master)
  • -o, --output - Output file for results
  • --csv - Output in CSV format with headers

Example Outputs

Terminal output:

python3 sidseeker.py -H redelegate.vl -u SQLGuest -p secret 500-1500 -o sids.csv --csv


.::::::. ::::::::::-.   .::::::..,:::::: .,::::::  :::  .   .,:::::: :::::::..
;;;`    ` ;;; ;;,   `';,;;;`    `;;;;'''' ;;;;''''  ;;; .;;,.;;;;'''' ;;;;``;;;;
'[==/[[[[,[[[ `[[     [['[==/[[[[,[[cccc   [[cccc   [[[[[/'   [[cccc   [[[,/[[['
  '''    $$$$  $$,    $$  '''    $$$""""   $$""""  _$$$$,     $$""""   $$$$$$c
 88b    dP888  888_,o8P' 88b    dP888oo,__ 888oo,__"888"88o,  888oo,__ 888b "88bo,
  "YMmMY" MMM  MMMMP"`    "YMmMY" """"YUMMM""""YUMMMMMM "MMP" """"YUMMMMMMM   "W"


[*] Target: mssql://SQLGuest@redelegate.vl/master
[*] Range: 500-1500
[*] Output: sids.csv
[*] Attempting database connection...
[+] Connected successfully!
[*] Database version: Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) Sep 24 2019 13:48:23 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (Build 20348: ) (Hypervisor)
[*] Writing results to: sids.csv
[*] Found domain: REDELEGATE
[*] Found domain SID: S-1-5-21-4024337825-2033394866-2055507597-
[*] Starting RID bruteforcing...
[+] Found object: WIN-Q13O908QBPG\Administrator (S-1-5-21-4024337825-2033394866-2055507597-500)
[+] Found object: REDELEGATE\Guest (S-1-5-21-4024337825-2033394866-2055507597-501)
[+] Found object: REDELEGATE\krbtgt (S-1-5-21-4024337825-2033394866-2055507597-502)
[+] Found object: REDELEGATE\Domain Admins (S-1-5-21-4024337825-2033394866-2055507597-512)
[+] Found object: REDELEGATE\Domain Users (S-1-5-21-4024337825-2033394866-2055507597-513)
[+] Found object: REDELEGATE\Domain Guests (S-1-5-21-4024337825-2033394866-2055507597-514)
[+] Found object: REDELEGATE\Domain Computers (S-1-5-21-4024337825-2033394866-2055507597-515)
[+] Found object: REDELEGATE\Domain Controllers (S-1-5-21-4024337825-2033394866-2055507597-516)
[+] Found object: REDELEGATE\Cert Publishers (S-1-5-21-4024337825-2033394866-2055507597-517)
[+] Found object: REDELEGATE\Schema Admins (S-1-5-21-4024337825-2033394866-2055507597-518)
[+] Found object: REDELEGATE\Enterprise Admins (S-1-5-21-4024337825-2033394866-2055507597-519)
[+] Found object: REDELEGATE\Group Policy Creator Owners (S-1-5-21-4024337825-2033394866-2055507597-520)
[+] Found object: REDELEGATE\Read-only Domain Controllers (S-1-5-21-4024337825-2033394866-2055507597-521)
[+] Found object: REDELEGATE\Cloneable Domain Controllers (S-1-5-21-4024337825-2033394866-2055507597-522)
[+] Found object: REDELEGATE\Protected Users (S-1-5-21-4024337825-2033394866-2055507597-525)
[+] Found object: REDELEGATE\Key Admins (S-1-5-21-4024337825-2033394866-2055507597-526)
[+] Found object: REDELEGATE\Enterprise Key Admins (S-1-5-21-4024337825-2033394866-2055507597-527)
[+] Found object: REDELEGATE\RAS and IAS Servers (S-1-5-21-4024337825-2033394866-2055507597-553)
[+] Found object: REDELEGATE\Allowed RODC Password Replication Group (S-1-5-21-4024337825-2033394866-2055507597-571)
[+] Found object: REDELEGATE\Denied RODC Password Replication Group (S-1-5-21-4024337825-2033394866-2055507597-572)
[+] Found object: REDELEGATE\SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG (S-1-5-21-4024337825-2033394866-2055507597-1000)
[+] Found object: REDELEGATE\DC$ (S-1-5-21-4024337825-2033394866-2055507597-1002)
[+] Found object: REDELEGATE\FS01$ (S-1-5-21-4024337825-2033394866-2055507597-1103)
[+] Found object: REDELEGATE\Christine.Flanders (S-1-5-21-4024337825-2033394866-2055507597-1104)
[+] Found object: REDELEGATE\Marie.Curie (S-1-5-21-4024337825-2033394866-2055507597-1105)
[+] Found object: REDELEGATE\Helen.Frost (S-1-5-21-4024337825-2033394866-2055507597-1106)
[+] Found object: REDELEGATE\Michael.Pontiac (S-1-5-21-4024337825-2033394866-2055507597-1107)
[+] Found object: REDELEGATE\Mallory.Roberts (S-1-5-21-4024337825-2033394866-2055507597-1108)
[+] Found object: REDELEGATE\James.Dinkleberg (S-1-5-21-4024337825-2033394866-2055507597-1109)
[+] Found object: REDELEGATE\Helpdesk (S-1-5-21-4024337825-2033394866-2055507597-1112)
[+] Found object: REDELEGATE\IT (S-1-5-21-4024337825-2033394866-2055507597-1113)
[+] Found object: REDELEGATE\Finance (S-1-5-21-4024337825-2033394866-2055507597-1114)
[+] Found object: REDELEGATE\DnsAdmins (S-1-5-21-4024337825-2033394866-2055507597-1115)
[+] Found object: REDELEGATE\DnsUpdateProxy (S-1-5-21-4024337825-2033394866-2055507597-1116)
[+] Found object: REDELEGATE\Ryan.Cooper (S-1-5-21-4024337825-2033394866-2055507597-1117)
[+] Found object: REDELEGATE\sql_svc (S-1-5-21-4024337825-2033394866-2055507597-1119)
[+] Process completed successfully
[+] Results written to sids.csv

File output (sids.csv):

Object,SID,RID
WIN-Q13O908QBPG\Administrator,S-1-5-21-4024337825-2033394866-2055507597-500,500
REDELEGATE\Guest,S-1-5-21-4024337825-2033394866-2055507597-501,501
REDELEGATE\krbtgt,S-1-5-21-4024337825-2033394866-2055507597-502,502
REDELEGATE\Domain Admins,S-1-5-21-4024337825-2033394866-2055507597-512,512
REDELEGATE\Domain Users,S-1-5-21-4024337825-2033394866-2055507597-513,513
REDELEGATE\Domain Guests,S-1-5-21-4024337825-2033394866-2055507597-514,514
REDELEGATE\Domain Computers,S-1-5-21-4024337825-2033394866-2055507597-515,515
REDELEGATE\Domain Controllers,S-1-5-21-4024337825-2033394866-2055507597-516,516
REDELEGATE\Cert Publishers,S-1-5-21-4024337825-2033394866-2055507597-517,517
REDELEGATE\Schema Admins,S-1-5-21-4024337825-2033394866-2055507597-518,518
REDELEGATE\Enterprise Admins,S-1-5-21-4024337825-2033394866-2055507597-519,519
REDELEGATE\Group Policy Creator Owners,S-1-5-21-4024337825-2033394866-2055507597-520,520
REDELEGATE\Read-only Domain Controllers,S-1-5-21-4024337825-2033394866-2055507597-521,521
REDELEGATE\Cloneable Domain Controllers,S-1-5-21-4024337825-2033394866-2055507597-522,522
REDELEGATE\Protected Users,S-1-5-21-4024337825-2033394866-2055507597-525,525
REDELEGATE\Key Admins,S-1-5-21-4024337825-2033394866-2055507597-526,526
REDELEGATE\Enterprise Key Admins,S-1-5-21-4024337825-2033394866-2055507597-527,527
REDELEGATE\RAS and IAS Servers,S-1-5-21-4024337825-2033394866-2055507597-553,553
REDELEGATE\Allowed RODC Password Replication Group,S-1-5-21-4024337825-2033394866-2055507597-571,571
REDELEGATE\Denied RODC Password Replication Group,S-1-5-21-4024337825-2033394866-2055507597-572,572
REDELEGATE\SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG,S-1-5-21-4024337825-2033394866-2055507597-1000,1000
REDELEGATE\DC$,S-1-5-21-4024337825-2033394866-2055507597-1002,1002
REDELEGATE\FS01$,S-1-5-21-4024337825-2033394866-2055507597-1103,1103
REDELEGATE\Christine.Flanders,S-1-5-21-4024337825-2033394866-2055507597-1104,1104
REDELEGATE\Marie.Curie,S-1-5-21-4024337825-2033394866-2055507597-1105,1105
REDELEGATE\Helen.Frost,S-1-5-21-4024337825-2033394866-2055507597-1106,1106
REDELEGATE\Michael.Pontiac,S-1-5-21-4024337825-2033394866-2055507597-1107,1107
REDELEGATE\Mallory.Roberts,S-1-5-21-4024337825-2033394866-2055507597-1108,1108
REDELEGATE\James.Dinkleberg,S-1-5-21-4024337825-2033394866-2055507597-1109,1109
REDELEGATE\Helpdesk,S-1-5-21-4024337825-2033394866-2055507597-1112,1112
REDELEGATE\IT,S-1-5-21-4024337825-2033394866-2055507597-1113,1113
REDELEGATE\Finance,S-1-5-21-4024337825-2033394866-2055507597-1114,1114
REDELEGATE\DnsAdmins,S-1-5-21-4024337825-2033394866-2055507597-1115,1115
REDELEGATE\DnsUpdateProxy,S-1-5-21-4024337825-2033394866-2055507597-1116,1116
REDELEGATE\Ryan.Cooper,S-1-5-21-4024337825-2033394866-2055507597-1117,1117
REDELEGATE\sql_svc,S-1-5-21-4024337825-2033394866-2055507597-1119,1119
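
An added example, not part of SIDSeeker: a checker for a results file in the Object,SID,RID layout shown above, useful when documenting what a SQL login was able to resolve. It verifies that each RID matches the tail of its SID, collects the domain SIDs seen, and groups objects by kind; the function name summarize, the grouping heuristics and the sample (rows copied from the listing above) are assumptions of this example.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample: a few rows copied from the sids.csv listing above.
SAMPLE = (
    "Object,SID,RID\n"
    "WIN-Q13O908QBPG\\Administrator,S-1-5-21-4024337825-2033394866-2055507597-500,500\n"
    "REDELEGATE\\krbtgt,S-1-5-21-4024337825-2033394866-2055507597-502,502\n"
    "REDELEGATE\\Domain Admins,S-1-5-21-4024337825-2033394866-2055507597-512,512\n"
    "REDELEGATE\\FS01$,S-1-5-21-4024337825-2033394866-2055507597-1103,1103\n"
    "REDELEGATE\\Marie.Curie,S-1-5-21-4024337825-2033394866-2055507597-1105,1105\n"
    "REDELEGATE\\sql_svc,S-1-5-21-4024337825-2033394866-2055507597-1119,1119\n"
)

# Domain SID (S-1-5-21-a-b-c) followed by the RID as the last sub-authority.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def summarize(csv_text):
    """Validate and group the rows of an Object,SID,RID results file."""
    kinds, prefixes, domain_sids = Counter(), Counter(), set()
    objects, bad_lines = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        m = SID_RE.match(row.get("SID") or "")
        if not m or m.group(2) != (row.get("RID") or ""):
            bad_lines.append(line_no)  # malformed SID or RID column mismatch
            continue
        prefix, _, name = (row.get("Object") or "").partition("\\")
        rid = int(m.group(2))
        # Heuristics (assumptions of this example): a trailing "$" marks a
        # computer-style account; RIDs below 1000 are well-known built-ins.
        if name.endswith("$"):
            kind = "computer"
        elif rid < 1000:
            kind = "built-in"
        else:
            kind = "created"
        kinds[kind] += 1
        prefixes[prefix] += 1
        domain_sids.add(m.group(1))
        objects.append((prefix, name))
    majority = prefixes.most_common(1)[0][0] if prefixes else None
    other = [f"{p}\\{n}" for p, n in objects if p != majority]
    return {"kinds": dict(kinds), "domain_sids": domain_sids,
            "other_prefix": other, "bad_lines": bad_lines}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An entry in other_prefix, as with RID 500 in the output above, is a name whose prefix differs from the rest even though it shares the domain SID.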
