RidRelay – SMB Relay Attack For Username Enumeration

Use Netsparker

RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.

RidRelay - SMB Relay Attack For Username Enumeration

How RidRelay SMB Relay Attack Works

RidRelay combines the SMB Relay attack, common lsarpc based queries and RID cycling to get a list of domain usernames. It takes these steps:

  1. Spins up an SMB server and waits for an incoming SMB connection
  2. The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
  3. Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs

For best results, use with Responder.

Using RidRelay to Enumerate Usernames

First, find a target host to relay to. The target must be a member of the domain and MUST have SMB Signin off. CrackMapExec can get this info for you very quick!

Start RidRelay pointing to the target:


Also output usernames to file

You can download RidRelay here:


Or read more here.

Topic: Hacking Tools

NetBScanner – NetBIOS Network Scanner

The New Acunetix V12 Engine

NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.

NetBScanner - NetBIOS Network Scanner

For every computer located by this NetBIOS scanner, the following information is displayed:

  • IP Address
  • Computer Name
  • Workgroup or Domain
  • MAC Address
  • Network adapter manufacturer (from MAC address).

NetBScanner also shows whether a computer is a Master Browser. You can easily select one or more computers found by NetBScanner, and then export the list into csv/tab-delimited/xml/html file.

NetBIOS Network Scanner System Requirements

  • This utility works on every version of Windows, starting from Windows 2000 and up to Windows 10, including both 32-bit systems and x64 systems.
  • NetBIOS scan uses UDP port 137 to send and receive the NetBIOS data. If this port is blocked by your computer or in the remote network computers that you scan, the NetBIOS scan will not work.
  • When you run NetBScanner in the first time, you might get a warning from the Firewall of Windows. Even if you choose to keep blocking NetBScanner, the NetBIOS scan will still work properly.

Using NetBScanner NetBIOS Scanner

NetBScanner doesn’t require any installation process or additional dll files. In order to start using it, simply run the executable file – NetBScanner.exe

After running NetBScanner, you have to choose the IP addresses range to scan (by default, NetBScanner takes the IP addresses range from the configuration of your network adapter) and the scan speed. Be aware that if you increase the scan speed, the NetBIOS scan may become less reliable and miss some of your computers.

After you choose the desired scan option, click the ‘Ok’ button, and then NetBScanner will start scanning your network.

After the NetBIOS scan is finished, you can select one or more computers, and then export the computers list into csv/tab-delimited/xml/html file, by using the ‘Save Selected Items’ option (Ctrl+S)

Command-line Options for NetBIOS Scanning

Also check out:

nbtscan Download – NetBIOS Scanner For Windows & Linux

You can download NetBScanner here:


Or read more here.

Topic: Hacking Tools

Metta – Information Security Adversarial Simulation Tool

Use Netsparker

Metta is an information security preparedness tool in Python to help with adversarial simulation, this can help you check various detection and control capabilities within your organisation.

Metta - Information Security Adversarial Simulation Tool

This project uses Redis/Celery, python, and vagrant with virtualbox to do adversarial simulation. This allows you to test (mostly) your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants.

Metta parses yaml files with a list of “actions” [multistep attacker behavior] and uses Celery to queue these actions up and run them one at a time requiring no manual interaction with the hosts.

You can also craft Scenarious which chain a bunch of Actions together.

Metta Adversarial Simulation Tool FAQ

1. Doesn’t atomic testing do this? Yes, but it is a manual tool. We’ve ported a bunch of the functionality into Metta.

2. Doesn’t $X do this? Maybe, create an GitHub issue and we’ll see if it makes sense to partner or port the functionality.

3. I changed some code but things aren’t working like they should. Any ideas? Try stopping your start_vagrant_celery.sh session and restarting it should pick up changes you made. In general it keeps the state of your code until you restart it. Didn’t work? create a GitHub issue.

You can download Metta here:


Or read more here.

Topic: Countermeasures

Powershell-RAT – Gmail Exfiltration RAT

Use Netsparker

Powershell-RAT is a Python-based Gmail exfiltration RAT that can be used a Windows backdoor to send screenshots or other data as an e-mail attachment.

Powershell-RAT - Gmail Exfiltration RAT

This RAT will help you during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment.

It claims to not need Administrator access and is not currently detected by Anti-virus software.

How to setup Powershell-RAT Gmail Exfiltration RAT

  1. You need a throwaway Gmail email address
  2. Then enable “Allow less secure apps” by going to https://myaccount.google.com/lesssecureapps
  3. Modify the $username & $password variable for your account in the Mail.ps1 Powershell file
  4. Modify $msg.From & $msg.To.Add with the throwaway Gmail address

How I do use Powershell-RAT Gmail Backdoor?

  • Press 1: This option sets the execution policy to unrestricted using Set-ExecutionPolicy Unrestricted. This is useful on administrator machine
  • Press 2: This takes the screenshot of the current screen on the user machine using Shoot.ps1 Powershell script
  • Press 3: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesCore
  • Press 4: This option sends an email from the user machine using Powershell. These uses Mail.ps1 file to send screenshot as attachment to exfiltrate data
  • Press 5: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesUA
  • Press 6: This option deletes the screenshots from user machine to remain stealthy
  • Press 7: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesDF
  • Press 8: This option performs all of the above with a single button press 8 on a keyboard. Attacker will receive an email every 5 minutes with screenshots as an email attachment. Screenshots will be deleted after 12 minutes
  • Press 9: Exit gracefully from the program or press Control+C

Some other related tools are:

PyExfil – Python Data Exfiltration Tools
DET – Data Exfiltration Toolkit
dnsteal – DNS Exfiltration Tool

And using Gmail as a backchannel there is:

Gdog – Python Windows Backdoor With Gmail Command & Control
Gcat – Python Backdoor Using Gmail For Command & Control

You can download Powershell-RAT here:


Or read more here.

Topic: Hacking Tools
SCADA Hacking - Industrial Systems Woefully Insecure

SCADA Hacking – Industrial Systems Woefully Insecure

It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants, refineries and all kinds of other powerful and dangerous things. The latest talk given on the subject shows with just 4 lines of code and a small hardware drop device […]

Topic: Exploits/Vulnerabilities
airgeddon - Wireless Security Auditing Script

airgeddon – Wireless Security Auditing Script

Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list. Airgeddon Wireless Security Auditing Features Interface mode switcher (Monitor-Managed) keeping selection even on interface name changing DoS over wireless networks using different methods. “DoS Pursuit mode” available to avoid AP channel hopping (available also on DoS […]

Topic: Hacking Tools