
Overview

impacket-lookupsid enumerates Windows users and groups by brute forcing SID (Security Identifier) lookups through the LSARPC named pipe. It queries the LSA (Local Security Authority) to resolve RIDs (Relative Identifiers) to account names. It works over SMB (port 445) and can often succeed with a NULL session on misconfigured Domain Controllers.

Authentication

| Method | Flag | Example |
|---|---|---|
| Password | domain/user:password | CORP/admin:Password1 |
| NTLM hash | -hashes | -hashes :aad3b435b51404eeaad3b435b51404ee |
| NULL session | ''/''@target | ''/'':''@10.10.10.5 |
| Guest | guest@target | guest:''@10.10.10.5 |

Basic Usage

Enumerate domain users and groups:
impacket-lookupsid CORP/admin:Password1@10.10.10.5
Output shows RID, account name, and type (SidTypeUser, SidTypeGroup, SidTypeAlias):
500: CORP\Administrator (SidTypeUser)
501: CORP\Guest (SidTypeUser)
502: CORP\krbtgt (SidTypeUser)
512: CORP\Domain Admins (SidTypeGroup)
513: CORP\Domain Users (SidTypeGroup)
1103: CORP\svc_backup (SidTypeUser)
1104: CORP\j.smith (SidTypeUser)

Specify Maximum RID

The max RID is a positional argument (passed after the target), not a flag. Default is 4000. Increase for larger environments:
impacket-lookupsid CORP/admin:Password1@10.10.10.5 20000
Lower for faster scans when you only need well-known accounts:
impacket-lookupsid CORP/admin:Password1@10.10.10.5 1000
Common RID ranges:
| RID Range | Accounts |
|---|---|
| 500-501 | Administrator, Guest |
| 502 | krbtgt |
| 512-514 | Domain Admins, Domain Users, Domain Guests |
| 515-519 | Domain Computers, Domain Controllers, Schema/Enterprise Admins |
| 1000+ | Custom users and groups |

NULL Session Enumeration

No credentials needed on misconfigured Domain Controllers:
impacket-lookupsid ''/'':''@10.10.10.5
Alternative syntax:
impacket-lookupsid ''@10.10.10.5 -no-pass
NULL sessions work when:
  • RestrictAnonymous is not set or set to 0
  • RestrictAnonymousSAM is disabled
  • The “Network access: Restrict anonymous access to Named Pipes and Shares” policy is not enforced
  • Common on older Domain Controllers (2008/2012) and misconfigured environments
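On the defending side, a NULL session is authenticated by the Domain Controller as ANONYMOUS LOGON (well-known SID S-1-5-7) and shows up in the Security log as event 4624 with logon type 3 (network). The following Python is an added example, not part of this page or of Impacket: it runs that check over a constructed batch of 4624/4625 records (field names follow the 4624 event's XML data names; the events, IP addresses and the DC01 computer name are invented for the demonstration) and reports the sources of anonymous network logons that are not on an allowlist of known-legitimate hosts.

```python
from collections import Counter

ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID for ANONYMOUS LOGON
NETWORK_LOGON_TYPE = 3           # logon type recorded for SMB/named-pipe sessions


def _event(user, sid, ip, event_id=4624, logon_type=NETWORK_LOGON_TYPE):
    """Build one Security-log record in the flat shape a SIEM export might use."""
    return {"EventID": event_id, "LogonType": logon_type, "TargetUserName": user,
            "TargetUserSid": sid, "IpAddress": ip, "Computer": "DC01"}


# Constructed sample events; not captured from a real domain controller.
SAMPLE_EVENTS = (
    # six anonymous network logons from one host: repeated null-session binds
    [_event("ANONYMOUS LOGON", ANONYMOUS_LOGON_SID, "10.10.14.3") for _ in range(6)]
    # an ordinary authenticated network logon
    + [_event("j.smith", "S-1-5-21-3623811015-3361044348-30300820-1104", "10.10.10.50")]
    # a single anonymous logon from an internal device (e.g. a scanner)
    + [_event("ANONYMOUS LOGON", ANONYMOUS_LOGON_SID, "10.10.10.51")]
    # a failed logon (4625) and an interactive logon (type 2): both ignored
    + [_event("ANONYMOUS LOGON", ANONYMOUS_LOGON_SID, "10.10.14.3", event_id=4625)]
    + [_event("svc_backup", "S-1-5-21-3623811015-3361044348-30300820-1103",
              "10.10.10.52", logon_type=2)]
)


def is_anonymous_network_logon(ev):
    """True for a successful network logon whose target account is ANONYMOUS LOGON."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == NETWORK_LOGON_TYPE
            and ev.get("TargetUserSid") == ANONYMOUS_LOGON_SID)


def anonymous_logons_by_source(events):
    """Count anonymous network logons per source IP address."""
    return dict(Counter(ev["IpAddress"] for ev in events if is_anonymous_network_logon(ev)))


def flag_sources(events, expected_sources=frozenset()):
    """Sources of anonymous network logons that are not on the allowlist,
    as (ip, count) pairs ordered by count (descending), then by address."""
    counts = anonymous_logons_by_source(events)
    flagged = {ip: n for ip, n in counts.items() if ip not in expected_sources}
    return sorted(flagged.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_EVENTS, expected_sources={"10.10.10.51"}):
        print(f"{ip}: {n} anonymous network logon(s) on DC01")
```

The allowlist, not the count, is the main signal: one lookupsid run opens a single SMB session, so it produces one 4624 rather than one per RID, and anonymous network logons also occur from legitimate devices. Baseline which hosts normally produce them before alerting on the rest, and raise the priority where the DC still has RestrictAnonymous at 0, since that is the configuration in which the session actually yields account names.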

Finding Domain SID

The domain SID is printed at the top of the output:
impacket-lookupsid CORP/admin:Password1@10.10.10.5 1
Output:
[*] Domain SID is: S-1-5-21-3623811015-3361044348-30300820
The domain SID is needed for:
  • Forging Golden Tickets (ticketer.py)
  • Forging Silver Tickets
  • SID History injection
  • Cross-domain attacks via trust relationships

Enumerating Users for Password Spraying

Extract only user accounts and format for spraying tools:
impacket-lookupsid CORP/admin:Password1@10.10.10.5 | grep SidTypeUser | cut -d'\' -f2 | cut -d' ' -f1 > domain_users.txt
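The grep/cut pipeline works for typical account names but truncates any name containing a space (the same `cut -d' ' -f1` that turns `Domain Admins` into `Domain` would turn a user named `Jane Doe` into `Jane`). The following Python is an added example, not part of this page or of Impacket: it parses the output format shown under Basic Usage into structured records, rebuilds each full SID from the domain SID line (Finding Domain SID), labels the well-known RID ranges from the table above, and extracts user names intact. The sample output is constructed for the demonstration (the `Jane Doe` account and the `[*] Brute forcing SIDs` status line are assumptions, not taken from the page).

```python
import re
from collections import Counter

# Constructed sample of impacket-lookupsid output; not captured from a real host.
SAMPLE_OUTPUT = r"""[*] Brute forcing SIDs at 10.10.10.5
[*] Domain SID is: S-1-5-21-3623811015-3361044348-30300820
500: CORP\Administrator (SidTypeUser)
501: CORP\Guest (SidTypeUser)
502: CORP\krbtgt (SidTypeUser)
512: CORP\Domain Admins (SidTypeGroup)
513: CORP\Domain Users (SidTypeGroup)
1103: CORP\svc_backup (SidTypeUser)
1104: CORP\j.smith (SidTypeUser)
1105: CORP\Jane Doe (SidTypeUser)
"""

DOMAIN_SID_RE = re.compile(r"^\[\*\] Domain SID is: (S-1-5-21(?:-\d+){3})$")
# "<rid>: <DOMAIN>\<name> (<SidType...>)"; the lazy (.+?) keeps spaces in names.
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")

# Well-known RID ranges, as listed in the table above.
WELL_KNOWN_RIDS = [
    (500, 501, "Administrator, Guest"),
    (502, 502, "krbtgt"),
    (512, 514, "Domain Admins, Domain Users, Domain Guests"),
    (515, 519, "Domain Computers, Domain Controllers, Schema/Enterprise Admins"),
]


def classify_rid(rid):
    """Label a RID from the well-known table; None for RIDs the table does not list."""
    for low, high, label in WELL_KNOWN_RIDS:
        if low <= rid <= high:
            return label
    return "Custom users and groups" if rid >= 1000 else None


def parse_lookupsid(text):
    """Return (domain_sid, entries); each entry has rid, domain, name, sid_type,
    the full SID (domain SID + '-' + RID) and the well-known label."""
    domain_sid = None
    entries = []
    for line in text.splitlines():
        m = DOMAIN_SID_RE.match(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # status lines and anything unrecognised are skipped
        rid = int(m.group(1))
        entries.append({
            "rid": rid,
            "domain": m.group(2),
            "name": m.group(3),
            "sid_type": m.group(4),
            "sid": f"{domain_sid}-{rid}" if domain_sid else None,
            "well_known": classify_rid(rid),
        })
    return domain_sid, entries


def user_names(entries):
    """Account names of SidTypeUser entries, spaces preserved."""
    return [e["name"] for e in entries if e["sid_type"] == "SidTypeUser"]


def type_counts(entries):
    """How many entries of each SID type were resolved."""
    return dict(Counter(e["sid_type"] for e in entries))


if __name__ == "__main__":
    sid, found = parse_lookupsid(SAMPLE_OUTPUT)
    print("Domain SID:", sid)
    for e in found:
        print(f"{e['sid']}  {e['name']:<16} {e['sid_type']:<13} {e['well_known'] or ''}")
    print("Users:", user_names(found))
    print("Counts:", type_counts(found))
```

Feeding real output through `parse_lookupsid` instead of the cut pipeline also gives you the full SID for each account, which is what the tool actually looked up, and lets you filter on `well_known` to separate built-in accounts from the custom ones above RID 1000.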
Use the user list with password spraying:
# With crackmapexec
crackmapexec smb 10.10.10.5 -u domain_users.txt -p 'Spring2024!' --no-bruteforce

# With kerbrute
kerbrute passwordspray -d corp.local --dc 10.10.10.1 domain_users.txt 'Spring2024!'

Cross-Domain Enumeration via Trusts

Enumerate accounts in a trusted domain by targeting the trust relationship:
# Enumerate the trusting domain through the DC
impacket-lookupsid CORP/admin:Password1@10.10.10.5 -domain-sids
The positional max RID argument applies here as well:
impacket-lookupsid CORP/admin:Password1@10.10.10.5 10000
If you have the SID of a trusted domain, you can enumerate its accounts through any DC that has a trust relationship with it.

Quick Reference

# Basic enumeration
impacket-lookupsid CORP/admin:Password1@10.10.10.5

# NULL session (no creds)
impacket-lookupsid ''/'':''@10.10.10.5

# Guest account
impacket-lookupsid guest:''@10.10.10.5

# Pass-the-hash
impacket-lookupsid -hashes :NT_HASH CORP/admin@10.10.10.5

# Increase RID range
impacket-lookupsid CORP/admin:Password1@10.10.10.5 20000

# Get domain SID only
impacket-lookupsid CORP/admin:Password1@10.10.10.5 1

# Extract usernames for spraying
impacket-lookupsid CORP/admin:Password1@10.10.10.5 | grep SidTypeUser | cut -d'\' -f2 | cut -d' ' -f1

# Kerberos auth (target must be the DC hostname, not an IP)
export KRB5CCNAME=/tmp/admin.ccache
impacket-lookupsid -k -no-pass CORP/admin@<dc-fqdn>

| Flag | Description |
|---|---|
| maxRid (positional) | Maximum RID to brute force, passed after the target (default: 4000) |
| -hashes | NTLM hash for pass-the-hash (LM:NT or :NT) |
| -k | Use Kerberos authentication |
| -no-pass | No password prompt |
| -target-ip | IP of the target machine (overrides target resolution) |
| -domain-sids | Enumerate SIDs for the domain |
| -port | Target port (default: 445) |