Null Session
1
| rpcclient -U "" -N 10.10.10.10
|
Authenticated
1
| rpcclient -U "htb.local\amanda%Ashare1972" 10.10.10.103
|
Sizzle
If an RPC console is prompted then you can execute following commands:
Enumerate printers
1
2
| rpcclient $> enumprinters
rpcclient $> srvinfo
|
Enumerate Users and Groups
1
2
3
| rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> lookupnames <user>
|
Queries
The above command will output user/group RIDs. You can pass those into further queries like:
1
2
3
| rpcclient $> querygroup <RID>
rpcclient $> querygroupenum <RID>
rpcclient $> queryuser <RID>
|
Automatic enumeration with S4vitar script
Resource: rpcenum Execute a full enumeration as follows:
1
| ./rpcenum -e All -i 10.10.10.103
|
#Note Remember that you need to exchange all the lines that contains “rpcclient” if your enumeration is unauthenticated:
1
2
3
4
| # From this:
domain_users=$(rpcclient -U "" $1 -c "enumdomusers" -N | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]')
# To this:
domain_users=$(rpcclient -U "htb.local\amanda%Ashare1972" $1 -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]')
|
Account Description
Works better with privileged users
1
2
3
4
5
6
7
| rpcclient $> querydispinfo
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: <password> in clear text
index: 0xfaf RID: 0x451 acb: 0x00010210 Account: FSmith Name: Fergus Smith Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfad RID: 0x44f acb: 0x00000210 Account: HSmith Name: Hugo Smith Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xfb6 RID: 0x454 acb: 0x00000210 Account: svc_loanmgr Name: L Manager Desc: (null)
|
