RPC (tcp-135)

Null Session

rpcclient -U "" -N 10.10.10.10

Authenticated

rpcclient -U "htb.local\amanda%Ashare1972" 10.10.10.103

Sizzle

Once you get the rpcclient prompt, you can run the following commands:

Enumerate printers

rpcclient $> enumprinters
rpcclient $> srvinfo

Enumerate Users and Groups

rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> lookupnames <user>

Queries

The commands above output user and group RIDs. You can pass those RIDs into further queries such as:

rpcclient $> querygroup <RID>
rpcclient $> querygroupenum <RID>
rpcclient $> queryuser <RID>

Automatic enumeration with S4vitar's script

Resource: rpcenum. Run a full enumeration as follows:

./rpcenum -e All -i 10.10.10.103

Note: remember to change every line of the script that calls rpcclient so that it matches how you are authenticating (null session or credentials), for example:

# From this (null session):
domain_users=$(rpcclient -U "" $1 -c "enumdomusers" -N | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]')
# To this (authenticated, user%password):
domain_users=$(rpcclient -U "htb.local\amanda%Ashare1972" $1 -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]')

Account Description

Works best with a privileged user.

rpcclient $> querydispinfo
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: <password> in clear text
index: 0xfaf RID: 0x451 acb: 0x00010210 Account: FSmith Name: Fergus Smith      Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfad RID: 0x44f acb: 0x00000210 Account: HSmith Name: Hugo Smith        Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0xfb6 RID: 0x454 acb: 0x00000210 Account: svc_loanmgr    Name: L Manager Desc: (null)
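As an added example (not code from this page or from rpcenum), here is a Python helper that parses querydispinfo output like the listing above, decodes the acb account-control bits, and flags accounts whose description looks like it holds a credential or whose enabled state carries settings a hardening review would raise (password never expires, password not required, Kerberos pre-authentication not required). The RISKY_FLAGS selection and the credential-hint pattern are my assumptions; the bit names follow Samba's ACB_* definitions.

```python
import re

# Samba ACB_* bits as printed in the "acb:" column (values from Samba's samr definitions).
ACB_FLAGS = {
    0x0001: "DISABLED", 0x0002: "HOMDIRREQ", 0x0004: "PWNOTREQ", 0x0008: "TEMPDUP",
    0x0010: "NORMAL", 0x0020: "MNS", 0x0040: "DOMTRUST", 0x0080: "WSTRUST",
    0x0100: "SVRTRUST", 0x0200: "PWNOEXP", 0x0400: "AUTOLOCK", 0x0800: "ENC_TXT_PWD_ALLOWED",
    0x1000: "SMARTCARD_REQUIRED", 0x2000: "TRUSTED_FOR_DELEGATION", 0x4000: "NOT_DELEGATED",
    0x8000: "USE_DES_KEY_ONLY", 0x10000: "DONT_REQUIRE_PREAUTH", 0x20000: "PW_EXPIRED",
}
# Settings a hardening review would raise on an enabled account (my selection, not Samba's).
RISKY_FLAGS = {"PWNOEXP", "PWNOTREQ", "DONT_REQUIRE_PREAUTH", "USE_DES_KEY_ONLY"}
CRED_HINT = re.compile(r"pass|pwd|clear ?text|credential", re.IGNORECASE)  # assumed heuristic
LINE_RE = re.compile(
    r"index:\s*(0x[0-9a-f]+)\s+RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)\s+"
    r"Account:\s*(\S+)\s+Name:\s*(.*?)\s+Desc:\s*(.*?)\s*$", re.IGNORECASE)

def parse_querydispinfo(text):
    """Parse querydispinfo lines into dicts; '(null)' fields become None."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompt echo or a line not in the expected layout
        acb = int(m.group(3), 16)
        records.append({
            "rid": int(m.group(2), 16), "acb": acb, "account": m.group(4),
            "name": None if m.group(5) == "(null)" else m.group(5),
            "desc": None if m.group(6) == "(null)" else m.group(6),
            "flags": [n for bit, n in sorted(ACB_FLAGS.items()) if acb & bit]})
    return records

def review(records):
    """Return {account: [findings]} for accounts that need follow-up."""
    findings = {}
    for r in records:
        issues = []
        if r["desc"] and CRED_HINT.search(r["desc"]):
            issues.append("description may contain a credential")
        if "DISABLED" not in r["flags"]:  # only enabled accounts get flag findings
            issues += [f for f in r["flags"] if f in RISKY_FLAGS]
        if issues:
            findings[r["account"]] = issues
    return findings

# Constructed sample: four of the querydispinfo lines shown above (password placeholder kept).
SAMPLE = """\
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: <password> in clear text
index: 0xfaf RID: 0x451 acb: 0x00010210 Account: FSmith Name: Fergus Smith      Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
"""
```

Running `review(parse_querydispinfo(SAMPLE))` reports Administrator (credential hint in the description, password never expires) and FSmith (password never expires, pre-authentication not required), while the disabled Guest and krbtgt accounts produce no findings.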