Links

rpcclient enumeration

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.

What is a RID

A Relative Identifier (RID) is a unique identifier (represented in hexadecimal format) utilized by Windows to track and identify objects. To explain how this fits in, let's look at the examples below:
  • The SID for the NAME_DOMAIN.LOCAL domain is: S-1-5-21-1038751438-1834703946-36937684957.
  • When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
  • So the domain user john with a RID:[0x457] Hex 0x457 would = decimal 1111, will have a full user SID of: S-1-5-21-1038751438-1834703946-36937684957-1111.
  • This is unique to the john object in the NAME_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.
Definition from here.

Enumeration with rpcclient

Pat of this section was extracted from book "Network Security Assesment 3rd Edition"
You can use the Samba rpcclient utility to interact with RPC endpoints via named pipes. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon establishing a SMB session (often requiring credentials).

Server Info

  • Server Info: srvinfo

Users enumeration

  • List users: querydispinfo and enumdomusers
  • Get user details: queryuser <0xrid>
  • Get user groups: queryusergroups <0xrid>
  • GET SID of a user: lookupnames <username>
  • Get users aliases: queryuseraliases [builtin|domain] <sid>
# Brute-Force users RIDs
for i in $(seq 500 1100); do
rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done
​
# You can also use samrdump.py for this purpose

Groups enumeration

  • List groups: enumdomgroups
  • Get group details: querygroup <0xrid>
  • Get group members: querygroupmem <0xrid>

Aliasgroups enumeration

  • List alias: enumalsgroups <builtin|domain>
  • Get members: queryaliasmem builtin|domain <0xrid>

Domains enumeration

  • List domains: enumdomains
  • Get SID: lsaquery
  • Domain info: querydominfo

Shares enumeration

  • Enumerate all available shares: netshareenumall
  • Info about a share: netsharegetinfo <share>

More SIDs

  • Find SIDs by name: lookupnames <username>
  • Find more SIDs: lsaenumsid
  • RID cycling (check more SIDs): lookupsids <sid>

Extra commands

Command
Interface
Description
queryuser
SAMR
Retrieve user information
querygroup
Retrieve group information
​
querydominfo
Retrieve domain information
​
enumdomusers
Enumerate domain users
​
enumdomgroups
Enumerate domain groups
​
createdomuser
Create a domain user
​
deletedomuser
Delete a domain user
​
lookupnames
LSARPC
Look up usernames to SIDa values
lookupsids
Look up SIDs to usernames (RIDb cycling)
​
lsaaddacctrights
Add rights to a user account
​
lsaremoveacctrights
Remove rights from a user account
​
dsroledominfo
LSARPC-DS
Get primary domain information
dsenumdomtrusts
Enumerate trusted domains within an AD forest
​
To understand better how the tools samrdump and rpcdump works you should read Pentesting MSRPC.
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.