rpcclient enumeration
A Relative Identifier (RID) is a unique identifier that Windows appends to a domain SID to identify an object within that domain. The RID itself is a plain integer; `rpcclient` displays and accepts it in hexadecimal. To see how this fits together:

- When an object is created within a domain, the domain SID (the `S-1-5-21-...` prefix shared by every object in that domain) is combined with a RID to form the unique SID that represents the object.
- So the domain user `john` with RID `0x457` (hex 0x457 = decimal 1111) will have the full user SID `S-1-5-21-1038751438-1834703946-36937684957-1111`.
- This value is unique to the `john` object in the NAME_DOMAIN.LOCAL domain; you will never see this SID tied to another object in this domain or any other.
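To make the SID/RID arithmetic concrete, here is a small Python helper, added as an example (it is not from the original page or from Samba), that splits a SID into its identifier authority and sub-authorities, checks that each sub-authority fits in 32 bits, appends or strips a RID, and converts between the hexadecimal form `rpcclient` prints and the decimal form that appears in SIDs. The domain SID in the script is constructed. Note that the third sub-authority of the example SID above, 36937684957, does not fit in 32 bits, so no directory would ever issue it; that is exactly the kind of slip the validator below rejects.

```python
"""SID/RID helpers (added example, not part of rpcclient or the original page)."""

MAX_SUBAUTH = 0xFFFFFFFF          # each sub-authority is an unsigned 32-bit value
MAX_AUTHORITY = (1 << 48) - 1     # the identifier authority is 48 bits wide
MAX_SUBAUTH_COUNT = 15            # SubAuthorityCount is one byte and capped at 15

# Constructed domain SID for the examples below (not a real domain).
EXAMPLE_DOMAIN_SID = "S-1-5-21-1038751438-1834703946-369376849"


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Split 'S-1-<authority>-<sub1>-...-<subN>' into (authority, [sub1..subN]).

    Raises ValueError for anything that could not be encoded as a real SID,
    including sub-authorities that overflow 32 bits."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {sid!r}")
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in SID {sid!r}") from None
    if not 0 <= authority <= MAX_AUTHORITY:
        raise ValueError(f"identifier authority out of range in {sid!r}")
    if len(subs) > MAX_SUBAUTH_COUNT:
        raise ValueError(f"too many sub-authorities in {sid!r}")
    for sub in subs:
        if not 0 <= sub <= MAX_SUBAUTH:
            raise ValueError(f"sub-authority {sub} does not fit in 32 bits: {sid!r}")
    return authority, subs


def is_valid_sid(sid: str) -> bool:
    """True if parse_sid() accepts the string."""
    try:
        parse_sid(sid)
        return True
    except ValueError:
        return False


def format_sid(authority: int, subs: list[int]) -> str:
    """Render (authority, sub-authorities) back into the S-1-... string form."""
    return "S-1-" + "-".join(str(n) for n in [authority, *subs])


def build_sid(domain_sid: str, rid: int) -> str:
    """Combine a domain SID with a RID to get the object's full SID."""
    authority, subs = parse_sid(domain_sid)
    if not 0 <= rid <= MAX_SUBAUTH:
        raise ValueError(f"RID {rid} does not fit in 32 bits")
    return format_sid(authority, subs + [rid])


def split_sid(sid: str) -> tuple[str, int]:
    """Inverse of build_sid(): return (domain SID, RID) for an object SID."""
    authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError(f"{sid!r} has no RID component")
    return format_sid(authority, subs[:-1]), subs[-1]


def rid_to_hex(rid: int) -> str:
    """RID in the form rpcclient prints and accepts, e.g. 0x457."""
    return f"0x{rid:x}"


def rid_from_hex(text: str) -> int:
    """Parse a hexadecimal RID string, with or without the 0x prefix."""
    return int(text, 16)


if __name__ == "__main__":
    full = build_sid(EXAMPLE_DOMAIN_SID, rid_from_hex("0x457"))
    print(full, split_sid(full), rid_to_hex(1111))
```

`split_sid` also works for built-in aliases such as `S-1-5-32-544`, whose "domain" is `S-1-5-32` and whose RID is 544, which is the pair `queryaliasmem builtin 0x220` expects.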
Part of this section was extracted from the book "Network Security Assessment, 3rd Edition".
You can use the Samba `rpcclient` utility to interact with RPC endpoints over SMB named pipes. The following lists commands that you can issue to the SAMR, LSARPC, and LSARPC-DS interfaces once an SMB session is established. A null session (`-N -U ""`) is sometimes enough; otherwise supply credentials with `-U 'DOMAIN\user%password'`.

- Server info: `srvinfo`
- List users: `querydispinfo` and `enumdomusers`
- Get user details: `queryuser <0xrid>`
- Get user groups: `queryusergroups <0xrid>`
- Get the SID of a user: `lookupnames <username>`
- Get user aliases: `queryuseraliases [builtin|domain] <sid>`

```bash
# Brute-force user RIDs over a null session (one rpcclient connection per RID)
for i in $(seq 500 1100); do
    rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x' "$i")" \
        | grep -E "User Name|user_rid|group_rid" && echo ""
done
# You can also use Impacket's samrdump.py for this purpose
```

- List groups: `enumdomgroups`
- Get group details: `querygroup <0xrid>`
- Get group members: `querygroupmem <0xrid>`
- List aliases: `enumalsgroups <builtin|domain>`
- Get alias members: `queryaliasmem builtin|domain <0xrid>`
- List domains: `enumdomains`
- Get SID: `lsaquery`
- Domain info: `querydominfo`
- Enumerate all available shares: `netshareenumall`
- Info about a share: `netsharegetinfo <share>`
- Find SIDs by name: `lookupnames <username>`
- Find more SIDs: `lsaenumsid`
- RID cycling (check more SIDs): `lookupsids <sid>`
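The RID-cycling loop above opens a fresh SMB session for every RID. The Python below, added here as an example (it is not rpcclient's or HackTricks' code), batches many `queryuser` commands into a single `rpcclient -c` invocation (the `-c` option takes semicolon-separated commands and keeps going after a `NT_STATUS_NO_SUCH_USER` result), parses the output into structured records, and decodes the `acb_info` bits so disabled accounts, accounts with no password required, and machine/trust accounts stand out. It assumes `rpcclient` is on `PATH`; the host `10.129.14.128`, the RID range, and the sample output embedded in the script are constructed for illustration.

```python
"""Batched RID cycling with rpcclient plus a parser for its queryuser output.

Added example, not part of rpcclient or the original page. Assumes rpcclient
is on PATH and that the target accepts a null session (-N -U ""); pass
user='DOMAIN\\user' and a password for an authenticated session.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass

# acb_info bits (MS-SAMR USER_ACCOUNT flags) as printed in hex by queryuser
ACB_FLAGS = {
    0x0001: "DISABLED",   # account is disabled
    0x0002: "HOMDIRREQ",
    0x0004: "PWNOTREQ",   # no password required
    0x0008: "TEMPDUP",
    0x0010: "NORMAL",     # ordinary user account
    0x0020: "MNS",
    0x0040: "DOMTRUST",   # interdomain trust account
    0x0080: "WSTRUST",    # workstation (machine) account
    0x0100: "SVRTRUST",   # server (DC) trust account
    0x0200: "PWNOEXP",    # password never expires
    0x0400: "AUTOLOCK",   # account is locked out
}

# Constructed sample: two existing RIDs and one unassigned RID in a batch.
SAMPLE_OUTPUT = (
    "\tUser Name   :\tAdministrator\n"
    "\tFull Name   :\t\n"
    "\tDescription :\tBuilt-in account for administering the domain\n"
    "\tuser_rid :\t0x1f4\n"
    "\tgroup_rid:\t0x201\n"
    "\tacb_info :\t0x00000210\n"
    "result was NT_STATUS_NO_SUCH_USER\n"
    "\tUser Name   :\tjohn\n"
    "\tFull Name   :\tJohn Doe\n"
    "\tDescription :\tHelpdesk\n"
    "\tuser_rid :\t0x457\n"
    "\tgroup_rid:\t0x201\n"
    "\tacb_info :\t0x00000011\n"
)

FIELD_RE = re.compile(
    r"^\s*(User Name|Description|user_rid|group_rid|acb_info)\s*:\s*(.*?)\s*$"
)


@dataclass
class SamUser:
    name: str
    rid: int
    group_rid: int
    acb_info: int
    description: str = ""

    @property
    def flags(self) -> list[str]:
        """Names of the acb_info bits that are set, lowest bit first."""
        return [n for bit, n in sorted(ACB_FLAGS.items()) if self.acb_info & bit]


def _to_user(fields: dict) -> SamUser:
    return SamUser(
        name=fields["User Name"],
        rid=int(fields.get("user_rid", "0"), 16),
        group_rid=int(fields.get("group_rid", "0"), 16),
        acb_info=int(fields.get("acb_info", "0"), 16),
        description=fields.get("Description", ""),
    )


def parse_queryuser(output: str) -> list[SamUser]:
    """Parse the concatenated output of one or more queryuser commands.

    Each existing RID yields a block of 'Field : value' lines beginning with
    'User Name'; an unassigned RID only prints an NT_STATUS line, which is
    skipped because it matches no field."""
    users: list[SamUser] = []
    current: dict = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "User Name":          # a new block starts here
            if current:
                users.append(_to_user(current))
            current = {}
        current[key] = value
    if current:
        users.append(_to_user(current))
    return users


def rid_cycle(host: str, rids, user: str = "", password=None, batch: int = 64) -> list[SamUser]:
    """Query a RID range, issuing `batch` queryuser commands per rpcclient process."""
    if shutil.which("rpcclient") is None:
        raise RuntimeError("rpcclient not found on PATH")
    rids = list(rids)
    found: list[SamUser] = []
    for i in range(0, len(rids), batch):
        cmds = ";".join(f"queryuser 0x{r:x}" for r in rids[i:i + batch])
        auth = ["-N", "-U", user] if password is None else ["-U", f"{user}%{password}"]
        proc = subprocess.run(["rpcclient", *auth, host, "-c", cmds],
                              capture_output=True, text=True, check=False)
        found.extend(parse_queryuser(proc.stdout))
    return found


if __name__ == "__main__":
    # hypothetical host and RID range, matching the loop on this page
    for u in rid_cycle("10.129.14.128", range(500, 1100)):
        print(f"{u.name:<24} rid=0x{u.rid:x} group=0x{u.group_rid:x} {','.join(u.flags)}")
```

Batching matters because every `rpcclient` process performs a full SMB negotiation, session setup, and pipe bind before the first SAMR call; with the default batch of 64 RIDs the 600-RID sweep above needs ten connections instead of six hundred, which is also far less noise in the target's logs.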
| Command | Interface | Description |
|---|---|---|
| queryuser | SAMR | Retrieve user information |
| querygroup | SAMR | Retrieve group information |
| querydominfo | SAMR | Retrieve domain information |
| enumdomusers | SAMR | Enumerate domain users |
| enumdomgroups | SAMR | Enumerate domain groups |
| createdomuser | SAMR | Create a domain user |
| deletedomuser | SAMR | Delete a domain user |
| lookupnames | LSARPC | Convert names to SIDs |
| lookupsids | LSARPC | Convert SIDs to names (used for RID cycling) |
| lsaaddacctrights | LSARPC | Add rights to a user account |
| lsaremoveacctrights | LSARPC | Remove rights from a user account |
| dsroledominfo | LSARPC-DS | Get primary domain information |
| dsenumdomtrusts | LSARPC-DS | Enumerate trusted domains within an AD forest |

Note that `createdomuser`, `deletedomuser`, `lsaaddacctrights` and `lsaremoveacctrights` modify the target rather than enumerate it; they require privileged credentials and leave changes behind, so keep them out of a read-only assessment.
