rpcclient enumeration
Relative Identifiers (RIDs) and Security Identifiers (SIDs) are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain.

SIDs serve as unique identifiers for domains, ensuring that each domain is distinguishable. RIDs are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls.

For instance, a user named pepe might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (0x457) and decimal (1111) formats. This results in a complete and unique identifier for pepe within the domain like: S-1-5-21-1074507654-1937615267-42093643874-1111.
The rpcclient utility from Samba is used to interact with RPC endpoints through named pipes. The commands below can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces once an SMB session is established, which usually requires credentials.
- Server information: srvinfo
- List users: querydispinfo and enumdomusers
- Details of a user: queryuser <0xrid>
- Groups of a user: queryusergroups <0xrid>
- A user's SID: lookupnames <username>
- Aliases of a user: queryuseraliases [builtin|domain] <sid>
- Groups: enumdomgroups
- Details of a group: querygroup <0xrid>
- Members of a group: querygroupmem <0xrid>
- Alias groups: enumalsgroups <builtin|domain>
- Members of an alias group: queryaliasmem builtin|domain <0xrid>
- Domains: enumdomains
- The domain's SID: lsaquery
- Domain information: querydominfo
- All available shares: netshareenumall
- Information about a specific share: netsharegetinfo <share>
- SIDs by name: lookupnames <username>
- More SIDs: lsaenumsid
- RID cycling to check more SIDs: lookupsids <sid>
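The SID/RID composition described above, applied to the output of two of the commands just listed (lsaquery and enumdomusers), as an added example that is not part of the original page. The sample output is constructed in the format rpcclient prints, with a made-up domain SID whose sub-authorities all fit in 32 bits (the SID quoted earlier on this page does not), so the parser's range check is exercised.

```python
import re

# Constructed sample output in rpcclient's format (not captured from a real host).
LSAQUERY_OUTPUT = """Domain Name: CORP
Domain Sid: S-1-5-21-1074507654-1937615267-2093643874
"""
ENUMDOMUSERS_OUTPUT = """user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[pepe] rid:[0x457]
"""

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")


def parse_sid(sid):
    """Split a textual SID into (identifier authority, [sub-authorities]).

    Each sub-authority is a 32-bit unsigned value; anything larger is rejected
    so that a mistyped SID is caught before it is used for lookups."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    for s in subs:
        if s > 0xFFFFFFFF:
            raise ValueError(f"sub-authority {s} does not fit in 32 bits: {sid!r}")
    return authority, subs


def domain_sid_from_lsaquery(output):
    """Pull the 'Domain Sid:' line out of lsaquery output and validate it."""
    for line in output.splitlines():
        if line.startswith("Domain Sid:"):
            sid = line.split(":", 1)[1].strip()
            parse_sid(sid)
            return sid
    raise ValueError("no 'Domain Sid:' line in lsaquery output")


def parse_enumdomusers(output):
    """Return {username: rid} from enumdomusers output; rpcclient prints RIDs in hex."""
    return {m["name"]: int(m["rid"], 16) for m in USER_RE.finditer(output)}


def user_sids(domain_sid, users):
    """Append each decimal RID to the domain SID to form the account's full SID."""
    return {name: f"{domain_sid}-{rid}" for name, rid in users.items()}
```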
| Command | Interface | Description |
|---|---|---|
| queryuser | SAMR | Retrieve user information |
| querygroup | SAMR | Retrieve group information |
| querydominfo | SAMR | Retrieve domain information |
| enumdomusers | SAMR | Enumerate domain users |
| enumdomgroups | SAMR | Enumerate domain groups |
| createdomuser | SAMR | Create a domain user |
| deletedomuser | SAMR | Delete a domain user |
| lsaaddacctrights | LSARPC | Add rights to a user account |
| lsaremoveacctrights | LSARPC | Remove rights from a user account |
| dsroledominfo | LSARPC-DS | Get primary domain information |
| dsenumdomtrusts | LSARPC-DS | Enumerate trusted domains within an AD forest |
To better understand how the tools samrdump and rpcdump work, you should read Pentesting MSRPC.