rpcclient enumeration
Relative Identifiers (RIDs) and Security Identifiers (SIDs) are key components of Windows operating systems for identifying and managing objects, such as users and groups, within a network domain.
SIDs serve as unique identifiers for domains, ensuring that each domain can be distinguished.
RIDs are appended to SIDs to form unique identifiers for objects within those domains. This combination allows the permissions and access controls of objects to be tracked and managed precisely.
For example, a user named pepe might have a unique identifier that joins the domain's SID to his own RID, which can be written in hexadecimal (0x457) or decimal (1111). This yields a complete, unique identifier for pepe within the domain such as: S-1-5-21-1074507654-1937615267-42093643874-1111.
The rpcclient tool from Samba is used to interact with RPC endpoints through named pipes. The commands below can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces once an SMB session has been established, which usually requires credentials.
To obtain server information: the srvinfo command is used.
Users can be enumerated with: querydispinfo and enumdomusers.
User details with: queryuser <0xrid>.
A user's groups with: queryusergroups <0xrid>.
A user's SID is obtained via: lookupnames <username>.
User aliases with: queryuseraliases [builtin|domain] <sid>.
Groups by: enumdomgroups.
Details of a group with: querygroup <0xrid>.
Members of a group through: querygroupmem <0xrid>.
Alias groups by: enumalsgroups <builtin|domain>.
Members of an alias group with: queryaliasmem builtin|domain <0xrid>.
Domains using: enumdomains.
A domain's SID is retrieved through: lsaquery.
Domain information is obtained by: querydominfo.
All available shares by: netshareenumall.
Information about a specific share is fetched with: netsharegetinfo <share>.
SIDs by name using: lookupnames <username>.
More SIDs through: lsaenumsid.
RID cycling to check more SIDs is performed by: lookupsids <sid>.
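The following Python is an added example, not code from the original page or from Samba. It ties together the SID/RID section and the enumeration commands above: it parses the output format of rpcclient's enumdomusers command (one `user:[<name>] rid:[0x<hex>]` line per account), converts each RID between the hexadecimal form that queryuser/querygroup expect and the decimal form that appears in a full SID, rebuilds the account SID from the domain SID, and flags accounts sitting at well-known built-in RIDs (500, 501, 502, 512, ...). The sample enumdomusers output and the domain SID are constructed for the example; nothing here was captured from a real host. Function names and the WELL_KNOWN_RIDS table are this example's own.

```python
import re

# Constructed sample of rpcclient "enumdomusers" output (not captured from a real host).
# Samba's rpcclient prints one "user:[<name>] rid:[0x<hex>]" line per account.
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[pepe] rid:[0x457]
"""

# Constructed domain SID (the sub-authorities are placeholders, not a real domain).
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# One enumdomusers line: the name is inside the first brackets, the hex RID inside the second.
ENUMDOMUSERS_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
# Minimal SID syntax check: "S-1-<authority>" followed by one or more decimal sub-authorities.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known domain RIDs: an account at one of these RIDs is built in, not admin-created.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_enumdomusers(output):
    """Parse enumdomusers output into a list of (username, rid) with the RID as an int."""
    users = []
    for line in output.splitlines():
        m = ENUMDOMUSERS_RE.search(line)
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def build_sid(domain_sid, rid):
    """Append a RID (decimal) to a domain SID, giving the account's full SID."""
    if not SID_RE.match(domain_sid):
        raise ValueError(f"not a SID: {domain_sid!r}")
    return f"{domain_sid}-{rid}"


def split_sid(sid):
    """Split a full account SID into (domain_sid, rid); the RID is the last sub-authority."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def rid_to_hex(rid):
    """rpcclient's queryuser/querygroup/querygroupmem take the RID as 0x-prefixed hex."""
    return f"0x{rid:x}"


def summarize(output, domain_sid):
    """Rows of (name, hex RID, full SID, well-known label or None) from enumdomusers output."""
    rows = []
    for name, rid in parse_enumdomusers(output):
        rows.append((name, rid_to_hex(rid), build_sid(domain_sid, rid), WELL_KNOWN_RIDS.get(rid)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_ENUMDOMUSERS, SAMPLE_DOMAIN_SID):
        print(row)
```

The domain SID would normally come from lsaquery; the well-known-RID column lets a reviewer separate built-in accounts from ones an administrator created, which is usually the first thing to check when auditing an enumeration result.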
| Command | Interface | Description |
|---|---|---|
| queryuser | SAMR | Retrieve user information |
| querygroup | SAMR | Retrieve group information |
| querydominfo | SAMR | Retrieve domain information |
| enumdomusers | SAMR | Enumerate domain users |
| enumdomgroups | SAMR | Enumerate domain groups |
| createdomuser | SAMR | Create a domain user |
| deletedomuser | SAMR | Delete a domain user |
| lookupnames | LSARPC | Look up usernames to SID values |
| lookupsids | LSARPC | Look up SIDs to usernames (RID cycling) |
| lsaaddacctrights | LSARPC | Add rights to a user account |
| lsaremoveacctrights | LSARPC | Remove rights from a user account |
| dsroledominfo | LSARPC-DS | Get primary domain information |
| dsenumdomtrusts | LSARPC-DS | Enumerate trusted domains within an AD forest |
To understand better how the tools samrdump and rpcdump work, you should read Pentesting MSRPC.