Swahili - Ht
HackTricks Training Twitter Linkedin Sponsor

rpcclient enumeration

Support HackTricks

Try Hard Security Group

Overview of Relative Identifiers (RID) and Security Identifiers (SID)

Relative Identifiers (RID) na Security Identifiers (SID) ni sehemu muhimu katika mifumo ya uendeshaji ya Windows kwa ajili ya kutambulisha na kusimamia vitu, kama watumiaji na vikundi, ndani ya eneo la mtandao.

  • SIDs hutumikia kama vitambulisho vya kipekee kwa maeneo, kuhakikisha kwamba kila eneo linaweza kutambulika.

  • RIDs huongezwa kwa SIDs ili kuunda vitambulisho vya kipekee kwa vitu ndani ya maeneo hayo. Mchanganyiko huu unaruhusu kufuatilia na kusimamia ruhusa za vitu na udhibiti wa ufikiaji kwa usahihi.

Kwa mfano, mtumiaji anayeitwa pepe anaweza kuwa na kitambulisho cha kipekee kinachounganisha SID ya eneo na RID yake maalum, kinachowakilishwa kwa mifumo ya hexadecimal (0x457) na decimal (1111). Hii inasababisha kitambulisho kamili na cha kipekee kwa pepe ndani ya eneo kama: S-1-5-21-1074507654-1937615267-42093643874-1111.

Enumeration with rpcclient

Zana ya rpcclient kutoka Samba inatumika kwa ajili ya kuingiliana na RPC endpoints kupitia mabomba yaliyopewa majina. Amri zilizo hapa chini zinaweza kutolewa kwa interfaces za SAMR, LSARPC, na LSARPC-DS baada ya sehemu ya SMB kuanzishwa, mara nyingi ikihitaji akidi.

Server Information

  • Ili kupata Taarifa za Server: amri ya srvinfo inatumika.

Enumeration of Users

  • Watumiaji wanaweza kuorodheshwa kwa kutumia: querydispinfo na enumdomusers.

  • Maelezo ya mtumiaji kwa: queryuser <0xrid>.

  • Vikundi vya mtumiaji kwa: queryusergroups <0xrid>.

  • SID ya mtumiaji inapatikana kupitia: lookupnames <username>.

  • Majina ya watumiaji kwa: queryuseraliases [builtin|domain] <sid>.

# Users' RIDs-forced
for i in $(seq 500 1100); do
rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done

# samrdump.py can also serve this purpose

Enumeration of Groups

  • Groups by: enumdomgroups.

  • Details of a group with: querygroup <0xrid>.

  • Members of a group through: querygroupmem <0xrid>.

Enumeration of Alias Groups

  • Alias groups by: enumalsgroups <builtin|domain>.

  • Members of an alias group with: queryaliasmem builtin|domain <0xrid>.

Enumeration of Domains

  • Domains using: enumdomains.

  • A domain's SID is retrieved through: lsaquery.

  • Domain information is obtained by: querydominfo.

Enumeration of Shares

  • All available shares by: netshareenumall.

  • Information about a specific share is fetched with: netsharegetinfo <share>.

Additional Operations with SIDs

  • SIDs by name using: lookupnames <username>.

  • More SIDs through: lsaenumsid.

  • RID cycling to check more SIDs is performed by: lookupsids <sid>.

Extra commands

Command

Interface

Description

queryuser

SAMR

Retrieve user information

querygroup

Retrieve group information

querydominfo

Retrieve domain information

enumdomusers

Enumerate domain users

enumdomgroups

Enumerate domain groups

createdomuser

Create a domain user

deletedomuser

Delete a domain user

lookupnames

LSARPC

Look up usernames to SIDa values

lookupsids

Look up SIDs to usernames (RIDb cycling)

lsaaddacctrights

Add rights to a user account

lsaremoveacctrights

Remove rights from a user account

dsroledominfo

LSARPC-DS

Get primary domain information

dsenumdomtrusts

Enumerate trusted domains within an AD forest

To understand better how the tools samrdump and rpcdump works you should read Pentesting MSRPC.

Try Hard Security Group

Support HackTricks
Previous139,445 - Pentesting SMBNext143,993 - Pentesting IMAP

Last updated