RPC
RPCClient is a utility originally developed to test MS-RPC functionality. It has undergone several stages of development and stability. Many system administrators have now written scripts around this utility to manage Windows clients from their UNIX workstations.
Connection

```shell
# Test whether an anonymous (null) session can be opened
rpcclient -U "" -N 10.10.10.5
# Log in with a domain account (quote the argument so the shell keeps the backslash)
rpcclient --user '<DOMAIN>\<USERNAME>%<PASSWORD>' 10.10.10.5
```
OS version:

```
rpcclient $> srvinfo
10.10.10.5 Wk Sv BDC Tim NT
platform_id : 500
os version : 6.3
server type : 0x801033
```
Enumeration commands (typing `enum` and pressing Tab lists them):

```
rpcclient $> enum
enumalsgroups enumdomains enumdrivers enumkey enumprivs
enumdata enumdomgroups enumforms enumports enumtrust
enumdataex enumdomusers enumjobs enumprinter
```
Get domain:

```
rpcclient $> enumdomains
name:[xxxx] idx:[0x0]
name:[Builtin] idx:[0x0]
```
Domain enumeration:

```
rpcclient $> querydominfo
Domain : xxxx
Server : HMC_PDC-TEMP
Comment :
Total Users : 9043
Total Groups : 0
Total Aliases : 616
Sequence No : 1
Force Logoff : -1
Domain Server State : 0x1
Server Role : ROLE_DOMAIN_BDC
Unknown 3 : 0x1
```
Users enumeration:

```
rpcclient $> enumdomusers
user:[administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[TestUser1] rid:[0xc46]
user:[TestUser2] rid:[0xc47]
user:[TestUser3] rid:[0xc48]
```
Groups enumeration:

```
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Protected Users] rid:[0x20d]
group:[IT Support] rid:[0x105b]
```

Group details and members by RID:

```
rpcclient $> querygroup 0x200
Group Name: Domain Admins
Description: Designated administrators of the domain
Group Attribute:7
Num Members:5
rpcclient $> querygroupmem 0x200
rid:[0x2227] attr:[0x7]
rid:[0x3601] attr:[0x7]
rid:[0x36aa] attr:[0x7]
rid:[0x36e0] attr:[0x7]
rid:[0x3c23] attr:[0x7]
rid:[0x5528] attr:[0x7]
rid:[0x1f4] attr:[0x7]
rid:[0x363b] attr:[0x7]
rid:[0x573e] attr:[0x7]
rid:[0x56bc] attr:[0x7]
rid:[0x5e5e] attr:[0x7]
rid:[0x7fe1] attr:[0x7]
rid:[0x86d9] attr:[0x7]
rid:[0x9367] attr:[0x7]
rid:[0x829c] attr:[0x7]
rid:[0xa26e] attr:[0x7]
```
User enumeration by RID:

```
rpcclient $> queryuser 0x3601
User Name : TestUser1
Full Name : TestUser1 Proof
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Password : Passw0rd!12345
Workstations:
Comment :
Logon Time : Tue, 24 Jan 2022 19:28:14 IST
Logoff Time : Thu, 01 Jan 2022 05:30:00 IST
Kickoff Time : Thu, 14 Sep 30828 08:18:05 IST
Password last set Time : Fri, 21 Nov 2022 02:34:34 IST
Password can change Time : Fri, 21 Nov 2022 02:34:34 IST
Password must change Time: Thu, 14 Sep 30822 08:18:05 IST
```
Password Policy:

```
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000000
```
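An added Python helper (not from the original page) that post-processes the transcripts above from the defender's side: it resolves the RIDs returned by `querygroupmem` against the `enumdomusers` listing, and flags the pattern visible in the `queryuser` output, where a password was stored in the account's Description field. The sample strings are constructed from this page's output; the unresolved RID 0x3601 in the sample is deliberate.

```python
import re
# Constructed sample output, modelled on the rpcclient transcripts on this page
ENUMDOMUSERS = """\
user:[administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[TestUser1] rid:[0xc46]
"""
QUERYGROUPMEM = """\
rid:[0x1f4] attr:[0x7]
rid:[0xc46] attr:[0x7]
rid:[0x3601] attr:[0x7]
"""
QUERYUSER = """\
User Name : TestUser1
Full Name : TestUser1 Proof
Description : Password : Passw0rd!12345
Comment :
"""

USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
MEMBER_RE = re.compile(r"rid:\[(?P<rid>0x[0-9a-fA-F]+)\] attr:\[0x[0-9a-fA-F]+\]")
# Keywords that usually mark a credential left in a description or comment attribute
CRED_RE = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.IGNORECASE)

def parse_enumdomusers(text: str) -> dict[int, str]:
    """Map RID (decimal int) to account name from `enumdomusers` output."""
    return {int(m["rid"], 16): m["name"] for m in USER_RE.finditer(text)}

def parse_querygroupmem(text: str) -> list[int]:
    """Member RIDs listed by `querygroupmem`, in output order."""
    return [int(m["rid"], 16) for m in MEMBER_RE.finditer(text)]

def resolve_members(users: dict[int, str], rids: list[int]) -> list[str]:
    """Join member RIDs against the user map; a RID with no user entry
    (computer account, nested group, unlisted user) is kept in hex."""
    return [users.get(rid, f"<unresolved rid {rid:#x}>") for rid in rids]

def parse_queryuser(text: str) -> dict[str, str]:
    """Split on the first colon only, so a colon-bearing Description (as above) is kept."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def description_leaks_credential(fields: dict[str, str]) -> bool:
    """True when Description or Comment mentions a password-like keyword."""
    return any(CRED_RE.search(fields.get(k, "")) for k in ("Description", "Comment"))
```

Run the same functions over real `rpcclient` output saved to a file to audit Domain Admins membership and hunt for credentials left in description attributes.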