# RPC

rpcclient is a utility originally developed to test MS-RPC functionality. It has gone through several stages of development and is now stable enough that many system administrators have written scripts around it to manage Windows clients from their UNIX workstations.

**Connection**

```bash
# Test if an anonymous session can be opened
rpcclient -U "" -N 10.10.10.5

# Log in with a domain account (quote the argument so the shell does not eat the backslash)
rpcclient --user '<DOMAIN>\<USERNAME>%<PASSWORD>' 10.10.10.5
```

**OS version:**

```bash
rpcclient $> srvinfo
10.10.10.5    Wk Sv BDC Tim NT
platform_id     :       500
os version      :       6.3
server type     :       0x801033
```

**Enumeration:**

```bash
rpcclient $> enum

enumalsgroups  enumdomains    enumdrivers    enumkey     enumprivs
enumdata       enumdomgroups  enumforms      enumports   enumtrust
enumdataex     enumdomusers   enumjobs       enumprinter
```

**Get domain:**

```bash
rpcclient $> enumdomains
name:[xxxx] idx:[0x0]
name:[Builtin] idx:[0x0]
```

**Domain enumeration:**

```bash
rpcclient $> querydominfo
Domain               :  xxxx
Server               :  HMC_PDC-TEMP
Comment              :
Total Users          :  9043
Total Groups         :  0
Total Aliases        :  616
Sequence No          :  1
Force Logoff         : -1
Domain Server State  :  0x1
Server Role          :  ROLE_DOMAIN_BDC
Unknown 3           :    0x1
```

**Users enumeration:**

```bash
rpcclient $> enumdomusers
user:[administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[TestUser1] rid:[0xc46]
user:[TestUser2] rid:[0xc47]
user:[TestUser3] rid:[0xc48]
```

**Groups enumeration:**

```bash
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Protected Users] rid:[0x20d]
group:[IT Support] rid:[0x105b]
```

```bash
rpcclient $> querygroup 0x200
Group Name:     Domain Admins
Description:    Designated administrators of the domain
Group Attribute:7
Num Members:5
```

```bash
rpcclient $> querygroupmem 0x200
rid:[0x2227] attr:[0x7]
rid:[0x3601] attr:[0x7]
rid:[0x36aa] attr:[0x7]
rid:[0x36e0] attr:[0x7]
rid:[0x3c23] attr:[0x7]
rid:[0x5528] attr:[0x7]
rid:[0x1f4]  attr:[0x7]
rid:[0x363b] attr:[0x7]
rid:[0x573e] attr:[0x7]
rid:[0x56bc] attr:[0x7]
rid:[0x5e5e] attr:[0x7]
rid:[0x7fe1] attr:[0x7]
rid:[0x86d9] attr:[0x7]
rid:[0x9367] attr:[0x7]
rid:[0x829c] attr:[0x7]
rid:[0xa26e] attr:[0x7]
```

**User enumeration by RID:**

```bash
rpcclient $> queryuser 0x3601
User Name   :   TestUser1
Full Name   :   TestUser1 Proof
Home Drive  :
Dir Drive   :
Profile Path:
Logon Script:
Description :   Password : Passw0rd!12345
Workstations:
Comment     :
Logon Time               :      Tue, 24 Jan 2022 19:28:14 IST
Logoff Time              :      Thu, 01 Jan 2022 05:30:00 IST
Kickoff Time             :      Thu, 14 Sep 30828 08:18:05 IST
Password last set Time   :      Fri, 21 Nov 2022 02:34:34 IST
Password can change Time :      Fri, 21 Nov 2022 02:34:34 IST
Password must change Time:      Thu, 14 Sep 30822 08:18:05 IST
```
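As an added example (not from the page or the rpcclient project), the following Python joins the `enumdomusers` listing with the RIDs returned by `querygroupmem 0x200` to name the Domain Admins, and parses `queryuser` output to flag accounts whose Description or Comment field carries a password, as in the listing above. The sample output is constructed to mirror the page's listings, not captured from a real host.

```python
import re

# Constructed sample output in the same layout as the rpcclient listings on this page.
ENUMDOMUSERS = """\
user:[administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[TestUser1] rid:[0x3601]
user:[TestUser2] rid:[0xc47]
"""
QUERYGROUPMEM = """\
rid:[0x3601] attr:[0x7]
rid:[0x1f4]  attr:[0x7]
rid:[0x9367] attr:[0x7]
"""
QUERYUSER = """\
User Name   :   TestUser1
Full Name   :   TestUser1 Proof
Description :   Password : Passw0rd!12345
Comment     :
Password last set Time   :      Fri, 21 Nov 2022 02:34:34 IST
"""

USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
MEMBER_RE = re.compile(r"rid:\[(?P<rid>0x[0-9a-fA-F]+)\]\s+attr:\[0x[0-9a-fA-F]+\]")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")
SECRET_HINT = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)

def parse_enumdomusers(text):
    """Map RID (int) -> username from `enumdomusers` output."""
    return {int(m["rid"], 16): m["name"] for m in USER_RE.finditer(text)}

def parse_querygroupmem(text):
    """List member RIDs (int) from `querygroupmem` output, in listing order."""
    return [int(m["rid"], 16) for m in MEMBER_RE.finditer(text)]

def resolve_members(users, member_rids):
    """(name, rid) per member; RIDs missing from the user listing are kept, not dropped."""
    return [(users.get(rid, f"<unresolved rid {rid:#x}>"), rid) for rid in member_rids]

def parse_queryuser(text):
    """Split `queryuser` output into a field dict; values may themselves contain ':'."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields

def description_leaks_secret(fields):
    """True when the free-text Description or Comment looks like it stores a credential."""
    return any(SECRET_HINT.search(fields.get(k, "")) for k in ("Description", "Comment"))
```

Run over real output, the unresolved-RID placeholder points at members that `enumdomusers` did not list (for example a RID filtered by the server), which is worth checking rather than ignoring.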

**Password Policy:**

```bash
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000000
```

## References

{% embed url="https://www.hackingarticles.in/active-directory-enumeration-rpcclient/" %}

{% embed url="https://bitvijays.github.io/LFF-IPS-P3-Exploitation.html" %}
