RPC
RPCClient is a utility originally developed to test MS-RPC functionality. It has undergone several stages of development and stability. Many system administrators have now written scripts around this utility to manage Windows clients from their UNIX workstations.
Connection
# Test if an anonymous session can be opened
rpcclient -U "" -N 10.10.10.5
# Log in with a domain account
rpcclient --user <DOMAIN>\<USERNAME>%<PASSWORD> 10.10.10.5OS version:
rpcclient $> srvinfo
10.10.10.5 Wk Sv BDC Tim NT
platform_id : 500
os version : 6.3
server type : 0x801033Enumeration :
rpcclient $> enum
enumalsgroups enumdomains enumdrivers enumkey enumprivs
enumdata enumdomgroups enumforms enumports enumtrust
enumdataex enumdomusers enumjobs enumprinterGet domain:
enumdomains
name:[xxxx] idx:[0x0]
name:[Builtin] idx:[0x0]Domain enumeration:
rpcclient $> querydominfo
Domain : xxxx
Server : HMC_PDC-TEMP
Comment :
Total Users : 9043
Total Groups : 0
Total Aliases : 616
Sequence No : 1
Force Logoff : -1
Domain Server State : 0x1
Server Role : ROLE_DOMAIN_BDC
Unknown 3 : 0x1Users enumeration :
rpcclient $> enumdomusers
user:[administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[TestUser1] rid:[0xc46]
user:[TestUser2] rid:[0xc47]
user:[TestUser3] rid:[0xc48]Groups enumeration:
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Protected Users] rid:[0x20d]
group:[IT Support] rid:[0x105b]rpcclient $> querygroup 0x200
Group Name: Domain Admins
Description: Designated administrators of the domain
Group Attribute:7
Num Members:5rpcclient $> querygroupmem 0x200
rid:[0x2227] attr:[0x7]
rid:[0x3601] attr:[0x7]
rid:[0x36aa] attr:[0x7]
rid:[0x36e0] attr:[0x7]
rid:[0x3c23] attr:[0x7]
rid:[0x5528] attr:[0x7]
rid:[0x1f4] attr:[0x7]
rid:[0x363b] attr:[0x7]
rid:[0x573e] attr:[0x7]
rid:[0x56bc] attr:[0x7]
rid:[0x5e5e] attr:[0x7]
rid:[0x7fe1] attr:[0x7]
rid:[0x86d9] attr:[0x7]
rid:[0x9367] attr:[0x7]
rid:[0x829c] attr:[0x7]
rid:[0xa26e] attr:[0x7]User enumeration by RID:
rpcclient $> queryuser 0x3601
User Name : TestUser1
Full Name : TestUser1 Proof
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Password : Passw0rd!12345
Workstations:
Comment :
Logon Time : Tue, 24 Jan 2022 19:28:14 IST
Logoff Time : Thu, 01 Jan 2022 05:30:00 IST
Kickoff Time : Thu, 14 Sep 30828 08:18:05 IST
Password last set Time : Fri, 21 Nov 2022 02:34:34 IST
Password can change Time : Fri, 21 Nov 2022 02:34:34 IST
Password must change Time: Thu, 14 Sep 30822 08:18:05 ISTPassword Policy:
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000000References
Last updated
Was this helpful?