hacktricks/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md

# rpcclient enumeration

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

***

### **What is a RID**

A [Relative Identifier (RID)](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) is a **unique identifier** (represented in hexadecimal format) utilized by Windows to **track and identify objects**. To explain how this fits in, let's look at the examples below:

* The [SID](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) for the NAME\_DOMAIN.LOCAL domain is: `S-1-5-21-1038751438-1834703946-36937684957`.
* When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
* So the domain user `john` with a RID:\[0x457] Hex 0x457 would = decimal `1111`, will have a full user SID of: `S-1-5-21-1038751438-1834703946-36937684957-1111`.
* This is unique to the `john` object in the NAME\_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.

Definition from [**here**](https://academy.hackthebox.com/module/143/section/1269).

### **Enumeration with rpcclient**

The **`rpcclient`** utility from Samba is utilized for interacting with **RPC endpoints through named pipes**. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a **SMB session is established**, often necessitating credentials.

#### Server Information

* To obtain **Server Information**: `srvinfo` command is used.

#### Enumeration of Users

* **Users can be listed** using: `querydispinfo` and `enumdomusers`.
* **Details of a user** by: `queryuser <0xrid>`.
* **Groups of a user** with: `queryusergroups <0xrid>`.
* **A user's SID is retrieved** through: `lookupnames <username>`.
* **Aliases of users** by: `queryuseraliases [builtin|domain] <sid>`.

```bash
# Users' RIDs-forced
for i in $(seq 500 1100); do
    rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done

# samrdump.py can also serve this purpose
```

#### Enumeration of Groups

* **Groups** by: `enumdomgroups`.
* **Details of a group** with: `querygroup <0xrid>`.
* **Members of a group** through: `querygroupmem <0xrid>`.

#### Enumeration of Alias Groups

* **Alias groups** by: `enumalsgroups <builtin|domain>`.
* **Members of an alias group** with: `queryaliasmem builtin|domain <0xrid>`.

#### Enumeration of Domains

* **Domains** using: `enumdomains`.
* **A domain's SID is retrieved** through: `lsaquery`.
* **Domain information is obtained** by: `querydominfo`.

#### Enumeration of Shares

* **All available shares** by: `netshareenumall`.
* **Information about a specific share is fetched** with: `netsharegetinfo <share>`.

#### Additional Operations with SIDs

* **SIDs by name** using: `lookupnames <username>`.
* **More SIDs** through: `lsaenumsid`.
* **RID cycling to check more SIDs** is performed by: `lookupsids <sid>`.

#### **Extra commands**

| **Command**         | **Interface**                                                                                                                                     | **Description**                                                                                                                           |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| queryuser           | SAMR                                                                                                                                              | Retrieve user information                                                                                                                 |
| querygroup          | Retrieve group information                                                                                                                        |                                                                                                                                           |
| querydominfo        | Retrieve domain information                                                                                                                       |                                                                                                                                           |
| enumdomusers        | Enumerate domain users                                                                                                                            |                                                                                                                                           |
| enumdomgroups       | Enumerate domain groups                                                                                                                           |                                                                                                                                           |
| createdomuser       | Create a domain user                                                                                                                              |                                                                                                                                           |
| deletedomuser       | Delete a domain user                                                                                                                              |                                                                                                                                           |
| lookupnames         | LSARPC                                                                                                                                            | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
| lookupsids          | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) |                                                                                                                                           |
| lsaaddacctrights    | Add rights to a user account                                                                                                                      |                                                                                                                                           |
| lsaremoveacctrights | Remove rights from a user account                                                                                                                 |                                                                                                                                           |
| dsroledominfo       | LSARPC-DS                                                                                                                                         | Get primary domain information                                                                                                            |
| dsenumdomtrusts     | Enumerate trusted domains within an AD forest                                                                                                     |                                                                                                                                           |

To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md).

<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}


<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>