hacktricks/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md

# rpcclient enumeration

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### Overview of Relative Identifiers (RID) and Security Identifiers (SID)

**Relative Identifiers (RID)** and **Security Identifiers (SID)** are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain. 

- **SIDs** serve as unique identifiers for domains, ensuring that each domain is distinguishable.
- **RIDs** are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls.

For instance, a user named `pepe` might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (`0x457`) and decimal (`1111`) formats. This results in a complete and unique identifier for pepe within the domain like: `S-1-5-21-1074507654-1937615267-42093643874-1111`.


### **Enumeration with rpcclient**

The **`rpcclient`** utility from Samba is utilized for interacting with **RPC endpoints through named pipes**. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a **SMB session is established**, often necessitating credentials.

#### Server Information

* To obtain **Server Information**: `srvinfo` command is used.

#### Enumeration of Users

* **Users can be listed** using: `querydispinfo` and `enumdomusers`.
* **Details of a user** by: `queryuser <0xrid>`.
* **Groups of a user** with: `queryusergroups <0xrid>`.
* **A user's SID is retrieved** through: `lookupnames <username>`.
* **Aliases of users** by: `queryuseraliases [builtin|domain] <sid>`.

```bash
# Users' RIDs-forced
for i in $(seq 500 1100); do
    rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done

# samrdump.py can also serve this purpose
```

#### Enumeration of Groups

* **Groups** by: `enumdomgroups`.
* **Details of a group** with: `querygroup <0xrid>`.
* **Members of a group** through: `querygroupmem <0xrid>`.

#### Enumeration of Alias Groups

* **Alias groups** by: `enumalsgroups <builtin|domain>`.
* **Members of an alias group** with: `queryaliasmem builtin|domain <0xrid>`.

#### Enumeration of Domains

* **Domains** using: `enumdomains`.
* **A domain's SID is retrieved** through: `lsaquery`.
* **Domain information is obtained** by: `querydominfo`.

#### Enumeration of Shares

* **All available shares** by: `netshareenumall`.
* **Information about a specific share is fetched** with: `netsharegetinfo <share>`.

#### Additional Operations with SIDs

* **SIDs by name** using: `lookupnames <username>`.
* **More SIDs** through: `lsaenumsid`.
* **RID cycling to check more SIDs** is performed by: `lookupsids <sid>`.

#### **Extra commands**

| **Command**         | **Interface**                                                                                                                                     | **Description**                                                                                                                           |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| queryuser           | SAMR                                                                                                                                              | Retrieve user information                                                                                                                 |
| querygroup          | Retrieve group information                                                                                                                        |                                                                                                                                           |
| querydominfo        | Retrieve domain information                                                                                                                       |                                                                                                                                           |
| enumdomusers        | Enumerate domain users                                                                                                                            |                                                                                                                                           |
| enumdomgroups       | Enumerate domain groups                                                                                                                           |                                                                                                                                           |
| createdomuser       | Create a domain user                                                                                                                              |                                                                                                                                           |
| deletedomuser       | Delete a domain user                                                                                                                              |                                                                                                                                           |
| lookupnames         | LSARPC                                                                                                                                            | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
| lookupsids          | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) |                                                                                                                                           |
| lsaaddacctrights    | Add rights to a user account                                                                                                                      |                                                                                                                                           |
| lsaremoveacctrights | Remove rights from a user account                                                                                                                 |                                                                                                                                           |
| dsroledominfo       | LSARPC-DS                                                                                                                                         | Get primary domain information                                                                                                            |
| dsenumdomtrusts     | Enumerate trusted domains within an AD forest                                                                                                     |                                                                                                                                           |

To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md).

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00			`# rpcclient enumeration`

a 2024-07-18 23:15:55 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00			`<details>`

a 2024-07-18 23:15:55 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-07-18 23:15:55 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
			`</details>`
a 2024-07-18 23:15:55 +00:00			`{% endhint %}`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-08 21:36:15 +00:00			`### Overview of Relative Identifiers (RID) and Security Identifiers (SID)`
GitBook: [#3559] No subject 2022-10-04 23:49:59 +00:00
a 2024-02-08 21:36:15 +00:00			`Relative Identifiers (RID) and Security Identifiers (SID) are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain.`

			`- SIDs serve as unique identifiers for domains, ensuring that each domain is distinguishable.`
			`- RIDs are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls.`

			For instance, a user named `pepe` might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (`0x457`) and decimal (`1111`) formats. This results in a complete and unique identifier for pepe within the domain like: `S-1-5-21-1074507654-1937615267-42093643874-1111`.
GitBook: [#3559] No subject 2022-10-04 23:49:59 +00:00

			`### Enumeration with rpcclient`

a 2024-02-05 02:28:59 +00:00			The `rpcclient` utility from Samba is utilized for interacting with RPC endpoints through named pipes. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a SMB session is established, often necessitating credentials.
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			`#### Server Information`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			* To obtain Server Information: `srvinfo` command is used.
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			`#### Enumeration of Users`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			* Users can be listed using: `querydispinfo` and `enumdomusers`.
			* Details of a user by: `queryuser <0xrid>`.
			* Groups of a user with: `queryusergroups <0xrid>`.
			* A user's SID is retrieved through: `lookupnames <username>`.
			* Aliases of users by: `queryuseraliases [builtin\|domain] <sid>`.
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
			```bash
a 2024-02-05 02:28:59 +00:00			`# Users' RIDs-forced`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00			`for i in $(seq 500 1100); do`
a 2024-02-05 02:28:59 +00:00			`rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" \| grep "User Name\\|user_rid\\|group_rid" && echo "";`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00			`done`

a 2024-02-05 02:28:59 +00:00			`# samrdump.py can also serve this purpose`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00			```

a 2024-02-05 02:28:59 +00:00			`#### Enumeration of Groups`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			* Groups by: `enumdomgroups`.
			* Details of a group with: `querygroup <0xrid>`.
			* Members of a group through: `querygroupmem <0xrid>`.
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			`#### Enumeration of Alias Groups`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			* Alias groups by: `enumalsgroups <builtin\|domain>`.
			* Members of an alias group with: `queryaliasmem builtin\|domain <0xrid>`.
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			`#### Enumeration of Domains`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			* Domains using: `enumdomains`.
			* A domain's SID is retrieved through: `lsaquery`.
			* Domain information is obtained by: `querydominfo`.
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			`#### Enumeration of Shares`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			* All available shares by: `netshareenumall`.
			* Information about a specific share is fetched with: `netsharegetinfo <share>`.
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			`#### Additional Operations with SIDs`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-02-05 02:28:59 +00:00			* SIDs by name using: `lookupnames <username>`.
			* More SIDs through: `lsaenumsid`.
			* RID cycling to check more SIDs is performed by: `lookupsids <sid>`.
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
			`#### Extra commands`

			`\| Command \| Interface \| Description \|`
			`\| ------------------- \| ------------------------------------------------------------------------------------------------------------------------------------------------- \| ----------------------------------------------------------------------------------------------------------------------------------------- \|`
			`\| queryuser \| SAMR \| Retrieve user information \|`
			`\| querygroup \| Retrieve group information \| \|`
			`\| querydominfo \| Retrieve domain information \| \|`
			`\| enumdomusers \| Enumerate domain users \| \|`
			`\| enumdomgroups \| Enumerate domain groups \| \|`
			`\| createdomuser \| Create a domain user \| \|`
			`\| deletedomuser \| Delete a domain user \| \|`
			`\| lookupnames \| LSARPC \| Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values \|`
			`\| lookupsids \| Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) \| \|`
			`\| lsaaddacctrights \| Add rights to a user account \| \|`
			`\| lsaremoveacctrights \| Remove rights from a user account \| \|`
			`\| dsroledominfo \| LSARPC-DS \| Get primary domain information \|`
			`\| dsenumdomtrusts \| Enumerate trusted domains within an AD forest \| \|`

			`To understand better how the tools _samrdump_ and _rpcdump_ works you should read [Pentesting MSRPC](../135-pentesting-msrpc.md).`

a 2024-07-18 23:15:55 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00			`<details>`

a 2024-07-18 23:15:55 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
a 2024-07-18 23:15:55 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3557] No subject 2022-10-04 21:36:29 +00:00
			`</details>`
a 2024-07-18 23:15:55 +00:00			`{% endhint %}`