mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 11:03:24 +00:00
128 lines
10 KiB
Markdown
128 lines
10 KiB
Markdown
|
# rpcclient enumeration
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
<figure><img src="/.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
|
||
|
|
||
|
{% embed url="https://academy.8ksec.io/" %}
|
||
|
|
||
|
### Overview of Relative Identifiers (RID) and Security Identifiers (SID)
|
||
|
|
||
|
**Relative Identifiers (RID)** and **Security Identifiers (SID)** are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain.
|
||
|
|
||
|
- **SIDs** serve as unique identifiers for domains, ensuring that each domain is distinguishable.
|
||
|
- **RIDs** are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls.
|
||
|
|
||
|
For instance, a user named `pepe` might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (`0x457`) and decimal (`1111`) formats. This results in a complete and unique identifier for pepe within the domain like: `S-1-5-21-1074507654-1937615267-42093643874-1111`.
|
||
|
|
||
|
|
||
|
### **Enumeration with rpcclient**
|
||
|
|
||
|
The **`rpcclient`** utility from Samba is utilized for interacting with **RPC endpoints through named pipes**. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a **SMB session is established**, often necessitating credentials.
|
||
|
|
||
|
#### Server Information
|
||
|
|
||
|
* To obtain **Server Information**: `srvinfo` command is used.
|
||
|
|
||
|
#### Enumeration of Users
|
||
|
|
||
|
* **Users can be listed** using: `querydispinfo` and `enumdomusers`.
|
||
|
* **Details of a user** by: `queryuser <0xrid>`.
|
||
|
* **Groups of a user** with: `queryusergroups <0xrid>`.
|
||
|
* **A user's SID is retrieved** through: `lookupnames <username>`.
|
||
|
* **Aliases of users** by: `queryuseraliases [builtin|domain] <sid>`.
|
||
|
|
||
|
```bash
|
||
|
# Users' RIDs-forced
|
||
|
for i in $(seq 500 1100); do
|
||
|
rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
|
||
|
done
|
||
|
|
||
|
# samrdump.py can also serve this purpose
|
||
|
```
|
||
|
|
||
|
#### Enumeration of Groups
|
||
|
|
||
|
* **Groups** by: `enumdomgroups`.
|
||
|
* **Details of a group** with: `querygroup <0xrid>`.
|
||
|
* **Members of a group** through: `querygroupmem <0xrid>`.
|
||
|
|
||
|
#### Enumeration of Alias Groups
|
||
|
|
||
|
* **Alias groups** by: `enumalsgroups <builtin|domain>`.
|
||
|
* **Members of an alias group** with: `queryaliasmem builtin|domain <0xrid>`.
|
||
|
|
||
|
#### Enumeration of Domains
|
||
|
|
||
|
* **Domains** using: `enumdomains`.
|
||
|
* **A domain's SID is retrieved** through: `lsaquery`.
|
||
|
* **Domain information is obtained** by: `querydominfo`.
|
||
|
|
||
|
#### Enumeration of Shares
|
||
|
|
||
|
* **All available shares** by: `netshareenumall`.
|
||
|
* **Information about a specific share is fetched** with: `netsharegetinfo <share>`.
|
||
|
|
||
|
#### Additional Operations with SIDs
|
||
|
|
||
|
* **SIDs by name** using: `lookupnames <username>`.
|
||
|
* **More SIDs** through: `lsaenumsid`.
|
||
|
* **RID cycling to check more SIDs** is performed by: `lookupsids <sid>`.
|
||
|
|
||
|
#### **Extra commands**
|
||
|
|
||
|
| **Command** | **Interface** | **Description** |
|
||
|
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
|
||
|
| queryuser | SAMR | Retrieve user information |
|
||
|
| querygroup | Retrieve group information | |
|
||
|
| querydominfo | Retrieve domain information | |
|
||
|
| enumdomusers | Enumerate domain users | |
|
||
|
| enumdomgroups | Enumerate domain groups | |
|
||
|
| createdomuser | Create a domain user | |
|
||
|
| deletedomuser | Delete a domain user | |
|
||
|
| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
|
||
|
| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | |
|
||
|
| lsaaddacctrights | Add rights to a user account | |
|
||
|
| lsaremoveacctrights | Remove rights from a user account | |
|
||
|
| dsroledominfo | LSARPC-DS | Get primary domain information |
|
||
|
| dsenumdomtrusts | Enumerate trusted domains within an AD forest | |
|
||
|
|
||
|
To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md).
|
||
|
|
||
|
|
||
|
<figure><img src="/.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
|
||
|
|
||
|
{% embed url="https://academy.8ksec.io/" %}
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|