# rpcclient enumeration {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} **Try Hard Security Group**
{% embed url="https://discord.gg/tryhardsecurity" %} *** ### Overview of Relative Identifiers (RID) and Security Identifiers (SID) **Relative Identifiers (RID)** and **Security Identifiers (SID)** are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain. - **SIDs** serve as unique identifiers for domains, ensuring that each domain is distinguishable. - **RIDs** are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls. For instance, a user named `pepe` might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (`0x457`) and decimal (`1111`) formats. This results in a complete and unique identifier for pepe within the domain like: `S-1-5-21-1074507654-1937615267-42093643874-1111`. ### **Enumeration with rpcclient** The **`rpcclient`** utility from Samba is utilized for interacting with **RPC endpoints through named pipes**. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a **SMB session is established**, often necessitating credentials. #### Server Information * To obtain **Server Information**: `srvinfo` command is used. #### Enumeration of Users * **Users can be listed** using: `querydispinfo` and `enumdomusers`. * **Details of a user** by: `queryuser <0xrid>`. * **Groups of a user** with: `queryusergroups <0xrid>`. * **A user's SID is retrieved** through: `lookupnames `. * **Aliases of users** by: `queryuseraliases [builtin|domain] `. ```bash # Users' RIDs-forced for i in $(seq 500 1100); do rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; done # samrdump.py can also serve this purpose ``` #### Enumeration of Groups * **Groups** by: `enumdomgroups`. * **Details of a group** with: `querygroup <0xrid>`. * **Members of a group** through: `querygroupmem <0xrid>`. #### Enumeration of Alias Groups * **Alias groups** by: `enumalsgroups `. * **Members of an alias group** with: `queryaliasmem builtin|domain <0xrid>`. #### Enumeration of Domains * **Domains** using: `enumdomains`. * **A domain's SID is retrieved** through: `lsaquery`. * **Domain information is obtained** by: `querydominfo`. #### Enumeration of Shares * **All available shares** by: `netshareenumall`. * **Information about a specific share is fetched** with: `netsharegetinfo `. #### Additional Operations with SIDs * **SIDs by name** using: `lookupnames `. * **More SIDs** through: `lsaenumsid`. * **RID cycling to check more SIDs** is performed by: `lookupsids `. #### **Extra commands** | **Command** | **Interface** | **Description** | | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | | queryuser | SAMR | Retrieve user information | | querygroup | Retrieve group information | | | querydominfo | Retrieve domain information | | | enumdomusers | Enumerate domain users | | | enumdomgroups | Enumerate domain groups | | | createdomuser | Create a domain user | | | deletedomuser | Delete a domain user | | | lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values | | lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | | | lsaaddacctrights | Add rights to a user account | | | lsaremoveacctrights | Remove rights from a user account | | | dsroledominfo | LSARPC-DS | Get primary domain information | | dsenumdomtrusts | Enumerate trusted domains within an AD forest | | To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md). **Try Hard Security Group**
{% embed url="https://discord.gg/tryhardsecurity" %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}