hacktricks/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md
Carlos Polop 10a3b640d6 a
2024-02-08 04:08:28 +01:00

12 KiB

rpcclient enumeration

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}


What is a RID

A Relative Identifier (RID) is a unique identifier (represented in hexadecimal format) utilized by Windows to track and identify objects. To explain how this fits in, let's look at the examples below:

  • The SID for the NAME_DOMAIN.LOCAL domain is: S-1-5-21-1038751438-1834703946-36937684957.
  • When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
  • So the domain user john with a RID:[0x457] Hex 0x457 would = decimal 1111, will have a full user SID of: S-1-5-21-1038751438-1834703946-36937684957-1111.
  • This is unique to the john object in the NAME_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.

Definition from here.

Enumeration with rpcclient

The rpcclient utility from Samba is utilized for interacting with RPC endpoints through named pipes. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a SMB session is established, often necessitating credentials.

Server Information

  • To obtain Server Information: srvinfo command is used.

Enumeration of Users

  • Users can be listed using: querydispinfo and enumdomusers.
  • Details of a user by: queryuser <0xrid>.
  • Groups of a user with: queryusergroups <0xrid>.
  • A user's SID is retrieved through: lookupnames <username>.
  • Aliases of users by: queryuseraliases [builtin|domain] <sid>.
# Users' RIDs-forced
for i in $(seq 500 1100); do
    rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done

# samrdump.py can also serve this purpose

Enumeration of Groups

  • Groups by: enumdomgroups.
  • Details of a group with: querygroup <0xrid>.
  • Members of a group through: querygroupmem <0xrid>.

Enumeration of Alias Groups

  • Alias groups by: enumalsgroups <builtin|domain>.
  • Members of an alias group with: queryaliasmem builtin|domain <0xrid>.

Enumeration of Domains

  • Domains using: enumdomains.
  • A domain's SID is retrieved through: lsaquery.
  • Domain information is obtained by: querydominfo.

Enumeration of Shares

  • All available shares by: netshareenumall.
  • Information about a specific share is fetched with: netsharegetinfo <share>.

Additional Operations with SIDs

  • SIDs by name using: lookupnames <username>.
  • More SIDs through: lsaenumsid.
  • RID cycling to check more SIDs is performed by: lookupsids <sid>.

Extra commands

Command Interface Description
queryuser SAMR Retrieve user information
querygroup Retrieve group information
querydominfo Retrieve domain information
enumdomusers Enumerate domain users
enumdomgroups Enumerate domain groups
createdomuser Create a domain user
deletedomuser Delete a domain user
lookupnames LSARPC Look up usernames to SIDa values
lookupsids Look up SIDs to usernames (RIDb cycling)
lsaaddacctrights Add rights to a user account
lsaremoveacctrights Remove rights from a user account
dsroledominfo LSARPC-DS Get primary domain information
dsenumdomtrusts Enumerate trusted domains within an AD forest

To understand better how the tools samrdump and rpcdump works you should read Pentesting MSRPC.

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥