mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 14:40:37 +00:00
126 lines
12 KiB
Markdown
126 lines
12 KiB
Markdown
# rpcclient enumeration
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|
|
|
|
<figure><img src="../.gitbook/assets/image (674).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
|
|
|
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
|
|
|
***
|
|
|
|
### **What is a RID**
|
|
|
|
A [Relative Identifier (RID)](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) is a **unique identifier** (represented in hexadecimal format) utilized by Windows to **track and identify objects**. To explain how this fits in, let's look at the examples below:
|
|
|
|
* The [SID](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) for the NAME\_DOMAIN.LOCAL domain is: `S-1-5-21-1038751438-1834703946-36937684957`.
|
|
* When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
|
|
* So the domain user `john` with a RID:\[0x457] Hex 0x457 would = decimal `1111`, will have a full user SID of: `S-1-5-21-1038751438-1834703946-36937684957-1111`.
|
|
* This is unique to the `john` object in the NAME\_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.
|
|
|
|
Definition from [**here**](https://academy.hackthebox.com/module/143/section/1269).
|
|
|
|
### **Enumeration with rpcclient**
|
|
|
|
**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
|
|
|
|
You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials).
|
|
|
|
#### Server Info
|
|
|
|
* **Server Info**: `srvinfo`
|
|
|
|
#### Users enumeration
|
|
|
|
* **List users**: `querydispinfo` and `enumdomusers`
|
|
* **Get user details**: `queryuser <0xrid>`
|
|
* **Get user groups**: `queryusergroups <0xrid>`
|
|
* **GET SID of a user**: `lookupnames <username>`
|
|
* **Get users aliases**: `queryuseraliases [builtin|domain] <sid>`
|
|
|
|
```bash
|
|
# Brute-Force users RIDs
|
|
for i in $(seq 500 1100); do
|
|
rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
|
|
done
|
|
|
|
# You can also use samrdump.py for this purpose
|
|
```
|
|
|
|
#### Groups enumeration
|
|
|
|
* **List groups**: `enumdomgroups`
|
|
* **Get group details**: `querygroup <0xrid>`
|
|
* **Get group members**: `querygroupmem <0xrid>`
|
|
|
|
#### Aliasgroups enumeration
|
|
|
|
* **List alias**: `enumalsgroups <builtin|domain>`
|
|
* **Get members**: `queryaliasmem builtin|domain <0xrid>`
|
|
|
|
#### Domains enumeration
|
|
|
|
* **List domains**: `enumdomains`
|
|
* **Get SID**: `lsaquery`
|
|
* **Domain info**: `querydominfo`
|
|
|
|
#### Shares enumeration
|
|
|
|
* **Enumerate all available shares**: `netshareenumall`
|
|
* **Info about a share**: `netsharegetinfo <share>`
|
|
|
|
#### More SIDs
|
|
|
|
* **Find SIDs by name**: `lookupnames <username>`
|
|
* **Find more SIDs**: `lsaenumsid`
|
|
* **RID cycling (check more SIDs)**: `lookupsids <sid>`
|
|
|
|
#### **Extra commands**
|
|
|
|
| **Command** | **Interface** | **Description** |
|
|
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
|
|
| queryuser | SAMR | Retrieve user information |
|
|
| querygroup | Retrieve group information | |
|
|
| querydominfo | Retrieve domain information | |
|
|
| enumdomusers | Enumerate domain users | |
|
|
| enumdomgroups | Enumerate domain groups | |
|
|
| createdomuser | Create a domain user | |
|
|
| deletedomuser | Delete a domain user | |
|
|
| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
|
|
| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | |
|
|
| lsaaddacctrights | Add rights to a user account | |
|
|
| lsaremoveacctrights | Remove rights from a user account | |
|
|
| dsroledominfo | LSARPC-DS | Get primary domain information |
|
|
| dsenumdomtrusts | Enumerate trusted domains within an AD forest | |
|
|
|
|
To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md).
|
|
|
|
<figure><img src="../.gitbook/assets/image (674).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
|
|
|
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
|
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|