rpcclient enumeration

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

What is a RID

A Relative Identifier (RID) is a unique identifier (represented in hexadecimal format) utilized by Windows to track and identify objects. To explain how this fits in, let's look at the examples below:

The SID for the NAME_DOMAIN.LOCAL domain is: S-1-5-21-1038751438-1834703946-36937684957.
When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
So the domain user john with a RID:[0x457] Hex 0x457 would = decimal 1111, will have a full user SID of: S-1-5-21-1038751438-1834703946-36937684957-1111.
This is unique to the john object in the NAME_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.

Definition from here.

Enumeration with rpcclient

Pat of this section was extracted from book "Network Security Assesment 3rd Edition"

You can use the Samba rpcclient utility to interact with RPC endpoints via named pipes. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon establishing a SMB session (often requiring credentials).

Server Info

Server Info: srvinfo

Users enumeration

List users: querydispinfo and enumdomusers
Get user details: queryuser <0xrid>
Get user groups: queryusergroups <0xrid>
GET SID of a user: lookupnames <username>
Get users aliases: queryuseraliases [builtin|domain] <sid>

# Brute-Force users RIDs
for i in $(seq 500 1100); do
    rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done

# You can also use samrdump.py for this purpose

Groups enumeration

List groups: enumdomgroups
Get group details: querygroup <0xrid>
Get group members: querygroupmem <0xrid>

Aliasgroups enumeration

List alias: enumalsgroups <builtin|domain>
Get members: queryaliasmem builtin|domain <0xrid>

Domains enumeration

List domains: enumdomains
Get SID: lsaquery
Domain info: querydominfo

Shares enumeration

Enumerate all available shares: netshareenumall
Info about a share: netsharegetinfo <share>

More SIDs

Find SIDs by name: lookupnames <username>
Find more SIDs: lsaenumsid
RID cycling (check more SIDs): lookupsids <sid>

Extra commands

Command	Interface	Description
queryuser	SAMR	Retrieve user information
querygroup	Retrieve group information
querydominfo	Retrieve domain information
enumdomusers	Enumerate domain users
enumdomgroups	Enumerate domain groups
createdomuser	Create a domain user
deletedomuser	Delete a domain user
lookupnames	LSARPC	Look up usernames to SIDa values
lookupsids	Look up SIDs to usernames (RIDb cycling)
lsaaddacctrights	Add rights to a user account
lsaremoveacctrights	Remove rights from a user account
dsroledominfo	LSARPC-DS	Get primary domain information
dsenumdomtrusts	Enumerate trusted domains within an AD forest

To understand better how the tools samrdump and rpcdump works you should read Pentesting MSRPC.