10 KiB
rpcclient enumeration
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
{% embed url="https://academy.8ksec.io/" %}
Overview of Relative Identifiers (RID) and Security Identifiers (SID)
Relative Identifiers (RID) and Security Identifiers (SID) are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain.
- SIDs serve as unique identifiers for domains, ensuring that each domain is distinguishable.
- RIDs are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls.
For instance, a user named pepe
might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (0x457
) and decimal (1111
) formats. This results in a complete and unique identifier for pepe within the domain like: S-1-5-21-1074507654-1937615267-42093643874-1111
.
Enumeration with rpcclient
The rpcclient
utility from Samba is utilized for interacting with RPC endpoints through named pipes. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a SMB session is established, often necessitating credentials.
Server Information
- To obtain Server Information:
srvinfo
command is used.
Enumeration of Users
- Users can be listed using:
querydispinfo
andenumdomusers
. - Details of a user by:
queryuser <0xrid>
. - Groups of a user with:
queryusergroups <0xrid>
. - A user's SID is retrieved through:
lookupnames <username>
. - Aliases of users by:
queryuseraliases [builtin|domain] <sid>
.
# Users' RIDs-forced
for i in $(seq 500 1100); do
rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done
# samrdump.py can also serve this purpose
Enumeration of Groups
- Groups by:
enumdomgroups
. - Details of a group with:
querygroup <0xrid>
. - Members of a group through:
querygroupmem <0xrid>
.
Enumeration of Alias Groups
- Alias groups by:
enumalsgroups <builtin|domain>
. - Members of an alias group with:
queryaliasmem builtin|domain <0xrid>
.
Enumeration of Domains
- Domains using:
enumdomains
. - A domain's SID is retrieved through:
lsaquery
. - Domain information is obtained by:
querydominfo
.
Enumeration of Shares
- All available shares by:
netshareenumall
. - Information about a specific share is fetched with:
netsharegetinfo <share>
.
Additional Operations with SIDs
- SIDs by name using:
lookupnames <username>
. - More SIDs through:
lsaenumsid
. - RID cycling to check more SIDs is performed by:
lookupsids <sid>
.
Extra commands
Command | Interface | Description |
---|---|---|
queryuser | SAMR | Retrieve user information |
querygroup | Retrieve group information | |
querydominfo | Retrieve domain information | |
enumdomusers | Enumerate domain users | |
enumdomgroups | Enumerate domain groups | |
createdomuser | Create a domain user | |
deletedomuser | Delete a domain user | |
lookupnames | LSARPC | Look up usernames to SIDa values |
lookupsids | Look up SIDs to usernames (RIDb cycling) | |
lsaaddacctrights | Add rights to a user account | |
lsaremoveacctrights | Remove rights from a user account | |
dsroledominfo | LSARPC-DS | Get primary domain information |
dsenumdomtrusts | Enumerate trusted domains within an AD forest |
To understand better how the tools samrdump and rpcdump works you should read Pentesting MSRPC.
Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
{% embed url="https://academy.8ksec.io/" %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.