# rpcbind port converts RPC to universal address
# allows to access the NFS, port: 111
nmap --script=nfs-ls,nfs-statfs,nfs-showmount -p 111 $ip
nmap --script rpcinfo.nse -p 111 $ip
rpcinfo -p IP
rpcbind -p IP
# dumps the remote RPC endpoints information via epmapper
impacket-rpcdump @[IP|DOMAIN]
rpcclient -U [''|USER%PASS|DOMAIN\USER%PASS] IP [-N]   # -N: no password
srvinfo: server information => os.version, samba-version
netshareenum: enumerate shares
# basic info
querydominfo: domain info
enumdomusers: enum domain users
enumdomgroups: enum domain groups
dsr_enumtrustdom: enumerate trusted domains
# query group info and membership
querygroup 0xGROUP
querygroupmem 0xGROUP
# query specific user by RID
queryuser USER
lookupnames USER (if user exists)
# password policy
querydompwinfo
enumdrivers
enumprinters
Enumerate users using SIDs (Windows only)
# needs some user creds (SMB also works)
impacket-lookupsid USER:PASS@IP