# rpcbind maps RPC program numbers to universal addresses (ports)
# used to reach NFS services; listens on port 111
nmap --script=nfs-ls,nfs-statfs,nfs-showmount -p 111 $ip
nmap --script rpcinfo.nse -p 111 $ip
rpcinfo -p IP
rpcbind -p IP
# dumps the remote RPC endpoint information via the endpoint mapper (epmapper)
impacket-rpcdump @[IP | DOMAIN]
rpcclient -U ['' | USER%PASS | DOMAIN\USER%PASS] IP [-N]
# -N: do not prompt for a password
srvinfo: server information (OS version, Samba version)
netshareenum: enumerate shares
# basic info
querydominfo: domain info
enumdomusers: enum domain users
enumdomgroups: enum domain groups
dsr_enumtrustdom: enumerate trusted domains
# query group info and membership
querygroup 0xGROUP
querygroupmem 0xGROUP
# query specific user by RID
queryuser USER
lookupnames USER (succeeds only if the user exists)
# password policy
querydompwinfo
enumdrivers
enumprinters
# enumerate users via SID lookups (Windows only)
# requires valid user credentials (SMB credentials also work)
impacket-lookupsid USER:PASS@IP