Remote Procedure Call
Tools
# Anonymous (null session: empty username, no password)
rpcclient -U '' -N <TARGET>
Sample Output:
$ rpcclient -U '' -N 10.10.10.172
rpcclient $>
# Username and password
rpcclient -U '<DOMAIN>/<USER>%<PASSWORD>' <TARGET>
Sample Output:
TO-DO
# NTLM hash supplied in place of the password (--pw-nt-hash)
rpcclient -U '<DOMAIN>/<USER>%<HASH>' --pw-nt-hash <TARGET>
Sample Output:
TO-DO
# Run a single rpcclient command non-interactively (-c) instead of opening the prompt
rpcclient -U '<DOMAIN>/<USER>%<PASSWORD>' <TARGET> -c 'querydispinfo'
Sample Output:
TO-DO
Basic Commands
# General info on every account: RID, account-control flags (acb), full name, description
querydispinfo
Sample Output:
rpcclient $> querydispinfo
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
...[SNIP]....
# List of users
enumdomusers
Sample Output:
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
...[SNIP]....
# List of groups
enumdomgroups
Sample Output:
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
...[SNIP]....
# Query a group by RID
querygroup <RID>
Sample Output:
rpcclient $> querygroup 0x201
Group Name: Domain Users
Description: All domain users
Group Attribute:7
Num Members:11
# List the members of a group by RID (returned as member RIDs)
querygroupmem <RID>
Sample Output:
rpcclient $> querygroupmem 0x201
rid:[0x1f4] attr:[0x7]
rid:[0x1f6] attr:[0x7]
rid:[0x450] attr:[0x7]
rid:[0x641] attr:[0x7]
rid:[0xa2a] attr:[0x7]
...[SNIP]....
# Query a user by RID
queryuser <RID>
Sample Output:
rpcclient $> queryuser 0x641
User Name : mhope
Full Name : Mike Hope
Home Drive : \\monteverde\users$\mhope
Dir Drive : H:
Profile Path:
...[SNIP]....
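The outputs above are plain text, and in practice they get collected into a report rather than read at the prompt. The following parser is an added example and is not part of the original cheat sheet or of rpcclient: it parses querydispinfo, enumdomusers and querygroupmem output, decodes the acb account-control bits (bit names are assumed from the MS-SAMR ACB_* flag definitions), resolves the member RIDs returned by querygroupmem against the enumdomusers listing, and flags accounts whose password never expires. The sample strings are constructed from the page's own output; since those listings are truncated ([SNIP]), two member RIDs deliberately stay unresolved, which is the case a real report has to handle.

```python
"""Parse rpcclient enumeration output and decode SAM account-control (acb) bits.

Added example, not part of the original cheat sheet. Sample strings below are
constructed from the page's own querydispinfo / enumdomusers / querygroupmem
output and are truncated just like the page's [SNIP] listings.
"""
import re

# acb bit names: assumed from the MS-SAMR USER_ACCOUNT_CONTROL (ACB_*) flags.
ACB_FLAGS = {
    0x0001: "DISABLED", 0x0002: "HOMDIRREQ", 0x0004: "PWNOTREQ",
    0x0008: "TEMPDUP", 0x0010: "NORMAL", 0x0020: "MNS",
    0x0040: "DOMTRUST", 0x0080: "WSTRUST", 0x0100: "SVRTRUST",
    0x0200: "PWNOEXP", 0x0400: "AUTOLOCK",
}

DISPINFO_RE = re.compile(
    r"index:\s*(?P<index>0x[0-9a-f]+)\s+RID:\s*(?P<rid>0x[0-9a-f]+)\s+"
    r"acb:\s*(?P<acb>0x[0-9a-f]+)\s+Account:\s*(?P<account>\S+)\s+"
    r"Name:\s*(?P<name>.*?)\s+Desc:\s*(?P<desc>.*)$"
)
ENUM_USER_RE = re.compile(r"user:\[(?P<user>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-f]+)\]")
GROUPMEM_RE = re.compile(r"rid:\[(?P<rid>0x[0-9a-f]+)\]\s+attr:\[(?P<attr>0x[0-9a-f]+)\]")

# Constructed sample input, copied from the cheat sheet's sample output.
QUERYDISPINFO_SAMPLE = """rpcclient $> querydispinfo
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
...[SNIP]....
"""
ENUMDOMUSERS_SAMPLE = """rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
...[SNIP]....
"""
GROUPMEM_SAMPLE = """rpcclient $> querygroupmem 0x201
rid:[0x1f4] attr:[0x7]
rid:[0x1f6] attr:[0x7]
rid:[0x450] attr:[0x7]
rid:[0x641] attr:[0x7]
rid:[0xa2a] attr:[0x7]
...[SNIP]....
"""


def decode_acb(acb: int) -> list:
    """Return the names of the set acb bits, in ascending bit order."""
    names = [name for bit, name in ACB_FLAGS.items() if acb & bit]
    unknown = acb & ~sum(ACB_FLAGS)  # bits outside the table are kept visible
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def parse_querydispinfo(text: str) -> list:
    """One dict per account line; (null) fields become None."""
    users = []
    for line in text.splitlines():
        m = DISPINFO_RE.search(line)
        if not m:  # prompt line, [SNIP] marker, blank line
            continue
        acb = int(m["acb"], 16)
        users.append({
            "rid": int(m["rid"], 16), "account": m["account"],
            "name": None if m["name"] == "(null)" else m["name"],
            "desc": None if m["desc"] == "(null)" else m["desc"],
            "acb": acb, "flags": decode_acb(acb),
        })
    return users


def parse_enumdomusers(text: str) -> dict:
    """Map RID (int) -> account name."""
    return {int(m["rid"], 16): m["user"] for m in ENUM_USER_RE.finditer(text)}


def parse_querygroupmem(text: str) -> list:
    """List of (member RID, attr) tuples."""
    return [(int(m["rid"], 16), int(m["attr"], 16)) for m in GROUPMEM_RE.finditer(text)]


def resolve_members(members: list, rid_to_user: dict) -> list:
    """Resolve member RIDs to names; RIDs missing from the listing stay marked."""
    return [rid_to_user.get(rid, f"<unresolved RID 0x{rid:x}>") for rid, _ in members]


def audit(users: list) -> list:
    """Enabled accounts with weak password policy bits set."""
    findings = []
    for u in users:
        if "DISABLED" in u["flags"]:
            continue
        if "PWNOEXP" in u["flags"]:
            findings.append(f"{u['account']}: password never expires")
        if "PWNOTREQ" in u["flags"]:
            findings.append(f"{u['account']}: password not required")
    return findings


if __name__ == "__main__":
    users = parse_querydispinfo(QUERYDISPINFO_SAMPLE)
    for u in users:
        print(f"{u['account']:<20} rid=0x{u['rid']:x} {'|'.join(u['flags'])}")
    rid_map = parse_enumdomusers(ENUMDOMUSERS_SAMPLE)
    print("Domain Users members:", resolve_members(parse_querygroupmem(GROUPMEM_SAMPLE), rid_map))
    for finding in audit(users):
        print("AUDIT:", finding)
```

Pipe real output through it with `rpcclient ... -c 'querydispinfo' | python3 parse_rpc.py` after replacing the sample strings with `sys.stdin.read()`. The Guest entry (acb 0x215) decodes to DISABLED|PWNOTREQ|NORMAL|PWNOEXP and is skipped by the audit because it is disabled; the four 0x210 accounts are reported as password-never-expires, which is the setting a defender reviews on service accounts such as the AAD sync account.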
# Look up a user by name (returns its SID)
lookupnames <USER>
Sample Output:
TO-DO
# Look up a name by SID
lookupsids <SID>
Sample Output:
TO-DO
# Same SID/RID lookup with Impacket (brute-forces RIDs via LSA lookups)
impacket-lookupsid '<USER>:<PASSWORD>@<TARGET>'
Sample Output:
TO-DO