PRIMARY CATEGORY → PROTOCOLS AND SERVICES
RPC → Remote Procedure Call
Ports
- 135 → EMP (Endpoint Mapper)
The Endpoint Mapper is the service that listens on this port. It stores information about all available RPC endpoints and maps each endpoint to a specific dynamic port or named pipe.
Therefore, when an RPC client connects to port 135 asking for a given RPC endpoint, the EMP is responsible for telling it which dynamic port or named pipe to connect to.
- 49152-65535 → RPC Dynamic Ports
These are the dynamic ports to which the individual RPC endpoints are mapped.
RPC Endpoints
SRVSVC
SRVSVC or Server Service
It manages information about →
- System General Information
- Available Shared Resources
- OS information
LSARPC
Local Security Authority or LSA
It manages information about Security Policies and the Domain Configuration
SAMR
Security Account Manager Remote or SAMR
It manages User Accounts and Groups in a domain or local system
Enumeration
RPC Endpoints Enumeration via EMP
rpcdump.py <TARGET>
Check Null/Anonymous Auth
rpcclient --user '' --no-pass --command '<COMMAND>' <TARGET>
Server Information
SRVSVC
rpcclient --user '' --no-pass --command 'srvinfo' <TARGET>
Domains Enumeration
List Available Domains
LSARPC & SAMR
rpcclient --user '' --no-pass --command 'enumdomains' <TARGET>
Get Domain Information
SAMR
rpcclient --user '' --no-pass --command 'querydominfo' <TARGET>
Shares Enumeration
SRVSVC
List All Shares
rpcclient --user '' --no-pass --command 'netshareenumall' <TARGET>
List Information about a Specific Share
rpcclient --user '' --no-pass --command 'netsharegetinfo <SHARE>' <TARGET>
Users and Groups Enumeration
SAMR
All Users Display Information
rpcclient --user '' --no-pass --command 'querydispinfo' <TARGET>
Information about a Specific User
rpcclient --user '' --no-pass --command 'queryuser <RID>' <TARGET>
All Users and Groups Enumeration
- Null Auth
rpcclient --user '' --no-pass --command 'enumdomusers' <TARGET>
rpcclient --user '' --no-pass --command 'enumdomgroups' <TARGET>
- Guest Auth
rpcclient --user 'guest%' --command 'enumdomusers' <TARGET>
rpcclient --user 'guest%' --command 'enumdomgroups' <TARGET>
- User Account Authentication
rpcclient --user '<USER>%<PASSWORD>' --command 'enumdomusers' <TARGET>
rpcclient --user '<USER>%<PASSWORD>' --command 'enumdomgroups' <TARGET>
List Users Members of a Group
First, list the members of a given domain group
rpcclient --user '<USER>%<PASSWORD>' --command 'querygroupmem 0x<GROUP_RID>' <TARGET>
The output of the above command lists the RID of each member user, not the username
Therefore, resolve each RID to its username as follows
rpcclient --user '<USER>%<PASSWORD>' --command 'queryuser 0x<USER_RID>' <TARGET>
- To extract all of them quickly →
while IFS= read -r _rid ; do rpcclient --user '<DOMAIN>\<USER>%<PASSWORD>' --command "queryuser $_rid" <TARGET> | grep -iP '(User|Full)\sname|Description' && echo ; done < <( rpcclient --user '<DOMAIN>\<USER>%<PASSWORD>' --command 'querygroupmem <GROUP_RID>' <TARGET> | grep -iPo -- 'rid:\[\K.*?(?=\])' )
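The RID-to-username join above is done with grep inside a shell loop. As an added example that is not part of the original cheat sheet, the Python below does the same join by parsing the text that `querygroupmem` and `queryuser` print, keeping unresolved RIDs visible instead of silently dropping them. It is equally useful when reviewing a privileged group's membership during an audit. The sample outputs, usernames and RIDs are constructed for the demo, and the field layout (`rid:[0x...] attr:[0x...]`, `User Name   :`, `user_rid :`, `group_rid:`) is assumed to match rpcclient's output; adapt the regexes if your build prints differently.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `querygroupmem 0x200` output (member RIDs of a group).
# Field layout follows rpcclient's usual "rid:[0x...] attr:[0x...]" lines (assumed).
GROUP_MEMBERS_OUTPUT = (
    "\trid:[0x1f4] attr:[0x7]\n"
    "\trid:[0x451] attr:[0x7]\n"
)

# Constructed sample of `queryuser <RID>` output, keyed by RID and trimmed to the
# lines this parser cares about. Real output carries many more fields.
QUERYUSER_OUTPUTS = {
    0x1F4: (
        "\tUser Name   :\tAdministrator\n"
        "\tFull Name   :\t\n"
        "\tHome Drive  :\t\n"
        "\tDescription :\tBuilt-in account for administering the computer/domain\n"
        "\tuser_rid :\t0x1f4\n"
        "\tgroup_rid:\t0x201\n"
    ),
    0x451: (
        "\tUser Name   :\tsvc_backup\n"
        "\tFull Name   :\tBackup Service\n"
        "\tDescription :\tRuns nightly backups\n"
        "\tuser_rid :\t0x451\n"
        "\tgroup_rid:\t0x201\n"
    ),
}

# Same extraction as the page's grep: the hex value inside "rid:[...]".
RID_RE = re.compile(r"rid:\[(0x[0-9a-f]+)\]", re.IGNORECASE)
# "Key :<tab>value" lines; the key list mirrors the page's grep patterns.
FIELD_RE = re.compile(
    r"^\s*(user name|full name|description|user_rid|group_rid)\s*:\s*(.*?)\s*$",
    re.IGNORECASE,
)


@dataclass
class UserInfo:
    rid: int
    user_name: str = ""
    full_name: str = ""
    description: str = ""
    primary_group_rid: int | None = None
    resolved: bool = False  # False when no queryuser output was available for the RID


def parse_group_members(text: str) -> list[int]:
    """Return the member RIDs printed by `querygroupmem`, in output order."""
    return [int(rid, 16) for rid in RID_RE.findall(text)]


def parse_queryuser(rid: int, text: str) -> UserInfo:
    """Pick the identifying fields out of one `queryuser` output."""
    info = UserInfo(rid=rid, resolved=True)
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "user name":
            info.user_name = value
        elif key == "full name":
            info.full_name = value
        elif key == "description":
            info.description = value
        elif key == "group_rid":
            info.primary_group_rid = int(value, 0)  # int(..., 0) accepts 0x-prefixed hex
        elif key == "user_rid" and int(value, 0) != rid:
            # Guard against pairing the wrong output with a RID when batching.
            raise ValueError(f"queryuser output for RID {rid} reports user_rid {value}")
    return info


def resolve_group(members_output: str, queryuser_outputs: dict[int, str]) -> list[UserInfo]:
    """Join group membership to user details; RIDs without output stay listed, flagged unresolved."""
    resolved = []
    for rid in parse_group_members(members_output):
        text = queryuser_outputs.get(rid)
        resolved.append(parse_queryuser(rid, text) if text is not None else UserInfo(rid=rid))
    return resolved


def format_report(users: list[UserInfo]) -> str:
    """One line per member: RID (decimal and hex), username, full name, description."""
    lines = []
    for u in users:
        name = u.user_name if u.resolved else "<unresolved>"
        lines.append(f"{u.rid:>6} (0x{u.rid:x})  {name:<16} {u.full_name:<20} {u.description}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(resolve_group(GROUP_MEMBERS_OUTPUT, QUERYUSER_OUTPUTS)))
```

In practice you would feed `resolve_group` the captured output of the two rpcclient commands (one `queryuser` capture per RID) rather than the constructed strings; the `user_rid` cross-check in `parse_queryuser` catches the easy mistake of pairing a capture with the wrong RID.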
Enumeration via samrdump (Impacket)
samrdump.py <TARGET>
RID Bruteforce/Cycling
RPCClient
SAMR
# {500..1100} expands to decimal RIDs; rpcclient accepts decimal or 0x-prefixed hex, so do not put 0x in front of a decimal value (0x500 is 1280, not 500)
for _rid in {500..1100} ; do rpcclient --user '' --no-pass <TARGET> --command "queryuser $_rid" | grep -iP -- 'User name|user_rid|group_rid' && echo ; done