RPCClient
RPCClient Guide
RPCClient is a powerful command-line tool that's part of the Samba suite, designed for interacting with Microsoft RPC (Remote Procedure Call) services. It provides a versatile interface for enumerating and working with Windows-based systems, particularly Active Directory environments and SMB/CIFS services.
Introduction to RPCClient
RPCClient leverages Microsoft's Remote Procedure Call (RPC) protocol to communicate with Windows services. The tool is particularly useful for:
Enumerating domain users and groups
Gathering information about servers and domains
Querying user information
Exploring available shares
Testing authentication credentials
Performing password resets (with appropriate privileges)
Basic Connection Syntax
The basic syntax for connecting to a system with RPCClient is:
rpcclient -U [username] [target]For a null session (anonymous) connection:
rpcclient -U "" -N [target]Command options:
-U [username]: Specify the username-P [password]: Specify the password (not recommended - insecure)-N: No password (for null sessions)-W [domain]: Specify the domain-c [command]: Run a single command and exit-I [IP address]: Connect to specific IP address-p [port]: Connect to specific port-d [debug level]: Set debug level
Key RPC Commands
Once connected, these essential commands can help enumerate the target system:
Server Information
rpcclient $> srvinfoExample output:
INLANEFREIGHT Wk Sv PrQ Unx NT SNT INLANEFREIGHT server
platform_id : 500
os version : 6.1
server type : 0x809a03This output provides:
Server name
Operating system version
Server platform information
Server type flags
Domain Information
rpcclient $> enumdomainsExample output:
name:[INLANEFREIGHT] idx:[0x0]
name:[Builtin] idx:[0x1]For more detailed domain information:
rpcclient $> querydominfoExample output:
Domain: INLANEFREIGHT
Server: DC01
Comment: INLANEFREIGHT Domain Controller
Total Users: 2985
Total Groups: 116
Total Aliases: 26
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1Share Enumeration
List all available shares:
rpcclient $> netshareenumallExample output:
netname: ADMIN$
remark: Remote Admin
path: C:\Windows
password:
netname: C$
remark: Default share
path: C:\
password:
netname: IPC$
remark: Remote IPC
path:
password:
netname: NETLOGON
remark: Logon server share
path: C:\Windows\SYSVOL\sysvol\inlanefreight.local\SCRIPTS
password:
netname: SYSVOL
remark: Logon server share
path: C:\Windows\SYSVOL\sysvol
password:For detailed information about a specific share:
rpcclient $> netsharegetinfo SYSVOLUser Enumeration
List all domain users:
rpcclient $> enumdomusersExample output:
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[jsmith] rid:[0x44f]
user:[svc_backup] rid:[0x585]User Information
Query detailed information about a specific user using their Relative ID (RID):
rpcclient $> queryuser 0x44fExample output:
User Name : jsmith
Full Name : John Smith
Home Drive : \\dc01\users\jsmith
Dir Drive :
Profile Path: \\dc01\profiles\jsmith
Logon Script: logon.bat
Description : Marketing User
Workstations:
Comment :
Remote Dial :
Logon Time : Wed, 27 Oct 2021 10:56:58 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 13 Sep 30828 22:48:05 EDT
Password last set Time : Tue, 26 Oct 2021 09:32:26 EDT
Password can change Time : Wed, 27 Oct 2021 09:32:26 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x44f
group_rid: 0x201
acb_info : 0x00000010
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000001
padding1[0..7]...
logon_hrs[0..21]...Group Enumeration
List all domain groups:
rpcclient $> enumdomgroupsExample output:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]Query group members:
rpcclient $> querygroupmem 0x200Example output:
rid:[0x1f4] attr:[0x7]
rid:[0x450] attr:[0x7]Then resolve these RIDs to usernames:
rpcclient $> queryuser 0x1f4Password Policy Information
Retrieve domain password policy:
rpcclient $> getdompwinfoExample output:
min_password_length: 8
password_properties: 0x00000001
DOMAIN_PASSWORD_COMPLEXQuery the password policy for a specific user:
rpcclient $> getusrdompwinfo 0x44fAdvanced Usage
Running Commands in Batch Mode
Instead of entering an interactive session, you can execute commands directly from the command line:
rpcclient -U "username%password" -c "enumdomusers" 192.168.1.100Using a script to run multiple commands:
echo -e "enumdomusers\nquerygroupmem 0x200" | rpcclient -U "username%password" 192.168.1.100User Manipulation (with Admin Rights)
Create a new user (if you have appropriate privileges):
rpcclient $> createdomuser newuserSet a user's password:
rpcclient $> setuserinfo2 newuser 23 'Password123!'Add a user to a group:
rpcclient $> addgroupmem 0x200 0x456Looking Up SIDs
Convert between names and SIDs:
rpcclient $> lookupnames administratorExample output:
administrator S-1-5-21-1036416015-3025729302-1618636688-500Convert SID back to name:
rpcclient $> lookupsids S-1-5-21-1036416015-3025729302-1618636688-500Printer Information
If print services are available, you can enumerate printers:
rpcclient $> enumprintersGet details about a specific printer:
rpcclient $> getprinter 0Automating RPCClient Tasks
Extracting All Domain Users
#!/bin/bash
# Script to extract domain users and save to file
target=$1
output_file="domain_users.txt"
# Connect and extract domain users
rpcclient -U "" -N $target -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v "_" | tr -d '[]' > $output_file
echo "Extracted $(wc -l < $output_file) users to $output_file"Enumerating Domain Information
#!/bin/bash
# Comprehensive domain enumeration script
target=$1
output_dir="domain_enum_$(date +%Y%m%d_%H%M%S)"
mkdir -p $output_dir
echo "Starting enumeration of $target"
# Run various enumeration commands
rpcclient -U "" -N $target -c "srvinfo" > $output_dir/server_info.txt
rpcclient -U "" -N $target -c "enumdomains" > $output_dir/domains.txt
rpcclient -U "" -N $target -c "querydominfo" > $output_dir/domain_info.txt
rpcclient -U "" -N $target -c "enumdomusers" > $output_dir/users.txt
rpcclient -U "" -N $target -c "enumdomgroups" > $output_dir/groups.txt
rpcclient -U "" -N $target -c "netshareenumall" > $output_dir/shares.txt
rpcclient -U "" -N $target -c "getdompwinfo" > $output_dir/password_policy.txt
echo "Enumeration complete. Results saved to $output_dir"Mapping Group Membership
#!/bin/bash
# Script to map domain group membership
target=$1
group_rid=$2 # e.g., 0x200 for Domain Admins
# Get group members
members=$(rpcclient -U "" -N $target -c "querygroupmem $group_rid" | grep rid | awk '{print $1}' | cut -d '[' -f 2 | cut -d ']' -f 1)
echo "Group members:"
for rid in $members; do
username=$(rpcclient -U "" -N $target -c "queryuser $rid" | grep "User Name" | cut -d ':' -f 2 | tr -d ' ')
echo "$username ($rid)"
doneTroubleshooting RPCClient
Common Issues and Solutions
Connection Failures
If you're having trouble connecting:
Error: NT_STATUS_CONNECTION_REFUSEDPossible solutions:
Verify that SMB service is running on the target
Check firewall settings
Ensure the target allows the authentication method you're using
Authentication Issues
Error: NT_STATUS_LOGON_FAILUREPossible solutions:
Verify username and password
Check domain name if using domain authentication
Confirm account is not locked out or disabled
Access Denied Errors
Error: NT_STATUS_ACCESS_DENIEDPossible solutions:
The authenticated user doesn't have sufficient privileges
Remote registry access might be disabled
Check local security policies on the target
Missing RPC Endpoints
Error: NT_STATUS_RPC_INTERFACE_NOT_FOUNDPossible solutions:
The requested RPC service might not be running
Firewall might be blocking specific RPC endpoints
Service might have been disabled
Security Considerations
When using RPCClient for penetration testing or security assessments:
Log your activities: Keep detailed records of all commands and output
Minimize authentication attempts: Avoid account lockouts
Consider detection impact: RPC enumeration may trigger security alerts
Handle discovered credentials securely: Protect any sensitive information
Clean up: If you create test accounts, ensure they are removed after testing
Defensive Measures Against RPC Enumeration
As a penetration tester, it's valuable to understand defensive measures:
Disable null sessions: Prevent anonymous enumeration
Restrict RPC access: Use firewalls to limit RPC connections
Implement least privilege: Minimize what authenticated users can enumerate
Enable detailed logging: Monitor for suspicious RPC activity
Use network segmentation: Limit which systems can make RPC calls to sensitive servers
Command Reference
srvinfo
Displays server information
enumdomains
Lists all domains
querydominfo
Shows detailed domain information
netshareenumall
Lists all available shares
netsharegetinfo <share>
Shows detailed share information
enumdomusers
Lists all domain users
queryuser <RID>
Shows detailed user information
enumdomgroups
Lists all domain groups
querygroupmem <RID>
Lists members of a group
getdompwinfo
Shows domain password policy
lookupnames <name>
Converts name to SID
lookupsids <SID>
Converts SID to name
createdomuser <username>
Creates a new domain user
deletedomuser <username>
Deletes a domain user
setuserinfo2 <user> 23 <password>
Sets a user's password
addgroupmem <group_rid> <user_rid>
Adds user to a group
enumprinters
Lists available printers
By mastering RPCClient, penetration testers can effectively enumerate and interact with Windows systems, gathering valuable information for security assessments and vulnerability identification.
Last updated