RPC

Port 135 | Used to query for information on the machine.

Resources

#Null session
#-N (--no-pass) skips the password prompt; together with -U "" this is an anonymous bind.
#Whether the target accepts it depends on its anonymous-access policy; an accepted
#null session is a hardening finding, not an expected state.
rpcclient -U "" <IP> -N
#-c runs the given rpcclient subcommand(s) non-interactively instead of opening a prompt.
rpcclient -U <Username> <IP> -c "enumdomusers"

#NOTE(review): in Samba's rpcclient -p is --port and expects a port number, so this
#line as written looks like a paste error -- confirm against rpcclient --help.
rpcclient -p <target>

#Use cached TGT
#-k (--kerberos) authenticates with the ticket already in the credential cache,
#so no password has to be placed on the command line.
rpcclient -k <Target-DC>

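#Authenticated Enumeration:
#Enumerate accessible machines with creds using below script.
#Reads one IP per line from ips.txt, prints the IP, then runs enumdomusers
#against it. The original paste ("while readline", stray "> " continuation
#prompts, and $line on a line of its own) was lifted from an interactive shell
#and does not parse; this is the same loop written so it actually runs.
#NOTE: a password given inline as user%Pass is visible to every local user via
#ps and may land in shell history; prefer -A <authfile> or the PASSWD
#environment variable, which Samba's client tools honour.
while IFS= read -r line || [[ -n "$line" ]]; do
  printf '%s\n' "$line"
  rpcclient -U "domain\user%Pass" -c "enumdomusers;quit" "$line"
done < ips.txt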

#Server info
#The commands below are rpcclient subcommands: type them at the rpcclient prompt
#after connecting, or pass them with -c "cmd1;cmd2" as shown above.
srvinfo
enumprivs

#Enumerate user/group using RID
queryusergroups <RID>
querygroup <RID>
#RID 500 is the well-known built-in Administrator account (even if it was renamed).
queryuser 500

#Groups
#Alias groups: "domain" lists domain-local aliases, "builtin" the Builtin container.
enumalsgroups domain
enumalsgroups builtin

#Identify SID
lookupnames <username/groupname>

#Enum description
#Display info includes each account's description field; on your own domain this
#is worth auditing, since it is readable by any authenticated user.
querydispinfo

#Password Policy
getdompwinfo

#Change password for a user
rpcclient -U blackfield/support 10.10.10.192

#setuserinfo2 username level password
#NOTE(review): rpcclient has both setuserinfo and setuserinfo2 with the same
#argument form; the comment names one and the command the other -- confirm with
#"help" at the prompt. Level 23 is one of the info levels that carries a new
#password. This is a write operation: it resets the target account's password
#and is recorded on the DC (Windows event 4724), so it is noisy and disruptive.
setuserinfo <user> 23 <pass>
