My OSCP Journey: Tips, Tricks, and Cheat Sheets

135, 593 - MSRPC

Enumeration

You can query the RPC locator service and individual RPC endpoints to catalog services running over TCP, UDP, HTTP, and SMB (via named pipes).

Each returned IFID value represents an RPC service. See Notable RPC Interfaces.

By default, impacket will try to match them with a list of well known endpoints.

impacket rpcdump.py

Dump the list of RPC endpoints.

rpcdump.py 10.0.0.3
Parameters
  • target: [[domain/]username[:password]@]address

  • -port <ports>: Destination port to connect to SMB server. Default: 135.
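The UUID matching described above (each IFID identifies an interface, which impacket compares against a table of well-known endpoints) can also be applied to rpcdump.py's text output when you need an inventory of what a host exposes over which transport. The following is an added example written for this page, not code from the cheat sheet or from impacket; the sample output, host name and the last (non-well-known) UUID are constructed, and the UUID table is a small subset of the real list.

```python
"""Inventory the RPC interfaces reported by impacket's rpcdump.py.

Added example, not part of the cheat sheet or of impacket: it parses the text
rpcdump.py prints (one record per blank-line-separated block) and records, per
interface, the UUID, the well-known name if recognised, and the transports it is
bound to. The sample output and the host names in it are constructed.
"""
import re

# A small subset of well-known interface UUIDs (lower-case) -> friendly name.
KNOWN_INTERFACES = {
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "EPM (endpoint mapper)",
    "12345778-1234-abcd-ef00-0123456789ac": "SAMR",
    "12345778-1234-abcd-ef00-0123456789ab": "LSARPC",
    "12345678-1234-abcd-ef00-0123456789ab": "spoolss",
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl",
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc",
}

# Protocol sequences a remote client can reach; ncalrpc is local-only.
REMOTE_TRANSPORTS = {"ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_np", "ncacn_http"}

UUID_RE = re.compile(r"UUID\s*:\s*([0-9a-fA-F-]{36})\s+v([\d.]+)")

# Constructed sample in the layout rpcdump.py uses; the last UUID is invented
# to exercise the "not a well-known interface" path.
SAMPLE_RPCDUMP_OUTPUT = r"""
Protocol: [MS-RPCE]: Remote Procedure Call Protocol Extensions
Provider: rpcss.dll
UUID    : E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0
Bindings:
          ncacn_ip_tcp:10.0.0.3[135]
          ncacn_np:\\DC01[\PIPE\epmapper]

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_np:\\DC01[\PIPE\samr]
          ncacn_ip_tcp:10.0.0.3[49667]

Protocol: N/A
Provider: N/A
UUID    : 0A0B0C0D-0000-4000-8000-00000000BEEF v1.0
Bindings:
          ncalrpc:[LRPC-constructed]
"""


def parse_rpcdump(text):
    """Return one dict per interface record found in rpcdump.py output."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"protocol": "", "provider": "", "uuid": None, "version": None, "bindings": []}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("Protocol:"):
                rec["protocol"] = line.split(":", 1)[1].strip()
            elif line.startswith("Provider:"):
                rec["provider"] = line.split(":", 1)[1].strip()
            elif line.startswith("UUID"):
                m = UUID_RE.match(line)
                if m:
                    rec["uuid"] = m.group(1).lower()
                    rec["version"] = m.group(2)
            elif line.startswith("Bindings:"):
                continue
            elif ":" in line:
                # Remaining lines are string bindings of the form <protseq>:<endpoint>
                rec["bindings"].append(line)
        if rec["uuid"] is None:
            continue
        rec["name"] = KNOWN_INTERFACES.get(rec["uuid"], "unknown")
        rec["transports"] = sorted({b.split(":", 1)[0] for b in rec["bindings"]})
        rec["remote"] = any(t in REMOTE_TRANSPORTS for t in rec["transports"])
        records.append(rec)
    return records


def remotely_reachable(records):
    """Names (or UUIDs when unknown) of interfaces bound to a remote transport."""
    return [r["name"] if r["name"] != "unknown" else r["uuid"]
            for r in records if r["remote"]]


if __name__ == "__main__":
    for r in parse_rpcdump(SAMPLE_RPCDUMP_OUTPUT):
        print(f'{r["uuid"]} v{r["version"]:<5} {r["name"]:<24} {",".join(r["transports"])}')
```

Feed it real output with `rpcdump.py 10.0.0.3 > dump.txt` and `parse_rpcdump(open("dump.txt").read())`; the `remote` flag separates interfaces that only listen on local ALPC endpoints from those bound to TCP, UDP, named pipes or HTTP, which is the distinction that matters when deciding what a network-adjacent client can talk to.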

impacket samrdump.py

List system user accounts, available resource shares and other sensitive information exported through the SAMR (Security Account Manager Remote) interface.

samrdump.py 10.0.0.3
Parameters
  • target: [[domain/]username[:password]@]address

  • -port <ports>: Destination port to connect to SMB server. Default: 445.

msrpc-enum NSE Script

Enumerate the RPC endpoints exposed through SMB with the msrpc-enum script.

nmap -sV --script msrpc-enum -Pn 10.0.0.3

Query RPC

rpcclient can be used to interact with individual RPC endpoints via named pipes. By default, Windows systems and Windows 2003 domain controllers allow anonymous (null session) access to SMB, so these interfaces can be queried in this way.

Note: If null session access is not permitted, a valid username and password must be provided.

rpcclient

rpcclient -U "" -N 10.0.0.3
Parameters
  • -U: Set the network username.

  • -N: Don’t ask for a password.

Commands that you can issue to the SAMR, LSARPC, and LSARPC-DS interfaces.

| Command | Interface | Description |
| --- | --- | --- |
| queryuser | SAMR | Retrieve user information. |
| querygroup | SAMR | Retrieve group information. |
| querydominfo | SAMR | Retrieve domain information. |
| enumdomusers | SAMR | Enumerate domain users. |
| enumdomgroups | SAMR | Enumerate domain groups. |
| createdomuser | SAMR | Create a domain user. |
| deletedomuser | SAMR | Delete a domain user. |
| lookupnames | LSARPC | Look up usernames to SID values. |
| lookupsids | LSARPC | Look up SIDs to usernames (RID cycling). |
| lsaaddacctrights | LSARPC | Add rights to a user account. |
| lsaremoveacctrights | LSARPC | Remove rights from a user account. |
| dsroledominfo | LSARPC-DS | Get primary domain information. |
| dsenumdomtrusts | LSARPC-DS | Enumerate trusted domains within an AD forest. |
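When reviewing what a null session actually disclosed, the raw text from enumdomusers (SAMR) and lookupsids (LSARPC) is easier to reason about once it is joined by RID into a single account inventory. The following is an added example written for this page, not code from the cheat sheet or from Samba's rpcclient; the domain SID, account names and RIDs in the samples are constructed, and the parsers assume the line formats rpcclient prints for these two commands.

```python
"""Turn rpcclient enumdomusers / lookupsids output into an account inventory.

Added example, not part of the cheat sheet or of Samba: it parses the two text
formats rpcclient prints and joins them by RID, so the reviewer of a null-session
test can see which accounts the SAMR and LSARPC interfaces disclosed and which
RIDs did not resolve. Domain SID, account names and RIDs below are constructed.
"""
import re

# enumdomusers prints lines such as:  user:[Administrator] rid:[0x1f4]
ENUMDOMUSERS_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
# lookupsids prints lines such as:    S-1-5-21-...-500 CORP\Administrator (1)
LOOKUPSIDS_RE = re.compile(r"^(?P<sid>S-1-5-[\d-]+)\s+(?P<name>.+?)\s+\((?P<type>\d+)\)\s*$")

# SID_NAME_USE values, as shown in the trailing parenthesis of lookupsids output.
SID_TYPES = {1: "User", 2: "Group", 3: "Domain", 4: "Alias",
             5: "WellKnownGroup", 6: "DeletedAccount", 7: "Invalid",
             8: "Unknown", 9: "Computer"}

# Constructed sample output (domain SID, names and RIDs are made up).
SAMPLE_ENUMDOMUSERS = """
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]
"""

SAMPLE_LOOKUPSIDS = r"""
S-1-5-21-1111-2222-3333-500 CORP\Administrator (1)
S-1-5-21-1111-2222-3333-501 CORP\Guest (1)
S-1-5-21-1111-2222-3333-512 CORP\Domain Admins (2)
S-1-5-21-1111-2222-3333-1105 CORP\svc_backup (1)
S-1-5-21-1111-2222-3333-1106 *unknown*\*unknown* (8)
"""


def parse_enumdomusers(text):
    """List of {name, rid}; RIDs are printed in hex and converted to int."""
    return [{"name": m["name"], "rid": int(m["rid"], 16)}
            for m in ENUMDOMUSERS_RE.finditer(text)]


def parse_lookupsids(text):
    """List of {sid, rid, name, type}; the RID is the last SID component."""
    out = []
    for line in text.splitlines():
        m = LOOKUPSIDS_RE.match(line.strip())
        if m:
            out.append({"sid": m["sid"],
                        "rid": int(m["sid"].rsplit("-", 1)[1]),
                        "name": m["name"],
                        "type": SID_TYPES.get(int(m["type"]), "Unknown")})
    return out


def build_inventory(users, lookups):
    """Join both listings on RID -> {rid: {name, sid, type}}.

    Entries that only came from enumdomusers are users by definition (SAMR
    user enumeration) and carry no SID until lookupsids supplies one.
    """
    inv = {u["rid"]: {"name": u["name"], "sid": None, "type": "User"} for u in users}
    for e in lookups:
        rec = inv.setdefault(e["rid"], {"name": e["name"], "sid": None, "type": None})
        rec["sid"], rec["type"] = e["sid"], e["type"]
        if rec["type"] != "Unknown":
            rec["name"] = e["name"]  # prefer the DOMAIN\name form when it resolved
    return inv


def unresolved_rids(inv):
    """RIDs that lookupsids could not map to an account (type 8, Unknown)."""
    return sorted(rid for rid, r in inv.items() if r["type"] == "Unknown")


if __name__ == "__main__":
    inventory = build_inventory(parse_enumdomusers(SAMPLE_ENUMDOMUSERS),
                                parse_lookupsids(SAMPLE_LOOKUPSIDS))
    for rid in sorted(inventory):
        r = inventory[rid]
        print(f'{rid:>6}  {r["type"] or "?":<14} {r["name"]:<28} {r["sid"] or "-"}')
    print("unresolved:", unresolved_rids(inventory))
```

Capture the real listings with `rpcclient -U "" -N 10.0.0.3 -c enumdomusers` and `rpcclient -U "" -N 10.0.0.3 -c "lookupsids S-1-5-21-...-500"` (the -c flag runs one or more commands non-interactively), then pass each file's contents to the matching parser. An inventory with a populated SID column from an anonymous session is direct evidence that null-session access to SAMR and LSARPC is still enabled on that host.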


Last updated 2 years ago
