135, 593 - MSRPC
Enumeration
You can query the RPC locator service (the endpoint mapper) and individual RPC endpoints to catalog the services running over TCP, UDP, HTTP, and SMB (via named pipes). Each returned IFID value represents an RPC service; see Notable RPC Interfaces. By default, impacket's rpcdump.py will try to match the IFIDs it finds against a list of well-known endpoints.
impacket rpcdump.py
Dump the list of RPC endpoints.
impacket samrdump.py
List system user accounts, available resource shares, and other sensitive information exported through the SAMR (Security Account Manager Remote) interface.
msrpc-enum NSE Script
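As an added example (not code from this page, impacket, or nmap), a small parser for rpcdump-style output that groups interfaces by transport and lists IFIDs rpcdump could not match, so an auditor can inventory what a host exposes over named pipes, TCP, and HTTP. The sample output is constructed in the Protocol/Provider/UUID/Bindings layout rpcdump.py prints (assumed), and the second UUID is a placeholder, not a real interface.

```python
import re
from collections import defaultdict
# Constructed sample (not real rpcdump.py output) in the layout rpcdump prints.
# "Protocol: N/A" is how rpcdump marks an IFID it could not match; the second
# UUID is a made-up placeholder, not a real RPC interface.
SAMPLE_RPCDUMP = r"""
Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_np:\\DC01[\PIPE\lsass]
          ncacn_ip_tcp:10.0.0.5[49667]

Protocol: N/A
Provider: N/A
UUID    : DEADBEEF-0000-4000-8000-000000000001 v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49670]
          ncacn_http:10.0.0.5[49680]
"""

def parse_rpcdump(text):
    """Parse rpcdump-style blocks into dicts: protocol, uuid, version, bindings per transport."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Protocol:"):
            current = {"protocol": line.split(":", 1)[1].strip(), "uuid": None,
                       "version": None, "bindings": defaultdict(list)}
            entries.append(current)
        elif line.startswith("UUID") and current is not None:
            m = re.search(r"([0-9A-Fa-f-]{36})\s+v([\d.]+)", line)
            if m:
                current["uuid"], current["version"] = m.group(1).lower(), m.group(2)
        elif current is not None and line.startswith(" ") and ":" in line:
            transport, _, endpoint = line.strip().partition(":")  # e.g. ncacn_np
            current["bindings"][transport].append(endpoint)
    return entries

def exposure_summary(entries):
    """Group interfaces by transport (named pipe, TCP, HTTP) and list unmatched IFIDs,
    which should be identified by hand before signing off on the host's exposure."""
    by_transport, unmatched = defaultdict(set), []
    for e in entries:
        name = e["protocol"] if e["protocol"] != "N/A" else e["uuid"]
        if e["protocol"] == "N/A":
            unmatched.append(e["uuid"])
        for transport in e["bindings"]:
            by_transport[transport].add(name)
    return dict(by_transport), unmatched
```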
Query RPC
The rpcclient tool can be used to interact with individual RPC endpoints via named pipes. By default, Windows systems and Windows 2003 domain controllers allow anonymous (null session) access to SMB, so these interfaces can be queried in this way.
Note: If null session access is not permitted, a valid username and password must be provided.
rpcclient
Commands that you can issue to SAMR, LSARPC, and LSARPC-DS.
| Command | Interface | Description |
|---|---|---|
| queryuser | SAMR | Retrieve user information. |
| querygroup | SAMR | Retrieve group information. |
| querydominfo | SAMR | Retrieve domain information. |
| enumdomusers | SAMR | Enumerate domain users. |
| enumdomgroups | SAMR | Enumerate domain groups. |
| createdomuser | SAMR | Create a domain user. |
| deletedomuser | SAMR | Delete a domain user. |
| lookupnames | LSARPC | Look up usernames to SID values. |
| lookupsids | LSARPC | Look up SIDs to usernames (RID cycling). |
| lsaaddacctrights | LSARPC | Add rights to a user account. |
| lsaremoveacctrights | LSARPC | Remove rights from a user account. |
| dsroledominfo | LSARPC-DS | Get primary domain information. |
| dsenumdomtrusts | LSARPC-DS | Enumerate trusted domains within an AD forest. |