# 135, 593 - MSRPC

## <mark style="color:red;">Enumeration</mark> <a href="#enumeration" id="enumeration"></a>

You can query the RPC locator service and individual RPC endpoints to catalog services running over TCP, UDP, HTTP, and SMB (via named pipes).

Each returned IFID value represents an RPC service. See Notable RPC Interfaces.

By default, `impacket` tries to match each returned IFID against its built-in list of well-known endpoints.

### <mark style="color:blue;">**impacket rpcdump.py**</mark>

Dump the list of RPC endpoints.

```sh
rpcdump.py 10.0.0.3
```

<details>

<summary>Parameters</summary>

* `target`: `[[domain/]username[:password]@]address`
* `-port <ports>`: Destination port to connect to SMB server. Default: 135.

</details>
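The endpoint listing is easier to review as an inventory keyed by IFID: which interface each UUID is, which protocol sequences it is bound to, and which interfaces are reachable directly over TCP or HTTP rather than only through SMB named pipes (those are the bindings a host firewall or RPC filter has to cover). The script below is an added example, not tooling from the page or from impacket. It parses records in the shape `rpcdump.py` prints (the sample is constructed; the field labels and the small IFID table are assumptions for illustration) and reports what is exposed outside SMB.

```python
"""Turn rpcdump.py-style endpoint mapper output into an interface inventory."""
import re

# Small table of well-known interface UUIDs (IFIDs). Assumed here for
# illustration; impacket ships a much larger mapping.
KNOWN_IFIDS = {
    "12345778-1234-ABCD-EF00-0123456789AC": "SAMR",
    "12345778-1234-ABCD-EF00-0123456789AB": "LSARPC",
    "4B324FC8-1670-01D3-1278-5A47BF6EE188": "SRVSVC",
    "E1AF8308-5D1F-11C9-91A4-08002B14A0FA": "Endpoint Mapper",
}

# A binding line is "<protocol sequence>:<endpoint>", e.g. ncacn_ip_tcp:10.0.0.3[135]
BINDING_RE = re.compile(r"^(ncacn_\w+|ncadg_\w+):(.*)$")

# Constructed sample in the layout rpcdump.py uses (labels assumed).
SAMPLE = r"""Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\samr]
          ncacn_ip_tcp:10.0.0.3[49667]

Protocol: N/A
Provider: N/A
UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0
Bindings:
          ncacn_np:\\DC01[\pipe\lsarpc]

Protocol: [MS-RPCE]: Remote Management Interface
Provider: rpcss.dll
UUID    : E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0
Bindings:
          ncacn_ip_tcp:10.0.0.3[135]
          ncacn_http:10.0.0.3[593]
"""


def parse_rpcdump(text):
    """Return one dict per record: protocol, provider, uuid, version, bindings."""
    records, current, in_bindings = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the Bindings block
            in_bindings = False
            continue
        if line.startswith("Protocol:"):
            current = {"protocol": line.split(":", 1)[1].strip(), "provider": "",
                       "uuid": "", "version": "", "bindings": []}
            records.append(current)
            in_bindings = False
        elif current is None:
            continue
        elif line.startswith("Provider:"):
            current["provider"] = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):     # "UUID    : <uuid> v<major>.<minor>"
            uuid, _, version = line.split(":", 1)[1].strip().partition(" ")
            current["uuid"], current["version"] = uuid.upper(), version.strip()
        elif line.startswith("Bindings:"):
            in_bindings = True
        elif in_bindings:
            match = BINDING_RE.match(line)
            if match:
                current["bindings"].append((match.group(1), match.group(2)))
    return records


def inventory(records):
    """Merge records by IFID: name, versions, protocol sequences and endpoints."""
    inv = {}
    for rec in records:
        if not rec["uuid"]:
            continue
        name = KNOWN_IFIDS.get(rec["uuid"]) or (
            rec["protocol"] if rec["protocol"] != "N/A" else "unknown")
        entry = inv.setdefault(rec["uuid"], {"name": name, "versions": set(),
                                             "protseqs": set(), "endpoints": []})
        entry["versions"].add(rec["version"])
        for protseq, endpoint in rec["bindings"]:
            entry["protseqs"].add(protseq)
            entry["endpoints"].append(f"{protseq}:{endpoint}")
    return inv


def exposed_outside_smb(inv):
    """IFIDs bound to something other than named pipes (TCP, UDP, HTTP)."""
    return sorted(uuid for uuid, e in inv.items() if e["protseqs"] - {"ncacn_np"})


if __name__ == "__main__":
    inv = inventory(parse_rpcdump(SAMPLE))
    for uuid, entry in inv.items():
        print(f"{uuid} {entry['name']} {sorted(entry['protseqs'])}")
    print("reachable without SMB:", exposed_outside_smb(inv))
```

To run it against a real host, replace `SAMPLE` with the captured output of `rpcdump.py`; the grouping by IFID matters because the same interface often appears under several bindings, and only the non-`ncacn_np` ones are reachable when SMB is blocked.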

### <mark style="color:blue;">**impacket samrdump.py**</mark>

List system user accounts, available resource shares and other sensitive information exported through the SAMR (Security Account Manager Remote) interface.

```sh
samrdump.py 10.0.0.3
```

<details>

<summary>Parameters</summary>

* `target`: `[[domain/]username[:password]@]address`
* `-port <ports>`: Destination port to connect to SMB server. Default: 445.

</details>

### [<mark style="color:blue;">**msrpc-enum**</mark>](https://nmap.org/nsedoc/scripts/msrpc-enum.html) <mark style="color:blue;">**NSE Script**</mark>

```sh
nmap -sV --script msrpc-enum -Pn 10.0.0.3
```

## <mark style="color:red;">Query RPC</mark> <a href="#query-rpc" id="query-rpc"></a>

`rpcclient` can be used to interact with individual RPC interfaces over SMB named pipes. By default, Windows systems and Windows 2003 domain controllers allow anonymous (null session) access to SMB, so these interfaces can be queried without credentials.

Note: If null session access is not permitted, a valid username and password must be provided.

### <mark style="color:blue;">**rpcclient**</mark>

```sh
rpcclient -U "" -N 10.0.0.3
```

<details>

<summary>Parameters</summary>

* `-U`: Set the network username.
* `-N`: Don’t ask for a password.

</details>

Commands that can be issued against the SAMR, LSARPC, and LSARPC-DS interfaces:

| Command               | Interface | Description                                   |
| --------------------- | --------- | --------------------------------------------- |
| `queryuser`           | SAMR      | Retrieve user information.                    |
| `querygroup`          | SAMR      | Retrieve group information.                   |
| `querydominfo`        | SAMR      | Retrieve domain information.                  |
| `enumdomusers`        | SAMR      | Enumerate domain users.                       |
| `enumdomgroups`       | SAMR      | Enumerate domain groups.                      |
| `createdomuser`       | SAMR      | Create a domain user.                         |
| `deletedomuser`       | SAMR      | Delete a domain user.                         |
| `lookupnames`         | LSARPC    | Look up usernames to SID values.              |
| `lookupsids`          | LSARPC    | Look up SIDs to usernames (RID cycling).      |
| `lsaaddacctrights`    | LSARPC    | Add rights to a user account.                 |
| `lsaremoveacctrights` | LSARPC    | Remove rights from a user account.            |
| `dsroledominfo`       | LSARPC-DS | Get primary domain information.               |
| `dsenumdomtrusts`     | LSARPC-DS | Enumerate trusted domains within an AD forest. |
