# 135, 593 - MSRPC

## <mark style="color:red;">Enumeration</mark> <a href="#enumeration" id="enumeration"></a>

You can query the RPC locator service and individual RPC endpoints to catalog services running over TCP, UDP, HTTP, and SMB (via named pipes).

Each returned IFID value represents an RPC service. See Notable RPC Interfaces.

By default, `impacket` will try to match them with a list of well known endpoints.

### <mark style="color:blue;">**impacket pcdump.py**</mark>

Dump the list of RPC endpoints.

```sh
rpcdump.py 10.0.0.3
```

<details>

<summary>Parameters</summary>

* `target`: `[[domain/]username[:password]@]address`
* `-port <ports>`: Destination port to connect to SMB server. Default: 135.

</details>

### <mark style="color:blue;">**impacket samrdump.py**</mark>

List system user accounts, available resource shares and other sensitive information exported through the SAMR (Security Account Manager Remote) interface.

```sh
samrdump.py 10.0.0.3
```

<details>

<summary>Parameters</summary>

* `target`: `[[domain/]username[:password]@]address`
* `-port <ports>`: Destination port to connect to SMB server. Default: 445.

</details>

### [<mark style="color:blue;">**msrpc-enum**</mark>](https://nmap.org/nsedoc/scripts/msrpc-enum.html) <mark style="color:blue;">**NSE Script**</mark>

```sh
nmap -sV -script msrpc-enum -Pn 10.0.0.3
```

## <mark style="color:red;">Query RPC</mark> <a href="#query-rpc" id="query-rpc"></a>

The `rpcclient` can be used to interact with individual RPC endpoints via named pipes. By default, Windows systems and Windows 2003 domain controllers allow anonymous (Null Sessions) access to SMB, so these interfaces can be queried in this way.

Note: If null session access is not permitted, a valid username and password must be provided.

### <mark style="color:blue;">**rpcclient**</mark>

```sh
rpcclient -U "" -N 10.0.0.3
```

<details>

<summary>Parameters</summary>

* `-U`: Set the network username.
* `-N`: Don’t ask for a password.

</details>

Commands that you can issue to SAMR, LSARPC, and LSARPC-DS.

| Command               | Interface | Description                                   |
| --------------------- | --------- | --------------------------------------------- |
| `queryuser`           | SAMR      | Retrieve user information.                    |
| `querygroup`          | SAMR      | Retrieve group information.                   |
| `querydominfo`        | SAMR      | Retrieve domain information.                  |
| `enumdomusers`        | SAMR      | Enumerate domain users.                       |
| `enumdomgroups`       | SAMR      | Enumerate domain groups.                      |
| `createdomuser`       | SAMR      | Create a domain user.                         |
| `deletedomuser`       | SAMR      | Delete a domain user.                         |
| `lookupnames`         | LSARPC    | Look up usernames to SID values.              |
| `lookupsids`          | LSARPC    | Look up SIDs to usernames (RID cycling).      |
| `lsaaddacctrights`    | LSARPC    | Add rights to a user account.                 |
| `lsaremoveacctrights` | LSARPC    | Remove rights from a user account.            |
| `dsroledominfo`       | LSARPC-DS | Get primary domain information.               |
| `dsenumdomtrusts`     | LSARPC-DS | Enumerate trusted domains within an AD forest |

<br>