RPC

RPCClient

Connect with a null session (no credentials).

rpcclient -U '' -N 10.10.10.10

Connect as a domain user (you are prompted for the password).

rpcclient -U 'qu35t' 10.10.10.10

Enumeration

List all users.

enumdomusers

Get information about a user (by RID).

queryuser 0x450

List all groups.

enumdomgroups

Get information about a group (by RID).

querygroup 0x450

Show members of a group.

querygroupmem 0x450

List printers.

enumprinters

List all domains.

enumdomains

Get information about the domain.

querydominfo

List all shares.

netshareenumall

Get share information.

netsharegetinfo notes

Look up the SID for an account name.

lookupnames qu35t

Display account information for all users.

querydisplayinfo

Resolve a SID to its account name.

lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008

Brute force user RIDs (RID cycling) over a null session. queryuser expects the RID in hex, so the decimal counter is converted with printf.

for i in $(seq 500 1100); do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x' $i)" | grep -E "User Name|user_rid|group_rid" && echo ""; done
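The lookupsids entry and the RID-cycling loop rely on the same detail: a domain account's SID is the domain SID followed by the account RID, and queryuser wants that RID in hex. The Python script below is an added example, not part of the original cheatsheet: it parses a constructed enumdomusers listing, converts between RIDs and full SIDs, generates the queryuser commands the loop issues, and flags accounts whose RID is well-known (the built-in Administrator keeps RID 500 even when renamed, which is why cycling starts at 500 and why a defender checks RIDs rather than names). The domain SID constant is constructed to match the page's lookupsids example; on a real host it comes from rpcclient's lsaquery command.

```python
"""Map between the RIDs rpcclient prints and full domain SIDs.

Added example that parses constructed rpcclient output offline; it is not
part of the original cheatsheet.
"""
import re

# Constructed sample of `enumdomusers` output (not captured from a real host).
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[qu35t] rid:[0x3f0]
"""

# Domain SID as rpcclient's `lsaquery` reports it; constructed here so that it
# matches the SID used in the `lookupsids` example on the page.
DOMAIN_SID = "S-1-5-21-4254423774-1266059056-3197185112"

# Well-known domain RIDs: these never change, even if the account is renamed.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt (KDC service account)",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

_USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]*)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")
_DOMAIN_SID = re.compile(r"^(?P<domain>S-1-5-21(?:-\d+){3})-(?P<rid>\d+)$")


def parse_enumdomusers(text):
    """Return {account name: RID as int} from `enumdomusers` output."""
    users = {}
    for line in text.splitlines():
        match = _USER_LINE.match(line.strip())
        if match:  # ignore the banner and any other noise rpcclient prints
            users[match.group("name")] = int(match.group("rid"), 16)
    return users


def rid_to_sid(domain_sid, rid):
    """Full SID for a RID, e.g. 1008 -> S-1-5-21-...-1008."""
    return f"{domain_sid}-{int(rid)}"


def split_sid(sid):
    """Split a domain SID into (domain part, RID); rejects non-domain SIDs."""
    match = _DOMAIN_SID.match(sid)
    if not match:
        raise ValueError(f"not a domain account SID: {sid}")
    return match.group("domain"), int(match.group("rid"))


def queryuser_command(sid):
    """The rpcclient `queryuser` command for the account behind a SID.

    rpcclient wants the RID in hex, which is why the RID-cycling loop on the
    page runs its decimal counter through printf '%x'.
    """
    _, rid = split_sid(sid)
    return f"queryuser 0x{rid:x}"


def rid_cycle_commands(start, end):
    """The `-c` arguments the RID-cycling loop issues for a decimal range."""
    return [f"queryuser 0x{rid:x}" for rid in range(start, end + 1)]


def well_known_accounts(users):
    """Names whose RID is well-known, e.g. a renamed Administrator (RID 500)."""
    return {name: WELL_KNOWN_RIDS[rid] for name, rid in users.items() if rid in WELL_KNOWN_RIDS}


if __name__ == "__main__":
    users = parse_enumdomusers(SAMPLE_ENUMDOMUSERS)
    for name, rid in users.items():
        print(f"{name:<16} rid={rid:<5} {rid_to_sid(DOMAIN_SID, rid)}")
    print(queryuser_command("S-1-5-21-4254423774-1266059056-3197185112-1008"))
    print(well_known_accounts(users))
```

The page's lookupsids SID ends in 1008, so queryuser_command returns `queryuser 0x3f0`, the query that pairs with that line. Feed the script real enumdomusers output instead of the constructed sample to get the same mapping for a live domain.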

With an Impacket script.

samrdump.py 10.10.10.10

Set a user's password from an rpcclient session (setuserinfo2 with info level 23).

setuserinfo2 'qu35t' 23 'NewPassw0rd!'

References

  • samrdump.py
