RPC
RPCClient
Connect with a null session (empty user, -N suppresses the password prompt).
rpcclient -U '' -N 10.10.10.10
Connect as a named user (prompts for the password).
rpcclient -U 'qu35t' 10.10.10.10
Enumeration
List all users.
enumdomusers
Get information about a user (by RID).
queryuser 0x450
List all groups.
enumdomgroups
Get information about a group (by RID).
querygroup 0x450
Show members of a group.
querygroupmem 0x450
List all printers.
enumprinters
List all domains.
enumdomains
Get information about the domain.
querydominfo
List all shares.
netshareenumall
Get information about a share.
netsharegetinfo notes
Resolve a name to its SID.
lookupnames qu35t
List users with their display information.
querydisplayinfo
Resolve a SID to its name.
lookupsids S-1-5-21-4254423774-1266059056-3197185112-1008
Brute-forcing user RIDs.
for i in $(seq 500 1100); do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x' "$i")" | grep -E "User Name|user_rid|group_rid" && echo; done
With an impacket script.
samrdump.py 10.10.10.10
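Detecting the RID sweep above from the defender's side, as an added example that is not part of the original page: it groups Windows Security event 4661 (SAM object handle requested) records by subject and flags any subject that opens many distinct SAM_USER objects inside a short window. It assumes the Audit SAM subcategory is enabled so that 4661 is logged at all; the records are constructed samples that reuse the domain SID from this page, with a simplified rendering of the event fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_SID = "S-1-5-21-4254423774-1266059056-3197185112"  # domain SID seen on this page

# Constructed sample Security-log records (not real telemetry). Event 4661,
# "A handle to an object was requested", is written when Audit SAM is enabled;
# a null-session RID sweep appears as ANONYMOUS LOGON opening many SAM_USER
# objects with consecutive RIDs within a few seconds.
SAMPLE_EVENTS = [
    {"time": (datetime(2024, 5, 1, 10, 0, 0) + timedelta(seconds=i)).isoformat(),
     "id": 4661, "subject": "ANONYMOUS LOGON", "object_type": "SAM_USER",
     "object_name": f"{DOMAIN_SID}-{500 + i}"}
    for i in range(40)
] + [
    # normal activity: one authenticated lookup and an unrelated logon event
    {"time": "2024-05-01T10:00:30", "id": 4661, "subject": "qu35t",
     "object_type": "SAM_USER", "object_name": f"{DOMAIN_SID}-1008"},
    {"time": "2024-05-01T10:00:31", "id": 4624, "subject": "ANONYMOUS LOGON",
     "object_type": None, "object_name": None},
]


def detect_rid_sweep(events, window_s=60, min_rids=20):
    """Return (subject, first_rid, last_rid, distinct_rids) for every subject
    that opened at least min_rids distinct SAM_USER objects inside window_s."""
    per_subject = defaultdict(list)
    for ev in events:
        if ev["id"] != 4661 or ev["object_type"] != "SAM_USER":
            continue
        rid = int(ev["object_name"].rsplit("-", 1)[1])  # RID is the last SID component
        per_subject[ev["subject"]].append((datetime.fromisoformat(ev["time"]), rid))

    alerts = []
    for subject, hits in per_subject.items():
        hits.sort()
        best, start = set(), 0
        for end, (t_end, _) in enumerate(hits):
            # slide the window start forward until it spans at most window_s
            while t_end - hits[start][0] > timedelta(seconds=window_s):
                start += 1
            rids = {r for _, r in hits[start:end + 1]}
            if len(rids) > len(best):
                best = rids
        if len(best) >= min_rids:
            alerts.append((subject, min(best), max(best), len(best)))
    return alerts
```

Legitimate tooling that walks the SAM (inventory agents, some backup products) trips the same rule, so tune window_s and min_rids against a baseline before alerting on it.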
setuserinfo2 'qu35t' 23 'NewPassw0rd!'