coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
d03ebfbcfc
hacktricks/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md

112 lines
11 KiB
Markdown
Raw Normal View History

GitBook: [#3557] No subject
2022-10-04 21:36:29 +00:00
# rpcclient enumeration
<details>
update twitter
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
GitBook: [#3557] No subject
2022-10-04 21:36:29 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
update twitter
2023-04-25 18:35:28 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
hacktricks twitch
2022-12-05 22:29:21 +00:00
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
GitBook: [#3557] No subject
2022-10-04 21:36:29 +00:00
</details>
GitBook: [#3559] No subject
2022-10-04 23:49:59 +00:00
### **What is a RID**
A [Relative Identifier (RID)](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) is a **unique identifier** (represented in hexadecimal format) utilized by Windows to **track and identify objects**. To explain how this fits in, let's look at the examples below:
* The [SID](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) for the NAME\_DOMAIN.LOCAL domain is: `S-1-5-21-1038751438-1834703946-36937684957`.
* When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
* So the domain user `john` with a RID:\[0x457] Hex 0x457 would = decimal `1111`, will have a full user SID of: `S-1-5-21-1038751438-1834703946-36937684957-1111`.
* This is unique to the `john` object in the NAME\_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.
Definition from [**here**](https://academy.hackthebox.com/module/143/section/1269).
### **Enumeration with rpcclient**
GitBook: [#3557] No subject
2022-10-04 21:36:29 +00:00
**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials).
#### Server Info
* **Server Info**: `srvinfo`
#### Users enumeration
* **List users**: `querydispinfo` and `enumdomusers`
* **Get user details**: `queryuser <0xrid>`
* **Get user groups**: `queryusergroups <0xrid>`
* **GET SID of a user**: `lookupnames <username>`
* **Get users aliases**: `queryuseraliases [builtin|domain] <sid>`
```bash
# Brute-Force users RIDs
for i in $(seq 500 1100); do
rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done
# You can also use samrdump.py for this purpose
```
#### Groups enumeration
* **List groups**: `enumdomgroups`
* **Get group details**: `querygroup <0xrid>`
* **Get group members**: `querygroupmem <0xrid>`
#### Aliasgroups enumeration
* **List alias**: `enumalsgroups <builtin|domain>`
* **Get members**: `queryaliasmem builtin|domain <0xrid>`
#### Domains enumeration
* **List domains**: `enumdomains`
* **Get SID**: `lsaquery`
* **Domain info**: `querydominfo`
#### Shares enumeration
* **Enumerate all available shares**: `netshareenumall`
* **Info about a share**: `netsharegetinfo <share>`
#### More SIDs
* **Find SIDs by name**: `lookupnames <username>`
* **Find more SIDs**: `lsaenumsid`
* **RID cycling (check more SIDs)**: `lookupsids <sid>`
#### **Extra commands**
| **Command** | **Interface** | **Description** |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| queryuser | SAMR | Retrieve user information |
| querygroup | Retrieve group information | |
| querydominfo | Retrieve domain information | |
| enumdomusers | Enumerate domain users | |
| enumdomgroups | Enumerate domain groups | |
| createdomuser | Create a domain user | |
| deletedomuser | Delete a domain user | |
| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | |
| lsaaddacctrights | Add rights to a user account | |
| lsaremoveacctrights | Remove rights from a user account | |
| dsroledominfo | LSARPC-DS | Get primary domain information |
| dsenumdomtrusts | Enumerate trusted domains within an AD forest | |
To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md).
<details>
update twitter
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
GitBook: [#3557] No subject
2022-10-04 21:36:29 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
update twitter
2023-04-25 18:35:28 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
hacktricks twitch
2022-12-05 22:29:21 +00:00
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
GitBook: [#3557] No subject
2022-10-04 21:36:29 +00:00
</details>
Reference in New Issue Copy Permalink