RPC (111)

Port 111 is the SunRPC portmapper (rpcbind), which is what the nmap rpcinfo script queries. The MS-RPC endpoint mapper that rpcdump talks to listens on 135, and rpcclient speaks MS-RPC over SMB (445), so the checks below cover all three.

https://www.thehacker.recipes/ad/recon/ms-rpc

Enumerate

Portmapper (111) service listing, and the MS-RPC endpoint mapper (135) via impacket (rpcdump also accepts [domain/]user:pass@ before the target when anonymous access is refused):

nmap -sV -p 111 --script=rpcinfo $IP
impacket-rpcdump 10.10.11.174

Rpcclient

Connect with domain credentials; for a null session pass an empty username and -N (no password prompt). The commands below are typed at the rpcclient $> prompt, or passed with -c 'cmd1; cmd2' to run them non-interactively.

rpcclient -U username%password ip_or_hostname
rpcclient -U 'V.Ventz%HotelCalifornia194!' 192.168.217.175

User enumeration (list all domain users)

enumdomusers 

Query detailed info about a user (use RID from enumdomusers)

queryuser RID             

List computers in the domain

enumcomputers

List all domain groups (the RIDs returned here are also useful seeds for RID cycling)

enumdomgroups

Query detailed info about a group (use RID from enumdomgroups)

querygroup RID

Get name from SID

lookupsids <SID>  

Get name from RID

lookuprids <RID>  

Get users in a group (older method)

querygroupmem RID
Get the domain SID (and domain name)

lsaquery

Get the domain password policy (min length, history, lockout threshold)

getdompwinfo

Get the password policy as it applies to a specific user (takes the user's RID)

getusrdompwinfo RID

List shared folders

netshareenum

Get information about a specific share

netshareinfo SHARENAME

Server info (OS version, server type)

srvinfo
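The enumdomusers-then-queryuser loop above, scripted: an added example that is not part of the original page. It drives rpcclient non-interactively with -c, parses the `user:[name] rid:[0x..]` lines enumdomusers prints into name/decimal-RID pairs, and then runs queryuser for each RID. The target IP, the credentials and the sample output lines are placeholders; rpcclient (Samba) must be installed for the network parts.

```shell
#!/bin/sh
# Added example (not from the original page): drive rpcclient non-interactively
# with -c and turn `enumdomusers` output into "<name> <decimal rid>" pairs so
# each RID can be fed to `queryuser`. Target IP and credentials are placeholders.
set -eu

# rpc <ip> <user%pass or ""> <rpcclient command string>
# An empty credential string selects a null session (-U '' -N).
rpc() {
    if [ -n "$2" ]; then
        rpcclient -U "$2" "$1" -c "$3"
    else
        rpcclient -U '' -N "$1" -c "$3"
    fi
}

# enumdomusers prints one line per account:   user:[Administrator] rid:[0x1f4]
# Read such lines on stdin and emit "<name> <rid in decimal>".
parse_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)] rid:\[0x\([0-9a-fA-F]*\)].*/\1 \2/p' |
    while read -r name hexrid; do
        printf '%s %d\n' "$name" "$((0x$hexrid))"
    done
}

# Enumerate users, then query each one by RID (the manual
# enumdomusers -> queryuser workflow from the cheat sheet).
rpc_users_detail() {   # rpc_users_detail <ip> [user%pass]
    ip=$1; creds=${2:-}
    rpc "$ip" "$creds" enumdomusers | parse_enumdomusers |
    while read -r name rid; do
        printf '=== %s (rid %s)\n' "$name" "$rid"
        rpc "$ip" "$creds" "queryuser $rid"
    done
}

# Usage (placeholder target/creds):
#   rpc_users_detail 192.168.217.175 'V.Ventz%HotelCalifornia194!'
#   rpc_users_detail 10.10.10.1            # null session
```

Parsing the RID to decimal matters because queryuser, querygroup and querygroupmem all accept a decimal RID, while enumdomusers prints it in hex.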



## **Bruteforce SIDs**   
RID cycling with impacket's lookupsid.py: it fetches the domain SID, then asks the target to resolve every SID up to -maxRid (default 4000) and prints the ones that exist. A null session is often enough against a domain controller; -no-pass skips the password prompt.

lookupsid.py anonymous@10.10.10.1 -no-pass

## **Bruteforce RIDs**   
The same technique from CrackMapExec/NetExec; --rid-brute takes an optional maximum RID (default 4000), and any RIDs already seen in enumdomusers/enumdomgroups tell you how high the range needs to go.

crackmapexec smb 10.10.10.1 -u '' -p '' --rid-brute
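RID cycling done by hand with rpcclient, as an added example that is not part of the original page and not the code of lookupsid.py or CrackMapExec: it takes the domain SID from lsaquery, resolves batches of SID-RID candidates with lookupsids, and keeps only the SIDs the target resolves (lookupsids reports type 8 for unknown SIDs). The target IP, the RID range and the constructed sample lines are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): RID cycling with rpcclient,
# the idea behind lookupsid.py and --rid-brute. Target IP, ranges and the
# sample lines in the comments are placeholders/constructed.
set -eu

# lsaquery prints:
#   Domain Name: CORP
#   Domain Sid: S-1-5-21-111-222-333
# Extract the domain SID from such output on stdin.
parse_domain_sid() {
    sed -n 's/^Domain Sid: \(S-1-5-21-[0-9-]*\).*/\1/p'
}

# lookupsids prints one line per SID:   <sid> <DOMAIN\name> (<type>)
# lsa_SidType: 1 user, 2 domain group, 3 domain, 4 alias, 5 well-known group,
# 8 unknown (RID not in use), 9 computer.  Emit "rid type DOMAIN\name" for
# everything except unknown SIDs.
parse_lookupsids() {
    sed -n 's/^S-1-5-21-[0-9-]*-\([0-9]*\) \(.*\) (\([0-9]\))$/\1 \3 \2/p' |
    awk '$2 != 8 { print }'
}

# rid_cycle <ip> <first rid> <last rid>  (null session; add creds as needed)
# Batches 50 SIDs per lookupsids call to keep the number of round trips low.
rid_cycle() {
    ip=$1; start=$2; end=$3
    dom_sid=$(rpcclient -U '' -N "$ip" -c lsaquery | parse_domain_sid)
    [ -n "$dom_sid" ] || { echo "lsaquery returned no domain SID" >&2; return 1; }
    rid=$start
    while [ "$rid" -le "$end" ]; do
        batch=""; i=0
        while [ "$i" -lt 50 ] && [ "$rid" -le "$end" ]; do
            batch="$batch $dom_sid-$rid"
            rid=$((rid + 1)); i=$((i + 1))
        done
        rpcclient -U '' -N "$ip" -c "lookupsids$batch"
    done | parse_lookupsids
}

# Usage (placeholder target): rid_cycle 10.10.10.1 500 1500
```

Type 9 (computer) entries are worth keeping: machine accounts surface here even when user enumeration was denied, and the highest RID seen tells you whether the range should be extended.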