RPCCLIENT

rpcclientwww.samba.org

This is a Linux tool (part of the Samba suite) that allows you to make Remote Procedure Calls (RPCs) to Windows systems over SMB. It's often used by penetration testers and sysadmins to enumerate information from Windows hosts, like users, shares, policies, etc. It offers us many different requests with which we can execute specific functions on the SMB server to get information. The Remote Procedure Call (RPC) is a concept and a central tool to realize operational and work-sharing structures in networks and client-server architectures. The communication process via RPC includes passing parameters and the return of a function value.

ANONYMOUS CONNECTION

root@oco:~$ rpcclient -U "" 10.129.14.128
 Enter WORKGROUP\'s password:

 * The -U flag specifies the username. 
 * The empty string ("") tries to login with no username
    - use null/anonymous session (if allowed by the server)

CMDS

ENUMERATION

“Enumeration of an SMB server and its shares is possible if the server is misconfigured, such as when anonymous (null session) access is allowed.”

DISPLAY SERVER INFORMATION

rpcclient $> srvinfo
 DEVSMB         Wk Sv PrQ Unx NT SNT DEVSM
 platform_id     :       500
 os version      :       6.1
 server type     :       0x809a03

DISPLAY DEPLOYED DOMAINS

rpcclient $> enumdomains
 name:[DEVSMB] idx:[0x0]
 name:[Builtin] idx:[0x1]

QUERY DOMAIN INFORMATION

rpcclient $> querydominfo
 Domain:         DEVOPS
 Server:         DEVSMB
 Comment:        DEVSM
 Total Users:    2
 Total Groups:   0
 Total Aliases:  0
 Sequence No:    1632361158
 Force Logoff:   -1
 Domain Server State:    0x1
 Server Role:    ROLE_DOMAIN_PDC
 Unknown 3:      0x1

DISPLAY SHARES

rpcclient $> netshareenumall
 netname: print$
   remark: Printer Drivers
   path:   C:\var\lib\samba\printers
   password:
 netname: home
   remark: INFREIGHT Samba
   path:   C:\home\
   password:
 netname: dev
   remark: DEVenv
   path:   C:\home\sambauser\dev\
   password:
 netname: notes
   remark: CheckIT
   path:   C:\mnt\notes\
   password:
 netname: IPC$
   remark: IPC Service (DEVSM)
   path:   C:\tmp
   password:

rpcclient $> netsharegetinfo notes
 netname: notes
   remark: CheckIT
   path:   C:\mnt\notes\
   password:
   type:   0x0
   perms:  0
   max_uses:       -1
   num_uses:       1
 revision: 1
 type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE 
 DACL
        ACL     Num ACEs:       1       revision:       2
        ---
        ACE
                type: ACCESS ALLOWED (0) flags: 0x00 
                Specific bits: 0x1ff
                Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS 
                SID: S-1-1-0

USER ENUMERATION

rpcclient $> enumdomusers
 user:[mrb3n] rid:[0x3e8]
 user:[cry0l1t3] rid:[0x3e9]

rpcclient $> queryuser 0x3e9
 User Name   :   cry0l1t3
 Full Name   :   cry0l1t3
 Home Drive  :   \\devsmb\cry0l1t3
 Dir Drive   :
 Profile Path:   \\devsmb\cry0l1t3\profile
 Logon Script:
 Description :
 Workstations:
 Comment     :
 Remote Dial :
 Logon Time               :      Do, 01 Jan 1970 01:00:00 CET
 Logoff Time              :      Mi, 06 Feb 2036 16:06:39 CET
 Kickoff Time             :      Mi, 06 Feb 2036 16:06:39 CET
 Password last set Time   :      Mi, 22 Sep 2021 17:50:56 CEST
 Password can change Time :      Mi, 22 Sep 2021 17:50:56 CEST
 Password must change Time:      Do, 14 Sep 30828 04:48:05 CEST
 unknown_2[0..31]...
 user_rid :      0x3e9
 group_rid:      0x201
 acb_info :      0x00000014
 fields_present: 0x00ffffff
 logon_divs:     168
 bad_password_count:     0x00000000
 logon_count:    0x00000000
 padding1[0..7]...
 logon_hrs[0..21]...

rpcclient $> queryuser 0x3e8
 User Name   :   mrb3n
 Full Name   :
 Home Drive  :   \\devsmb\mrb3n
 Dir Drive   :
 Profile Path:   \\devsmb\mrb3n\profile
 Logon Script:
 Description :
 Workstations:
 Comment     :
 Remote Dial :
 Logon Time               :      Do, 01 Jan 1970 01:00:00 CET
 Logoff Time              :      Mi, 06 Feb 2036 16:06:39 CET
 Kickoff Time             :      Mi, 06 Feb 2036 16:06:39 CET
 Password last set Time   :      Mi, 22 Sep 2021 17:47:59 CEST
 Password can change Time :      Mi, 22 Sep 2021 17:47:59 CEST
 Password must change Time:      Do, 14 Sep 30828 04:48:05 CEST
 unknown_2[0..31]...
 user_rid :      0x3e8
 group_rid:      0x201
 acb_info :      0x00000010
 fields_present: 0x00ffffff
 logon_divs:     168
 bad_password_count:     0x00000000
 logon_count:    0x00000000
 padding1[0..7]...
 logon_hrs[0..21]...

GROUP ENUMERATION

rpcclient $> querygroup 0x201
 Group Name:     None
 Description:    Ordinary Users
 Group Attribute:7
 Num Members:2
 
 * due to certain restrictions based on the user, the querygroup may not produce
   pertinent results

BRUTE FORCING USER RIDS

The cmd queryuser <RID> is mostly allowed based on the RID and thus can be used along with the rpcclient utility to brute force the RIDs to get information

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

impacket/examples/samrdump.py at master · fortra/impacketGitHub

root@htb:~$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
 User Name   :   sambauser
 user_rid :      0x1f5
 group_rid:      0x201
		
 User Name   :   mrb3n
 user_rid :      0x3e8
 group_rid:      0x201
		
 User Name   :   cry0l1t3
 user_rid :      0x3e9
 group_rid:      0x201
 
 * An alternative to this would be a Python script from Impacket called samrdump.py.

PreviousRESPONDER NextR-SERVICES

Last updated 3 months ago