Pentesting Quick Reference OSCP and Beyond

Port 135 - RPC

PreviousPort 111 -RPC Bind NextPort 137 NetBios

Last updated 3 months ago

Port 135 - RPC

RPC Enumeration

Connect with null authentication

┌──(kali㉿kali)-[~/Desktop]
└─$ rpcclient -U "" -N 10.10.10.161
rpcclient $> ^C

Now enumerate users

└─$ rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
user:[l0v3] rid:[0x2581]

So, we have our usernames. I can list the groups as well:

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]          
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]            
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]

I can also look at a group for it’s members. For example, the Domain Admins group has one member, rid 0x1f4:

rpcclient $> querygroup 0x200          
        Group Name:     Domain Admins     
        Description:    Designated administrators of the domain
        Group Attribute:7              
        Num Members:1                  
rpcclient $> querygroupmem 0x200
        rid:[0x1f4] attr:[0x7]

That’s the Administrator account:

rpcclient $> queryuser 0x1f4            
        User Name   :   Administrator
        Full Name   :   Administrator
        Home Drive  :   
        Dir Drive   :      
        Profile Path:      
        Logon Script:
        Description :   Built-in account for administering the computer/domain
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Mon, 07 Oct 2019 06:57:07 EDT
        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
        Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
        Password last set Time   :      Wed, 18 Sep 2019 13:09:08 EDT
        Password can change Time :      Thu, 19 Sep 2019 13:09:08 EDT
        Password must change Time:      Wed, 30 Oct 2019 13:09:08 EDT
        unknown_2[0..31]...
        user_rid :      0x1f4
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000031
        padding1[0..7]...
        logon_hrs[0..21]...

RPC Enumeration

Use rpcinfo to list all RPC services on the target machine:

rpcinfo -p 10.129.202.41

PreviousPort 111 -RPC Bind NextPort 137 NetBios

Last updated 3 months ago

RPC Enumeration

Connect with null authentication

┌──(kali㉿kali)-[~/Desktop]
└─$ rpcclient -U "" -N 10.10.10.161
rpcclient $> ^C

Now enumerate users

└─$ rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
user:[l0v3] rid:[0x2581]

So, we have our usernames. I can list the groups as well:

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]          
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]            
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]

I can also look at a group for it’s members. For example, the Domain Admins group has one member, rid 0x1f4:

rpcclient $> querygroup 0x200          
        Group Name:     Domain Admins     
        Description:    Designated administrators of the domain
        Group Attribute:7              
        Num Members:1                  
rpcclient $> querygroupmem 0x200
        rid:[0x1f4] attr:[0x7]

That’s the Administrator account:

rpcclient $> queryuser 0x1f4            
        User Name   :   Administrator
        Full Name   :   Administrator
        Home Drive  :   
        Dir Drive   :      
        Profile Path:      
        Logon Script:
        Description :   Built-in account for administering the computer/domain
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Mon, 07 Oct 2019 06:57:07 EDT
        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
        Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
        Password last set Time   :      Wed, 18 Sep 2019 13:09:08 EDT
        Password can change Time :      Thu, 19 Sep 2019 13:09:08 EDT
        Password must change Time:      Wed, 30 Oct 2019 13:09:08 EDT
        unknown_2[0..31]...
        user_rid :      0x1f4
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000031
        padding1[0..7]...
        logon_hrs[0..21]...

RPC Enumeration

Use rpcinfo to list all RPC services on the target machine:

rpcinfo -p 10.129.202.41