Port 135 - RPC

RPC Enumeration

Connect with null authentication

Now enumerate users

So, we have our usernames. I can list the groups as well:

I can also look at a group for its members. For example, the Domain Admins group has one member, RID 0x1f4:

That’s the Administrator account:

RPC Enumeration

  • Use rpcinfo to list all RPC services on the target machine:

rpcinfo -p 10.129.202.41
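
An added example, not part of the original page: a Python audit that parses saved `rpcinfo -p` output from a host you administer and reports registered services that are not on an expected list. The sample output, the `EXPECTED` allowlist and the function names are constructed for illustration.

```python
"""Audit saved `rpcinfo -p` output against an allowlist of expected RPC services."""
from collections import defaultdict

# Constructed sample in the column layout rpcinfo -p prints (not from a real host).
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    3   udp  20048  mountd
    100024    1   tcp  41539  status
    390113    1   tcp   7937
"""

# Assumption: the services this host is meant to expose; adjust per host role.
EXPECTED = {"portmapper", "nfs"}


def parse_rpcinfo(text):
    """Return one dict per registration; the header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have numeric program, version and port columns.
        if len(parts) < 4 or not all(parts[i].isdigit() for i in (0, 1, 3)):
            continue
        program, vers, proto, port = parts[:4]
        # The service column is blank when the program number has no known name.
        service = parts[4] if len(parts) > 4 else f"unknown-{program}"
        rows.append({"program": int(program), "version": int(vers),
                     "proto": proto, "port": int(port), "service": service})
    return rows


def unexpected_services(rows, expected):
    """Map each service not on the allowlist to its sorted (proto, port) endpoints."""
    found = defaultdict(set)
    for row in rows:
        if row["service"] not in expected:
            found[row["service"]].add((row["proto"], row["port"]))
    return {name: sorted(endpoints) for name, endpoints in found.items()}


if __name__ == "__main__":
    report = unexpected_services(parse_rpcinfo(SAMPLE), EXPECTED)
    for name, endpoints in sorted(report.items()):
        listing = ", ".join(f"{proto}/{port}" for proto, port in endpoints)
        print(f"unexpected RPC service {name}: {listing}")
```

Each reported service is a candidate for disabling or for a firewall rule that limits which hosts can reach it.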
