Pentesting RPC

RPC
Remote Procedure Call (RPC) is a fundamental service used for inter-process communication in Windows environments. Ports 111, 139, and 334 are commonly associated with RPC services, allowing clients to interact with remote systems. Attackers and penetration testers often leverage RPC to enumerate domain information, extract user accounts, and even exploit misconfigurations.

RPC services are particularly useful in Active Directory penetration testing, as they enable enumeration of Domain Controllers (DCs), users, groups, and trust relationships. This page provides a comprehensive list of enumeration techniques and exploitation methods using rpcclient, enum4linux, and other tools.

Discovery and Enumeration

Use Nmap to identify RPC services running on the target IP or network. Scanning for open RPC-related ports can help identify exposed services.

nmap -sT -p 111,135,139,445,593,2049,3389,49152-65535 -Pn 10.1.1.1    #Check for common RPC-related ports
nmap -sV -sC --script=rpcinfo -p 111 10.1.1.1                         #Get RPC service details
nmap -p 111 --script=nfs-ls,nfs-showmount 10.1.1.1                    #Check for exposed NFS shares

Enumerating RPC Services

Once open RPC ports are found, use the following tools to list available services. I use several tools to enumerate RPC services, such as rpcinfo and rpcdump.py from impacket and showmount.

rpcinfo -p 10.1.1.1     #List available RPC services
rpcdump.py @10.1.1.1    #Extract RPC bindings and service details
showmount -e 10.1.1.1   #Identify exposed NFS shares via RPC

Checking for Open Named Pipes

Windows RPC often interacts with SMB named pipes, which can be enumerated for misconfiguration. smbclient, rpcclient and smbmap are some useful tools to check for open named pipes.

smbclient -L 10.1.1.1 -N      #List available SMB shares without authentication
rpcclient -U "" -N 10.1.1.1   #Check if null sessions are allowed on RPC
smbmap -H 10.1.1.1            #Identify readable and writable SMB shares

RPC Enumeration and Exploitation

After you’ve discovered active RPC services, you can use rpcclient to extract domain and system information.

Using RPCClient

Testing for if Null sessions are allowed. If anonymous RPC access is enabled, the following command will allow unauthenticated enumeration:

rpcclient -U "" -N 10.1.1.1             #Connect using a null session (no username or password)
rpcclient -U "" -N target.domain.com    #Attempt null session connection on a domain target

If you have domain credentials, you can perform authentication-based enumeration if null sessions are restricted.

rpcclient -U "DOMAIN\username%passwd" 10.1.1.1    #Authenticate with a domain user account
rpcclient -U "admin%password" 10.1.1.1            #Authenticate with administrator credentials
rpcclient -U "user%pass" -W WORKGROUP 10.1.1.1    #Specify authentication within a workgroup environment

Extracting Domain Information

Once you have connected to an RPC session using rpcclient you can extract useful domain information for further attacks against the environment.

dsr_getdcname        #Retrieve the name of the Domain Controller
dsr_enumtrustdom     #Enumerate trust relationships (e.g., parent/child domains, external trusts)
lsaquery             #Retrieve the domain SID (Security Identifier)
lookupsids <SID>     #Convert a SID to a username
lookupnames <name>   #Convert a username to a SID
querydominfo         #Get domain security settings, such as lockout policies
querydispinfo        #List all users and groups within the domain
enumprinters         #Look for printer passwords

Enumerating Users via SAMR

The SAMR protocol allows the retrieval of domain users, groups, and security settings. However, Microsoft has restricted SAMR access in recent Windows updates.

enumdomains                   #Enumerate available domains in the SAM database
enumdomusers                  #List all domain users (similar to 'net user /domain')
enumalsgroups builtin         #List built-in local groups (e.g., Administrators, Guests)
enumalsgroups builtin         #List built-in local groups (e.g., Administrators, Guests)
enumdomgroups                 #List domain groups (similar to 'net group /domain')
queryaliasmem builtin 0x220   #Retrieve members of the Administrators group (SID 544)
query user 500                #Get details of the Administrator account (0x220 == RID 500)
querygroupmem 513             #Retrieve members of the "Domain Users" group
getdompwinfo                  #Extract password policy (complexity requirements, expiration, etc.)

Advanced Enumeration and Attacks

Bruteforcing Usernames with rpcclient

You can use the following bash script with rpcclient to brute force a list of usernames to discover valid accounts. This script attempts to log in without a password, identifying valid accounts.

for user in $(cat usernames.txt); do
  rpcclient -U "$user%" -N 10.1.1.1
done