Port 111/139/334 – RPC
Pentesting RPC
RPC services are particularly useful in Active Directory penetration testing, as they enable enumeration of Domain Controllers (DCs), users, groups, and trust relationships. This page provides a comprehensive list of enumeration techniques and exploitation methods using rpcclient, enum4linux, and other tools.
Discovery and Enumeration
Use Nmap to identify RPC services running on the target IP or network. Scanning for open RPC-related ports can help identify exposed services.
nmap -sT -p 111,135,139,445,593,2049,3389,49152-65535 -Pn 10.1.1.1 #Check for common RPC-related ports nmap -sV -sC --script=rpcinfo -p 111 10.1.1.1 #Get RPC service details nmap -p 111 --script=nfs-ls,nfs-showmount 10.1.1.1 #Check for exposed NFS shares
Enumerating RPC Services
Once open RPC ports are found, use the following tools to list available services. I use several tools to enumerate RPC services, such as rpcinfo and rpcdump.py from impacket and showmount.
rpcinfo -p 10.1.1.1 #List available RPC services rpcdump.py @10.1.1.1 #Extract RPC bindings and service details showmount -e 10.1.1.1 #Identify exposed NFS shares via RPC
Checking for Open Named Pipes
Windows RPC often interacts with SMB named pipes, which can be enumerated for misconfiguration. smbclient, rpcclient and smbmap are some useful tools to check for open named pipes.
smbclient -L 10.1.1.1 -N #List available SMB shares without authentication rpcclient -U "" -N 10.1.1.1 #Check if null sessions are allowed on RPC smbmap -H 10.1.1.1 #Identify readable and writable SMB shares
RPC Enumeration and Exploitation
After you’ve discovered active RPC services, you can use rpcclient to extract domain and system information.
Using RPCClient
Testing for if Null sessions are allowed. If anonymous RPC access is enabled, the following command will allow unauthenticated enumeration:
rpcclient -U "" -N 10.1.1.1 #Connect using a null session (no username or password) rpcclient -U "" -N target.domain.com #Attempt null session connection on a domain target
If you have domain credentials, you can perform authentication-based enumeration if null sessions are restricted.
rpcclient -U "DOMAIN\username%passwd" 10.1.1.1 #Authenticate with a domain user account rpcclient -U "admin%password" 10.1.1.1 #Authenticate with administrator credentials rpcclient -U "user%pass" -W WORKGROUP 10.1.1.1 #Specify authentication within a workgroup environment
Extracting Domain Information
Once you have connected to an RPC session using rpcclient you can extract useful domain information for further attacks against the environment.
dsr_getdcname #Retrieve the name of the Domain Controller dsr_enumtrustdom #Enumerate trust relationships (e.g., parent/child domains, external trusts) lsaquery #Retrieve the domain SID (Security Identifier) lookupsids <SID> #Convert a SID to a username lookupnames <name> #Convert a username to a SID querydominfo #Get domain security settings, such as lockout policies querydispinfo #List all users and groups within the domain enumprinters #Look for printer passwords
Enumerating Users via SAMR
The SAMR protocol allows the retrieval of domain users, groups, and security settings. However, Microsoft has restricted SAMR access in recent Windows updates.
enumdomains #Enumerate available domains in the SAM database enumdomusers #List all domain users (similar to 'net user /domain') enumalsgroups builtin #List built-in local groups (e.g., Administrators, Guests) enumalsgroups builtin #List built-in local groups (e.g., Administrators, Guests) enumdomgroups #List domain groups (similar to 'net group /domain') queryaliasmem builtin 0x220 #Retrieve members of the Administrators group (SID 544) query user 500 #Get details of the Administrator account (0x220 == RID 500) querygroupmem 513 #Retrieve members of the "Domain Users" group getdompwinfo #Extract password policy (complexity requirements, expiration, etc.)
Advanced Enumeration and Attacks
Bruteforcing Usernames with rpcclient
You can use the following bash script with rpcclient to brute force a list of usernames to discover valid accounts. This script attempts to log in without a password, identifying valid accounts.
for user in $(cat usernames.txt); do rpcclient -U "$user%" -N 10.1.1.1 done