RPC (135, 1024-5000) Enum
With No Creds (null session):
rpcclient {IP}
rpcclient -U "" {IP} -N
(rpcclient and net rpc talk over SMB named pipes, so 445 or 139 must be reachable, not only 135.)
Then we can: enumdomusers, enumdomgroups
net rpc group members 'Domain Users' -W '' -I '{IP}' -U '%'
(-I is the target IP, -W the workgroup/domain (may be left empty), -U '%' an empty user and password.)
With Creds:
rpcclient -U "User%Password" {IP} -c 'enumdomusers'
We can improve this command to extract just the usernames (enumdomusers prints lines like user:[Name] rid:[0x1f4], so the grep -v 0x drops the RID fields):
rpcclient -U "User%Password" {IP} -c 'enumdomusers' | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]' > users.txt
Then we can enumdomgroups and, if we get an interesting RID, enumerate the members of that group (0x200 = RID 512 = Domain Admins):
rpcclient -U "User%Password" {IP} -c 'querygroupmem 0x200'
Then we can query a single user by RID (0x1f4 = RID 500 = the built-in Administrator):
rpcclient -U "User%Password" {IP} -c 'queryuser 0x1f4'
Also, to list all users together with their descriptions, we can use 'querydispinfo'.
Also we can use tools like rpcenum to do all of this automatically.
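Added example (not from the original notes, not rpcenum's code): a small script that turns the rpcclient output from the steps above into a clean user list and resolves the RIDs returned by querygroupmem back to usernames. The two SAMPLE_* strings are constructed to match rpcclient's real output format; TARGET and CREDS are hypothetical variable names, and the live branch only runs if rpcclient is installed and TARGET is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Turns rpcclient output
# into a clean user list and resolves group-member RIDs back to names.
# The two SAMPLE_* strings are constructed to match rpcclient's real
# output format; TARGET and CREDS are hypothetical variable names.

# Constructed sample of: rpcclient -U "User%Password" {IP} -c enumdomusers
SAMPLE_USERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x44f]'

# Constructed sample of: rpcclient ... -c "querygroupmem 0x200"
SAMPLE_MEMBERS='rid:[0x1f4] attr:[0x7]
rid:[0x44f] attr:[0x7]'

# Usernames only, from enumdomusers output on stdin. Anchoring on the
# "user:[...]" field is safer than `grep -v 0x`, which would also drop
# any account whose name happens to contain "0x".
parse_users() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[0x[0-9a-f]*\]$/\1/p'
}

# $1 = enumdomusers output, $2 = RID as rpcclient prints it (e.g. 0x1f4).
# Prints the matching username, or nothing if the RID is unknown.
rid_to_name() {
    printf '%s\n' "$1" | sed -n "s/^user:\[\([^]]*\)\] rid:\[$2\]$/\1/p"
}

# Hex RID -> decimal (0x200 -> 512, i.e. Domain Admins).
rid_dec() {
    echo "$(( $1 ))"
}

# querygroupmem output on stdin, enumdomusers output in $1:
# prints one member name per line (falls back to the raw RID).
resolve_members() {
    users="$1"
    while read -r line; do
        rid=$(printf '%s\n' "$line" | sed -n 's/^rid:\[\(0x[0-9a-f]*\)\].*/\1/p')
        [ -n "$rid" ] || continue
        name=$(rid_to_name "$users" "$rid")
        printf '%s\n' "${name:-$rid}"
    done
}

# Live run against a DC only if rpcclient is installed and TARGET is set;
# otherwise demonstrate on the constructed samples.
if [ -n "${TARGET:-}" ] && command -v rpcclient >/dev/null 2>&1; then
    CREDS="${CREDS:-User%Password}"
    users=$(rpcclient -U "$CREDS" "$TARGET" -c enumdomusers)
    printf '%s\n' "$users" | parse_users > users.txt
    rpcclient -U "$CREDS" "$TARGET" -c 'querygroupmem 0x200' | resolve_members "$users"
else
    echo "== users =="
    printf '%s\n' "$SAMPLE_USERS" | parse_users
    echo "== members of RID $(rid_dec 0x200) (Domain Admins) =="
    printf '%s\n' "$SAMPLE_MEMBERS" | resolve_members "$SAMPLE_USERS"
fi
```

Run it as `TARGET=10.10.10.10 CREDS='User%Password' ./rpc_enum.sh` against a real DC, or with no arguments to see it work on the embedded sample; the RID-to-name lookup is what makes querygroupmem output readable without a second round of queryuser calls.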