# rpcclient enumeration {{#include ../../banners/hacktricks-training.md}} ### Overview of Relative Identifiers (RID) and Security Identifiers (SID) **Relative Identifiers (RID)** and **Security Identifiers (SID)** are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain. - **SIDs** serve as unique identifiers for domains, ensuring that each domain is distinguishable. - **RIDs** are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls. For instance, a user named `pepe` might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (`0x457`) and decimal (`1111`) formats. This results in a complete and unique identifier for pepe within the domain like: `S-1-5-21-1074507654-1937615267-42093643874-1111`. ### **Enumeration with rpcclient** The **`rpcclient`** utility from Samba is utilized for interacting with **RPC endpoints through named pipes**. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a **SMB session is established**, often necessitating credentials. #### Server Information - To obtain **Server Information**: `srvinfo` command is used. #### Enumeration of Users - **Users can be listed** using: `querydispinfo` and `enumdomusers`. - **Details of a user** by: `queryuser <0xrid>`. - **Groups of a user** with: `queryusergroups <0xrid>`. - **A user's SID is retrieved** through: `lookupnames `. - **Aliases of users** by: `queryuseraliases [builtin|domain] `. ```bash # Users' RIDs-forced for i in $(seq 500 1100); do rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; done # samrdump.py can also serve this purpose ``` #### Enumeration of Groups - **Groups** by: `enumdomgroups`. - **Details of a group** with: `querygroup <0xrid>`. - **Members of a group** through: `querygroupmem <0xrid>`. #### Enumeration of Alias Groups - **Alias groups** by: `enumalsgroups `. - **Members of an alias group** with: `queryaliasmem builtin|domain <0xrid>`. #### Enumeration of Domains - **Domains** using: `enumdomains`. - **A domain's SID is retrieved** through: `lsaquery`. - **Domain information is obtained** by: `querydominfo`. #### Enumeration of Shares - **All available shares** by: `netshareenumall`. - **Information about a specific share is fetched** with: `netsharegetinfo `. #### Additional Operations with SIDs - **SIDs by name** using: `lookupnames `. - **More SIDs** through: `lsaenumsid`. - **RID cycling to check more SIDs** is performed by: `lookupsids `. #### **Extra commands** | **Command** | **Interface** | **Description** | | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | | queryuser | SAMR | Retrieve user information | | querygroup | Retrieve group information | | | querydominfo | Retrieve domain information | | | enumdomusers | Enumerate domain users | | | enumdomgroups | Enumerate domain groups | | | createdomuser | Create a domain user | | | deletedomuser | Delete a domain user | | | lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values | | lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | | | lsaaddacctrights | Add rights to a user account | | | lsaremoveacctrights | Remove rights from a user account | | | dsroledominfo | LSARPC-DS | Get primary domain information | | dsenumdomtrusts | Enumerate trusted domains within an AD forest | | To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md). {{#include ../../banners/hacktricks-training.md}}