#Windows Security #Reconnaissance #RPC

Recon of RPC

Anonymous connection

An anonymous RPC connection (a null session) supplies neither a username nor a password. Unauthenticated access to the RPC endpoints over SMB is possible (see the rpcclient documentation), but the information obtainable this way is limited, and modern Windows hosts deny anonymous SAM and share enumeration by default (the RestrictAnonymous and RestrictAnonymousSAM LSA settings), so the commands below often return NT_STATUS_ACCESS_DENIED unless an administrator has relaxed them.

# Connect anonymously
rpcclient -U "%" $ip

Authenticated connection

# Connect with credentials
rpcclient -U "$domain\\$user%$pass" $ip
> ?                           # List all commands
> srvinfo                     # Server info (OS version, server type)
> enumdomusers                # Enum domain users (name and RID)
> enumdomgroups               # Enum domain groups (name and RID)
> enumdomains                 # Enum domains known to the server
> netshareenumall             # Enum SMB shares
> queryuser <username|rid>    # Get detailed user info (accepts a RID as well as a name)
> lookupnames <username>      # Get the SID of a user (or group/computer)
> querygroup <group_rid>      # Get group info
> enumprivs                   # List privileges defined on the server (LSA), not just the current user's
> getusername                 # Show which account the connection is authenticated as

More useful commands can be found here: HackingArticles.in, Active Directory Enumeration: RPCClient.
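Added example, not code from the original page: the same enumeration driven from a script instead of the interactive prompt, covering both the anonymous ('%') and the authenticated ('DOMAIN\user%pass') cases above. It runs enumdomusers, parses the name/RID pairs, drops the well-known accounts (RID below 1000) and emits one queryuser call per remaining account. The sample enumdomusers output, the 10.0.0.5 target and the RPC_TARGET / RPC_CREDS variable names are constructed for the example; everything runs offline unless RPC_TARGET is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): drive rpcclient enumeration from a
# script. Flow: enumdomusers -> parse RIDs -> drop well-known accounts -> emit one
# queryuser call per remaining account. Offline by default; set RPC_TARGET (and
# optionally RPC_CREDS) to run against a live host.

# Constructed sample of `rpcclient -c enumdomusers` output (not captured from a real host).
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]'

# parse_enumdomusers: stdin = enumdomusers output, stdout = "<name><TAB><decimal rid>" per line.
# Lines that do not match the "user:[...] rid:[0x...]" shape (banners, errors) are dropped.
parse_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[0x\([0-9a-fA-F][0-9a-fA-F]*\)\]$/\1 \2/p' |
    while read -r name hexrid; do
        printf '%s\t%d\n' "$name" "$((0x$hexrid))"
    done
}

# custom_accounts: keep accounts with RID >= 1000. RIDs below 1000 are well-known
# (Administrator 500, Guest 501, krbtgt 502, ...); accounts at 1000+ were created by an admin.
custom_accounts() {
    awk -F'\t' '$2 >= 1000'
}

# build_queryuser_commands <ip> <creds>: one rpcclient queryuser invocation per input line.
# queryuser accepts a RID as well as a username, so the parsed RID is passed straight through.
build_queryuser_commands() {
    ip=$1
    creds=$2
    while IFS="$(printf '\t')" read -r name rid; do
        printf "rpcclient -U '%s' -c 'queryuser %s' %s   # %s\n" "$creds" "$rid" "$ip" "$name"
    done
}

if [ -n "${RPC_TARGET:-}" ]; then
    # Live mode: RPC_CREDS is 'DOMAIN\user%pass', or '%' for an anonymous (null) session.
    creds=${RPC_CREDS:-%}
    rpcclient -U "$creds" -c enumdomusers "$RPC_TARGET" |
        parse_enumdomusers | custom_accounts | build_queryuser_commands "$RPC_TARGET" "$creds"
else
    # Offline demo on the constructed sample; 10.0.0.5 is a placeholder target.
    printf '%s\n' "$SAMPLE_ENUMDOMUSERS" |
        parse_enumdomusers | custom_accounts | build_queryuser_commands 10.0.0.5 '%'
fi
```

Run it as `RPC_TARGET=$ip RPC_CREDS="$domain\\$user%$pass" ./rpc_users.sh` (or with RPC_CREDS unset for a null session). The emitted queryuser lines can be piped into `sh` once you have checked the target list; keeping the two steps separate makes it easy to stop at the RID list when the null session is denied.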

Automated enumeration

# Enumerate with SMB, RPC and NetBIOS
enum4linux-ng -A $ip
enum4linux-ng -A $ip -u $user -p $pass

Interfaces

Via TCP ports (ncacn_ip_tcp protocol sequence: endpoint mapper on 135/tcp plus dynamically assigned high ports):

# Enumerate RPC interfaces accessible via TCP
msfconsole
> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
> set RHOSTS $ip
> run

Via named pipes (ncacn_np protocol):

# Enumerate named pipes available via SMB
# (set SMBUser / SMBPass / SMBDomain as well for an authenticated check)
msfconsole
> use auxiliary/scanner/smb/pipe_auditor
> set RHOSTS $ip
> run

# Enumerate RPC interfaces accessible via named pipes
> use auxiliary/scanner/smb/pipe_dcerpc_auditor
> set RHOSTS $ip
> run
