
RPC Pentest Checklist


#nmap Scan for RPC
nmap -sC -sV 10.10.10.10 -p111 -Pn
> output
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100021 1,3,4 35032/tcp6 nlockmgr
| 100021 1,3,4 42746/tcp nlockmgr
| 100021 1,3,4 49158/udp6 nlockmgr
| 100021 1,3,4 57136/udp nlockmgr
| 100024 1 38411/udp status
| 100024 1 39295/udp6 status
| 100024 1 44074/tcp6 status
|_ 100024 1 56308/tcp status
#List the ports using RPC
rpcinfo 10.10.10.10
> Output would look something like below
100024 1 udp 0.0.0.0.150.11 status 29
100024 1 tcp 0.0.0.0.219.244 status 29
100024 1 udp6 ::.153.127 status 29
100024 1 tcp6 ::.172.42 status 29

#list accessible RPC service endpoints
rpcinfo -p 10.10.10.10
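
The address column of plain `rpcinfo` output is an RPC universal address: the last two fields are the port, high byte then low byte, so 0.0.0.0.150.11 is port 150*256+11 = 38411, the same status listener nmap reports above. The Python below is an added example, not part of the original post: it decodes those addresses and cross-checks what rpcbind advertises against the nmap rpcinfo block, so a defender can spot RPC services registered but not visible (or visible but not registered); the two listings above are pasted in as constructed input.

```python
# Constructed samples: the two listings above, pasted in as test input
RPCINFO_OUTPUT = """\
100024 1 udp 0.0.0.0.150.11 status 29
100024 1 tcp 0.0.0.0.219.244 status 29
100024 1 udp6 ::.153.127 status 29
100024 1 tcp6 ::.172.42 status 29
"""
NMAP_OUTPUT = """\
| rpcinfo:
| program version port/proto service
| 100024 1 38411/udp status
| 100024 1 39295/udp6 status
| 100024 1 44074/tcp6 status
|_ 100024 1 56308/tcp status
"""

def uaddr_to_endpoint(uaddr):
    """Decode the rpcinfo "address" column (an RPC universal address):
    the last two dot-separated fields carry the port as hi*256 + lo."""
    host, hi, lo = uaddr.rsplit(".", 2)
    hi, lo = int(hi), int(lo)
    if not (0 <= hi <= 255 and 0 <= lo <= 255):
        raise ValueError(f"malformed universal address: {uaddr}")
    return host, hi * 256 + lo

def parse_rpcinfo(text):
    """Set of (program, netid, port, service) from `rpcinfo HOST` data lines."""
    out = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].isdigit():          # skip header/blank lines
            prog, _ver, netid, uaddr, service = f[:5]
            out.add((int(prog), netid, uaddr_to_endpoint(uaddr)[1], service))
    return out

def parse_nmap_rpcinfo(text):
    """Same tuple shape from the nmap `rpcinfo` script block."""
    out = set()
    for line in text.splitlines():
        f = line.lstrip("|_ ").split()
        if len(f) >= 4 and f[0].isdigit() and "/" in f[2]:
            port, netid = f[2].split("/", 1)
            out.add((int(f[0]), netid, int(port), f[3]))
    return out

def diff_registrations(rpcinfo_text, nmap_text):
    """Registrations rpcbind advertises but nmap did not see, and vice versa."""
    a, b = parse_rpcinfo(rpcinfo_text), parse_nmap_rpcinfo(nmap_text)
    return {"only_rpcbind": a - b, "only_nmap": b - a}
```

For the sample data both sets agree, so both difference sets come back empty; a non-empty `only_rpcbind` is the interesting case, since it points at a registered listener that filtering hid from the scan.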

Refer to this doc for exploitation

Domain Enumeration with rpcclient

#Enum using Null Session
rpcclient -U "" 10.10.10.10

#Login as a user

rpcclient -U USERNAME //10.10.10.10

#Find Users in the domain
rpcclient -Uuser_Name%PASSWORD -c enumdomusers 10.10.10.10

#Find Domain Info
rpcclient -Uuser_Name%PASSWORD -c querydominfo 10.10.10.10

#Find Groups and their Alias
rpcclient -Uuser_Name%PASSWORD -c "enumalsgroups builtin" 10.10.10.10

#Find more info using Alias and note SIDs
rpcclient -Uuser_Name%PASSWORD -c "queryaliasmem builtin 0x244" 10.10.10.10

#Find more info using SIDs
rpcclient $> lookupsids S-1-5-21-586154515854-343543654-8743952433-1105

#Reset another user's password
rpcclient -U user1 //10.10.10.10
setuserinfo2 USER2 23 'PASSWORD'

Enumeration using rpcclient

rpcclient -U DOMAIN\\Username 10.10.10.10 #Enter password when prompted

enumdomusers        #Enumerate domain users

enumprivs           #Enumerate privileges

enumprinters        #Enumerate printers

srvinfo             #Server info

enumalsgroups domain    #List the domain alias groups

enumalsgroups builtin   #List the builtin alias groups

queryuser 500       #Query RID 500, the built-in Administrator account

lookupnames username/groupname    #Find the SID of a user/group

This post first appeared on Hacking Dream.