RPCClient

To open an SMB null session (anonymous bind; only works if the target still allows anonymous enumeration):

rpcclient -U "" 10.10.10.182   # press Enter at the password prompt; add -N to skip the prompt
srvinfo                        # OS version and server type
enumdomusers                   # domain users with their RIDs
enumdomgroups                  # domain (global) groups
querydominfo                   # domain name, user and group counts
getdompwinfo                   # password policy (minimum length, complexity flags)
netshareenum                   # shares visible to this account
queryuser 0x453                # user details by RID (RID taken from enumdomusers output)
netshareenumall                # all shares, hidden/administrative ones included, if permitted
enumalsgroups domain           # local (alias) groups held in the domain SAM
enumalsgroups builtin          # built-in groups (Administrators, Backup Operators, ...)
enumprivs                      # privileges the server's LSA knows about, not the current account's

Enumerate RPC Services

rpcdump.py 10.10.10.204 -p 135   # Impacket: dump the endpoint mapper (interface UUIDs, providers, bindings)
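Picking the interesting interfaces out of an rpcdump.py listing, as an added example (not part of the original notes): the helper reduces the dump to "UUID port" pairs for TCP bindings and flags two well-known interfaces by UUID, the print spooler (MS-RPRN, 12345678-1234-abcd-ef00-0123456789ab) and EFSRPC (MS-EFSR, c681d488-d850-11d0-8c52-00c04fd90f7e). The sample dump is constructed to mirror rpcdump.py's output layout; the second UUID in it is a made-up placeholder.

```bash
#!/usr/bin/env bash
# Added example: triage rpcdump.py output for notable MS-RPC interfaces.
# Assumption: the dump was produced with `rpcdump.py <target> -p 135` and saved or piped in.

# Constructed sample in rpcdump.py's layout (real spooler UUID; the second UUID is a placeholder).
SAMPLE_RPCDUMP='Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.204[49667]
          ncacn_np:\\DC[\pipe\spoolss]

Protocol: N/A
Provider: N/A
UUID    : 5C4B0F3F-2A6B-4C8F-9D5E-1F2A3B4C5D6E v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.204[49668]
'

# Read a dump on stdin; print "<uuid> <tcp port>" for every ncacn_ip_tcp binding.
tcp_endpoints() {
    awk '
        /^UUID/ { uuid = $3 }                       # remember the interface this binding belongs to
        /ncacn_ip_tcp:/ {
            sub(/.*\[/, ""); sub(/\].*/, "")        # keep only the port inside [...]
            print uuid, $0
        }'
}

# Flag interfaces worth a second look, keyed on their (case-insensitive) UUID.
flag_known() {
    tcp_endpoints | while read -r uuid port; do
        case "$(printf '%s' "$uuid" | tr 'A-Z' 'a-z')" in
            12345678-1234-abcd-ef00-0123456789ab) echo "$uuid spoolss (MS-RPRN) on tcp/$port" ;;
            c681d488-d850-11d0-8c52-00c04fd90f7e) echo "$uuid efsrpc (MS-EFSR) on tcp/$port" ;;
        esac
    done
}

# Usage: rpcdump.py 10.10.10.204 -p 135 | flag_known
```

Port numbers in the dump are the dynamic endpoints the interface is listening on; they change across reboots, so record the UUID rather than the port.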

Enumerate RPC Bind (ONC/Sun RPC, not MS-RPC)

rpcinfo 10.10.10.117   # queries the portmapper (rpcbind, tcp/udp 111) for registered programs such as NFS and mountd

References

Black Hills Information Security: Password Spraying & Other Fun with rpcclient
https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/

SANS Institute, SANS Penetration Testing blog: Plundering Windows Account Info via Authenticated SMB Sessions