rpcclient enumeration


Overview of Relative Identifiers (RIDs) and Security Identifiers (SIDs)

Relative Identifiers (RIDs) and Security Identifiers (SIDs) are the values Windows uses to identify and manage security principals, such as users and groups, within a domain.

  • The domain SID (of the form S-1-5-21-<three sub-authorities>) is unique per domain, so every domain can be told apart.
  • A RID is appended to the domain SID to form the unique identifier of an object inside that domain. The combined SID is what appears in ACLs and access tokens, so permissions and access control are tracked against it. RIDs below 1000 are reserved for well-known principals (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 513 Domain Users); accounts created afterwards are allocated RIDs from 1000 upwards, which is why enumeration ranges usually start at 500 and extend past 1000.

For example, a user named pepe may have a RID that rpcclient shows in hexadecimal as 0x457, which is 1111 in decimal. Appending it to the domain SID gives pepe's full SID, unique within the domain: S-1-5-21-1074507654-1937615267-42093643874-1111.

rpcclient Enumeration

The rpcclient tool from Samba interacts with RPC endpoints over SMB named pipes. The commands below are issued to the SAMR, LSARPC and LSARPC-DS interfaces once an SMB session has been established. That usually requires credentials (-U 'DOMAIN\user%password'); a null session (-N -U "") is often rejected on current Windows versions, although it is still worth trying first. Pass -c "<command>" to run a single command non-interactively; without -c, rpcclient opens an interactive prompt.

Server Info

  • To get server information: the srvinfo command is used.

Enumeration of Users

  • Users can be listed with: querydispinfo and enumdomusers.
  • Details of a user with: queryuser <0xrid>.
  • Groups of a user with: queryusergroups <0xrid>.
  • A user's SID is obtained through: lookupnames <username>.
  • Aliases of a user with: queryuseraliases [builtin|domain] <sid>.

When enumdomusers is refused but queryuser still answers, the RIDs can be brute-forced one by one. The range 500-1100 covers the well-known accounts and roughly the first hundred created ones; widen it on larger domains.

```bash
# Users' RIDs forced: query every RID in the range as a null session and
# keep only the lines that identify an account (rpcclient prints RIDs in hex).
for i in $(seq 500 1100); do
    rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x' "$i")" \
        | grep "User Name\|user_rid\|group_rid" && echo ""
done
```

samrdump.py (from Impacket) can also serve this purpose.
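The RID/SID overview above and the user enumeration steps, glued together as an added example. This script is not from the original page or from Samba: the rpc() wrapper, the TARGET, RPC_USER and RPC_NTHASH environment variables, the rid_label table and the SAMPLE_* strings are this example's own; the samples are constructed to match the shape of real lsaquery and enumdomusers output, and the domain SID in them is made up.

```bash
#!/bin/bash
# Added example (not from the page): run the LSARPC/SAMR steps in order and
# turn rpcclient's hex RIDs into full SIDs. Assumed names: rpc(), TARGET,
# RPC_USER, RPC_NTHASH and the SAMPLE_* constructed output below.

# Run one rpcclient command. Null session unless RPC_USER is set
# (e.g. RPC_USER='CORP\jdoe%Passw0rd!'); RPC_NTHASH=1 treats the password
# part as an NT hash (rpcclient's --pw-nt-hash option).
rpc() {
    target=$1; shift
    if [ -n "${RPC_USER:-}" ]; then
        rpcclient -U "$RPC_USER" ${RPC_NTHASH:+--pw-nt-hash} "$target" -c "$*"
    else
        rpcclient -N -U "" "$target" -c "$*"
    fi
}

# rpcclient prints RIDs as hex (0x457); accept hex or decimal, print decimal.
rid_dec() { printf '%d\n' "$(( $1 ))"; }

# Well-known RIDs are fixed in every domain; anything >= 1000 was created
# after the domain was built. (Table assembled for this example.)
rid_label() {
    case "$1" in
        500) echo "Administrator (built-in)" ;;
        501) echo "Guest (built-in)" ;;
        502) echo "krbtgt (built-in)" ;;
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        519) echo "Enterprise Admins" ;;
        *)   if [ "$1" -ge 1000 ]; then echo "custom"; else echo "well-known"; fi ;;
    esac
}

# Pull the "Domain Sid: S-1-5-21-..." line out of lsaquery output.
domain_sid_of() { printf '%s\n' "$1" | sed -n 's/^Domain Sid: *//p'; }

# enumdomusers prints "user:[name] rid:[0xHEX]" per account. Emit
# "rid_decimal full_sid name" (name last, so names with spaces survive
# word splitting) for use with queryuser, lookupsids or a wordlist.
users_to_sids() {   # users_to_sids "<enumdomusers output>" DOMAIN_SID
    printf '%s\n' "$1" |
    sed -n 's/^user:\[\(.*\)\] rid:\[\(0x[0-9a-fA-F]*\)\]$/\2 \1/p' |
    while read -r rid name; do
        dec=$(rid_dec "$rid")
        printf '%d %s-%d %s\n' "$dec" "$2" "$dec" "$name"
    done
}

# Live run: domain SID from LSARPC, accounts from SAMR, then queryuser only
# for the RIDs that exist instead of brute-forcing a whole range.
enum_users() {   # enum_users TARGET
    dom=$(domain_sid_of "$(rpc "$1" lsaquery)")
    users_to_sids "$(rpc "$1" enumdomusers)" "$dom" |
    while read -r rid sid name; do
        echo "== $name ($sid, $(rid_label "$rid"))"
        rpc "$1" "queryuser 0x$(printf '%x' "$rid")" |
            grep -E 'User Name|Description|group_rid|acb_info'
    done
}

# Constructed sample output so the parsing can be exercised offline.
SAMPLE_LSAQUERY='Domain Name: CORP
Domain Sid: S-1-5-21-1074507654-1937615267-4209364387'
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[pepe] rid:[0x457]'

if [ -n "${TARGET:-}" ]; then
    enum_users "$TARGET"
else
    users_to_sids "$SAMPLE_ENUMDOMUSERS" "$(domain_sid_of "$SAMPLE_LSAQUERY")"
fi
```

Run it with TARGET=<host> (and RPC_USER for an authenticated session) against a live domain controller; without TARGET it only processes the constructed sample and prints one "rid sid name" line per account.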

Enumeration of Groups

  • Groups by: enumdomgroups.
  • Details of a group with: querygroup <0xrid>.
  • Members of a group through: querygroupmem <0xrid>.

Enumeration of Alias Groups

  • Alias groups by: enumalsgroups <builtin|domain>.
  • Members of an alias group with: queryaliasmem builtin|domain <0xrid>.

Enumeration of Domains

  • Domains using: enumdomains.
  • A domain's SID is retrieved through: lsaquery.
  • Domain information is obtained by: querydominfo.

Enumeration of Shares

  • All available shares by: netshareenumall.
  • Information about a specific share is fetched with: netsharegetinfo <share>.

Additional Operations with SIDs

  • SIDs by name using: lookupnames <username>.
  • SIDs of the accounts that hold rights or privileges in the host's LSA policy database through: lsaenumsid.
  • RID cycling is performed with lookupsids <sid> [<sid> ...]: append candidate RIDs to the domain SID returned by lsaquery and resolve them; any SID that comes back as something other than unknown belongs to a real principal.
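RID cycling through lookupsids, as an added example that is not part of the original page or of Samba. The domain SID, the batch size of 50 and the SAMPLE_LOOKUPSIDS text are assumptions of this example; the sample is constructed to match the "<sid> <DOMAIN>\<name> (<type>)" line format rpcclient prints for lookupsids.

```bash
#!/bin/bash
# Added example (not from the page): RID cycling over LSARPC with lookupsids.
# Assumed for this example: DOMSID (as if taken from lsaquery), the batch
# size, the TARGET variable and the constructed SAMPLE_LOOKUPSIDS output.

DOMSID=S-1-5-21-1074507654-1937615267-4209364387

# Build "<domsid>-<rid>" for every RID in [FIRST, LAST], space separated, so
# a single lookupsids call resolves the whole batch in one LSA request
# instead of one round trip per RID.
sid_batch() {   # sid_batch DOMSID FIRST LAST
    i=$2; out=""
    while [ "$i" -le "$3" ]; do
        out="$out $1-$i"
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# lookupsids prints one line per SID: "<sid> <DOMAIN>\<name> (<type>)", with
# "*unknown*\*unknown* (8)" for SIDs that do not exist. The number is the
# SID_NAME_USE code: 1 user, 2 group, 3 domain, 4 alias, 5 well-known group,
# 8 unknown. Emit "rid type name" for everything that resolved.
parse_lookupsids() {   # parse_lookupsids "<lookupsids output>"
    printf '%s\n' "$1" | awk '
        /^S-1-5-/ && $NF != "(8)" {
            rid = $1; sub(/.*-/, "", rid)
            type = $NF; gsub(/[()]/, "", type)
            name = $0; sub(/^[^ ]+ /, "", name); sub(/ \([0-9]+\)$/, "", name)
            print rid, type, name
        }'
}

# Live run: walk the RID range in batches of 50 as a null session. 50 is an
# arbitrary size chosen here to stay well under the per-request limit.
rid_cycle() {   # rid_cycle TARGET DOMSID FIRST LAST
    lo=$3
    while [ "$lo" -le "$4" ]; do
        hi=$((lo + 49))
        if [ "$hi" -gt "$4" ]; then hi=$4; fi
        parse_lookupsids "$(rpcclient -N -U "" "$1" -c "lookupsids $(sid_batch "$2" "$lo" "$hi")")"
        lo=$((hi + 1))
    done
}

# Constructed sample output: three users, one gap, two groups.
SAMPLE_LOOKUPSIDS="$DOMSID-500 CORP\\Administrator (1)
$DOMSID-501 CORP\\Guest (1)
$DOMSID-502 CORP\\krbtgt (1)
$DOMSID-503 *unknown*\\*unknown* (8)
$DOMSID-512 CORP\\Domain Admins (2)
$DOMSID-513 CORP\\Domain Users (2)"

if [ -n "${TARGET:-}" ]; then
    rid_cycle "$TARGET" "$DOMSID" 500 1100
else
    parse_lookupsids "$SAMPLE_LOOKUPSIDS"
fi
```

Set DOMSID from the real lsaquery output before pointing TARGET at a host; the type column tells users (1) apart from groups (2) and aliases (4) without a second query.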

Extra commands

| Command             | Interface | Description                                   |
|---------------------|-----------|-----------------------------------------------|
| queryuser           | SAMR      | Retrieve user information                     |
| querygroup          | SAMR      | Retrieve group information                    |
| querydominfo        | SAMR      | Retrieve domain information                   |
| enumdomusers        | SAMR      | Enumerate domain users                        |
| enumdomgroups       | SAMR      | Enumerate domain groups                       |
| createdomuser       | SAMR      | Create a domain user                          |
| deletedomuser       | SAMR      | Delete a domain user                          |
| lookupnames         | LSARPC    | Look up usernames to SID values               |
| lookupsids          | LSARPC    | Look up SIDs to usernames (RID cycling)       |
| lsaaddacctrights    | LSARPC    | Add rights to a user account                  |
| lsaremoveacctrights | LSARPC    | Remove rights from a user account             |
| dsroledominfo       | LSARPC-DS | Get primary domain information                |
| dsenumdomtrusts     | LSARPC-DS | Enumerate trusted domains within an AD forest |

To understand better how the samrdump and rpcdump tools work, read Pentesting MSRPC.
