Enumeration with rpcclient

RID and SID

Relative identifiers (RID) and Security Identifiers (SID) are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain.

  • SIDs serve as unique identifiers for domains, ensuring that each domain is distinguishable

  • RIDs are appended to the SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls

For instance, a user named pepe might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (0x457) and decimal (1111) formats. This results in a complete and unique identifier for pepe within the domain, such as: S-1-5-21-1074507654-1937615267-42093643874-1111.

Using rpcclient

The rpcclient utility from Samba is used to interact with RPC endpoints through named pipes.

Connect with rpcclient

rpcclient -U '' <target_ip> # Connect as null user
rpcclient <target_ip> # anonymous logon

Server Information

  • To obtain Server information: srvinfo command can be used

Enumeration of Users

  • Users can be listed using querydispinfo and enumdomusers

  • Details of a user can be listed by using: queryuser <0xrid>

  • Groups of a user: queryusergroups <0xrid>

  • Retrieve user SID: lookupnames <username>

  • Aliases of users: queryuseraliases [builtin|domain] <sid>

Enumeration of Groups

  • Groups by: enumdomgroups

  • Details of a group with: querygroup <0xrid>

  • Members of a group through: querygroupmem <0xrid>

Enumeration of Alias Groups

  • Alias groups by: enumalsgroups <builtin|domain>

  • Members of an alias group with: queryaliasmem builtin|domain <0xrid>

Enumeration of Domains

  • Domains using: enumdomains

  • A domain's SID is retrieved through: lsaquery

  • Domain information is obtained by: querydominfo

Enumeration of Shares

  • All available shares by: netshareenumall

  • Information about a specific share is fetched with: netsharegetinfo <share>

Additional Operations with SIDs

  • SIDs by name using: lookupnames <username>

  • More SIDs through: lsaenumsid

  • RID cycling to check more SIDs is performed by: lookupsids <sid>
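Combining the lsaquery and enumdomusers output described above into full account SIDs, as an added Python example that is not code from the original page; the sample output is constructed in rpcclient's line format and the domain SID is made up:

```python
import re

# Constructed sample output in the format rpcclient prints for lsaquery and
# enumdomusers (not captured from a real host; the domain SID is made up).
LSAQUERY_OUTPUT = """Domain Name: CORP
Domain Sid: S-1-5-21-1074507654-1937615267-4209364387
"""
ENUMDOMUSERS_OUTPUT = """user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[pepe] rid:[0x457]
"""

DOMAIN_SID_RE = re.compile(r"^Domain Sid:\s*(S-1-5-21(?:-\d+){3})\s*$", re.M)
USER_LINE_RE = re.compile(r"^user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-f]+)\]",
                          re.M | re.I)

def parse_domain_sid(lsaquery_text):
    """Extract the domain SID and check every sub-authority fits in 32 bits."""
    m = DOMAIN_SID_RE.search(lsaquery_text)
    if not m:
        raise ValueError("no 'Domain Sid:' line in lsaquery output")
    sid = m.group(1)
    if any(int(part) > 0xFFFFFFFF for part in sid.split("-")[4:]):
        raise ValueError(f"sub-authority out of 32-bit range in {sid}")
    return sid

def parse_enumdomusers(text):
    """Map each username to its RID as an integer (rpcclient prints RIDs in hex)."""
    return {m.group("name"): int(m.group("rid"), 16) for m in USER_LINE_RE.finditer(text)}

def build_sid(domain_sid, rid):
    """Domain SID followed by the decimal RID gives the account's full SID."""
    return f"{domain_sid}-{rid}"

def account_sids(lsaquery_text, enumdomusers_text):
    """Return {username: full SID} for every account listed by enumdomusers."""
    domain_sid = parse_domain_sid(lsaquery_text)
    return {name: build_sid(domain_sid, rid)
            for name, rid in parse_enumdomusers(enumdomusers_text).items()}

def custom_accounts(enumdomusers_text):
    """Accounts with RID >= 1000 were created after the domain, unlike the
    well-known built-ins (Administrator 500, Guest 501, krbtgt 502)."""
    return sorted(n for n, rid in parse_enumdomusers(enumdomusers_text).items() if rid >= 1000)

if __name__ == "__main__":
    for name, sid in account_sids(LSAQUERY_OUTPUT, ENUMDOMUSERS_OUTPUT).items():
        print(f"{name:15} {sid}")
    print("non-builtin accounts listed:", custom_accounts(ENUMDOMUSERS_OUTPUT))
```

Feeding it real rpcclient output shows an administrator exactly which account SIDs a null or anonymous session can resolve on a host.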
