RPC Ports
Typical nmap output for a Windows host: 135/tcp is the RPC endpoint mapper, 139/445 carry SMB (and RPC over named pipes), and the remaining msrpc ports are dynamically assigned RPC endpoints (49152-65535 on Vista/2008 and later, 1025-5000 on older versions). Those dynamic endpoints are registered with the endpoint mapper on 135, which is where to ask which interface sits behind each of them.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds
1028/tcp open msrpc Microsoft Windows RPC
1050/tcp open msrpc Microsoft Windows RPC
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
56683/tcp open msrpc Microsoft Windows RPC
56715/tcp open msrpc Microsoft Windows RPC
56730/tcp open msrpc Microsoft Windows RPC
56754/tcp open msrpc Microsoft Windows RPC
57375/tcp open msrpc Microsoft Windows RPC
57405/tcp open msrpc Microsoft Windows RPC
57480/tcp open msrpc Microsoft Windows RPC
57501/tcp open msrpc Microsoft Windows RPC
#nmap scan for ONC RPC (rpcbind/portmapper on 111, typically a Unix/NFS host; not the same thing as Windows MSRPC on 135)
nmap -sC -sV 10.10.10.10 -p111 -Pn
> output
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100021 1,3,4 35032/tcp6 nlockmgr
| 100021 1,3,4 42746/tcp nlockmgr
| 100021 1,3,4 49158/udp6 nlockmgr
| 100021 1,3,4 57136/udp nlockmgr
| 100024 1 38411/udp status
| 100024 1 39295/udp6 status
| 100024 1 44074/tcp6 status
|_ 100024 1 56308/tcp status
#List the services registered with rpcbind (universal-address form)
rpcinfo 10.10.10.10
> Output looks something like below (the last two dotted fields encode the port, e.g. 0.0.0.0.150.11 = 150*256+11 = 38411/udp)
100024 1 udp 0.0.0.0.150.11 status 29
100024 1 tcp 0.0.0.0.219.244 status 29
100024 1 udp6 ::.153.127 status 29
100024 1 tcp6 ::.172.42 status 29
#Same registrations in program/version/proto/port form (matches the nmap rpcinfo script output above)
rpcinfo -p 10.10.10.10
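The plain `rpcinfo <host>` form above prints universal addresses rather than ports, so the status/nlockmgr endpoints can't be matched against `rpcinfo -p` or the nmap script output by eye. The script below is an added example (not from the original post) that decodes those addresses: the port is the last two dotted fields combined as p1*256+p2. The `rpcinfo` output it parses is constructed inline to match the page's listing, so nothing is sent over the network.

```shell
#!/bin/sh
# Added example: decode ONC RPC universal addresses ("h1.h2.h3.h4.p1.p2" or "::.p1.p2")
# from `rpcinfo <host>` output into host and port. Sample input is constructed below.

# uaddr_port "0.0.0.0.150.11" -> 38411   (port = p1*256 + p2, the last two dotted fields)
uaddr_port() {
    p1=${1%.*}; p1=${p1##*.}    # second-to-last field
    p2=${1##*.}                 # last field
    echo $((p1 * 256 + p2))
}

# uaddr_host "0.0.0.0.150.11" -> 0.0.0.0 ; uaddr_host "::.153.127" -> ::
uaddr_host() {
    h=${1%.*}; echo "${h%.*}"
}

# decode_rpcinfo: stdin = `rpcinfo <host>` lines, stdout = "prog vers netid host port service"
decode_rpcinfo() {
    while read -r prog vers netid uaddr service owner; do
        case "$prog" in ''|program|\#*) continue ;; esac   # skip header and blank lines
        printf '%s %s %s %s %s %s\n' "$prog" "$vers" "$netid" \
            "$(uaddr_host "$uaddr")" "$(uaddr_port "$uaddr")" "$service"
    done
}

# Constructed sample, shaped like the page's `rpcinfo 10.10.10.10` output
SAMPLE_RPCINFO='   program version netid     address                service    owner
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100024    1    udp       0.0.0.0.150.11         status     29
    100024    1    tcp       0.0.0.0.219.244        status     29
    100024    1    udp6      ::.153.127             status     29
    100024    1    tcp6      ::.172.42              status     29'

# status_tcp_port: the tcp port of the status service in the sample -> 56308,
# the same endpoint nmap reported as "100024 1 56308/tcp status"
status_tcp_port() {
    printf '%s\n' "$SAMPLE_RPCINFO" | decode_rpcinfo | awk '$6=="status" && $3=="tcp" {print $5}'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_RPCINFO" | decode_rpcinfo
fi
```

Run it as `sh decode.sh demo` to print the decoded table, or pipe real output through it with `rpcinfo 10.10.10.10 | sh -c '. ./decode.sh; decode_rpcinfo'`. The decoded ports for the sample are exactly the ones nmap listed (38411/udp, 56308/tcp, 39295/udp6, 44074/tcp6), which is the cross-check you want before trusting either tool's view of a host.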
Refer to this doc for exploitation
Domain Enumeration with rpcclient
#Enum using a null session (-N: don't prompt for a password)
rpcclient -U "" -N 10.10.10.10
#Login as a user (prompts for the password)
rpcclient -U USERNAME //10.10.10.10
#Find users in the domain
rpcclient -U user_Name%PASSWORD -c enumdomusers 10.10.10.10
#Find domain info
rpcclient -U user_Name%PASSWORD -c querydominfo 10.10.10.10
#Find groups and their aliases
rpcclient -U user_Name%PASSWORD -c "enumalsgroups builtin" 10.10.10.10
#Find more info using an alias RID and note the SIDs (0x244 = RID 580, BUILTIN\Remote Management Users)
rpcclient -U user_Name%PASSWORD -c "queryaliasmem builtin 0x244" 10.10.10.10
#Resolve SIDs to names from inside an rpcclient session
rpcclient $> lookupsids S-1-5-21-586154515854-343543654-8743952433-1105
#Reset another user's password (needs a right such as ForceChangePassword or GenericAll over USER2; info level 23 sets the password without knowing the old one)
rpcclient -U user1 //10.10.10.10 -c "setuserinfo2 USER2 23 'PASSWORD'"
Enum using rpcclient (interactive session)
rpcclient -U DOMAIN\\Username 10.10.10.10 #Enter pass
enumdomusers #Enumerate domain users
enumprivs #Enum privileges
enumprinters #Enum printers
srvinfo #Server info
enumalsgroups domain #List alias (local) groups in the domain SAM
enumalsgroups builtin #List builtin alias groups
queryuser 500 #RID 500 is the built-in Administrator account, whatever it has been renamed to
lookupnames username/groupname #Find the SID of a user/group
Don't want to check all the commands manually? Maybe the script below will help :P
#Save the commands below as commands.txt (one per line), then run the loop at the end
querydominfo
enumdomgroups
enumdomusers
querygroupmem 0x201
enumprivs
enumprinters
srvinfo
querygroup 0x200
queryuser Administrator
getdompwinfo
getusrdompwinfo 0x1f4
lsaenumsid
lookupnames Administrator
enumalsgroups domain
enumalsgroups builtin
queryuser 500
lsaquery
dsroledominfo
netshareenum
netshareenumall
netsharegetinfo Confidential
querydispinfo
lsalookupprivvalue SeCreateTokenPrivilege
#Run the below command ("%" = null session with empty user and password; reading whole lines keeps multi-word commands like "querygroupmem 0x201" intact, which $(cat ...) word-splitting would break)
while IFS= read -r command; do rpcclient -U "%" -c "$command" 10.10.10.10; done < commands.txt
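The rpcclient sections above (the interactive `queryuser 500` and the batch loop) both stop at listing users; the useful next step is to feed every RID from `enumdomusers` back into `queryuser`. The script below is an added example (not from the original post) that does that: rpcclient prints RIDs in hex (Administrator is 0x1f4 = 500) and `queryuser` accepts either a name or a RID. The `enumdomusers` output it parses is constructed inline; only `run_queryuser`, which is hypothetical usage, talks to a host, and only when you call it with a target.

```shell
#!/bin/sh
# Added example: parse rpcclient `enumdomusers` output into "name rid_hex rid_dec",
# then run one `queryuser` per RID. Sample output below is constructed.

# parse_enumdomusers: stdin = `enumdomusers` output, stdout = "name rid_hex rid_dec" per user
parse_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[\(0x[0-9a-fA-F]*\)\]$/\1 \2/p' |
    while read -r name rid; do
        printf '%s %s %d\n' "$name" "$rid" "$rid"   # %d converts the 0x form to decimal
    done
}

# rid_dec 0x1f4 -> 500 (the RID the page queries as "queryuser 500")
rid_dec() { printf '%d\n' "$1"; }

# Constructed sample, shaped like real rpcclient `enumdomusers` output
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]'

# well_known_rids: accounts with a RID below 1000 (built-in, not created by an admin)
well_known_rids() {
    printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers | awk '$3 < 1000 {print $1}'
}

# run_queryuser TARGET [USER%PASS]: enumdomusers over the wire, then one queryuser per RID.
# Defaults to -U "%" (null session) when no credentials are given. Not executed here.
run_queryuser() {
    target=$1; creds=${2:-%}
    rpcclient -U "$creds" -c enumdomusers "$target" | parse_enumdomusers |
    while read -r name rid dec; do
        echo "=== $name (RID $dec) ==="
        rpcclient -U "$creds" -c "queryuser $rid" "$target"
    done
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers
fi
```

Run `sh enum.sh demo` to see the parsed sample, or `sh -c '. ./enum.sh; run_queryuser 10.10.10.10'` (add `user_Name%PASSWORD` as the second argument for an authenticated session) against a real target. The RID-below-1000 filter is the quick way to separate built-in accounts from ones created later, such as the 0x451 (1105) service account in the sample.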