RPCclient

RPCclient is a command-line utility for interacting with remote procedure call (RPC) services on a network. It is a part of the Samba suite of tools and is used primarily for accessing and testing RPC interfaces on Windows-based systems.

With rpcclient, users can connect to a remote Windows system and interact with RPC services using a variety of commands. Some of the tasks that can be performed with rpcclient include enumerating users and groups, querying network services, and performing administrative tasks like changing passwords or adding users.

rpcclient --help
man rpcclient

User Enumeration

rpcclient -U "" -N $IP
rpcclient$>
enumdomusers

User Enumeration By RID

rpcclient -U "" -N $IP
rpcclient$>
queryuser 0x457

The built-in Administrator account will always have the RID value Hex 0x1f4, or 500.

SMB NULL Session with rpcclient

rpcclient -U "" -N $IP
rpcclient$> #<- NULL Session