How to use the command rpcclient (with examples)

The rpcclient command is a Microsoft Remote Procedure Call (MS-RPC) client tool that is part of the Samba suite. It connects to a remote Windows or Samba host and lets you perform tasks such as running rpcclient commands non-interactively, listing domain users and privileges, and creating new users in the domain.

Use case 1: Connect to a remote host

Code:

rpcclient --user 'domain\username%password' ip

Motivation: This use case connects to a remote host with a specified username and password. It is useful when you need to access resources on a remote host that require authentication. The credential is quoted so that the backslash between domain and username survives shell processing.

Explanation:

  • --user domain\username: Specifies the domain and username to use for authentication.
  • %password: Specifies the password for the username.
  • ip: Specifies the IP address or hostname of the remote host.

Example output:

rpcclient $>

Use case 2: Connect to a remote host on a domain without a password

Code:

rpcclient --user username --workgroup domain --no-pass ip

Motivation: This use case connects to a remote host on a domain without supplying a password. It is useful when the target accepts connections without a password, for example anonymous (null-session) access or an account that has no password set.

Explanation:

  • --user username: Specifies the username to use for authentication.
  • --workgroup domain: Specifies the domain to connect to.
  • --no-pass: Do not prompt for a password; an empty password is sent instead.
  • ip: Specifies the IP address or hostname of the remote host.

Example output:

rpcclient $>

Use case 3: Connect to a remote host, passing the password hash

Code:

rpcclient --user 'domain\username' --pw-nt-hash ip

Motivation: This use case is used to connect to a remote host using the NT password hash instead of the plaintext password. It is useful for situations where you want to authenticate without exposing the actual password.

Explanation:

  • --user domain\username: Specifies the domain and username to use for authentication.
  • --pw-nt-hash: Treat the supplied password as the NT password hash rather than as plaintext.
  • ip: Specifies the IP address or hostname of the remote host.

Example output:

rpcclient $>

Use case 4: Execute rpcclient commands on a remote host non-interactively

Code:

rpcclient --user 'domain\username%password' --command 'semicolon_separated_commands' ip

Motivation: This use case runs one or more rpcclient commands (such as enumdomusers or queryuser) against a remote host as a specific user and then exits, without opening the interactive prompt. It is useful for scripting: the output can be captured and processed by other tools.

Explanation:

  • --user domain\username%password: Specifies the domain, username, and password to use for authentication.
  • --command semicolon_separated_commands: Specifies the rpcclient commands to execute on the remote host. Multiple commands are separated by semicolons; these are rpcclient commands, not operating-system shell commands.
  • ip: Specifies the IP address or hostname of the remote host.

Example output:

rpcclient $>

Use case 5: Display domain users

Code:

rpcclient $> enumdomusers

Motivation: This use case is used to display a list of domain users. It is useful when you need to gather information about the users in a domain.

Explanation: None.

Example output:

user1 (User)
user2 (User)
user3 (User)
...
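The following script is an added example, not part of the original page, that ties use cases 4 and 5 together: it runs enumdomusers non-interactively with the credential quoted correctly and parses the result into a comma-separated inventory that can be fed to an audit pipeline. The parser assumes rpcclient's actual line format, user:[NAME] rid:[0xHEX]; the DOMAIN, USER, PASS and TARGET values are hypothetical placeholders, and the sample lines are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the Samba project).
set -eu

# Run enumdomusers against a host and exit. The credential is quoted so the
# backslash between domain and username survives shell processing.
# domain/user/pass/target are hypothetical placeholders supplied by the caller.
rpc_enum_users() {
    local domain="$1" user="$2" pass="$3" target="$4"
    rpcclient --user "${domain}\\${user}%${pass}" --command 'enumdomusers' "$target"
}

# Parse enumdomusers output (stdin) into "name,rid_decimal", one account per line.
# Lines that do not match the user:[NAME] rid:[0xHEX] format are skipped.
parse_domusers() {
    local line name hex
    while IFS= read -r line; do
        case "$line" in
            user:\[*\]*rid:\[0x*\]) ;;
            *) continue ;;
        esac
        name=${line#user:\[}; name=${name%%\]*}
        hex=${line##*rid:\[}; hex=${hex%\]}
        printf '%s,%d\n' "$name" "$((hex))"
    done
}

# From the parsed rows, list accounts with a RID below 1000. Those are well-known
# (built-in) accounts such as Administrator, Guest and krbtgt; an audit usually
# reviews them separately from ordinary user accounts.
flag_builtin() {
    awk -F, '$2 < 1000 { print $1 }'
}

# Constructed sample output in rpcclient's format (not captured from a real host).
SAMPLE='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[alice] rid:[0x3e8]
user:[svc-backup] rid:[0x451]'

# Run with --demo to parse the constructed sample instead of contacting a host.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | parse_domusers
    printf '%s\n' "$SAMPLE" | parse_domusers | flag_builtin
fi
```

Against a live host, replace the demo branch with rpc_enum_users DOMAIN USER PASS TARGET | parse_domusers.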

Use case 6: Display privileges

Code:

rpcclient $> enumprivs

Motivation: This use case is used to display a list of privileges available on the remote host. It is useful when you need to determine the level of access or permissions granted to different users or groups.

Explanation: None.

Example output:

SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeAddUsersPrivilege
...

Use case 7: Display information about a specific user

Code:

rpcclient $> queryuser username|rid

Motivation: This use case is used to display information about a specific user in the domain. It is useful when you need to gather detailed information about a user, including their group memberships, privileges, and SID.

Explanation:

  • username|rid: Specifies the username or RID (Relative Identifier) of the user to query.

Example output:

User: user1
Rid : 1001
Comment          :
...

Use case 8: Create a new user in the domain

Code:

rpcclient $> createdomuser username

Motivation: This use case is used to create a new user in the domain. It is useful when you want to add a user to the domain without using a graphical user interface or Active Directory tools.

Explanation:

  • username: Specifies the username for the new user.

Example output:

rpcclient $>

Conclusion:

The rpcclient command is a versatile tool for inspecting and managing remote hosts in a domain environment. It supports several authentication methods (password, no password, NT hash), runs rpcclient commands either interactively or from a script with --command, and can enumerate and manage user accounts and privileges. By understanding these use cases, users can effectively interact with remote hosts over the MS-RPC protocol.
