RPC
Enumeration
List Network Interfaces
Use this script:
#!/usr/bin/python
import sys, getopt
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter

def main(argv):
    try:
        opts, args = getopt.getopt(argv, "ht:", ["target="])
    except getopt.GetoptError:
        print('IOXIDResolver.py -t <target>')
        sys.exit(2)
    target_ip = ""
    for opt, arg in opts:
        if opt == '-h':
            print('IOXIDResolver.py -t <target>')
            sys.exit()
        elif opt in ("-t", "--target"):
            target_ip = arg
    if target_ip == '':
        print('IOXIDResolver.py -t <target>')
        sys.exit()

    # Unauthenticated DCERPC bind to the DCOM endpoint (TCP/135):
    # ServerAlive2 answers without credentials.
    authLevel = RPC_C_AUTHN_LEVEL_NONE
    stringBinding = r'ncacn_ip_tcp:%s' % target_ip
    rpctransport = transport.DCERPCTransportFactory(stringBinding)
    portmap = rpctransport.get_dce_rpc()
    portmap.set_auth_level(authLevel)
    portmap.connect()
    objExporter = IObjectExporter(portmap)
    # ServerAlive2 returns the host's string bindings (hostname, IPv4, IPv6 addresses).
    bindings = objExporter.ServerAlive2()
    print("[*] Retrieving network interface of " + target_ip)
    #NetworkAddr = bindings[0]['aNetworkAddr']
    for binding in bindings:
        NetworkAddr = binding['aNetworkAddr']
        print("Address: " + NetworkAddr)

if __name__ == "__main__":
    main(sys.argv[1:])
Run the following command:
IOXIDResolver.py -t TARGET_IP_HERE
Example:
└─$ python3 exploit/ioxidresolver.py -t cascade.htb
[*] Retrieving network interface of cascade.htb
Address: CASC-DC1
Address: 10.10.10.182
Address: dead:beef::90c2:d9a5:3998:f429
Once you have the IPv6 address, you can run nmap against it (HTB example). This might give you more open ports than running it against the IPv4 address.
Domain Users and Groups
These commands should be run from an rpcclient prompt.
Enumerate domain users:
enumdomusers
Enumerate domain groups:
enumdomgroups
Query group information and group membership (you'll get the RIDs from the previous enumdomgroups command):
querygroup GROUP_RID
querygroupmem GROUP_RID
Query specific user information (including computers) by RID:
queryuser USER_RID
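The enumdomusers and enumdomgroups commands print one principal per line with its RID in hex (e.g. user:[Administrator] rid:[0x1f4]), while the RIDs above are what you feed to querygroup, querygroupmem and queryuser. The following parser is an added example, not part of the original notes: it reads that output, converts the RIDs to decimal, and flags the well-known privileged RIDs so an audit of a null session's exposure can prioritise them. The sample output is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known RIDs, fixed across all Active Directory domains.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}
PRIVILEGED_RIDS = {500, 512, 518, 519}

# Matches rpcclient enumdomusers / enumdomgroups lines:
#   user:[Administrator] rid:[0x1f4]
#   group:[Domain Admins] rid:[0x200]
_LINE_RE = re.compile(
    r"^(?P<kind>user|group):\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]\s*$")

@dataclass(frozen=True)
class Principal:
    kind: str   # "user" or "group"
    name: str
    rid: int    # decimal RID, usable with querygroup / querygroupmem / queryuser

    @property
    def privileged(self) -> bool:
        return self.rid in PRIVILEGED_RIDS

    @property
    def well_known(self) -> Optional[str]:
        return WELL_KNOWN_RIDS.get(self.rid)

def parse_rpcclient(output: str) -> List[Principal]:
    """Parse enumdomusers/enumdomgroups output; lines that do not match are skipped."""
    principals = []
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            principals.append(Principal(m["kind"], m["name"], int(m["rid"], 16)))
    return principals

def privileged_principals(output: str) -> List[Principal]:
    """Only the principals whose RID is a well-known privileged one."""
    return [p for p in parse_rpcclient(output) if p.privileged]

# Constructed sample of rpcclient output (not captured from a real host).
SAMPLE_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc_backup] rid:[0x451]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[IT Staff] rid:[0x44f]
"""
```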
Password Policy
Get the domain password policy, and get the password policy for a certain user:
Password Spraying
Null Session
If null sessions are allowed, then you can connect using rpcclient like this:
rpcclient -U "" -N IP_ADDRESS_HERE