RPC

Enumeration

List Network Interfaces

https://airbus-cyber-security.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/airbus-cyber-security.com

Use this script:

#!/usr/bin/python

import sys, getopt

from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter

def main(argv):

    try:
        opts, args = getopt.getopt(argv,"ht:",["target="])
    except getopt.GetoptError:
        print ('IOXIDResolver.py -t <target>')
        sys.exit(2)

    target_ip = ""

    for opt, arg in opts:
        if opt == '-h':
            print ('IOXIDResolver.py -t <target>')
            sys.exit()
        elif opt in ("-t", "--target"):
            target_ip = arg

    if target_ip == '':
            print ('IOXIDResolver.py -t <target>')
            sys.exit()

    authLevel = RPC_C_AUTHN_LEVEL_NONE

    stringBinding = r'ncacn_ip_tcp:%s' % target_ip
    rpctransport = transport.DCERPCTransportFactory(stringBinding)

    portmap = rpctransport.get_dce_rpc()
    portmap.set_auth_level(authLevel)
    portmap.connect()

    objExporter = IObjectExporter(portmap)
    bindings = objExporter.ServerAlive2()

    print ("[*] Retrieving network interface of " + target_ip)

    #NetworkAddr = bindings[0]['aNetworkAddr']
    for binding in bindings:
        NetworkAddr = binding['aNetworkAddr']
        print ("Address: " + NetworkAddr)

if __name__ == "__main__":
   main(sys.argv[1:])

Run the following command:

IOXIDResolver.py -t TARGET_IP_HERE

Example:

└─$ python3 exploit/ioxidresolver.py -t cascade.htb  
[*] Retrieving network interface of cascade.htb
Address: CASC-DC1
Address: 10.10.10.182
Address: dead:beef::90c2:d9a5:3998:f429

Once you have the ipv6 address, you can run nmap against it (htb example). This might give you more open ports than running it against ipv4.

Domain Users and Groups

These commands should be run from an rpcclient prompt.

Enumerate domain users:

enumdomusers

Enumerate domain groups:

enumdomgroups

Query Group Information and Group Membership (you'll get the RIDs from the previous enumdomgroups command):

querygroup GROUP_RID querygroupmem GROUP_RID

Query Specific User Information (including computers) by RID.

queryuser USER_RID

Password Policy

Get the domain password policy, and get the password policy for a certain user:

Password Spraying

Password Spraying & Other Fun with RPCCLIENT - Black Hills Information Security, Inc.Black Hills Information Security, Inc.

Null Session

If null sessions are allowed, then you can connect using rpcclient like this:

rpcclient -U "" -N IP_ADDRESS_HERE