RPC Pentest Checklist
2022-7-5 15:43:0 Author: www.hackingdream.net

#nmap Scan for RPC
nmap -sC -sV 10.10.10.10 -p111 -Pn
> output
PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100021  1,3,4      35032/tcp6  nlockmgr
|   100021  1,3,4      42746/tcp   nlockmgr
|   100021  1,3,4      49158/udp6  nlockmgr
|   100021  1,3,4      57136/udp   nlockmgr
|   100024  1          38411/udp   status
|   100024  1          39295/udp6  status
|   100024  1          44074/tcp6  status
|_  100024  1          56308/tcp   status
#List the ports using RPC
rpcinfo 10.10.10.10
> Output would look something like below
    100024    1    udp       0.0.0.0.150.11         status     29
    100024    1    tcp       0.0.0.0.219.244        status     29
    100024    1    udp6      ::.153.127             status     29
    100024    1    tcp6      ::.172.42              status     29

#list accessible RPC service endpoints
rpcinfo -p 10.10.10.10
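The universal addresses in the plain rpcinfo output above (for example 0.0.0.0.150.11) encode the listening port in their last two dotted fields, which is why they line up with the ports in the nmap rpcinfo table. The following Python is an added example, not code from the original post: it parses that output, decodes the addresses, and builds an inventory of exposed RPC services for review; RPCINFO_SAMPLE is constructed in the page's format.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout rpcinfo prints for rpcbind v3/v4 entries:
#   program  version  netid  universal-address  service  owner
RPCINFO_SAMPLE = """\
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100024    1    udp       0.0.0.0.150.11         status     29
    100024    1    tcp       0.0.0.0.219.244        status     29
    100024    1    udp6      ::.153.127             status     29
    100024    1    tcp6      ::.172.42              status     29
"""

@dataclass(frozen=True)
class RpcEndpoint:
    program: int
    version: int
    netid: str
    host: str
    port: int
    service: str

def decode_uaddr(uaddr: str) -> tuple:
    """Split a TI-RPC universal address into (host, port): the last two dotted
    fields are the port as hi*256 + lo, e.g. '0.0.0.0.150.11' -> 38411."""
    host, hi, lo = uaddr.rsplit(".", 2)
    hi, lo = int(hi), int(lo)
    if not (0 <= hi <= 255 and 0 <= lo <= 255):
        raise ValueError(f"bad port octets in {uaddr!r}")
    return host, hi * 256 + lo

def parse_rpcinfo(text: str) -> list:
    """Parse rpcinfo lines into endpoints; header and blank lines are skipped."""
    pat = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")
    endpoints = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            host, port = decode_uaddr(m.group(4))
            endpoints.append(RpcEndpoint(int(m.group(1)), int(m.group(2)),
                                         m.group(3), host, port, m.group(5)))
    return endpoints

def exposed_summary(endpoints) -> dict:
    """Group listening port/netid pairs by service for an exposure review."""
    summary = {}
    for ep in endpoints:
        summary.setdefault(ep.service, set()).add(f"{ep.port}/{ep.netid}")
    return {svc: sorted(ports) for svc, ports in summary.items()}
```

The decoded status ports (38411/udp, 56308/tcp, 39295/udp6, 44074/tcp6) are the same ones nmap reported above, so the two views of the host can be reconciled without a second scan.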

Refer to this doc for exploitation

Domain Enumeration with rpcclient

#Enum using Null Session
rpcclient -U "" 10.10.10.10

#Login as a user
rpcclient -U USERNAME //10.10.10.10

#Find Users in the domain
rpcclient -Uuser_Name%PASSWORD -c enumdomusers 10.10.10.10

#Find Domain Info
rpcclient -Uuser_Name%PASSWORD -c querydominfo 10.10.10.10

#Find Groups and their Alias
rpcclient -Uuser_Name%PASSWORD -c "enumalsgroups builtin" 10.10.10.10

#Find more info using Alias and note SIDs
rpcclient -Uuser_Name%PASSWORD -c "queryaliasmem builtin 0x244" 10.10.10.10

#Find more info using SIDs
rpcclient $> lookupsids S-1-5-21-586154515854-343543654-8743952433-1105

#Reset other Users Password
rpcclient -U user1 //10.10.10.10
setuserinfo2 USER2 23 'PASSWORD'

Enum using rpcclient
rpcclient -U DOMAIN\\Username 10.10.10.10    #Enter the password when prompted

enumdomusers                      #Enumerate domain users
enumprivs                         #Enumerate privileges
enumprinters                      #Enumerate printers
srvinfo                           #Server info
enumalsgroups domain              #List the domain's alias groups
enumalsgroups builtin             #List the builtin alias groups
queryuser 500                     #Look up the Administrator account (RID 500)
lookupnames username/groupname    #Find the SID of a user/group


Article source: https://www.hackingdream.net/2022/07/rpc-pentest-checklist.html