# Commands

```bash
rpcclient -U "" <IP>
```

# Query

| **Query**                 | **Description**                                                    |
| ------------------------- | ------------------------------------------------------------------ |
| `srvinfo`                 | Server information.                                                |
| `enumdomains`             | Enumerate all domains that are deployed in the network.            |
| `querydominfo`            | Provides domain, server, and user information of deployed domains. |
| `netshareenumall`         | Enumerates all available shares.                                   |
| `netsharegetinfo <share>` | Provides information about a specific share.                       |
| `enumdomusers`            | Enumerates all domain users.                                       |
| `queryuser <RID>`         | Provides information about a specific user.                        |

# User Enumeration & Group Info

```bash
rpcclient $> enumdomusers
user:[wook] rid:[0x3e8]
rpcclient $> queryuser 0x3e8
rpcclient $> querygroup 0x201
```

# Brute Forcing User RIDs

```bash
# Try RIDs 500-1100; queryuser expects the RID in hex, so printf converts it
for i in $(seq 500 1100); do
    rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""
done
```

# Brute Forcing User RIDs with [[samrdump.py]]

```bash
samrdump.py <IP>
```
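The `enumdomusers` and `queryuser` output above is easier to review when turned into structured records, for example to flag which accounts in an audit report sit on well-known RIDs. The following parser is an added example, not part of the original note or of rpcclient itself; the sample output strings are constructed to match the formats rpcclient prints, and the RID-to-hex conversion mirrors the `printf '%x'` step in the loop.

```python
"""Parse rpcclient `enumdomusers` / `queryuser` output into structured records.

Added example (not rpcclient code); the sample output below is constructed.
"""
import re
from typing import Dict, Iterator, Optional

# Well-known RIDs (decimal) worth recognising at a glance in an audit listing.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    519: "Enterprise Admins",
}

# `enumdomusers` prints one line per account: user:[name] rid:[0xhex]
ENUMDOMUSERS_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
# `queryuser` prints "<key> : <value>" lines; the key stops at the first colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z_ ]+?)\s*:\s*(?P<value>.*?)\s*$")

# Constructed sample output in the shape rpcclient prints.
ENUMDOMUSERS_SAMPLE = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[wook] rid:[0x3e8]
"""

QUERYUSER_SAMPLE = """\
\tUser Name   :\twook
\tFull Name   :\tWook
\tHome Drive  :\t
\tDescription :\tConstructed sample account
\tLogon Time               :\tMon, 01 Jan 1970 00:00:00 UTC
\tPassword last set Time   :\tThu, 01 Jan 1970 00:00:00 UTC
\tuser_rid :\t0x3e8
\tgroup_rid:\t0x201
"""


def rid_to_hex(rid: int) -> str:
    """Same conversion as `printf '%x'` in the bash loop: 1000 -> '0x3e8'."""
    return f"0x{rid:x}"


def hex_to_rid(text: str) -> int:
    """'0x201' -> 513."""
    return int(text, 16)


def rid_candidates(start: int, end: int) -> Iterator[str]:
    """Hex RID strings for an inclusive range, as the `seq ... printf` loop builds them."""
    for rid in range(start, end + 1):
        yield rid_to_hex(rid)


def well_known(rid: int) -> Optional[str]:
    """Label for a well-known RID, or None for an ordinary account/group."""
    return WELL_KNOWN_RIDS.get(rid)


def parse_enumdomusers(output: str) -> Dict[int, str]:
    """Map decimal RID -> account name from `enumdomusers` output."""
    users: Dict[int, str] = {}
    for line in output.splitlines():
        m = ENUMDOMUSERS_RE.search(line)
        if m:
            users[hex_to_rid(m.group("rid"))] = m.group("name")
    return users


def parse_queryuser(output: str) -> dict:
    """Extract name, user RID and primary group RID from `queryuser` output."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    user_rid = hex_to_rid(fields["user_rid"]) if "user_rid" in fields else None
    group_rid = hex_to_rid(fields["group_rid"]) if "group_rid" in fields else None
    return {
        "name": fields.get("User Name", ""),
        "description": fields.get("Description", ""),
        "user_rid": user_rid,
        "group_rid": group_rid,
        "primary_group": well_known(group_rid) if group_rid is not None else None,
        "raw": fields,
    }


def describe(record: dict) -> str:
    """One-line summary suitable for an audit listing."""
    group = record["primary_group"] or "unlabelled group"
    return (f"{record['name']} (RID {record['user_rid']} / {rid_to_hex(record['user_rid'])}), "
            f"primary group {record['group_rid']} ({group})")


if __name__ == "__main__":
    for rid, name in sorted(parse_enumdomusers(ENUMDOMUSERS_SAMPLE).items()):
        print(f"{rid:>5} {rid_to_hex(rid):>6}  {name:<16} {well_known(rid) or ''}")
    print(describe(parse_queryuser(QUERYUSER_SAMPLE)))
```

Feeding real `rpcclient -c "enumdomusers"` output into `parse_enumdomusers` gives a RID-keyed map, so gaps in the RID sequence (accounts hidden from `enumdomusers` but reachable by `queryuser`) stand out directly when compared with `rid_candidates`.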