# Commands

```bash
rpcclient -U "" -N <IP>
```

# Query

| **Query** | **Description** |
| ------------------------- | ------------------------------------------------------------------ |
| `srvinfo` | Server information. |
| `enumdomains` | Enumerate all domains that are deployed in the network. |
| `querydominfo` | Provides domain, server, and user information of deployed domains. |
| `netshareenumall` | Enumerates all available shares. |
| `netsharegetinfo <share>` | Provides information about a specific share. |
| `enumdomusers` | Enumerates all domain users. |
| `queryuser <RID>` | Provides information about a specific user. |

# User Enumeration & Group Info

```bash
rpcclient $> enumdomusers
user:[wook] rid:[0x3e8]
rpcclient $> queryuser 0x3e8
rpcclient $> querygroup 0x201
```

# Brute Forcing User RIDs

```bash
for i in $(seq 500 1100); do
    rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""
done
```

# Brute Forcing User RIDs with [[samrdump.py]]

```bash
samrdump.py <IP>
```

# Change Password

```bash
rpcclient //$IP -U domain/user%pwd
setuserinfo2 <user> <level> <pwd>
setuserinfo2 MOLLY.SMITH 23 'Password123!'
```
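The `enumdomusers` and `queryuser` output above is the raw material of an anonymous-RPC exposure check, so as an added example (not part of this cheat sheet, and not rpcclient's own code) here is a small Python parser that turns both formats into structured records, decodes the hex RIDs, and summarises what a null session gives away. The sample outputs `SAMPLE_ENUMDOMUSERS` and `SAMPLE_QUERYUSER` are constructed to match the layouts shown on this page rather than captured from a real host; the well-known RID table holds only Microsoft-defined values.

```python
import re
from typing import Dict, List

# Constructed sample (not captured from a real host) in the format that
# `rpcclient -U "" -N <IP> -c enumdomusers` prints: `user:[name] rid:[0xHEX]` per line.
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[wook] rid:[0x3e8]
"""

# Constructed sample in the `queryuser` layout: one `key : value` per line, RIDs in hex.
SAMPLE_QUERYUSER = """\
        User Name   :   wook
        Full Name   :   Wook Example
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :
        Workstations:
        Comment     :
        user_rid :      0x3e8
        group_rid:      0x201
"""

# Microsoft-defined well-known RIDs. RIDs below 1000 are built in; 1000 and up are created locally.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}

_USER_LINE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
_KV_LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_enumdomusers(output: str) -> List[Dict[str, object]]:
    """Turn enumdomusers lines into [{'name': ..., 'rid': int}, ...]; unrelated lines are skipped."""
    users = []
    for line in output.splitlines():
        m = _USER_LINE.search(line)
        if m:
            users.append({"name": m.group("name"), "rid": int(m.group("rid"), 16)})
    return users


def parse_queryuser(output: str) -> Dict[str, object]:
    """Parse queryuser output into a dict; the *_rid fields are converted from hex to int."""
    info: Dict[str, object] = {}
    for line in output.splitlines():
        m = _KV_LINE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        info[key] = int(val, 16) if key.endswith("_rid") and val.startswith("0x") else val
    return info


def queryuser_commands(start: int, end: int) -> List[str]:
    """The inclusive RID range the page's bash loop walks, rendered as `rpcclient -c` arguments."""
    return [f"queryuser 0x{rid:x}" for rid in range(start, end + 1)]


def audit_anonymous_enum(output: str) -> Dict[str, object]:
    """Summarise what a null session exposed: any user list at all is a finding; label built-in RIDs."""
    users = parse_enumdomusers(output)
    builtin = [u for u in users if u["rid"] < 1000]
    custom = [u for u in users if u["rid"] >= 1000]
    return {
        "null_session_enum_works": bool(users),
        "builtin": [(u["name"], WELL_KNOWN_RIDS.get(u["rid"], "built-in")) for u in builtin],
        "custom_accounts": [u["name"] for u in custom],
    }


if __name__ == "__main__":
    print(audit_anonymous_enum(SAMPLE_ENUMDOMUSERS))
    print(parse_queryuser(SAMPLE_QUERYUSER))
    print(queryuser_commands(500, 502))
```

Feed it the saved stdout of the commands on this page (for example `rpcclient -U "" -N <IP> -c enumdomusers > users.txt`) and `null_session_enum_works` being true is the condition to remediate: it means the host answers SAMR queries to an unauthenticated session.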