Connect
rpcclient -U '' -N TARGET # Null session (anonymous)
rpcclient -U 'user%password' TARGET # With creds
rpcclient -U 'DOMAIN/user%password' TARGET # Domain creds
Null sessions are refused by default on current Windows (anonymous SAMR/LSA access is restricted), so if the first form fails, retry with guest or any low-privilege domain account. The credential syntax is shared with smbclient; `--pw-nt-hash` makes the password field an NT hash for pass-the-hash.
Domain Info
rpcclient $> querydominfo
rpcclient $> getdompwinfo # Password policy
rpcclient $> enumdomains
User Enumeration
rpcclient $> enumdomusers
rpcclient $> queryuser 0x1f4 # Query by RID
rpcclient $> queryuser administrator
rpcclient $> getusrdompwinfo 0x1f4 # User password info
Group Enumeration
rpcclient $> enumdomgroups
rpcclient $> querygroup 0x200 # Domain Admins (RID 512)
rpcclient $> querygroupmem 0x200 # Group members (returns RIDs, resolve with queryuser)
rpcclient $> queryusergroups 0x1f4 # User's groups
RID Cycling
Enumerate accounts by guessing RIDs. Resolve the domain SID once (lookupnames on a known account prints it with the RID appended; lsaquery prints it directly), then append candidate RIDs and resolve them with lookupsids. Mapped SIDs come back with a name and a type (1 = user, 2 = domain group), unmapped ones as *unknown*. Well-known RIDs: 500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 513 Domain Users; new accounts start at 1000.
rpcclient $> lookupnames administrator
rpcclient $> lookupsids S-1-5-21-DOMAIN-500
Automated
for i in $(seq 500 1100); do rpcclient -U '' -N TARGET -c "queryuser 0x$(printf '%x' $i)" 2>/dev/null | grep "User Name"; done
With CrackMapExec (the same flags work in its maintained fork NetExec, nxc)
crackmapexec smb TARGET -u '' -p '' --rid-brute # null session
crackmapexec smb TARGET -u 'guest' -p '' --rid-brute # guest account
crackmapexec smb TARGET -u '' -p '' --rid-brute 6000 # raise the RID ceiling (default 4000)
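The loop above opens a new connection for every RID and only finds users. The script below is an added example (not code from the original page and not part of Samba/rpcclient): it resolves the domain SID with lsaquery, then resolves RIDs in batches with a single lookupsids call per batch, keeping both users and groups. TARGET, the batch size and the RID range are assumed placeholders; the rpcclient output shown in the comments and used in the test is constructed, so the parsers can be checked offline.

```shell
#!/bin/sh
# Added example: batched RID cycling over rpcclient's LSA lookupsids.
# Assumes TARGET answers a null session; swap the -U ''/-N pair in rpc()
# for -U 'user%pass' when anonymous access is refused.

TARGET="${TARGET:-TARGET}"   # hostname or IP (assumed placeholder)

# One non-interactive rpcclient call; stderr dropped so parsers see only output
rpc() {
    rpcclient -U '' -N "$TARGET" -c "$1" 2>/dev/null
}

# "lsaquery" prints (constructed sample of the real format):
#   Domain Name: CORP
#   Domain Sid: S-1-5-21-x-y-z
parse_domain_sid() {
    awk '/^Domain Sid:/ { print $3 }'
}

# "lookupsids" prints one line per SID (constructed sample of the real format):
#   S-1-5-21-x-y-z-500 CORP\Administrator (1)
#   S-1-5-21-x-y-z-512 CORP\Domain Admins (2)
#   S-1-5-21-x-y-z-1337 *unknown*\*unknown* (8)
# Keep users (1) and domain groups (2). Names may contain spaces, so the
# type is the last field and the name is every field in between.
parse_lookupsids() {
    awk '$NF == "(1)" || $NF == "(2)" {
        rid = $1; sub(/.*-/, "", rid)
        name = $2; for (f = 3; f < NF; f++) name = name " " $f
        printf "%s %s %s\n", rid, ($NF == "(1)" ? "user" : "group"), name
    }'
}

# Space-separated SID list <domain>-lo .. <domain>-hi (inclusive)
build_sid_batch() {
    sid="$1"; lo="$2"; hi="$3"; out=""
    r="$lo"
    while [ "$r" -le "$hi" ]; do
        out="$out $sid-$r"
        r=$((r + 1))
    done
    printf '%s' "${out# }"
}

# Resolve RIDs lo..hi against the domain, $batch SIDs per LSA call
rid_cycle() {
    domsid="$1"; lo="$2"; hi="$3"; batch="${4:-50}"
    i="$lo"
    while [ "$i" -le "$hi" ]; do
        top=$((i + batch - 1))
        if [ "$top" -gt "$hi" ]; then top="$hi"; fi
        rpc "lookupsids $(build_sid_batch "$domsid" "$i" "$top")" | parse_lookupsids
        i=$((top + 1))
    done
}

main() {
    domsid=$(rpc lsaquery | parse_domain_sid)
    if [ -z "$domsid" ]; then
        echo "could not read domain SID (null session refused?)" >&2
        return 1
    fi
    echo "domain SID: $domsid" >&2
    rid_cycle "$domsid" "${1:-500}" "${2:-1100}"
}

# Network access only when explicitly requested, e.g.
#   RIDCYCLE=1 TARGET=10.10.10.10 sh rid_cycle.sh 500 1100
if [ "${RIDCYCLE:-0}" = 1 ]; then
    main "$@"
fi
```

Each batch is one LSA LookupSids round trip instead of fifty SAMR connections, which is both faster and far less noisy in event logs than the per-RID loop; dropping unmapped (type 8) entries keeps the output to real principals.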
Share Enumeration
rpcclient $> netshareenum
rpcclient $> netshareenumall
rpcclient $> netsharegetinfo SHARE_NAME
SID Lookups
rpcclient $> lsaenumsid
rpcclient $> lookupsids S-1-5-21-...
rpcclient $> lookupnames "Domain Admins"
Printer Enumeration
rpcclient $> enumprinters
One-Liners (Non-Interactive)
rpcclient -U '' -N TARGET -c "enumdomusers"
rpcclient -U '' -N TARGET -c "enumdomgroups"
rpcclient -U 'user%pass' TARGET -c "querygroupmem 0x200"
Quick Reference
| Task | Command |
|---|---|
| Null session | rpcclient -U '' -N TARGET |
| Users | enumdomusers |
| Groups | enumdomgroups |
| Domain Admins | querygroupmem 0x200 |
| RID brute | crackmapexec smb TARGET -u '' -p '' --rid-brute |
| Password policy | getdompwinfo |