# RPC Enumeration

## Overview
Microsoft Remote Procedure Call (MSRPC) runs on TCP port 135 (endpoint mapper) with dynamic high ports for actual services. RPC enumeration via named pipes (notably the SAMR and LSARPC pipes over SMB on port 445) allows enumeration of domain users, groups, and Security Identifiers (SIDs) through techniques such as RID cycling. RPC is one of the oldest and most reliable methods for extracting user lists from Windows/AD environments, especially when LDAP anonymous binds are disabled but SMB null sessions are permitted.
## Prerequisites
- Tools: rpcclient, Impacket (lookupsid.py, samrdump.py), netexec, enum4linux-ng
- Access Level: Network access to ports 135 and 445; anonymous SMB session on IPC$
- Key Insight: RPC enumeration works over named pipes (SMB transport), so port 445 must be reachable.
## Detection & Enumeration

### Null Session RPC Connection

```bash
# rpcclient null session connection
rpcclient -U "" -N 10.10.10.161

# If successful, you enter an rpcclient shell:
# rpcclient $> srvinfo            -- server OS and version info
# rpcclient $> enumdomusers       -- list domain users
# rpcclient $> enumdomgroups      -- list domain groups
# rpcclient $> querydominfo       -- domain information
# rpcclient $> lookupnames admin  -- SID lookup for a user
# rpcclient $> lsaenumsid         -- enumerate SIDs
# rpcclient $> getdompwinfo       -- password policy
```
### RID Cycling for User Enumeration

RID cycling is one of the most effective techniques for extracting user lists from Windows/AD environments:

```bash
# Impacket lookupsid (RID cycling)
impacket-lookupsid anonymous@manager.htb -no-pass

# With known credentials
impacket-lookupsid domain/user:pass@10.10.10.161

# Filter for user accounts only
impacket-lookupsid anonymous@manager.htb -no-pass | grep SidTypeUser

# netexec RID brute-force
netexec smb 10.10.10.161 -u '' -p '' --rid-brute
netexec smb 10.10.10.161 -u user -p pass --rid-brute

# The output shows:
# [*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
# 500: MANAGER\Administrator (SidTypeUser)
# 501: MANAGER\Guest (SidTypeUser)
# 1113: MANAGER\Zhong (SidTypeUser)
# 1114: MANAGER\Cheng (SidTypeUser)
# ...etc
```
How RID cycling works:
- The Domain SID (Security Identifier) is obtained via the LSARPC named pipe.
- The Relative Identifier (RID), the last component of a SID, starts at 500 (Administrator) and increments.
- Each RID is appended to the Domain SID and queried for the associated account name.
- Valid RIDs return user or group names; invalid RIDs are skipped.
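The following parser is an added example and is not code from the original page, from Impacket or from NetExec. It reads the `Domain SID is:` header and the `<RID>: DOMAIN\name (SidType...)` lines that lookupsid and `--rid-brute` print, rebuilds each full SID as domain SID plus `-RID` (the construction the list above describes), and separates user accounts from groups so the result can be compared against the accounts an organisation expects to exist. `SAMPLE_OUTPUT` reuses the lines shown above plus one constructed group line (RID 512, Domain Admins); the built-in/custom split follows the page's rule of thumb that user-created RIDs start at 1000.

```python
"""Parse RID-cycling output (impacket-lookupsid / netexec --rid-brute style).

Added example; not code from the original page, Impacket or NetExec.
"""
import re

# "[*] Domain SID is: S-1-5-21-<three sub-authorities>"
DOMAIN_SID_RE = re.compile(r"Domain SID is:\s*(S-1-5-21-\d+-\d+-\d+)")
# "<RID>: <DOMAIN>\<name> (<SidTypeUser|SidTypeGroup|SidTypeAlias|...>)"
# search() rather than match() so a netexec line prefix ("SMB  host  445  DC  ") is tolerated.
ENTRY_RE = re.compile(r"(\d+):\s+([^\\\s]+)\\(.+?)\s+\((SidType\w+)\)")

# Lines from the output shown above, plus one constructed group line (RID 512).
SAMPLE_OUTPUT = """\
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
500: MANAGER\\Administrator (SidTypeUser)
501: MANAGER\\Guest (SidTypeUser)
512: MANAGER\\Domain Admins (SidTypeGroup)
1113: MANAGER\\Zhong (SidTypeUser)
1114: MANAGER\\Cheng (SidTypeUser)
"""


def parse_rid_cycle_output(text):
    """Return (domain_sid, entries); each entry has rid, domain, name, sid_type, sid, builtin."""
    domain_sid = None
    entries = []
    for line in text.splitlines():
        m = DOMAIN_SID_RE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.search(line)
        if not m:
            continue
        rid = int(m.group(1))
        entries.append({
            "rid": rid,
            "domain": m.group(2),
            "name": m.group(3),
            "sid_type": m.group(4),
            # Full SID = domain SID + "-" + RID, exactly what each cycling query asks the DC about.
            "sid": f"{domain_sid}-{rid}" if domain_sid else None,
            # Page's rule of thumb: RIDs below 1000 are built-in / well-known
            # (500 Administrator, 501 Guest, 512 Domain Admins); created accounts start at 1000+.
            "builtin": rid < 1000,
        })
    return domain_sid, entries


def user_accounts(entries):
    """Names of SidTypeUser entries, the set a defender compares against expected accounts."""
    return [e["name"] for e in entries if e["sid_type"] == "SidTypeUser"]


def custom_accounts(entries):
    """User accounts outside the built-in range, i.e. the ones the organisation created."""
    return [e["name"] for e in entries if e["sid_type"] == "SidTypeUser" and not e["builtin"]]


if __name__ == "__main__":
    sid, found = parse_rid_cycle_output(SAMPLE_OUTPUT)
    print("Domain SID:", sid)
    for e in found:
        flag = "  [built-in]" if e["builtin"] else ""
        print(f"{e['sid']}  {e['domain']}\\{e['name']:<16} {e['sid_type']}{flag}")
    print("Users:", user_accounts(found))
    print("Created accounts:", custom_accounts(found))
```

Pipe real tool output in with `parse_rid_cycle_output(sys.stdin.read())`; the group/alias entries are kept so that unexpected well-known groups (or a surprisingly large custom-user list) stand out in review.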
### MSRPC Endpoint Enumeration

```bash
# nmap RPC service enumeration
nmap --script msrpc-enum -p 135 10.10.10.161

# rpcdump from Impacket
impacket-rpcdump @10.10.10.161
impacket-rpcdump 10.10.10.161 -port 135
```
### SAMR Enumeration with Impacket

```bash
# Direct SAMR user enumeration (port 445/SMB pipe)
impacket-samrdump 10.10.10.161
impacket-samrdump anonymous:@10.10.10.161

# With credentials
impacket-samrdump domain/user:pass@10.10.10.161
```
### Comprehensive RPC via enum4linux-ng

```bash
# enum4linux-ng includes RID cycling via RPC
enum4linux-ng 10.10.10.161 -A
enum4linux-ng 10.10.10.161 -U   # Users via RPC
```
### Additional rpcclient Commands

```bash
# Additional rpcclient commands (-N: no password prompt, so each one-shot -c call runs non-interactively)
rpcclient -U "" -N 10.10.10.10 -c 'queryuser 0x1f4'                # Detailed user info by RID (0x1f4 = 500 = Administrator)
rpcclient -U "" -N 10.10.10.10 -c 'enumprivs'                      # Enumerate available privileges
rpcclient -U "" -N 10.10.10.10 -c 'getuserdomgroups 0x1f4'         # User's domain groups by RID
rpcclient -U "" -N 10.10.10.10 -c 'lookupnames administrator'      # Resolve name to SID
rpcclient -U "" -N 10.10.10.10 -c 'lsaquery'                       # Domain policy info, domain SID
rpcclient -U "" -N 10.10.10.10 -c 'enumalsgroups domain'           # Domain alias groups (local groups)

# Alternative: netexec for user enumeration (faster than rpcclient for RID cycling)
nxc smb <target> -u '' -p '' --users

# impacket smbserver.py for SMB relay/NTLM capture
impacket-smbserver share /tmp/share -smb2support
# Creates an SMB server to capture NTLM hashes from connecting clients
```
## Common Pitfalls
- Modern Windows systems restrict anonymous RPC access more aggressively than older versions. If anonymous RID cycling fails, it does not mean the technique is invalid -- it may require credentials.
- Port 135 (endpoint mapper) must be accessible, but the actual RPC services often use dynamic ports. Ensure port 445 (SMB) is also open, as named pipe RPC goes over SMB.
- Impacket's lookupsid uses the ncacn_np transport (named pipes over SMB). If SMB is blocked but RPC on port 135 is open, different transport bindings may be needed.
- RID ranges differ between domains. User RIDs typically start at 1000 in modern domains but can vary. The Administrator (500) and Guest (501) are almost always present.
## OPSEC Considerations
- RID cycling generates sequential SID lookup requests. This pattern is easily detected by any EDR monitoring named pipe activity. The sequential nature (500, 501, 502...) is unmistakable.
- rpcclient null session connections access the SAMR and LSARPC pipes over SMB and are logged in Windows Security Event Log with Event ID 4662 (Directory Service Access).
- Each successful RID lookup against a Domain Controller is an LDAP query that triggers Event ID 4662. A rapid burst of these events is a clear IOC.
- MSRPC enumeration is a well-known reconnaissance technique and most modern EDR products (CrowdStrike, Defender for Identity, SentinelOne) have dedicated detections for RID cycling and SAMR enumeration.
- Defender for Identity specifically alerts on "Suspected identity theft (pass-the-hash)" and "Reconnaissance using directory services queries" which includes SAMR-based enumeration.
- If stealth is critical, prefer credential-based LDAP queries over anonymous RPC enumeration. LDAP queries blend in better with normal AD traffic (though still logged).
- Consider rate-limiting RPC queries to avoid triggering threshold-based alerts. Most detection rules fire on rapid sequential access.
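The detection logic below is an added example written from the defender's side; it is not from the original page or from any of the tools listed here. It implements the pattern the bullets above describe: a rapid run of Event ID 4662 (Directory Service Access) events from one logon session, as RID cycling or SAMR enumeration against a Domain Controller produces, versus the trickle that ordinary administration generates. The log lines are constructed (a flat pipe-separated export with the fields TimeCreated, EventID, SubjectUserName, SubjectLogonId and ObjectName, not a real EVTX dump), and `WINDOW` and `THRESHOLD` are assumed starting values to tune per environment.

```python
"""Flag bursts of Event ID 4662 from a single logon session (constructed sample data).

Added example, not from the original page. Sliding-window count per SubjectLogonId.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed: sliding window length
THRESHOLD = 20                  # assumed: 4662 events per window that count as a burst


def parse_event(line):
    """Constructed export format: <ISO time>|<EventID>|<SubjectUserName>|<SubjectLogonId>|<ObjectName>."""
    ts, eid, user, logon_id, obj = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "event_id": int(eid),
            "user": user, "logon_id": logon_id, "object": obj}


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {logon_id: alert}, one alert per session, raised the first time
    `threshold` 4662 events fall inside `window`."""
    recent = defaultdict(deque)   # logon_id -> timestamps of 4662 events inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4662:
            continue
        q = recent[ev["logon_id"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["logon_id"] not in alerts:
            span = max((ev["ts"] - q[0]).total_seconds(), 1e-3)
            alerts[ev["logon_id"]] = {
                "user": ev["user"], "count": len(q),
                "first": q[0], "last": ev["ts"],
                "rate_per_s": round(len(q) / span, 1),
            }
    return alerts


def sample_log():
    """Constructed log: four helpdesk lookups spread over 40 minutes, then a 30-object burst
    from the anonymous session (0x3e6 is the well-known ANONYMOUS LOGON logon ID)."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i, cn in enumerate(["Zhong", "Cheng", "Ryan", "Raven"]):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()}|4662|svc_helpdesk|0x5f2a1|CN={cn},CN=Users,DC=example,DC=local")
    for i in range(30):   # enumeration: one object every 200 ms
        t = base + timedelta(minutes=45, milliseconds=200 * i)
        lines.append(f"{t.isoformat()}|4662|ANONYMOUS LOGON|0x3e6|CN=obj{i:02d},CN=Users,DC=example,DC=local")
    lines.append(f"{(base + timedelta(minutes=50)).isoformat()}|4624|svc_helpdesk|0x5f2a1|-")  # not 4662, ignored
    return lines


def analyze(lines):
    return detect_bursts([parse_event(line) for line in lines])


if __name__ == "__main__":
    for logon_id, a in analyze(sample_log()).items():
        secs = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT logon {logon_id} ({a['user']}): {a['count']} x 4662 in {secs:.1f}s "
              f"(~{a['rate_per_s']}/s) starting {a['first']}")
```

Keying on SubjectLogonId rather than on user name keeps a null session (ANONYMOUS LOGON) separate from any named account, and the alert carries the observed rate so a threshold-based rule can be tuned against real baseline traffic before it is deployed.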
## Post-Exploitation Value
- RID cycling produces a complete domain user list, which enables password spraying, targeted phishing, and credential brute-force attacks.
- The Administrator user (RID 500) and built-in groups are always discovered, confirming the domain structure.
- User lists are required input for ASREPRoasting (users with Kerberos pre-auth disabled) and Kerberoasting (users with SPNs).
- RID cycling can also reveal disabled accounts, service accounts, and accounts with stale passwords that may be easier targets.
## Cross-References

### Tool References
| Tool | Description | Link |
|---|---|---|
| rpcclient | Samba RPC client for null session enumeration | Built into Samba suite |
| Impacket (lookupsid, samrdump) | Python RPC/SAMR enumeration tools | https://github.com/fortra/impacket |
| netexec (nxc) | Multi-protocol with RID brute-force module | https://github.com/Pennyw0rth/NetExec |
| enum4linux-ng | SMB/RPC enumeration wrapper | https://github.com/cddmp/enum4linux-ng |
| rpcdump | RPC endpoint dumper (Impacket) | Part of Impacket |
### Source Machines
- Manager (Medium, AD/Windows) -- Classic example: lookupsid via anonymous RPC enumerates 8 domain users (Zhong, Cheng, Ryan, Raven, JinWoo, ChinHae, Operator, Administrator); password spray discovers operator:operator
- Forest (Easy, AD) -- RPC available but enumeration was via LDAP anonymous bind instead (LDAP provided richer info)
- Support (Easy, Windows) -- RPC used indirectly via PowerView/PowerMad for domain operations