MS-RPC - ports 135-593

$ msfconsole
msf > use auxiliary/scanner/dcerpc/endpoint_mapper
msf auxiliary(scanner/dcerpc/endpoint_mapper) > set RHOST <target IP>
msf auxiliary(scanner/dcerpc/endpoint_mapper) > run

$ msfconsole
msf > use auxiliary/scanner/dcerpc/hidden
msf auxiliary(scanner/dcerpc/hidden) > set RHOST <target IP>
msf auxiliary(scanner/dcerpc/hidden) > run

$ msfconsole
msf > use auxiliary/scanner/dcerpc/management
msf auxiliary(scanner/dcerpc/management) > set RHOST <target IP>
msf auxiliary(scanner/dcerpc/management) > run

$ msfconsole
msf > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
msf auxiliary(scanner/dcerpc/tcp_dcerpc_auditor) > set RHOST <target IP>
msf auxiliary(scanner/dcerpc/tcp_dcerpc_auditor) > run

$ rpcclient -U <Domaine>/<Username> <target IP>
Enter <Domaine>\<Username>'s password: <password>
rpcclient $>

rpcclient $> srv info   #informations serveur
platform_id: ...
os_version: ...
server_type: ...

rpcclient $> querydominfo    #informations domaine sur le serveur
domain: ...
Total users: ...
Total groups: ...
server Role: ...
...
...

rpcclient $> enumdomusers    #Enumeration des utilisateurs
user:[Administrateur] rid:[...]
user: ...
...

rpcclient $> enumdomgroups    #Enumeration des groupes
group: ... rid: ...
...
...

rpcclient $> enumprivs    #Enumeration des privilèges
found ... privileges
...
...

rpcclient $> getdompwinfo    #informations sur la politique de mdp
min_password_length: ...
password_properties: ...

rpcclient $> getusrdompwinfo <user_rid>    #getdompwinfo ciblé pour un utilisateur speécifique
min_password_length: ...
password_properties: ...

rpcclient $> lsaenumsid    #Enumeration des SID
found ... SIDs
...
...

rpcclient $> enumalsgroups builtin
rpcclient $> enumalsgroups domain    #Enumeration des alias de groupes dans le domaine
group:[Administrators] rid:[...]
...
...

rpcclient $> netshareenum    #Enumeration des partages réseaux
netname: ...
    remark: ...
    path: ...
    password: ...
netname: ...
...
...

rpcclient $> enumdomains    #Enumeration des domaines
name: [...] idx:[...]
...
...

rpcclient $> lsaquery
Domain Name: ...
Domain SID: ...

rpcclient $> dsroledominfo    #Informations Directory Service
Machine Role = ...
Directory Service is running | is not running

rpcclient $> lsaquerysecobj    #Visualisation des autoraisations, privilèges etc

rpcclient $> queryuser <nom d'utilisateur>
User Name: ...
Full Name: ...
Description: ...
Comment: ...
Password last set time: ...
...
...

rpcclient $> enumdispinfo    #enumdomuser détaillé
index: ... acb: ... Account: ... Name: ... Desc: ...
...
...

rpcclient $> querygroup <nom du groupe>
Group Name: ...
Description: ...
...
...

rpcclient $> netshareenumall    #Enumeration totale des partages réseaux
netname: ...
    remark: ...
    path: ...
    password: ...
netname: ...
...
...

rpcclient $> netsharegetinfo <partage>    #détails sur un partage spécifique
Permissions: ...
SID: ...
Owner SID: ...
Group SID: ...
...
...

rpcclient $> lookupdomain <domaine>    #détails sur un domaine
Domain Name: <domaine> Domain SID: ...

rpcclient $> samlookupnames domain <user>    #SAM d'un utilisateur spécifique
name <user>: <SAM>

rpcclient $> lookupsids <SID>    #A qui appartient ce SID
<SID> <user>

rpcclient $> createdomuser <user>
rpcclient $> setuserinfo2 <user> 24 <password>
rpcclient $> enumdomusers
...
...
...
user:[<user>] rid:[...]

rpcclient $> lookupnames <user>    #Vérifier si l'utilisateur créé a un SID
<user> <SID>

rpcclient $> deletedomuser <user>
rpcclient $> enumdomusers
...
...

rpcclient $> chpasswd <user> <password> <new password>

rpcclient $> lookupnames <user>
<user> <SID>
rpcclient $> lsacreateaccount <SID>

rpcclient $> createdomgroup <nom du groupe>
rpcclient $> enumdomgroups
...
...
group:[<nom du groupe>] rid:[...]

rpcclient $> deletedomgroup <nom du groupe>
rpcclient $> enumdomgroups
...
...