“Human Stupidity, that’s why Hackers always win.”
― Med Amine Khelifi

Hacking in 5 minutes with Remote Procedure Call and Active Directory enumeration

Before we start going deeper,let me introduce you what is RPC(Remote Procedure call)?, based on Microsoft documentation:

link: https://docs.microsoft.com/en-us/windows/win32/rpc/rpc-start-page

Moment I encounter window server machine that available RPC service, I try to fully utilize the enumeration of service by using rpcclient.

what is rpcclient? it is tool for executing client side MS-RPC functions.

rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-I destinationIP] {server}

rpcclient support many command options to execute MS-RPC function,these command can be placed under several categories,LSARPC,LSARPC-DS,REG,SRVSVC,SAMR,SPOOLSS,NETLOGON,FSRVP

LSARPC is really a set of calls, transmitted with RPC, to a system called the “Local Security Authority”. This used in the Microsoft/Windows world to perform management tasks on domain security policies from a remote machine. The protocol is described in MS-LSAD. The transport medium is RPC, a part of the “Server Message Block” protocol (MS-SMB…