“Human Stupidity, that’s why Hackers always win.”
― Med Amine Khelifi

Hacking in 5 minutes with Remote Procedure Call and Active Directory enumeration

mucomplex
5 min read, Jan 28, 2020


Before we go deeper, let me introduce what RPC (Remote Procedure Call) is, based on the Microsoft documentation:

link: https://docs.microsoft.com/en-us/windows/win32/rpc/rpc-start-page

The moment I encounter a Windows Server machine with an exposed RPC service, I try to enumerate that service as fully as possible using rpcclient.

What is rpcclient? It is a tool for executing client-side MS-RPC functions.

rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-I destinationIP] {server}

rpcclient supports many command options for executing MS-RPC functions. These commands fall into several categories: LSARPC, LSARPC-DS, REG, SRVSVC, SAMR, SPOOLSS, NETLOGON and FSRVP.

LSARPC is really a set of calls, transmitted over RPC, to a system called the “Local Security Authority”. It is used in the Microsoft/Windows world to perform management tasks on domain security policies from a remote machine. The protocol is described in MS-LSAD. The transport medium is RPC, a part of the “Server Message Block” protocol (MS-SMB
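From the defender's side, rpcclient enumeration against a server that still allows null sessions shows up in the Windows Security log as network (type 3) logons by the built-in ANONYMOUS LOGON account. The following is an added example (not code from the post) that flags such logons per source IP over a constructed sample of Event ID 4624 records; the field names follow the 4624 event schema, the sample values are made up.

```python
"""Flag null-session (anonymous) network logons, the typical log footprint
of rpcclient run without credentials against a Windows host.
The sample events below are constructed for this example, not real log data."""
from collections import Counter

# Constructed sample of Windows Security events (Event ID 4624 fields).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.40"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "admin",
     "AuthenticationPackageName": "Negotiate", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77"},
]


def is_null_session_logon(event):
    """True for a successful network (type 3) logon by ANONYMOUS LOGON."""
    return (event.get("EventID") == 4624
            and event.get("LogonType") == 3
            and event.get("TargetUserName", "").upper() == "ANONYMOUS LOGON")


def anonymous_logons_by_source(events):
    """Count null-session logons per source IP address."""
    return Counter(e["IpAddress"] for e in events if is_null_session_logon(e))


def flag_sources(events, threshold=2):
    """Return (ip, count) pairs at or above the threshold, highest first.
    Some environments see legitimate anonymous SMB traffic, so tune the
    threshold against a baseline rather than alerting on every single hit."""
    counts = anonymous_logons_by_source(events)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_EVENTS):
        print(f"{ip}: {n} anonymous network logons")
```

Hosts that do not need null sessions should also have the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" policy (RestrictAnonymous) enabled, which removes the enumeration the log rule is watching for.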

Written by mucomplex

Security consultant and researcher
