RPC (111/135)

Enum RPC services
List registered RPC services — Find NFS, mountd, etc.
rpcinfo -p $IP
Example Output
rpcinfo -p 10.10.10.5
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp  34567  mountd
(NFS available! Check showmount)

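As an added example (not part of the original cheat sheet), a small Python parser that turns `rpcinfo -p` output into records and flags the NFS-related programs the listing above calls out, so the output can be audited against what a host is meant to expose. The sample output is constructed from the listing above, with one extra unnamed program (number 999999, a placeholder) to show the four-column case rpcinfo prints for programs it cannot name.

```python
"""Parse `rpcinfo -p` output and flag RPC programs worth reviewing.

Added example. The program numbers for nfs (100003) and mountd (100005)
are the standard ONC RPC assignments shown in the cheat sheet listing.
"""
from typing import Dict, List, Tuple

# Constructed sample output, matching the listing above plus one
# unnamed program (placeholder number) that prints only four columns.
SAMPLE_OUTPUT = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp  34567  mountd
    999999    1   tcp  40000
"""

# Programs that usually should not be reachable from untrusted networks.
REVIEW_PROGRAMS = {100003: "nfs", 100005: "mountd"}


def parse_rpcinfo(text: str) -> List[Dict[str, object]]:
    """Return one record per registered (program, version, proto, port)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and blank lines: the first column must be numeric.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        records.append({
            "program": int(fields[0]),
            "version": int(fields[1]),
            "proto": fields[2],
            "port": int(fields[3]),
            # Programs rpcinfo cannot name have no fifth column.
            "service": fields[4] if len(fields) > 4 else "",
        })
    return records


def flag_for_review(records: List[Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """Return (name, proto, port) for review-list programs and for any
    program rpcinfo could not name, which also deserves a look."""
    findings = []
    for r in records:
        if r["program"] in REVIEW_PROGRAMS:
            findings.append((REVIEW_PROGRAMS[r["program"]], r["proto"], r["port"]))
        elif not r["service"]:
            findings.append((f"unknown-{r['program']}", r["proto"], r["port"]))
    return findings


if __name__ == "__main__":
    for name, proto, port in flag_for_review(parse_rpcinfo(SAMPLE_OUTPUT)):
        print(f"review: {name} on {proto}/{port}")
```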
rpcclient null session
Anonymous RPC connection — Enum users, groups, shares
rpcclient -U '' -N $IP
Example Output
rpcclient -U '' -N 10.10.10.5
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc_backup] rid:[0x451]

Enum domain users (rpcclient)
After connecting — Full user list
rpcclient $> enumdomusers
Example Output
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[john.smith] rid:[0x451]
user:[svc_sql] rid:[0x452]
user:[admin.backup] rid:[0x453]

Enum domain groups
Group membership — Find admin groups
rpcclient $> enumdomgroups
Example Output
rpcclient $> enumdomgroups
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[IT-Support] rid:[0x450]
rpcclient $> querygroupmem 0x200
rid:[0x1f4] (Administrator)
rid:[0x451] (john.smith is DA!)

User info
Detailed user info — Account details
rpcclient $> queryuser <rid>
Example Output
rpcclient $> queryuser 0x451
User Name   : john.smith
Full Name   : John Smith
Description : IT Admin
Logon Time  : Mon, 24 Feb 2026