RPC (111/135)

Enum RPC services

List registered RPC services — Find NFS, mountd, etc.

rpcinfo -p $IP
Example Output
rpcinfo -p 10.10.10.5
program vers proto  port
100000    4   tcp    111  portmapper
100003    3   tcp   2049  nfs
100005    3   tcp  34567  mountd
(NFS available! Check showmount)
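The `rpcinfo -p` listing above is the raw material for deciding what to check next; a defender auditing their own hosts usually wants that listing turned into a short set of findings (which programs answer remotely, on which port and protocol, and which of them, such as NFS and mountd, need an export or firewall review). The parser below is an added example, not from the page or from the rpcbind project; the sample text is constructed to match the page's listing, and the follow-up notes in FOLLOW_UP are assumed guidance.

```python
"""Parse `rpcinfo -p` output and report which RPC services are network-reachable.
Added example, not from the page; the sample below is constructed to match the
page's listing."""
import re
from typing import Dict, List

# Constructed sample in the same shape as the page's `rpcinfo -p 10.10.10.5` output.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp  34567  mountd
"""

# One registered program per line: program number, version, proto, port, name.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

# Services whose remote exposure warrants a follow-up check, with the check a
# defender would run (assumed guidance, not from the page).
FOLLOW_UP = {
    "nfs": "NFS is registered: review exports with `showmount -e` and restrict them to known clients",
    "mountd": "mountd is registered: confirm it is firewalled to NFS clients only",
    "portmapper": "portmapper answers remotely: limit port 111 to hosts that need RPC",
}


def parse_rpcinfo(text: str) -> List[Dict[str, object]]:
    """Return one record per registered program; the header line does not match ROW_RE and is skipped."""
    services: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        program, vers, proto, port, name = m.groups()
        services.append({"program": int(program), "version": int(vers),
                         "proto": proto, "port": int(port), "service": name})
    return services


def audit_rpc_services(services: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Map each registered service to its follow-up note, keeping listing order."""
    findings = []
    for s in services:
        note = FOLLOW_UP.get(str(s["service"]))
        if note:
            findings.append({"service": s["service"], "port": s["port"],
                             "proto": s["proto"], "note": note})
    return findings


def nfs_registered(services: List[Dict[str, object]]) -> bool:
    """True when either nfs or mountd is registered, i.e. showmount is worth running."""
    return any(s["service"] in ("nfs", "mountd") for s in services)


if __name__ == "__main__":
    for f in audit_rpc_services(parse_rpcinfo(SAMPLE_RPCINFO)):
        print(f"{f['proto']}/{f['port']:<5} {f['note']}")
```

On a real host, feed it the output of `rpcinfo -p` run against the machine you are auditing; `nfs_registered` is the programmatic form of the page's "(NFS available! Check showmount)" note.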

rpcclient null session

Anonymous RPC connection — Enum users, groups, shares

rpcclient -U '' -N $IP
Example Output
rpcclient -U '' -N 10.10.10.5
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc_backup] rid:[0x451]

Enum domain users (rpcclient)

After connecting — Full user list

rpcclient $> enumdomusers
Example Output
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[john.smith] rid:[0x451]
user:[svc_sql] rid:[0x452]
user:[admin.backup] rid:[0x453]

Enum domain groups

Group membership — Find admin groups

rpcclient $> enumdomgroups
Example Output
rpcclient $> enumdomgroups
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[IT-Support] rid:[0x450]

rpcclient $> querygroupmem 0x200
rid:[0x1f4] (Administrator)
rid:[0x451] (john.smith is DA!)
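Because the user list, group list and group membership above all arrive as rpcclient text, a small parser turns a saved session log into a report of which accounts that session disclosed as members of privileged groups; for a defender, running it over a log captured against your own domain controller with an unauthenticated session shows exactly what anonymous SAM enumeration currently gives away and whether the null-session restriction needs fixing. This is an added example, not from the page or from the Samba project; the transcript is constructed (its querygroupmem lines use rpcclient's real `rid:[...] attr:[...]` form instead of the page's annotated version), and PRIVILEGED_GROUPS is an assumed list of group names.

```python
"""Turn an rpcclient session log into a privileged-group membership report.
Added example, not from the page or from Samba. The transcript below is
constructed; names and RIDs mirror the page's listings."""
import re
from typing import Dict, List

PROMPT = "rpcclient $> "
RID_RE = re.compile(r"rid:\[(0x[0-9a-fA-F]+)\]")
NAME_RE = re.compile(r"^(user|group):\[([^\]]+)\]\s+rid:\[(0x[0-9a-fA-F]+)\]")

# Constructed transcript of an enumeration session (enumdomusers, enumdomgroups,
# querygroupmem) in rpcclient's output format.
SAMPLE_TRANSCRIPT = """\
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[john.smith] rid:[0x451]
user:[svc_sql] rid:[0x452]
rpcclient $> enumdomgroups
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[IT-Support] rid:[0x450]
rpcclient $> querygroupmem 0x200
rid:[0x1f4] attr:[0x7]
rid:[0x451] attr:[0x7]
"""

# Assumed set of group names whose membership the report should surface.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def parse_session(transcript: str) -> Dict[str, dict]:
    """Walk the log, tracking which rpcclient command produced each output line.

    Returns users {rid: name}, groups {rid: name} and members {group_rid: [rids]}.
    """
    users: Dict[int, str] = {}
    groups: Dict[int, str] = {}
    members: Dict[int, List[int]] = {}
    command, argument = "", ""
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith(PROMPT):
            parts = line[len(PROMPT):].split()
            command = parts[0] if parts else ""
            argument = parts[1] if len(parts) > 1 else ""
            continue
        if command in ("enumdomusers", "enumdomgroups"):
            m = NAME_RE.match(line)
            if m:
                kind, name, rid = m.groups()
                (users if kind == "user" else groups)[int(rid, 16)] = name
        elif command == "querygroupmem" and argument:
            m = RID_RE.search(line)
            if m:
                members.setdefault(int(argument, 16), []).append(int(m.group(1), 16))
    return {"users": users, "groups": groups, "members": members}


def privileged_report(session: Dict[str, dict]) -> Dict[str, List[str]]:
    """Resolve member RIDs of privileged groups to account names (unknown RIDs stay hex)."""
    report: Dict[str, List[str]] = {}
    for group_rid, member_rids in session["members"].items():
        group_name = session["groups"].get(group_rid, hex(group_rid))
        if group_name not in PRIVILEGED_GROUPS:
            continue
        report[group_name] = [session["users"].get(r, hex(r)) for r in member_rids]
    return report


if __name__ == "__main__":
    session = parse_session(SAMPLE_TRANSCRIPT)
    print(f"accounts disclosed: {len(session['users'])}")
    for group, names in privileged_report(session).items():
        print(f"{group}: {', '.join(names)}")
```

An empty `users` map from an unauthenticated session means anonymous enumeration is blocked, which is the state a domain controller should be in; a populated report is the finding to hand to whoever owns the null-session policy.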

User info

Detailed user info — Account details

rpcclient $> queryuser <rid>
Example Output
rpcclient $> queryuser 0x451
  User Name: john.smith
  Full Name: John Smith
  Description: IT Admin
  Logon Time: Mon, 24 Feb 2026