Remote Procedure Call (RPC) is a protocol that allows programs to execute procedures on a remote server as if they were local. In the context of domain enumeration, RPC can be leveraged to extract information from Windows-based systems within a network. The enumeration process involves gathering details about users, groups, shares, and other resources within a Windows domain.
NetSession Enumeration:
- By using RPC, attackers can enumerate active sessions on a target machine. This provides information about users who are currently connected to the system.
NetShare Enumeration:
- RPC can be utilized to enumerate shared resources on a system, revealing information about accessible network shares and permissions.
NetLocalGroup Enumeration:
- RPC can be employed to enumerate local groups on a remote machine. This provides insights into the users and groups present on the system.
NetUser Enumeration:
- RPC can be used to enumerate user accounts on a target machine, helping attackers identify potential targets or gain insights into the user landscape.
NetGroup Enumeration:
- RPC allows enumeration of domain groups, providing information about group memberships and relationships within the domain.
How to
1. Having a valid AD username and password (in our case User: active.htb\SVC_TGS, Password: GPPstillStandingStrong2k18), we authenticate using rpcclient
- rpcclient -U "SVC_TGS" 10.10.10.100
- GPPstillStandingStrong2k18 (entered at the password prompt)
2. Enumerate the domain users
- enumdomusers
Note: Focus on the administrator users
3. You can also enumerate the groups; there we may find an "admin" group
- enumdomgroups
4. Show the users that belong to a group, using the group RID
- querygroupmem 0x200
Note: This will display the RIDs of the users that are members of this group; in our case rid:[0x1f4]
5. We can now query for this user (0x1f4)
- queryuser 0x1f4
Note: We can see we got the Administrator user as a result
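As an added example (not part of the original notes), a small Python parser for the rpcclient output these steps produce: it maps the RIDs from enumdomusers, enumdomgroups and querygroupmem back to names and reports which privileged group memberships the run exposed, which is what an audit write-up of such a test should record. The sample output below is constructed in rpcclient's format, not captured from a host.

```python
import re

# Well-known RIDs from the Windows security model, used to label what an
# enumeration run actually exposed (0x1f4 = 500, 0x200 = 512, etc.).
WELL_KNOWN_RIDS = {
    0x1F4: "Administrator",
    0x1F6: "krbtgt",
    0x200: "Domain Admins",
    0x201: "Domain Users",
    0x207: "Enterprise Admins",
}
PRIVILEGED_RIDS = {0x1F4, 0x200, 0x207}

# Constructed sample output in rpcclient's format (not from a real host).
ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[krbtgt] rid:[0x1f6]
user:[SVC_TGS] rid:[0x44f]
"""
ENUMDOMGROUPS = """\
group:[Enterprise Admins] rid:[0x207]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
"""
QUERYGROUPMEM = {  # group RID -> constructed querygroupmem output
    0x200: "\trid:[0x1f4] attr:[0x7]\n",
    0x201: "\trid:[0x1f4] attr:[0x7]\n\trid:[0x1f6] attr:[0x7]\n\trid:[0x44f] attr:[0x7]\n",
}

_ENTRY = re.compile(r"(user|group):\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
_MEMBER = re.compile(r"rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

def parse_entries(text):
    """Map RID -> name from enumdomusers / enumdomgroups output."""
    return {int(m["rid"], 16): m["name"] for m in _ENTRY.finditer(text)}

def parse_members(text):
    """Member RIDs from querygroupmem output, in output order."""
    return [int(m["rid"], 16) for m in _MEMBER.finditer(text)]

def privileged_exposure(users, groups, memberships):
    """{group name: [member names]} for privileged groups whose membership was revealed."""
    findings = {}
    for grid, out in memberships.items():
        if grid not in PRIVILEGED_RIDS:
            continue
        gname = groups.get(grid, WELL_KNOWN_RIDS.get(grid, hex(grid)))
        findings[gname] = [users.get(r, hex(r)) for r in parse_members(out)]
    return findings
```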
Recommendations:
Authorization and Legitimate Use:
- Ensure that any RPC enumeration activities are authorized and conducted in a legitimate testing or administrative context.
Logging and Monitoring:
- Monitor network logs for unusual RPC-related activities, which could indicate potential enumeration attempts.
Minimize Attack Surface:
- Minimize the attack surface by restricting unnecessary RPC services and securing network configurations.
Regular Audits:
- Conduct regular security audits to identify and remediate vulnerabilities that could be exploited through RPC enumeration.
Keep Systems Updated:
- Regularly update and patch systems to address any vulnerabilities that could be targeted during RPC domain enumeration.