Remote Procedure Call (RPC) is a protocol that allows programs to execute procedures on a remote server as if they were local. In the context of domain enumeration, RPC can be leveraged to extract information from Windows-based systems within a network. The enumeration process involves gathering details about users, groups, shares, and other resources within a Windows domain.

NetSession Enumeration:

  • By using RPC, attackers can enumerate active sessions on a target machine. This provides information about users who are currently connected to the system.

NetShare Enumeration:

  • RPC can be utilized to enumerate shared resources on a system, revealing information about accessible network shares and permissions.

NetLocalGroup Enumeration:

  • RPC can be employed to enumerate local groups on a remote machine. This provides insights into the users and groups present on the system.

NetUser Enumeration:

  • RPC can be used to enumerate user accounts on a target machine, helping attackers identify potential targets or gain insights into the user landscape.

NetGroup Enumeration:

  • RPC allows enumeration of domain groups, providing information about group memberships and relationships within the domain.

How to

1. Having a valid AD username and password, in our case (User: active.htb\SVC_TGS, Password: GPPstillStandingStrong2k18). We will authenticate using rpcclient

  • rpcclient -U "SVC_TGS"
  • GPPstillStandingStrong2k18

2. Enumerate the domain users

  • enumdomusers

Note: Focus on the administrator users

3. You can also enumerate the groups, there we may find “admin” group

  • enumdomgroups

4. Show the users that belong to a group, we will use the group RID

  • querygroupmem 0x200

Note: This will display the RID of the users members of this group, in our case rid:[0x1f4]

5. We can now query for this user (0x1f4)

  • queryuser 0x1f4

Note: We can see we got the administrator user as a result


Authorization and Legitimate Use:

  • Ensure that any RPC enumeration activities are authorized and conducted in a legitimate testing or administrative context.

Logging and Monitoring:

  • Monitor network logs for unusual RPC-related activities, which could indicate potential enumeration attempts.

Minimize Attack Surface:

  • Minimize the attack surface by restricting unnecessary RPC services and securing network configurations.

Regular Audits:

  • Conduct regular security audits to identify and remediate vulnerabilities that could be exploited through RPC enumeration.

Keep Systems Updated:

  • Regularly update and patch systems to address any vulnerabilities that could be targeted during RPC domain enumeration.