rpcclient Cheat Sheet
MS-RPC client for SAMR/LSA enumeration and user management via null or authenticated sessions on authorized domains.
Overview
rpcclient (part of the Samba suite) talks to Windows MS-RPC endpoints over SMB named pipes (\pipe\samr, \pipe\lsarpc, \pipe\netlogon) for user/group enumeration, password policy, and SID lookup. It is a staple of authorized AD and legacy Windows testing wherever a null session or a low-privilege domain account can reach the IPC$ share; it does not need or use port 135.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
```bash
# rpcclient ships with the Samba client tools; on Debian, Ubuntu and Kali the package is samba-common-bin
sudo apt install -y samba-common-bin
```
Essential commands
Null session enumeration
```bash
rpcclient -U "" -N 10.10.10.5
```
Authenticated
```bash
# single quotes keep the backslash intact; the % separates user from password
rpcclient -U 'DOMAIN\user%password' 10.10.10.5
```
Common workflows
Enumerate users and groups
```
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> queryuser administrator
rpcclient $> querygroup 0x200
```
(0x200 is RID 512, Domain Admins; queryuser and querygroup take a name or a RID.)
Password policy
```
rpcclient $> getdompwinfo
```
SID brute / lookup
```
rpcclient $> lookupnames administrator
rpcclient $> lookupsids S-1-5-21-...-500
rpcclient $> lsaenumsids
```
One-liner from shell
```bash
rpcclient -U "" -N 10.10.10.5 -c enumdomusers
rpcclient -U 'user%pass' 10.10.10.5 -c 'getdompwinfo;enumdomusers'
```
Domain info
```
rpcclient $> enumdomains
rpcclient $> querydominfo
rpcclient $> dsgetdcname
```
Flags reference
| Flag | Meaning |
|---|---|
| -U USER%PASS | Credentials as DOMAIN\user%password; `-U ""` for a null session |
| -N | Don't prompt for a password |
| -c CMD | Run one or more commands (separated by `;`) and exit |
| -W WORKGROUP | Workgroup / domain name |
| -p PORT | SMB port to connect to (445, or 139 for NetBIOS); rpcclient rides over SMB named pipes, not raw DCE/RPC on 135 |
| -I IP | Destination IP when the positional target is a hostname |
| -s CONFIGFILE | Alternate smb.conf (not the target; the target server is the positional argument) |
| -d DEBUGLEVEL | Debug level |
| --pw-nt-hash | Treat the password part of -U as an NT hash (pass-the-hash) |
Tips
- Null-session enumdomusers usually fails on current DCs because anonymous SAM enumeration is restricted by default; retry with any low-privilege domain account, which can read SAMR unless the domain has been hardened further.
- Compare with enum4linux-ng, netexec smb --users / --groups, and ldapsearch for the full AD picture.
- getdompwinfo shows minimum length and complexity flags; querydominfo 12 shows lockout threshold, duration and window. Together they set the budget for password spraying (in scope).
- lsaquery prints the domain SID; feed it to lookupsids with sequential RIDs (500, 501, ... 1000+) to enumerate accounts when enumdomusers is denied.
- When rpcclient is blocked or unavailable, Impacket's lookupsid.py (RID cycling) and samrdump.py (SAMR user dump) issue the same RPC calls.
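As an added example (not part of the original cheat sheet), the shell wrapper below turns the one-liner workflow into something scriptable: it runs rpcclient with -c, pulls the domain SID from lsaquery, converts the user:[NAME] rid:[0xHEX] lines that enumdomusers prints into a name/decimal-RID list, and cycles RIDs through lookupsids in batches, dropping the unresolved entries. The target address, credential strings and the rpcclient output embedded in it are constructed placeholders; the batch size and the exact wording of rpcclient's unresolved-SID line (`*unknown*`) are assumptions to check against your Samba version.

```shell
#!/bin/sh
# Added example: non-interactive rpcclient helpers. Not from the original page.
# Functions that parse output read stdin, so they can be exercised offline on the
# constructed samples below; the functions that call rpcclient need a reachable target.

# Constructed sample of what "enumdomusers" prints (format: user:[NAME] rid:[0xHEX]).
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x457]'

# Constructed sample of what "lsaquery" prints.
SAMPLE_LSAQUERY='Domain Name: CORP
Domain Sid: S-1-5-21-1-2-3'

# rpc_cmd TARGET CREDS CMD: run one rpcclient command string and exit.
# CREDS is whatever -U takes: "" for a null session, 'DOMAIN\user%pass' otherwise.
rpc_cmd() {
    rpcclient -U "$2" -N "$1" -c "$3"
}

# parse_enumdomusers: stdin = enumdomusers output, stdout = "NAME<TAB>DECIMAL_RID".
# The RID is emitted first by sed so that "read" keeps any spaces in the account name.
parse_enumdomusers() {
    sed -n 's/^user:\[\(.*\)\] rid:\[0x\([0-9a-fA-F]*\)\]$/\2 \1/p' |
    while read -r hexrid name; do
        printf '%s\t%d\n' "$name" "0x$hexrid"
    done
}

# parse_lsaquery: stdin = lsaquery output, stdout = the domain SID.
parse_lsaquery() {
    sed -n 's/^Domain Sid: *//p'
}

# domain_sid TARGET CREDS: fetch the domain SID from the target.
domain_sid() {
    rpc_cmd "$1" "$2" lsaquery | parse_lsaquery
}

# rid_sid_list DOMSID START END: space-separated "DOMSID-RID" list for one lookupsids call.
rid_sid_list() {
    rsl_sid=$1; rsl_rid=$2; rsl_end=$3; rsl_out=""
    while [ "$rsl_rid" -le "$rsl_end" ]; do
        rsl_out="$rsl_out$rsl_sid-$rsl_rid "
        rsl_rid=$((rsl_rid + 1))
    done
    printf '%s\n' "${rsl_out% }"
}

# rid_cycle TARGET CREDS DOMSID START END: resolve RIDs START..END, 20 SIDs per lookupsids
# call (batch size is an assumption), and drop the "*unknown*\*unknown* (8)" lines that
# rpcclient prints for RIDs that do not exist (assumed wording).
rid_cycle() {
    rc_t=$1; rc_c=$2; rc_d=$3; rc_lo=$4; rc_hi=$5
    while [ "$rc_lo" -le "$rc_hi" ]; do
        rc_up=$((rc_lo + 19))
        if [ "$rc_up" -gt "$rc_hi" ]; then rc_up=$rc_hi; fi
        rpc_cmd "$rc_t" "$rc_c" "lookupsids $(rid_sid_list "$rc_d" "$rc_lo" "$rc_up")" \
            | grep -v '\*unknown\*' || true
        rc_lo=$((rc_up + 1))
    done
}

# Offline demo on the constructed samples (no target needed):
printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers
printf '%s\n' "$SAMPLE_LSAQUERY" | parse_lsaquery

# Against a real, in-scope target (placeholder address and creds), it would be:
#   rpc_cmd 10.10.10.5 "" enumdomusers | parse_enumdomusers
#   rid_cycle 10.10.10.5 'DOMAIN\user%password' "$(domain_sid 10.10.10.5 'DOMAIN\user%password')" 500 1100
```

The parsing functions are separate from the network calls on purpose: output from an engagement can be saved once and re-parsed, and the RID ranges 500-1000 (built-in accounts) and 1000+ (created accounts) can be walked without re-running enumdomusers on a DC that denies it.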