RPC-Client

Tool for executing client-side MS-RPC functions.


Examples

Connect to a remote host:

rpcclient --user domain\username%password ip

Connect to a remote host on a domain without a password:

rpcclient --user username --workgroup domain --no-pass ip

Connect to a remote host, passing the password hash:

rpcclient --user domain\username --pw-nt-hash ip

Execute shell commands on a remote host:

rpcclient --user domain\username%password --command semicolon_separated_commands ip

Display domain users:

rpcclient $> enumdomusers

Display privileges:

rpcclient $> enumprivs

Display information about a specific user:

rpcclient $> queryuser username|rid

Create a new user in the domain:


Synopsis

rpcclient [-c|--command=Commands] [-I|--dest-ip=IP] [-p|--port=PORT] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL] [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE] [-W|--workgroup=WORKGROUP] [--realm=REALM] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE] [-P|--machine-pass] [--simple-bind-dn=DN] [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE] [--use-winbind-ccache] [--client-protection=sign|encrypt|off] [-V|--version] {BINDING-STRING|HOST}


Description


This tool is part of the samba(7) suite.

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.


Options


-c|--command=Commands

-I|--dest-ip IP-address

-p|--port port

-?|--help

--usage

-d|--debuglevel=DEBUGLEVEL

--debug-stdout

--configfile=CONFIGFILE

--option=name=value

-l|--log-basename=logdirectory

--leak-report

--leak-report-full

-V|--version

-R|--name-resolve=NAME-RESOLVE-ORDER

-O|--socket-options=SOCKETOPTIONS

-m|--max-protocol=MAXPROTOCOL

-n|--netbiosname=NETBIOSNAME

--netbios-scope=SCOPE

-W|--workgroup=WORKGROUP

-r|--realm=REALM

-U|--user=[DOMAIN/]USERNAME[%PASSWORD]

-N|--no-pass

--password

--pw-nt-hash

-A|--authentication-file=filename

-P|--machine-pass

--simple-bind-dn=DN

--use-kerberos=desired|required|off

--use-krb5-ccache=CCACHE

--use-winbind-ccache

--client-protection=sign|encrypt|off
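
The connection examples above put the password on the command line, where it ends up in shell history and the process list. The following is an added example, not part of the original page or of Samba: it supplies credentials through -A|--authentication-file, requests --client-protection=encrypt, and audits command lines for secrets left in argv. The function names, account names, passwords, paths and addresses are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not Samba project code. All account names, passwords and
# addresses are constructed placeholders.

# Create a file for -A|--authentication-file, readable by the owner only,
# so the password stays out of argv and shell history. Prints the path.
write_auth_file() {
    local domain="$1" user="$2" password="$3" file
    file=$(umask 077 && mktemp "${TMPDIR:-/tmp}/rpcauth.XXXXXX") || return 1
    printf 'username = %s\npassword = %s\ndomain = %s\n' \
        "$user" "$password" "$domain" >"$file" || return 1
    printf '%s\n' "$file"
}

# Run rpcclient commands with credentials read from the file and the RPC
# traffic encrypted, then delete the file whatever the outcome.
rpc_run() {
    local authfile="$1" host="$2" commands="$3" rc=0
    rpcclient --authentication-file="$authfile" --client-protection=encrypt \
        --command="$commands" "$host" || rc=$?
    rm -f -- "$authfile"
    return "$rc"
}

# Audit helper: read command lines on stdin (shell history, process
# accounting) and print rpcclient invocations that carry a secret in argv.
find_argv_secrets() {
    grep -E '(^|[ /])rpcclient( |$)' |
        grep -E -e '(-U|--user)[ =]?[^ ]*%[^ ]+' -e '--password[ =][^ ]+'
}

# Constructed sample history used to exercise the audit helper.
sample_history() {
    cat <<'EOF'
rpcclient --user EXAMPLE\alice%ExamplePass1 192.0.2.10
rpcclient -A /run/user/1000/rpcauth.x7 --command enumprivs 192.0.2.10
rpcclient --user alice --workgroup EXAMPLE --password=ExamplePass1 192.0.2.10
rpcclient --user alice --workgroup EXAMPLE --no-pass 192.0.2.10
EOF
}

# Typical use, with the password read interactively into $password:
#   f=$(write_auth_file EXAMPLE alice "$password") && \
#       rpc_run "$f" 192.0.2.10 'srvinfo;enumprivs'
```

The audit helper flags the first and third sample lines; the -A and --no-pass invocations pass.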


Commands

Lsarpc

lsaquery

lookupsids

lookupsids3

lookupsids_level

lookupnames

lookupnames4

lookupnames_level

enumtrust

enumprivs

getdispname

lsaenumsid

lsacreateaccount

lsaenumprivsaccount

lsaenumacctrights

lsaaddpriv

lsadelpriv

lsaaddacctrights

lsaremoveacctrights

lsalookupprivvalue

lsaquerysecobj

lsaquerytrustdominfo

lsaquerytrustdominfobyname

lsaquerytrustdominfobysid

lsasettrustdominfo

getusername

createsecret

deletesecret

querysecret

setsecret

retrieveprivatedata

storeprivatedata

createtrustdom

deletetrustdom


Lsarpc-Ds

dsroledominfo


DFS

dfsversion

dfsadd

dfsremove

dfsgetinfo

dfsenum

dfsenumex


Shutdown

shutdowninit

shutdownabort


SRVSVC

srvinfo

netshareenum

netshareenumall

netsharegetinfo

netsharesetinfo

netsharesetdfsflags

netfileenum

netremotetod

netnamevalidate

netfilegetsec

netsessdel

netsessenum

netdiskenum

netconnenum

netshareadd

netsharedel


Samr

queryuser

querygroup

queryusergroups

queryuseraliases

querygroupmem

queryaliasmem

queryaliasinfo

deletealias

querydispinfo

querydispinfo2

querydispinfo3

querydominfo

enumdomusers

enumdomgroups

enumalsgroups

enumdomains

createdomuser

createdomgroup

createdomalias

samlookupnames

samlookuprids

deletedomgroup

deletedomuser

samquerysecobj

getdompwinfo

getusrdompwinfo

lookupdomain

chgpasswd

chgpasswd2

chgpasswd3

chgpasswd4

getdispinfoidx

setuserinfo

setuserinfo2


Spoolss

adddriver []

addprinter

deldriver

deldriverex [architecture] [version] [flags]

enumdata

enumdataex

enumkey

enumjobs

getjob

setjob

enumports [level]

enumdrivers [level]

enumprinters [level]

getdata <valuename;>

getdataex

getdriver

getdriverdir

getdriverpackagepath

getprinter

openprinter

openprinter_ex

setdriver

getprintprocdir

addform

setform

getform

deleteform

enumforms

setprinter

setprinterdata

setprintername

rffpcnex

printercmp

enumprocs

enumprocdatatypes

enummonitors

createprinteric

playgdiscriptonprinteric

getcoreprinterdrivers

enumpermachineconnections

addpermachineconnection

delpermachineconnection


Netlogon

logonctrl2

getanydcname

getdcname

dsr_getdcname

dsr_getdcnameex

dsr_getdcnameex2

dsr_getsitename

dsr_getforesttrustinfo

logonctrl

samlogon

change_trust_pw

gettrustrid

dsr_enumtrustdom

dsenumdomtrusts

deregisterdnsrecords

netrenumtrusteddomains

netrenumtrusteddomainsex

getdcsitecoverage

capabilities

logongetdomaininfo


FSRVP

fss_is_path_sup

fss_get_sup_version

fss_create_expose

fss_delete

fss_has_shadow_copy

fss_get_mapping

fss_recovery_complete

Clusapi

clusapi_open_cluster

clusapi_get_cluster_name

clusapi_get_cluster_version

clusapi_get_quorum_resource

clusapi_create_enum

clusapi_create_enumex

clusapi_open_resource

clusapi_online_resource

clusapi_offline_resource

clusapi_get_resource_state

clusapi_get_cluster_version2

clusapi_pause_node

clusapi_resume_node


Drsuapi

dscracknames

dsgetdcinfo

dsgetncchanges

dswriteaccountspn


Echo

echoaddone

echodata

sinkdata

sourcedata


Epmapper

epmmap

epmlookup

Eventlog

eventlog_readlog

eventlog_numrecord

eventlog_oldestrecord

eventlog_reportevent

eventlog_reporteventsource

eventlog_registerevsource

eventlog_backuplog

eventlog_loginfo


IRemoteWinspool

winspool_AsyncOpenPrinter

winspool_AsyncCorePrinterDriverInstalled


NTSVCS

ntsvcs_getversion

ntsvcs_validatedevinst

ntsvcs_hwprofflags

ntsvcs_hwprofinfo

ntsvcs_getdevregprop

ntsvcs_getdevlistsize

ntsvcs_getdevlist


MDSSVC

fetch_properties

fetch_attributes


Winreg

winreg_enumkey

querymultiplevalues

querymultiplevalues2


Witness

GetInterfaceList

Register

UnRegister

AsyncNotify

RegisterEx


WKSSVC

wkssvc_wkstagetinfo

wkssvc_getjoininformation

wkssvc_messagebuffersend

wkssvc_enumeratecomputernames

wkssvc_enumerateusers


General Options

help

?

debuglevel

debug

list

exit

quit

sign

seal

packet

schannel

schannelsign

timeout

transport

none
