This interactive tool acts as a user-friendly interface for RPCClient, a command-line client used to interact with the RPC (Remote Procedure Call) service on Windows systems. Through this tool, you can connect to a remote server and execute predefined commands to enumerate users, groups, domains, and system configurations in an organized manner.
Important
It is necessary to have RPCClient installed on the system for the tool to function properly.
The use of RPCClient can be a bit overwhelming, which is why I decided to create this tool. It consolidates the most commonly used commands when enumerating the RPC protocol, and through an interactive prompt you can execute different commands via RPC. The tool essentially uses rpcclient to return the results; however, thanks to the intuitive commands in rpciv, you avoid having to memorize numerous commands. It even improves efficiency, as it automates many series of commands that we would normally need to execute to obtain the same results.
The main purpose that led me to create this tool was to learn how to use rpcclient more professionally. At the moment, it includes some of its main functions, but it will be updated over time with additional commands that may be useful.
The only requirement to use this tool is to have rpcclient installed:
sudo apt install smbclient -y && rpcclient --version
Installation steps:
- Clone this repository:
  git clone https://github.com/h3g0c1v/rpciv
- Access the directory:
  cd rpciv
- Run the tool:
  ./rpciv.sh -h
Once all the previous steps are completed, we should see the tool's help panel.
To display the main help panel of the tool, we will run it with -h:
./rpciv.sh -h
To connect to the RPC service, we will need to specify:
- To perform a null session, we will use -n:
  ./rpciv.sh -n
- In case of having credentials, we will specify the username (-u) and the password (-p):
  ./rpciv.sh -u USERNAME -p PASSWORD
If we connect with a null session, the prompt will show that we are logged in as ANONYMOUS LOGON:
When we connect as a user, we will see the username in our prompt:
When we are connected to the tool, we can see the help panel with the help command.
In this way, you can list all the available commands in the tool. These commands are designed to be very intuitive and easy to remember.
Of course, the typical commands clear (to clear the screen) and exit (to exit the program) also exist and can be used.
With whoami, we will list the name of the user we are logged in as.
The type of prompt shown is configurable, and you can choose from the available options with list prompts.
Each one is identified by a number shown on the left side of each prompt. If we want to change it, we simply specify the corresponding number with prompt.
To execute the enumdomusers command, this tool has show users or s u to list the available users in the domain.
And if we want to list the groups like enumdomgroups, we have show groups or s g.
To see the descriptions of users, we can list them with show users description or s u d. This command only shows users that have a description, so those without one will not be displayed.
Similarly, we can do the same with groups using show groups description or s g d.
To see the members of a specific group, we will run show group members or s g m followed by the desired group. For example, if we want to see the members of the Domain Admins group, we would execute the command as follows:
For many types of attacks, it is necessary to know the SID of the user we are targeting, so I added the command show user sid or s u s, where we will specify the username whose SID we want to query.
Sometimes, it's also interesting to know domain information like its name, SID, and trust relationships. For this, we have two commands:
- show domain info or s d i --> Lists information like the domain name and its SID.
- show trusted domains or s t d --> Shows the trust relationships configured for the domain.
An example of executing both commands could be as follows:
In this case, we can see that the domain is HTB, its corresponding SID, and that it has no trust relationships.
Note
If there had been any trust relationship with another domain, it would have been displayed.
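As an added illustration (not rpciv's own code) of the plumbing behind show users, show domain info and show user sid: small shell functions that parse rpcclient's enumdomusers and lsaquery output and derive a user SID from the domain SID and RID. The sample output lines are constructed; the function names, the -N null-session handling and the example host argument are assumptions for this demo.

```shell
#!/usr/bin/env bash
# Added example, not part of rpciv. Shows how a wrapper can turn raw rpcclient
# output into readable results. SAMPLE_* data below is constructed.

# enumdomusers prints one line per account:  user:[Administrator] rid:[0x1f4]
# Emit "name decimal_rid" (the idea behind 'show users').
parse_enumdomusers() {
  sed -n 's/^user:\[\([^]]*\)\] rid:\[\(0x[0-9a-fA-F]*\)\].*/\1 \2/p' |
  while read -r name hexrid; do
    printf '%s %d\n' "$name" "$hexrid"   # printf converts the 0x RID to decimal
  done
}

# lsaquery prints "Domain Name: ..." and "Domain Sid: S-1-5-21-..." (the idea
# behind 'show domain info'); keep only the SID.
parse_domain_sid() {
  sed -n 's/^Domain Sid: *\(S-[0-9-]*\).*/\1/p'
}

# A user's SID is the domain SID followed by the account RID (the idea behind
# 'show user sid'), so no extra lookup is needed once both are known.
user_sid() {
  printf '%s-%s\n' "$1" "$2"
}

# Run the three steps against a live host when rpcclient is installed.
# Real rpcclient flags: -U user, -N (no password prompt), -c 'command'.
# An empty user with -N is a null session, as rpciv -n does. (assumed helper)
live_user_sids() {
  host=$1; user=${2:-}
  dsid=$(rpcclient -U "$user" -N "$host" -c lsaquery | parse_domain_sid)
  rpcclient -U "$user" -N "$host" -c enumdomusers | parse_enumdomusers |
  while read -r name rid; do
    printf '%s %s\n' "$name" "$(user_sid "$dsid" "$rid")"
  done
}

# Constructed sample data so the parsers can be exercised offline.
SAMPLE_USERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]'
SAMPLE_LSAQUERY='Domain Name: HTB
Domain Sid: S-1-5-21-1111111111-2222222222-3333333333'
```

Piping SAMPLE_USERS through parse_enumdomusers yields "Administrator 500", "Guest 501" and "krbtgt 502"; combining the parsed domain SID with 500 gives the Administrator SID.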
I am excited to receive any contributions! If you would like to contribute or share your ideas, feel free to contact me through my LinkedIn.