Rpcclient
Rpcclient is part of the Samba suite and provides command-line access to Windows RPC services. Essential for Windows domain enumeration and exploitation.
Basic Usage
| Command | Description |
|---|---|
| rpcclient -U '' -N target | Connect with null credentials (-N skips the password prompt) |
| rpcclient -U 'user%pass' target | Connect with username/password |
| rpcclient -U 'DOMAIN\user%pass' target | Connect with domain credentials |
| rpcclient -U 'user' --password=pass target | Connect with explicit password flag |
| rpcclient -c 'command' target | Execute a single command and exit (separate several commands with ;) |
Enumeration Commands
User and Group Enumeration
rpcclient -U 'user%pass' target
# List all users
enumdomusers
# List all groups
enumdomgroups
# Get user info by RID (500 = Administrator) or by name
queryuser 500
queryuser <rid|username>
# Get group members
querygroupmem 512
# Get group info
querygroup 512
# Enumerate domain password policy
getdompwinfo
# List user groups
queryusergroups 500
# Get user groups for RID
queryusergroups <rid>
Domain Controller Enumeration
# Query DC info
querydominfo
# List aliases (local groups) in the builtin or the domain SAM
enumalsgroups builtin
enumalsgroups domain
# Get alias members (0x220 = RID 544, builtin Administrators)
queryaliasmem builtin 0x220
# Query primary domain info (DSSETUP)
dsroledominfo
Share and Printer Enumeration
# Enumerate network shares
netshareenum
# Get share info
netsharegetinfo sharename
# Enumerate printers
enumprinters
# Get a printer registry value
getprinterdata <printername> <valuename>
# List print jobs of a printer
enumjobs <printername>
User Account Enumeration
# Query a specific user by name or by RID
queryuser username
queryuser <rid>
# Resolve a name to its SID and account type
lookupnames username
# Lookup a domain-qualified name
lookupnames 'DOMAIN\Administrator'
# Get user groups by RID
queryusergroups <rid>
# List all users
enumdomusers
# Get a user's domain password info by RID
getusrdompwinfo <rid>
Privilege Enumeration
# List all privileges known to the server (LSA)
enumprivs
# Look up the LUID of a named privilege
lsalookupprivvalue SePrintOperatorPrivilege
# Get a privilege's display name
getdispname SePrintOperatorPrivilege
# List the privileges held by an account, by SID
lsaenumprivsaccount <sid>
Advanced Operations
Query Domain Trusts
rpcclient -U 'user%pass' dc_target
# Enumerate trusted domains (LSA)
enumtrust
# Enumerate forest trusts (netlogon)
dsenumdomtrusts
Password Policy Attacks
# Get password policy (minimum length, password properties)
getdompwinfo
# Password length, history length and age limits (SAMR info level 1)
querydominfo 1
# Account lockout policy: duration, window, threshold (SAMR info level 12)
querydominfo 12
Registry Enumeration
# Enumerate subkeys under a hive key (winreg pipe; the Remote Registry service must be running)
winreg_enumkey <hive> <subkey>
# Show the exact argument form
help winreg_enumkey
Connection Options
# Cap the negotiated SMB dialect (NT1, SMB2 or SMB3; -m sets the maximum, not a fixed version)
rpcclient -m SMB2 target
rpcclient -m SMB3 target
# Set the RPC operation timeout (milliseconds)
rpcclient -t 30000 target
# Enable debug output (level 0-10)
rpcclient -d3 target
# Give the domain/workgroup separately from the user name
rpcclient -U 'user%password' -W DOMAIN target
# Kerberos auth using the current ticket cache (-k on older Samba releases)
rpcclient --use-kerberos=required target
# NTLM hash (pass the hash): the password field carries the NT hash
rpcclient -U 'user%NTHASH' --pw-nt-hash target
Example Workflows
Complete Domain Enumeration
rpcclient -U 'user%pass' target
# Step 1: Get domain info
querydominfo
# Step 2: Enumerate users
enumdomusers
# Step 3: Query admin user
queryuser 500
# Step 4: List groups
enumdomgroups
# Step 5: Query domain admins
querygroupmem 512
# Step 6: Check password policy
getdompwinfo
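Added example, not part of the original cheat sheet: it runs steps 2 and 5 of the workflow above non-interactively with -c and joins the two outputs, so the member RIDs that querygroupmem 512 returns come back as user names. rpcclient on PATH, the target host and the credentials are assumptions; the sample output embedded in the script is constructed.

```shell
# Constructed sample of "querygroupmem 512" output (one "rid:[0x..] attr:[0x..]" line per member).
SAMPLE_GROUPMEM=$(printf '\trid:[0x1f4] attr:[0x7]\n\trid:[0x44f] attr:[0x7]\n')
# Constructed sample of "enumdomusers" output ("user:[name] rid:[0x..]" per user).
SAMPLE_USERS=$(printf 'user:[Administrator] rid:[0x1f4]\nuser:[Guest] rid:[0x1f5]\nuser:[svc_backup] rid:[0x44f]\n')

# groupmem_rids: querygroupmem output on stdin -> decimal RIDs, one per line
groupmem_rids() {
  sed -n 's/.*rid:\[0x\([0-9a-fA-F]*\)].*/\1/p' |
    while read -r h; do printf '%d\n' "0x$h"; done
}

# users_table: enumdomusers output on stdin -> "RID name" lines, RID in decimal
users_table() {
  sed -n 's/.*user:\[\(.*\)] rid:\[0x\([0-9a-fA-F]*\)].*/\2 \1/p' |
    while read -r h n; do printf '%d %s\n' "0x$h" "$n"; done
}

# resolve_members GROUPMEM_OUTPUT USERS_OUTPUT -> one "RID name" line per member;
# "<unresolved>" when the RID is not a domain user (e.g. a nested group or a computer)
resolve_members() {
  table=$(printf '%s\n' "$2" | users_table)
  printf '%s\n' "$1" | groupmem_rids | while read -r rid; do
    name=$(printf '%s\n' "$table" | sed -n "s/^$rid //p")
    printf '%s %s\n' "$rid" "${name:-<unresolved>}"
  done
}

# live_resolve 'DOMAIN\user%pass' HOST [GROUP_RID]: the same join against a real host
# (assumes rpcclient on PATH; GROUP_RID defaults to 512, Domain Admins)
live_resolve() {
  resolve_members "$(rpcclient -U "$1" -c "querygroupmem ${3:-512}" "$2")" \
                  "$(rpcclient -U "$1" -c enumdomusers "$2")"
}

# Offline run on the constructed samples; prints "500 Administrator" and "1103 svc_backup"
resolve_members "$SAMPLE_GROUPMEM" "$SAMPLE_USERS"
```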
User RID Brute Force
# Walk a RID range over a null session and keep only the hits (-N: no password prompt)
for i in {500..520}; do
  rpcclient -U '' -N target -c "queryuser $i" 2>/dev/null | grep -i "User Name" | sed "s/^/RID $i:/"
done
Null Session Exploitation
# Check for null sessions (-N: no password prompt)
rpcclient -U '' -N target
# Enumerate if null session available
enumdomusers
enumdomgroups
querydominfo
Common RIDs
- 500: Administrator
- 501: Guest
- 512: Domain Admins
- 513: Domain Users
- 514: Domain Guests
- 515: Domain Computers
- 516: Domain Controllers
- 517: Cert Publishers
- 520: Group Policy Creator Owners
- 544: Administrators (builtin alias, 0x220)
Exit and Help
# Exit rpcclient
exit
quit
# Show help
help
# List all commands
?
# Show specific command help
help enumdomusers
help queryuser
Troubleshooting
# Connection timeout: raise the RPC timeout (milliseconds)
rpcclient -t 60000 target
# Authentication failed: qualify the user with the domain
rpcclient -U 'DOMAIN\user%pass' target
# SMB version issues: raise the maximum dialect
rpcclient -m SMB3 -U 'user%pass' target
# Enable verbose logging
rpcclient -d5 -U 'user%pass' target
Last updated: March 2026