rpcclient Cheatsheet

Tool for executing MS-RPC functions on Windows systems.

Basic Syntax

rpcclient [options] <server>

Connection Options

Option	Description	Example
`-U USER`	Username	`rpcclient -U admin 10.10.10.10`
`-W DOMAIN`	Domain/Workgroup	`rpcclient -U admin -W MYDOMAIN 10.10.10.10`
`-N`	No password (null session)	`rpcclient -U '' -N 10.10.10.10`
`-c CMD`	Execute command and exit	`rpcclient -U admin -c 'enumdomusers' 10.10.10.10`
`--pw-nt-hash`	Use NT hash for auth	`rpcclient -U admin --pw-nt-hash 10.10.10.10`

Connection Examples

Null Session

rpcclient -U '' -N 10.10.10.10

With Credentials

rpcclient -U 'admin%Password123' 10.10.10.10

Domain Account

rpcclient -U 'DOMAIN\admin%Password123' 10.10.10.10

Server Information Commands

Command	Description
`srvinfo`	Server information
`querydispinfo`	List users with descriptions
`querydominfo`	Domain information
`netshareenum`	Enumerate shares
`netshareenumall`	Enumerate all shares

User Enumeration Commands

Command	Description
`enumdomusers`	Enumerate domain users
`enumdomgroups`	Enumerate domain groups
`queryuser <RID>`	Query user by RID
`queryusergroups <RID>`	Query user’s groups
`lookupnames <name>`	Look up SID for name
`lookupsids <SID>`	Look up name for SID

Group Commands

Command	Description
`enumdomgroups`	List domain groups
`querygroup <RID>`	Query group by RID
`querygroupmem <RID>`	Query group members
`enumalsgroups builtin`	Enumerate builtin groups
`enumalsgroups domain`	Enumerate domain local groups

Password Policy Commands

Command	Description
`getdompwinfo`	Get domain password info
`getusrdompwinfo <RID>`	Get user password info

Privilege Operations (Requires Admin)

Command	Description
`createdomuser <user>`	Create domain user
`deletedomuser <user>`	Delete domain user
`setuserinfo2 <user> 23 <pass>`	Change user password
`chgpasswd <user> <oldpass> <newpass>`	Change password

Common Examples

Enumerate All Users

rpcclient -U '' -N 10.10.10.10 -c 'enumdomusers'

Output format: user:[username] rid:[0xRID]

Get User Details

rpcclient -U '' -N 10.10.10.10 -c 'queryuser 0x1f4'

Note: 0x1f4 = 500 = Administrator RID

Enumerate Groups

rpcclient -U '' -N 10.10.10.10 -c 'enumdomgroups'

Get Password Policy

rpcclient -U '' -N 10.10.10.10 -c 'getdompwinfo'

RID Cycling (User Enumeration)

for i in $(seq 500 1100); do
  rpcclient -U '' -N 10.10.10.10 -c "queryuser 0x$(printf '%x' $i)" 2>/dev/null | grep "User Name"
done

Create User (Admin Required)

rpcclient -U 'admin%Password123' 10.10.10.10 -c 'createdomuser newuser'
rpcclient -U 'admin%Password123' 10.10.10.10 -c 'setuserinfo2 newuser 23 NewPass123!'

Change User Password

rpcclient -U 'admin%Password123' 10.10.10.10 -c 'chgpasswd username oldpass newpass'

Common RIDs

RID (Hex)	RID (Dec)	Account
0x1f4	500	Administrator
0x1f5	501	Guest
0x1f6	502	krbtgt
0x200	512	Domain Admins
0x201	513	Domain Users
0x202	514	Domain Guests

Keyboard shortcuts

notebook