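├── README.md
├── rpcfiend.sh
└── rpcfiend_authenticated.sh

/README.md:
--------------------------------------------------------------------------------
# rpcfiend
Use rpc null sessions to retrieve machine list, domain admin list, domain controllers

usage: ./rpcfiend.sh 192.168.1.1

Results are printed to stdout and *appended* to `rpcfiend_domain_admins.txt`,
`rpcfiend_domain_controllers.txt` and `rpcfiend_domain_machines.txt` in the
current directory — delete them between targets so results are not mixed.
The null-session version only works against domain controllers that still
allow anonymous SAMR enumeration; if every section comes back empty, use the
authenticated version.

```
[~] # ./rpcfiend.sh acme-dc01.acmecomputercompany.com
+++++++++ DOMAIN ADMINS +++++++++
administrator
superuser
backupadmin
+++++++++ DOMAIN CONTROLLERS +++++++++
acme-dc01
acme-dc02
+++++++++ DOMAIN MACHINES +++++++++
acme-laptop1
acme-laptop2
acme-laptop3
acme-laptop4
backupserver

```

## added in authenticated version
usage: ./rpcfiend_authenticated.sh 192.168.1.1 username

The password is prompted for without echo and handed to rpcclient through the
`PASSWD` environment variable, so it never appears on the command line (and
therefore not in `ps` output or shell history). One authentication attempt is
made up front to validate the credentials; a wrong password counts toward the
account's lockout threshold like any other failed logon.

```
[~] # ./rpcfiend_authenticated.sh acme-dc01.acmecomputercompany.com username
Enter password:

+++++++++ DOMAIN ADMINS +++++++++
administrator
superuser
backupadmin
+++++++++ DOMAIN CONTROLLERS +++++++++
acme-dc01
acme-dc02
+++++++++ DOMAIN MACHINES +++++++++
acme-laptop1
acme-laptop2
acme-laptop3
acme-laptop4
backupserver
```
--------------------------------------------------------------------------------
/rpcfiend.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# a simple tool to pull down info via rpc null session with rpcclient
# 2020.05.19 @nyxgeek - TrustedSec
#
# Enumerates the members of Domain Admins, Domain Controllers and Domain
# Computers over an anonymous (null-session) SAMR connection.  Names are
# printed to stdout and appended to rpcfiend_domain_{admins,controllers,
# machines}.txt in the current directory.
#
# usage: ./rpcfiend.sh 192.168.1.1
#
# Requires rpcclient (Samba).  Only useful where the target still permits
# anonymous SAMR enumeration; a hardened DC answers every query with
# NT_STATUS_ACCESS_DENIED and the result files stay empty.

set -o pipefail

if (( $# != 1 )); then
  echo "No parameters supplied." >&2
  echo "Usage: ./rpcfiend.sh 192.168.1.1" >&2
  exit 1
fi

HOST=$1

# Well-known domain group RIDs, in the hex form querygroupmem expects.
readonly RID_DOMAIN_ADMINS=0x200       # 512
readonly RID_DOMAIN_COMPUTERS=0x203    # 515
readonly RID_DOMAIN_CONTROLLERS=0x204  # 516
# samlookuprids fails when handed too many RIDs at once, so resolve in batches.
readonly BATCH_SIZE=500

#######################################
# Run one rpcclient command against $HOST over a null session.
# Globals:   HOST (read)
# Arguments: $1 - rpcclient command string
# Outputs:   rpcclient's stdout
# Returns:   rpcclient's exit status
#######################################
rpc() {
  rpcclient -U '' -N "$HOST" -c "$1"
}

#######################################
# List the member RIDs of a group.
# querygroupmem prints one "rid:[0x1f4] attr:[0x7]" line per member.  Only the
# RID is kept; the attr field is ignored whatever its value (the previous
# version stripped attr:[0x7] literally, so any other attribute value leaked
# into the RID list and broke the lookup).
# Arguments: $1 - group RID (hex)
# Outputs:   one RID per line
#######################################
group_member_rids() {
  rpc "querygroupmem $1" | sed -n 's/.*rid:\[\(0x[0-9a-fA-F]*\)\].*/\1/p'
}

#######################################
# Resolve RIDs to account names, BATCH_SIZE at a time.
# samlookuprids prints "rid 0x1f4: NAME (type)"; field 3 is the name.  Names
# containing spaces would be truncated by cut — accepted, as before.
# Globals:   BATCH_SIZE (read)
# Arguments: $1 - output file (appended to)
#            $2.. - RIDs
# Outputs:   names on stdout, also appended to $1
#######################################
resolve_rids() {
  local outfile=$1
  shift
  local -a rids=("$@")
  local total=${#rids[@]}
  local start=0
  # Iterate while start < total so the last partial batch is resolved too.
  # The previous loop ran while end < total, which skipped the final batch
  # and produced nothing at all for groups with fewer than BATCH_SIZE members.
  while (( start < total )); do
    rpc "samlookuprids domain ${rids[*]:start:BATCH_SIZE}" \
      | cut -d' ' -f3 | tee -a "$outfile"
    start=$(( start + BATCH_SIZE ))
  done
}

#######################################
# Print a section banner followed by the resolved members of one group.
# Arguments: $1 - banner text
#            $2 - group RID (hex)
#            $3 - output file
# Returns:   1 when the group lookup yielded no RIDs, else resolve_rids' status
#######################################
dump_group() {
  local banner=$1 group_rid=$2 outfile=$3
  local -a rids
  mapfile -t rids < <(group_member_rids "$group_rid")
  echo "$banner"
  if (( ${#rids[@]} == 0 )); then
    # Either the group really is empty or anonymous SAMR access is denied;
    # rpcclient's own error text (if any) has already gone to the terminal.
    echo "no members returned for group $group_rid" >&2
    return 1
  fi
  echo "The array contains ${#rids[@]} items" >&2
  resolve_rids "$outfile" "${rids[@]}"
}

dump_group "+++++++++ DOMAIN ADMINS +++++++++"      "$RID_DOMAIN_ADMINS"      rpcfiend_domain_admins.txt
dump_group "+++++++++ DOMAIN CONTROLLERS +++++++++" "$RID_DOMAIN_CONTROLLERS" rpcfiend_domain_controllers.txt
dump_group "+++++++++ DOMAIN MACHINES +++++++++"    "$RID_DOMAIN_COMPUTERS"   rpcfiend_domain_machines.txt

echo "Results can be found in rpcfiend_domain_*.txt"
--------------------------------------------------------------------------------
/rpcfiend_authenticated.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# a simple tool to pull down info via an authenticated rpc session with rpcclient
# 2020.05.19 @nyxgeek - TrustedSec
# 2022.12.14 Update: quick and dirty update to add auth. It will prompt for password.
#
# Same enumeration as rpcfiend.sh (Domain Admins, Domain Controllers, Domain
# Computers via SAMR) but authenticated as a domain user, for targets that no
# longer allow null-session access.
#
# usage: ./rpcfiend_authenticated.sh 192.168.1.1 username
#
# The password is read from the terminal without echo and passed to rpcclient
# through the PASSWD environment variable (honoured by all Samba client tools)
# instead of a "user%pass" -U argument.  Command-line arguments are readable
# by every local user through ps / /proc/*/cmdline; the environment is not
# world-readable.  If PASSWD is not suitable in your setup, an
# --authentication-file created with mktemp (mode 0600, removed on exit) is
# the other argv-free option.

set -o pipefail

if (( $# != 2 )); then
  echo "Usage: ./rpcfiend_authenticated.sh 192.168.1.1 username" >&2
  exit 1
fi

HOST=$1
username=$2

# -s: do not echo the password; -r: keep backslashes literal.
read -rsp "Enter password: " password
echo
export PASSWD=$password
unset password

echo "Host: $HOST"
echo "User: $username"

# Well-known domain group RIDs, in the hex form querygroupmem expects.
readonly RID_DOMAIN_ADMINS=0x200       # 512
readonly RID_DOMAIN_COMPUTERS=0x203    # 515
readonly RID_DOMAIN_CONTROLLERS=0x204  # 516
# samlookuprids fails when handed too many RIDs at once, so resolve in batches.
readonly BATCH_SIZE=500

#######################################
# Run one rpcclient command against $HOST as $username.
# Globals:   HOST, username (read); PASSWD (read by rpcclient)
# Arguments: $1 - rpcclient command string
# Outputs:   rpcclient's stdout
# Returns:   rpcclient's exit status
#######################################
rpc() {
  rpcclient -U "$username" "$HOST" -c "$1"
}

# Validate the credentials with one harmless query before enumerating.  This
# is a single logon attempt; a wrong password still counts toward lockout.
if ! rpc "getdompwinfo;exit"; then
  echo "Creds didn't work, calling it off." >&2
  exit 1
fi
echo "Successful test of credentials... proceeding."

#######################################
# List the member RIDs of a group.
# querygroupmem prints one "rid:[0x1f4] attr:[0x7]" line per member.  Only the
# RID is kept; the attr field is ignored whatever its value (the previous
# version stripped attr:[0x7] literally, so any other attribute value leaked
# into the RID list and broke the lookup).
# Arguments: $1 - group RID (hex)
# Outputs:   one RID per line
#######################################
group_member_rids() {
  rpc "querygroupmem $1" | sed -n 's/.*rid:\[\(0x[0-9a-fA-F]*\)\].*/\1/p'
}

#######################################
# Resolve RIDs to account names, BATCH_SIZE at a time.
# samlookuprids prints "rid 0x1f4: NAME (type)"; field 3 is the name.  Names
# containing spaces would be truncated by cut — accepted, as before.
# Globals:   BATCH_SIZE (read)
# Arguments: $1 - output file (appended to)
#            $2.. - RIDs
# Outputs:   names on stdout, also appended to $1
#######################################
resolve_rids() {
  local outfile=$1
  shift
  local -a rids=("$@")
  local total=${#rids[@]}
  local start=0
  # Iterate while start < total so the last partial batch is resolved too.
  # The previous loop ran while end < total, which skipped the final batch
  # and produced nothing at all for groups with fewer than BATCH_SIZE members.
  while (( start < total )); do
    rpc "samlookuprids domain ${rids[*]:start:BATCH_SIZE}" \
      | cut -d' ' -f3 | tee -a "$outfile"
    start=$(( start + BATCH_SIZE ))
  done
}

#######################################
# Print a section banner followed by the resolved members of one group.
# Arguments: $1 - banner text
#            $2 - group RID (hex)
#            $3 - output file
# Returns:   1 when the group lookup yielded no RIDs, else resolve_rids' status
#######################################
dump_group() {
  local banner=$1 group_rid=$2 outfile=$3
  local -a rids
  mapfile -t rids < <(group_member_rids "$group_rid")
  echo "$banner"
  if (( ${#rids[@]} == 0 )); then
    echo "no members returned for group $group_rid" >&2
    return 1
  fi
  echo "The array contains ${#rids[@]} items" >&2
  resolve_rids "$outfile" "${rids[@]}"
}

dump_group "+++++++++ DOMAIN ADMINS +++++++++"      "$RID_DOMAIN_ADMINS"      rpcfiend_domain_admins.txt
dump_group "+++++++++ DOMAIN CONTROLLERS +++++++++" "$RID_DOMAIN_CONTROLLERS" rpcfiend_domain_controllers.txt
dump_group "+++++++++ DOMAIN MACHINES +++++++++"    "$RID_DOMAIN_COMPUTERS"   rpcfiend_domain_machines.txt

echo "Results can be found in rpcfiend_domain_*.txt"
--------------------------------------------------------------------------------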