RPC

rpcclient -U '' -N 10.10.10.169  
enumdomusers
enumdomgroups

Some bash kung fu can be used to clean up the users output (saved here as raw):

cat raw | awk -F'[' '{print $2}' | awk -F']' '{print $1}' > users.txt

queryuser joe
queryuser 0x451
querygroup 0x44f        <-- Must use the RID for querying the group
querygroupmem 0x44f     <-- Shows which users are in the group (by RID)
querydispinfo           <-- Displays comments made on accounts
