LinuxCommandLibrary

impacket-rpcdump

Enumerate RPC endpoints on a remote host

TLDR

View documentation for the original command

$ tldr rpcdump.py

SYNOPSIS

impacket-rpcdump [-h] [-debug DEBUG] [-target-ip ip] [-port PORT] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey AESKEY] [-target-hostname TARGET_HOSTNAME] target

PARAMETERS

-h, --help
    Show help message and exit

-debug DEBUG
    Debug level (0-3, higher is more verbose)

-target-ip ip
    IP address of target (overrides hostname resolution)

-port PORT
    TCP port for Endpoint Mapper (default 135)

-hashes LMHASH:NTHASH
    NTLM hash (LMHASH is optional, colon-separated)

-no-pass
    Don't prompt for password (use hash or empty)

-k, --kerberos
    Use Kerberos authentication (needs valid ticket)

-aesKey AESKEY
    AES key for Kerberos (hex string)

-target-hostname TARGET_HOSTNAME
    Target hostname for Kerberos SPN (overrides target name)

DESCRIPTION

impacket-rpcdump is a tool from the Impacket suite, a collection of Python libraries and scripts for network protocol manipulation. It connects to a remote Windows system's RPC Endpoint Mapper (typically port 135) via DCERPC to enumerate and dump all registered RPC server endpoints. This reveals interface UUIDs, protocol sequences, endpoint bindings, and annotations for services like SMB, WMI, and LSASS.

Primarily used in penetration testing and red teaming for reconnaissance, it helps identify exploitable RPC interfaces, in some cases without authentication, although credentials often yield fuller results. The output lists interface UUIDs (e.g., for MS-RPRN printing), versions, and transfer syntaxes, which aids lateral-movement planning.

Requires an Impacket installation via pip or git clone. Supports NTLM and Kerberos authentication, including hashes and tickets. Not for production use; security research only.
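The description above covers what rpcdump reports for each registered interface: the UUID and version, the protocol sequences it is bound to, and the string bindings themselves. A defender reviewing a host's exposure usually wants that list turned into an inventory rather than read raw. The following Python script is an added example, not part of Impacket or of this page: it parses saved rpcdump.py output, groups interfaces by protocol sequence, collects the dynamic TCP ports in use (a firewall rule for port 135 alone does not cover these), and flags well-known management interfaces that are reachable remotely. It assumes the Protocol / Provider / UUID / Bindings block layout that rpcdump.py prints, the sample output is constructed (host name, addresses and ports are made up, and the third UUID is a placeholder), and the UUID table lists published Microsoft protocol interfaces (MS-RPRN's UUID appears on this page; the others are added here).

```python
"""Inventory remotely reachable RPC interfaces from saved impacket-rpcdump output.

Added example for this page; it is not part of Impacket. It assumes the
Protocol / Provider / UUID / Bindings block layout that rpcdump.py prints,
and the sample below is constructed (host, addresses and ports are made up).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the layout rpcdump.py prints (assumption). The third
# UUID is a placeholder for an interface the tool does not recognise.
SAMPLE = r"""Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49667]
          ncacn_np:\\HOST01[\pipe\spoolss]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49668]
          ncacn_np:\\HOST01[\pipe\svcctl]

Protocol: N/A
Provider: N/A
UUID    : AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE v1.0
Bindings:
          ncalrpc:[LRPC-placeholder]
"""

# Management interfaces worth a second look when exposed; UUIDs are those of
# the published Microsoft protocol specifications (MS-RPRN is on the page).
REVIEW_UUIDS = {
    "12345678-1234-ABCD-EF00-0123456789AB": "MS-RPRN print spooler (spoolss)",
    "367ABB81-9844-35F1-AD32-98F038001003": "MS-SCMR service control manager (svcctl)",
    "12345778-1234-ABCD-EF00-0123456789AC": "MS-SAMR account database (samr)",
    "4B324FC8-1670-01D3-1278-5A47BF6EE188": "MS-SRVS server service (srvsvc)",
    "86D35949-83C9-4044-B424-DB363231FD0C": "MS-TSCH task scheduler",
}

# ncalrpc is local-only; these protocol sequences are reachable over the network.
REMOTE_PROTSEQS = {"ncacn_ip_tcp", "ncacn_np", "ncacn_http"}

UUID_LINE = re.compile(r"UUID\s*:\s*([0-9A-Fa-f-]{36})\s+v(\S+)")
TCP_BINDING = re.compile(r"ncacn_ip_tcp:[^\[]*\[(\d+)\]")


@dataclass
class Interface:
    protocol: str
    provider: str = "N/A"
    uuid: str = ""
    version: str = ""
    bindings: list = field(default_factory=list)

    def protseqs(self):
        # The protocol sequence is the part of a string binding before the first ':'.
        return sorted({b.split(":", 1)[0] for b in self.bindings})

    def remotely_reachable(self):
        return any(seq in REMOTE_PROTSEQS for seq in self.protseqs())


def parse_rpcdump(text):
    """Turn rpcdump.py text into Interface records, one per Protocol block."""
    interfaces, current, in_bindings = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Protocol:"):
            current = Interface(protocol=line.split(":", 1)[1].strip())
            interfaces.append(current)
            in_bindings = False
        elif current is None:
            continue  # ignore banner text before the first block
        elif line.startswith("Provider:"):
            current.provider = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            m = UUID_LINE.match(line)
            if m:
                current.uuid, current.version = m.group(1).upper(), m.group(2)
        elif line.startswith("Bindings:"):
            in_bindings = True
        elif in_bindings:
            current.bindings.append(line)
    return interfaces


def dynamic_tcp_ports(interfaces):
    """Ephemeral TCP ports in use; a rule for port 135 alone does not cover these."""
    ports = set()
    for iface in interfaces:
        for b in iface.bindings:
            m = TCP_BINDING.match(b)
            if m:
                ports.add(int(m.group(1)))
    return sorted(ports)


def interfaces_by_protseq(interfaces):
    """Map each protocol sequence to the UUIDs registered on it."""
    out = defaultdict(list)
    for iface in interfaces:
        for seq in iface.protseqs():
            out[seq].append(iface.uuid)
    return dict(out)


def review_findings(interfaces):
    """Known management interfaces that are reachable over the network."""
    return [(i.uuid, REVIEW_UUIDS[i.uuid], i.protseqs())
            for i in interfaces
            if i.uuid in REVIEW_UUIDS and i.remotely_reachable()]


if __name__ == "__main__":
    ifaces = parse_rpcdump(SAMPLE)
    remote = sum(i.remotely_reachable() for i in ifaces)
    print(f"{len(ifaces)} interfaces, {remote} remotely reachable")
    print("dynamic TCP ports:", dynamic_tcp_ports(ifaces))
    for seq, uuids in sorted(interfaces_by_protseq(ifaces).items()):
        print(f"  {seq:13} {len(uuids)} interface(s)")
    for uuid, name, seqs in review_findings(ifaces):
        print(f"REVIEW {uuid} {name} via {', '.join(seqs)}")
```

Run it against real output by replacing SAMPLE with the saved text of an rpcdump.py run; the ncalrpc-only entry in the sample shows why bindings, not just UUIDs, decide whether an interface is part of the network exposure.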

CAVEATS

Requires network access to port 135; firewalls may block it. Anonymous dumps are limited on modern Windows (Win10+); use valid credentials for full results. Not stealthy: it generates logs on the target. Requires Python 3+ and Impacket; dumps may be incomplete on patched systems.

EXAMPLE USAGE

impacket-rpcdump DOMAIN/user:pass@target-ip
impacket-rpcdump -hashes :nthash DOMAIN/user@target
KRB5CCNAME=user.ccache impacket-rpcdump -k -no-pass DOMAIN/user@target   # Kerberos ticket taken from the ccache

OUTPUT SAMPLE

Interface uuid: 12345678-1234-abcd-ef00-0123456789ab ('MS-RPRN')
Binding 0: ncacn_np:\\target[\pipe\spoolss]

HISTORY

Part of Impacket, originally developed by SecureAuth in 2012 for pentesting. Actively maintained by Fortra's Core Security team since the 2020 acquisition. Gained SMBv3 and Kerberos support in versions 0.9+.

SEE ALSO

rpcclient(1), rpcinfo(8), impacket-secretsdump
