LinuxCommandLibrary

impacket-rpcdump

enumerates RPC endpoints on a target system

TLDR

Dump RPC endpoints
$ impacket-rpcdump [target]
Dump with authentication
$ impacket-rpcdump [domain]/[user]:[password]@[target]
Specify port
$ impacket-rpcdump -port [135] [target]

SYNOPSIS

impacket-rpcdump [options] target

DESCRIPTION

impacket-rpcdump queries the Microsoft RPC endpoint mapper (port 135 by default) and prints every registered endpoint, its interface UUID and version, and the bindings (named pipes, TCP/UDP ports) it can be reached on. It is the Python/Impacket equivalent of Microsoft's classic rpcdump.exe and is commonly used to enumerate exposed Active Directory services during authorized engagements.

When credentials are supplied (clear-text password, NTLM hash, or Kerberos ticket), additional services that require authentication may appear in the listing; an unauthenticated dump usually returns only the small set of endpoints reachable anonymously.
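The listing is easier to act on once it is parsed into one record per endpoint. The following is an added example, not part of this page or of Impacket: it parses the text that impacket-rpcdump prints (Protocol / Provider / UUID / Bindings blocks) from a constructed sample, lists which endpoints are bound on a TCP port, and compares the provider processes against a per-host baseline so that an unexpected service registration on a domain controller stands out.

```python
import re

# Constructed sample in impacket-rpcdump's output format (host, ports and
# second interface are made up; the MS-RPRN block mirrors what a print
# spooler registration looks like).
SAMPLE = r"""
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.0.0.5[49667]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: N/A 
Provider: N/A 
UUID    : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0 
Bindings: 
          ncacn_ip_tcp:10.0.0.5[49668]
"""

# A binding line starts with an RPC protocol sequence, e.g. ncacn_ip_tcp or ncacn_np.
BINDING_RE = re.compile(r"^(ncacn_\w+|ncadg_\w+|ncalrpc):(.*)$")


def parse_rpcdump(text):
    """Split rpcdump output into one dict per registered endpoint."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):
            cur = {"protocol": line[len("Protocol:"):].strip(), "bindings": []}
            records.append(cur)
        elif cur is None:
            continue                      # ignore anything before the first block
        elif line.startswith("Provider:"):
            cur["provider"] = line[len("Provider:"):].strip()
        elif line.startswith("UUID"):
            uuid, _, ver = line.split(":", 1)[1].strip().partition(" ")
            cur["uuid"], cur["version"] = uuid.upper(), ver.strip()
        elif BINDING_RE.match(line):
            seq, rest = line.split(":", 1)
            cur["bindings"].append((seq, rest))
    return records


def tcp_exposed(records):
    """(protocol, provider, port) for every endpoint bound on ncacn_ip_tcp."""
    out = []
    for r in records:
        for seq, rest in r["bindings"]:
            if seq == "ncacn_ip_tcp":
                port = int(rest[rest.index("[") + 1:rest.index("]")])
                out.append((r["protocol"], r.get("provider", "N/A"), port))
    return out


def unexpected_providers(records, baseline):
    """Endpoints whose provider process is not in the host's expected baseline."""
    return [r for r in records if r.get("provider", "N/A") not in baseline]
```

Run the parser over a saved dump of a host you administer and keep `baseline` as the set of provider executables that host is supposed to register; anything else is a review item.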

PARAMETERS

-port PORT
RPC endpoint mapper port (default 135).
-target-ip IP
Override the IP used for the connection (useful when the target is given as a hostname).
-hashes LMHASH:NTHASH
Authenticate via Pass-the-Hash instead of supplying a password.
-no-pass
Don't prompt for a password (use -hashes or -k alone).
-k
Use Kerberos authentication. Credentials are read from ccache (set by kinit).
-aesKey HEX
AES key for Kerberos authentication.
-dc-ip IP
IP of the domain controller for Kerberos.
-debug
Print verbose protocol-level output.

CAVEATS

For authorized testing only. Some services restrict anonymous endpoint enumeration on modern Windows builds (e.g., RestrictRemoteSAM), so empty output does not mean no services are running.

SEE ALSO
