impacket-rpcdump
Enumerate RPC endpoints on a remote host
SYNOPSIS
impacket-rpcdump [-h] [-debug] [-ts] [-silent] [-ip
PARAMETERS
target
The IP address or hostname of the target system to enumerate.
-h, --help
Show the command's help message and exit.
-debug
Turn debug output on, providing more verbose information during execution.
-ts
Add a timestamp to every log output line.
-silent
Do not show any output; useful for scripting or automated tasks.
-ip
IP address of the client's interface to bind to for outgoing connections.
-port
Specifies the target TCP port to connect to the Endpoint Mapper (default: 135).
-domain
The domain to authenticate against when providing credentials.
-user
The username to use for authentication on the target system.
-password
The password for the specified username.
-hashes
NTLM hashes (LM hash:NT hash) to use for authentication instead of a plaintext password.
-aesKey
AES key (hex string) to use for Kerberos authentication (RC4/AES128/AES256).
-no-sspi
Do not use SSPI (Security Support Provider Interface) for authentication; use native Impacket NTLM.
-k
Use Kerberos authentication. This requires a Kerberos ticket in the default ccache or specifying a domain controller IP.
-no-remote-auth
Don't perform remote authentication; only local operations (typically used with Kerberos for specific scenarios).
-dc-ip
IP address of the domain controller to use for Kerberos authentication.
interfaces ...
Optional. Specifies one or more specific RPC interface UUIDs to dump, rather than all found interfaces.
DESCRIPTION
impacket-rpcdump is a Python-based tool from the Impacket library designed to enumerate the Remote Procedure Call (RPC) interfaces and methods exposed by a target system, typically Microsoft Windows servers. It connects to the target's Endpoint Mapper (EPM) service, usually on TCP port 135, to query for registered RPC services.
This allows a network reconnaissance specialist or penetration tester to discover potentially vulnerable services, gather information about the target's operating system and installed applications, and identify paths for further interaction or exploitation. The tool supports various authentication methods, including anonymous, username/password, and NTLM hashes, making it versatile for different network environments. It can also be used to target specific RPC interfaces if desired, providing detailed information about their UUIDs, version numbers, and the methods they expose.
CAVEATS
- Requires Python and the Impacket library to be installed on the executing machine.
- Primarily designed for Microsoft Windows targets; functionality and output may vary or be non-applicable for other operating systems.
- Requires network connectivity to the target's RPC Endpoint Mapper service (typically TCP port 135) and potentially other dynamically assigned RPC ports.
- Firewall rules on the target system or network infrastructure can block RPC communication, preventing successful enumeration.
- Some RPC services may require authenticated access. Providing appropriate credentials (username/password, NTLM hashes, or Kerberos tickets) is necessary in such cases.
- The output can be verbose, requiring familiarity with RPC interface UUIDs and Windows services to interpret effectively.
PURPOSE IN PENETRATION TESTING
impacket-rpcdump is a valuable reconnaissance tool for penetration testers. By enumerating RPC interfaces, it helps identify services that might be vulnerable, misconfigured, or simply provide useful information about the target's role and installed software. For example, discovering the 'Remote Registry' or 'Service Control Manager' interfaces indicates potential avenues for further interaction or exploitation, revealing a richer attack surface.
RPC ENDPOINT MAPPER (EPM)
The command primarily interacts with the RPC Endpoint Mapper (EPM) service, typically listening on TCP port 135. The EPM acts as a dynamic directory for RPC services, allowing clients to query for the specific dynamic port numbers on which particular RPC interfaces are listening. After querying the EPM, impacket-rpcdump might then connect to these dynamic ports to dump more detailed information about the found interfaces and their exposed methods.
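The DESCRIPTION and EPM sections above describe what rpcdump returns: for each registered interface, a protocol name, provider, UUID with version, and the bindings (transport plus endpoint) the Endpoint Mapper handed back. Reviewing that listing for what is actually reachable over the network is the part a defender or auditor repeats most often, so the following is an added example (not part of the Impacket project or this page) that parses rpcdump-style text with only the Python standard library. The sample output, the host names and the IP addresses in it are constructed for the example; the layout mimics rpcdump's "Protocol / Provider / UUID / Bindings" blocks but is an assumption, not a captured run.

```python
import re

# Constructed sample in rpcdump's block layout (not captured from a real host).
# Hosts, IPs and the third UUID are made up for the example.
SAMPLE_OUTPUT = """\
Protocol: [MS-RRP]: Remote Registry Protocol
Provider: winreg.exe
UUID    : 338CD001-2244-31F1-AAAA-900038001003 v1.0
Bindings:
          ncacn_np:\\\\HOST-A[\\PIPE\\winreg]
          ncacn_ip_tcp:10.0.0.5[49665]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49664]
          ncalrpc:[ntsvcs]

Protocol: N/A
Provider: N/A
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncalrpc:[LRPC-example]
"""

UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})\s+v(\d+\.\d+)")
BINDING_RE = re.compile(r"^\s+(ncacn_ip_tcp|ncacn_np|ncacn_http|ncalrpc):(.*)$")
TCP_ENDPOINT_RE = re.compile(r"^(.+?)\[(\d+)\]$")

# ncalrpc is a local-only transport; the others are reachable from the network.
NETWORK_TRANSPORTS = {"ncacn_ip_tcp", "ncacn_np", "ncacn_http"}


def parse_rpcdump(text):
    """Parse rpcdump-style output into a list of interface records.

    Each record: {"protocol", "provider", "uuid", "version", "bindings"},
    where bindings is a list of (transport, endpoint) tuples.
    """
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("Protocol:"):
            current = {
                "protocol": line.split(":", 1)[1].strip(),
                "provider": None,
                "uuid": None,
                "version": None,
                "bindings": [],
            }
            records.append(current)
        elif current is None:
            continue  # ignore any preamble before the first block
        elif line.startswith("Provider:"):
            current["provider"] = line.split(":", 1)[1].strip()
        elif (m := UUID_RE.match(line)):
            current["uuid"] = m.group(1).upper()
            current["version"] = m.group(2)
        elif (m := BINDING_RE.match(line)):
            current["bindings"].append((m.group(1), m.group(2).strip()))
    return records


def network_exposed(records):
    """Keep only interfaces with at least one binding reachable over the network."""
    return [r for r in records
            if any(t in NETWORK_TRANSPORTS for t, _ in r["bindings"])]


def summarize(records):
    """Map each UUID to the sorted set of transports it is bound on."""
    return {r["uuid"]: sorted({t for t, _ in r["bindings"]}) for r in records}


def tcp_endpoints(records):
    """Collect (host, port) pairs from ncacn_ip_tcp bindings.

    These are the dynamically assigned ports behind the EPM (port 135) that a
    firewall or exposure review has to account for.
    """
    found = set()
    for r in records:
        for transport, endpoint in r["bindings"]:
            if transport == "ncacn_ip_tcp":
                m = TCP_ENDPOINT_RE.match(endpoint)
                if m:
                    found.add((m.group(1), int(m.group(2))))
    return sorted(found)


if __name__ == "__main__":
    recs = parse_rpcdump(SAMPLE_OUTPUT)
    for r in network_exposed(recs):
        print(r["uuid"], r["protocol"], summarize(recs)[r["uuid"]])
    print("TCP endpoints to review:", tcp_endpoints(recs))
```

In the sample, the Remote Registry and Service Control Manager interfaces are the two that survive the network-exposure filter (each has an ncacn_np or ncacn_ip_tcp binding), while the third interface is bound only on ncalrpc and is not reachable remotely. Feeding a real rpcdump capture into parse_rpcdump gives the same three views: which interfaces are exposed, over which transports, and which dynamic TCP ports the EPM advertised.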
HISTORY
The Impacket library was created by Core Security Technologies (now Fortra) and later open-sourced. It is a comprehensive collection of Python classes for programmatic interaction with network protocols, primarily focusing on Windows-specific protocols such as SMB, MSRPC, DCE/RPC, and Kerberos. rpcdump.py, which impacket-rpcdump invokes, has been a foundational component of this toolkit for many years. It has evolved with new protocol features and security research to aid in network penetration testing, security auditing, and forensics. Its development is community-driven and ongoing, adapting to changes in operating systems and security landscapes.
SEE ALSO
impacket-psexec(1), impacket-smbclient(1), impacket-secretsdump(1), nmap(1), rpcinfo(8)