LinuxCommandLibrary

impacket-rpcdump

Enumerate RPC endpoints on a remote host

TLDR

View documentation for the original command

$ tldr rpcdump.py

SYNOPSIS

impacket-rpcdump [options] target

PARAMETERS

-h, --help
    Show help message and exit.

-target-ip
    Set target IP address (useful when target resolves to multiple IPs).

-port
    Destination port to connect to (default 135).

-debug
    Turn DEBUG output ON.

-ts
    Adds timestamp to every line.

-use-ldap
    Use LDAP to resolve hostname (only for Kerberos authentication).

-dc-ip
    IP Address of the domain controller. If omitted it will use the domain part (if any) from the account specified.

-domain
    Domain to use for Kerberos authentication. If omitted, the domain will be determined from the target computer name.

-hashes
    NTLM hashes in LM:NT format. IMPORTANT: if the LM hash is not available (LM hashing disabled), leave the LM part empty and keep the colon, i.e. ':NTHASH' rather than 'noLMhash'.

-no-pass
    Don't ask for password (useful for Kerberos authentication).

-k
    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME environment variable). If no credentials are supplied, it will try to use machine account.

-aesKey
    AES key to use for Kerberos authentication (128 or 256 bits).

-account
    Specifies the account name. DOMAIN\user or user@domain.com format (required for Kerberos authentication).

-password
    Specifies the password for the account (required for NTLM authentication).

-protocol
    The protocol to use when connecting to the target host (ncacn_ip_tcp, ncacn_np, etc.). Defaults to ncacn_ip_tcp.

DESCRIPTION

The impacket-rpcdump tool is a part of the Impacket library and is designed to enumerate RPC (Remote Procedure Call) endpoints registered on a target host.
It connects to the RPC endpoint mapper (port 135) and retrieves a list of all registered services, their UUIDs, protocols, and network addresses.
This information is valuable for penetration testing and security auditing to identify potential vulnerabilities and exposed services.
By identifying available RPC services, security professionals can assess the attack surface of a system and investigate potential avenues for exploitation.
The tool provides options to authenticate using various methods, including username/password, Kerberos, and NTLM, allowing it to access RPC services even on secured systems.
It can also specify the target protocol (ncacn_ip_tcp, ncacn_np, etc.).
The output includes details about the endpoint, such as the interface UUID, major and minor version, protocol sequence, network address, and binding string.
This tool is especially useful for assessing Windows systems.

CAVEATS

Requires the Impacket library to be installed. Authentication may fail if the target system requires specific security settings (for example, enforced signing or a Kerberos-only policy).

OUTPUT INTERPRETATION

The output of impacket-rpcdump lists each RPC endpoint along with its UUID (Universally Unique Identifier), protocol sequence (e.g., ncacn_ip_tcp, ncacn_np), and network address. The UUID identifies the specific RPC service, the protocol sequence indicates the transport mechanism, and the network address specifies where the service is listening.
Understanding these components is crucial for analyzing potential vulnerabilities and planning further attacks.
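Worked example, added here and not part of the Impacket project or of this page: a small Python parser for the per-endpoint records that rpcdump.py prints (Protocol / Provider / UUID / Bindings), which turns them into structured data, keeps only bindings reachable over the network (ncacn_ip_tcp, ncacn_np and similar protocol sequences rather than local ncalrpc), and compares the result with an allow-list so an auditor can spot interfaces exposed beyond an approved baseline. The sample output, the interface-name table and the allow-list are constructed for illustration; the table covers only a handful of well-known interface UUIDs, whereas rpcdump.py itself resolves names from Impacket's own tables.

```python
import re

# Constructed sample shaped like rpcdump.py output (not captured from a real host).
# A raw string keeps the UNC/pipe backslashes of ncacn_np bindings intact.
SAMPLE_OUTPUT = r"""
[*] Retrieving endpoint list from 10.0.0.5
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49668]
          ncacn_np:\\HOST01[\pipe\spoolss]
          ncalrpc:[spoolss]

Protocol: N/A
Provider: N/A
UUID    : 0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1 v1.0
Bindings:
          ncalrpc:[LRPC-1a2b3c4d5e]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49670]
          ncacn_np:\\HOST01[\pipe\svcctl]

[*] Received 3 endpoints.
""".strip()

# Small, hand-picked subset of well-known interface UUIDs (assumption: enough for a demo).
KNOWN_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": "spoolss (MS-RPRN, print spooler)",
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc (MS-LSAD)",
    "12345778-1234-abcd-ef00-0123456789ac": "samr (MS-SAMR)",
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc (MS-SRVS)",
    "6bffd098-a112-3610-9833-46c3f87e345a": "wkssvc (MS-WKST)",
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl (MS-SCMR)",
    "82273fdc-e32a-18c3-3f78-827929dc23ea": "eventlog (MS-EVEN)",
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "epmapper (endpoint mapper)",
}

# Protocol sequences that imply the interface is reachable from another host.
NETWORK_PROTSEQS = {"ncacn_ip_tcp", "ncacn_np", "ncacn_http", "ncadg_ip_udp"}

BINDING_RE = re.compile(r"^(?P<protseq>[a-z_]+):(?P<addr>.*)$")


def parse_rpcdump(text):
    """Parse rpcdump.py text output into a list of endpoint dicts."""
    endpoints, current, in_bindings = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):           # a new endpoint record starts here
            current = {"protocol": line.split(":", 1)[1].strip(), "provider": None,
                       "uuid": None, "version": None, "bindings": []}
            endpoints.append(current)
            in_bindings = False
        elif current is None:                      # banner lines before the first record
            continue
        elif line.startswith("Provider:"):
            current["provider"] = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):              # "UUID    : <uuid> v<major>.<minor>"
            value = line.split(":", 1)[1].strip()
            uuid, _, version = value.partition(" ")
            current["uuid"] = uuid.lower()
            current["version"] = version.lstrip("v")
        elif line.startswith("Bindings:"):
            in_bindings = True
        elif in_bindings and line:                 # one "<protseq>:<address>" per line
            m = BINDING_RE.match(line)
            if m:
                current["bindings"].append((m.group("protseq"), m.group("addr")))
        elif not line:                             # blank line closes the bindings block
            in_bindings = False
    return endpoints


def network_exposed(endpoints):
    """Keep only endpoints with at least one off-host binding, dropping local ncalrpc ones."""
    exposed = []
    for ep in endpoints:
        net = [b for b in ep["bindings"] if b[0] in NETWORK_PROTSEQS]
        if net:
            exposed.append({**ep, "bindings": net})
    return exposed


def summarize(text):
    """One row per network binding: (uuid, version, friendly name, protseq, address)."""
    rows = []
    for ep in network_exposed(parse_rpcdump(text)):
        name = KNOWN_INTERFACES.get(ep["uuid"], ep["protocol"])
        for protseq, addr in ep["bindings"]:
            rows.append((ep["uuid"], ep["version"], name, protseq, addr))
    return rows


def unexpected_interfaces(text, allowed_uuids):
    """UUIDs exposed on the network that are not in the approved baseline (for audit/hardening)."""
    allowed = {u.lower() for u in allowed_uuids}
    return sorted({ep["uuid"] for ep in network_exposed(parse_rpcdump(text))
                   if ep["uuid"] not in allowed})


if __name__ == "__main__":
    for row in summarize(SAMPLE_OUTPUT):
        print("%s v%s  %-36s %s:%s" % row)
    # Constructed baseline: only the Service Control Manager is expected to be reachable.
    print("outside baseline:", unexpected_interfaces(SAMPLE_OUTPUT,
                                                     {"367abb81-9844-35f1-ad32-98f038001003"}))
```

Run against saved output (`rpcdump.py ... > host.txt`, then feed the file contents to `summarize`) the rows give a per-host inventory of network-reachable interfaces that can be diffed over time; `unexpected_interfaces` then reduces a long dump to the few UUIDs that a hardening or change-control review actually needs to look at.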

AUTHENTICATION METHODS

impacket-rpcdump supports multiple authentication methods, including username/password, NTLM hashes, and Kerberos. Choosing the appropriate authentication method is essential for accessing RPC services on secured systems. Kerberos authentication is generally preferred in domain environments, while username/password or NTLM hashes may be used for local accounts or systems without Kerberos configured.

HISTORY

impacket-rpcdump is part of the Impacket project, a collection of Python classes for working with network protocols. Its development focuses on providing tools for security assessments and network analysis. Originally designed to assist in pentesting Windows environments, this command has become a standard tool for identifying available RPC services and understanding the system's attack surface. It has evolved alongside updates to RPC protocols and authentication methods.

SEE ALSO

nmap(1)
