impacket-rpcmap
Enumerate RPC endpoints on target systems
TLDR
View documentation for the original command
SYNOPSIS
impacket-rpcmap [options] [domain/]username[:password]@target | target
Common options include network and authentication parameters:
-p <PORT>, -hashes <LMHASH:NTHASH>, -k, -rpc-protocol <PROTOCOL>
To list all options: impacket-rpcmap -h
PARAMETERS
target
The target host's IP address or hostname. Can also be formatted as [domain/]username[:password]@target for direct authentication.
-h, --help
Shows the help message and exits.
-debug
Turns debug output on, providing more detailed information about the execution.
-ts
Adds a timestamp to every logging output line.
-td
Adds a timestamp and date to every logging output line.
-v
Enables verbose output.
-p <PORT>
Specifies the target SMB port (default: 445). Useful if SMB is listening on a non-standard port.
-username <USERNAME>
The username to authenticate with on the target system.
-password <PASSWORD>
The password to authenticate with. If not provided and authentication is needed, the tool may prompt for it.
-domain <DOMAIN>
The domain to authenticate with. Relevant for Active Directory environments.
-hashes <LMHASH:NTHASH>
Provides NTLM hashes for authentication in the format LMHASH:NTHASH.
-aesKey <hexkey>
Specifies the AES key to use for Kerberos authentication.
-k
Activates Kerberos authentication for the connection.
-no-pass
Prevents the tool from asking for a password, useful when using Kerberos (-k) or other non-password authentication.
-dc-ip <DC_IP>
Specifies the IP address of the Domain Controller to be used for authentication.
-kdcHost <KDCHOST>
Specifies the KDC (Key Distribution Center) host for Kerberos authentication. Can be an IP address or hostname.
-rpc-protocol {ncacn_np,ncacn_ip_tcp,ncacn_http}
Defines the RPC protocol to use for communication (default: ncacn_ip_tcp). Other options include ncacn_np (Named Pipes) and ncacn_http (RPC over HTTP).
-rpc-port <RPC_PORT>
Specifies a particular RPC port to connect to for endpoint mapping (default: 135).
-rpc-max-connections <RPC_MAX_CONNECTIONS>
Sets the maximum number of concurrent RPC connections to use (default: 10).
DESCRIPTION
impacket-rpcmap is a Python-based utility, part of the Impacket framework, designed for enumerating Remote Procedure Call (RPC) endpoints on a target Windows host. It queries the Endpoint Mapper service (typically on port 135, or on port 445 when reached over SMB) to discover which RPC interfaces are listening and on which ports.
This enumeration is critical for network security assessments and penetration testing, as it helps identify active services like LSARPC, SAMR, WMI, and various DCOM services. By mapping these endpoints, security professionals can gain insight into the target's attack surface, understand the services running, and identify potential vulnerabilities or misconfigurations. The tool supports various authentication methods, including plaintext passwords, NTLM hashes, and Kerberos, making it versatile for both internal network assessments and external engagements where credentials might be available.
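From the defender's side, the Endpoint Mapper queries described above appear as one source connecting to port 135 on several hosts in a short time. The following Python example is added here and is not part of Impacket or of the original page; the flow-record format, the 5-minute window and the four-host threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPM_PORT = 135                  # Endpoint Mapper port named in the description
WINDOW = timedelta(minutes=5)   # assumed look-back window
MIN_TARGETS = 4                 # assumed threshold of distinct hosts

# Constructed sample flow records: "<timestamp> <src> <dst> <dst_port>"
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.0.50 192.168.1.100 135
2024-05-01T10:00:20 10.0.0.50 192.168.1.101 135
2024-05-01T10:01:05 10.0.0.50 192.168.1.102 135
2024-05-01T10:01:40 10.0.0.50 192.168.1.103 135
2024-05-01T10:02:00 10.0.0.7 192.168.1.100 135
2024-05-01T10:03:10 10.0.0.7 192.168.1.102 445
2024-05-01T09:00:00 10.0.0.9 192.168.1.100 135
2024-05-01T09:20:00 10.0.0.9 192.168.1.101 135
2024-05-01T09:40:00 10.0.0.9 192.168.1.102 135
2024-05-01T10:00:00 10.0.0.9 192.168.1.103 135
truncated-record 10.0.0.50
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port); lines without four fields are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])

def find_epm_sweeps(text, window=WINDOW, min_targets=MIN_TARGETS):
    """Map each flagged source to the hosts it reached on port 135 inside one window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port == EPM_PORT:                      # ignore traffic to other ports
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()                             # records may arrive out of order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                        # slide the window forward
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    print(find_epm_sweeps(SAMPLE_FLOWS))
```

With the constructed records only 10.0.0.50 is flagged: 10.0.0.9 reaches the same four hosts but spread over an hour, and 10.0.0.7 touches port 135 on a single host.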
CAVEATS
impacket-rpcmap requires the Python Impacket library to be installed. Accurate results often depend on network connectivity to the target's RPC ports (e.g., 135, 445). Firewalls on the target or network can impede the discovery process. Some RPC endpoints might require valid authentication credentials to be fully enumerated.
EXAMPLE USAGE
To map RPC endpoints on a target host without authentication, simply provide the target IP or hostname:
impacket-rpcmap 192.168.1.100
To map RPC endpoints on a target requiring authentication using a username and password:
impacket-rpcmap -username myuser -password 'MyP@ssw0rd' 192.168.1.100
To map RPC endpoints against a domain controller using Kerberos authentication:
impacket-rpcmap -k -no-pass 'DOMAIN/user@dc.example.com'
To specify a different RPC protocol, for instance, RPC over HTTP:
impacket-rpcmap -rpc-protocol ncacn_http 192.168.1.100
HISTORY
impacket-rpcmap is part of the Impacket framework, a collection of Python classes for working with network protocols. Impacket was developed by SecureAuth (formerly Core Security) to provide programmatic access to network protocols, primarily SMB, MSRPC, and DCE/RPC, commonly used in Windows environments. It has become an indispensable toolkit for penetration testers, security researchers, and developers, continually evolving to support new protocols and attack techniques. rpcmap specifically addresses the need for efficient RPC endpoint enumeration, a foundational step in many Windows-based security assessments.
SEE ALSO
nmap(1), rpcclient(1), enum4linux(1), impacket-smbclient(1)