impacket-rpcmap
Enumerate RPC endpoints on target systems
SYNOPSIS
impacket-rpcmap [options] target
PARAMETERS
-port
Port to connect to on the target (default: 135)
-protocol
Protocol to use (default: tcp). Options: tcp, udp, netbios
-pipe
Named pipe to use for the EPM (default: epmapper, lsarpc)
-debug
Enable debug output
-ts
Adds timestamp to every line
-dc-ip
IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
target
[[domain/]username[:password]@]
DESCRIPTION
impacket-rpcmap is a Python script leveraging the Impacket library designed to query the RPC Endpoint Mapper service running on a target machine. It enumerates registered RPC services, displaying information such as the protocol sequence (e.g., ncacn_ip_tcp), endpoint, UUID, and annotation string associated with each service. This tool is valuable for reconnaissance during penetration testing and security assessments to identify potential attack vectors and exposed services.
By default, the script attempts to bind to the `epmapper` named pipe. If this fails, it will try the `lsarpc` pipe, which is often accessible when the `epmapper` pipe is blocked or filtered. Understanding the RPC services available on a host can help attackers discover vulnerable applications or misconfigured systems. The output allows for the identification of specific protocols and endpoints to target for further exploitation.
USAGE EXAMPLES
Example 1: Query the RPC Endpoint Mapper on a host using the default settings:
impacket-rpcmap 192.168.1.100
Example 2: Query the RPC Endpoint Mapper on a host specifying a username and password:
impacket-rpcmap domain/user:password@192.168.1.100
Example 3: Query an RPC Endpoint Mapper via ncacn_np using a specified named pipe, in this case lsarpc:
impacket-rpcmap -pipe lsarpc 192.168.1.100
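As an added example (not part of this page or of the Impacket project), a Python script that turns rpcmap-style output into an inventory keyed by interface UUID and compares it against a defender's baseline of expected exposure, flagging interfaces that should not be registered and bindings on protocol sequences the baseline does not permit. The sample output, its line layout and the baseline are constructed assumptions; the string-binding syntax protseq:address[endpoint] is the standard DCE/RPC form.

```python
import re

# Constructed sample modelled on the fields rpcmap reports (UUID, version,
# annotation, protocol sequence, endpoint). The layout is an assumption, not
# captured rpcmap output; the first two UUIDs are the well-known LSARPC and
# SVCCTL interface IDs, the third is made up for this example.
SAMPLE_OUTPUT = r"""
UUID: 12345778-1234-ABCD-EF00-0123456789AB v0.0 (lsarpc)
Bindings: ncacn_np:\\SRV01[\pipe\lsass] ncacn_ip_tcp:192.168.1.100[49667]
UUID: 367ABB81-9844-35F1-AD32-98F038001003 v2.0 (svcctl)
Bindings: ncacn_np:\\SRV01[\pipe\ntsvcs] ncacn_ip_tcp:192.168.1.100[49669]
UUID: 3A7D7C3B-CF0A-4EBD-8A6A-BB1A36810DEA v1.0 (constructed example service)
Bindings: ncacn_ip_tcp:192.168.1.100[5555]
"""

UUID_RE = re.compile(r"^UUID:\s+([0-9A-Fa-f-]{36})\s+v(\d+\.\d+)\s*(?:\((.*)\))?")
# DCE/RPC string binding: protseq:network_address[endpoint]
BINDING_RE = re.compile(r"(\w+):(\S+?)\[([^\]]+)\]")

# Constructed defender baseline for this host:
# interface UUID -> protocol sequences it is allowed to be reachable over.
BASELINE = {
    "12345778-1234-ABCD-EF00-0123456789AB": {"ncacn_np", "ncacn_ip_tcp"},
    "367ABB81-9844-35F1-AD32-98F038001003": {"ncacn_np"},
}

def parse_rpcmap(text):
    """Group each reported interface with its string bindings, keyed by UUID."""
    services, current = {}, None
    for line in text.splitlines():
        m = UUID_RE.match(line.strip())
        if m:
            current = m.group(1).upper()
            services[current] = {"version": m.group(2), "annotation": m.group(3) or "", "bindings": []}
        elif current and line.strip().startswith("Bindings:"):
            services[current]["bindings"] += BINDING_RE.findall(line)
    return services

def audit(services, baseline):
    """Flag unknown interfaces and bindings on protocol sequences the baseline forbids."""
    findings = []
    for uuid, info in sorted(services.items()):
        allowed = baseline.get(uuid)
        if allowed is None:
            findings.append(("unknown-interface", uuid, info["annotation"]))
            continue
        for protseq, addr, endpoint in info["bindings"]:
            if protseq not in allowed:
                findings.append(("unexpected-protseq", uuid, f"{protseq}:{addr}[{endpoint}]"))
    return findings
```

Feeding saved tool output through `audit(parse_rpcmap(text), BASELINE)` on a schedule gives a simple drift check: new interfaces or new transports appearing on a host show up as findings.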
SEE ALSO
nmap(1)