impacket-rpcmap
Scan for listening DCE/RPC interfaces on a target
SYNOPSIS
impacket-rpcmap [-h] [-port PORT] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey KEY] target
DESCRIPTION
impacket-rpcmap scans for listening DCE/RPC interfaces on a target system. It can query the RPC endpoint mapper (typically on port 135) or probe specific ports directly using various RPC transports (ncacn_ip_tcp, ncacn_np, ncacn_http).
When it queries the endpoint mapper, the tool retrieves the list of registered RPC interfaces, including their UUIDs, versions, and binding information.
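For defenders, the same UUID, version and binding data can be reviewed against an approved baseline. The following is an added example, not part of Impacket or of the original page: it parses DCE/RPC string bindings and flags interfaces that are unknown or exposed over an unapproved transport. The sample rows, the host name, the baseline and the function names are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: (interface UUID, version, string binding) rows of the kind
# an endpoint-mapper listing yields. Host, ports and the last UUID are made up.
SAMPLE_ENTRIES = [
    ("12345778-1234-ABCD-EF00-0123456789AC", "1.0", r"ncacn_np:fs01[\pipe\lsass]"),
    ("367ABB81-9844-35F1-AD32-98F038001003", "2.0", "ncacn_ip_tcp:fs01[49670]"),
    ("12345678-1234-ABCD-EF00-0123456789AB", "1.0", "ncacn_ip_tcp:fs01[49668]"),
    ("00000000-AAAA-BBBB-CCCC-000000000001", "1.0", "ncacn_http:fs01[593]"),
]

# Hypothetical approved baseline for this host role: UUID -> allowed transports.
BASELINE = {
    "12345778-1234-abcd-ef00-0123456789ac": {"ncacn_np"},      # SAMR
    "367abb81-9844-35f1-ad32-98f038001003": {"ncacn_ip_tcp"},  # SVCCTL
    "12345678-1234-abcd-ef00-0123456789ab": {"ncacn_np"},      # spoolss
}

# String binding layout: protocol-sequence:host[endpoint]
BINDING_RE = re.compile(
    r"^(?P<proto>ncacn_[a-z_]+):(?P<host>[^\[\]]*)\[(?P<endpoint>[^\]]*)\]$")
Finding = namedtuple("Finding", "uuid binding reason")

def parse_binding(binding):
    """Split a string binding into (protocol sequence, host, endpoint)."""
    m = BINDING_RE.match(binding.strip())
    if not m:
        raise ValueError(f"not a string binding: {binding!r}")
    return m.group("proto"), m.group("host"), m.group("endpoint")

def review(entries, baseline):
    """Return a Finding for every entry that deviates from the baseline."""
    findings = []
    for uuid, _version, binding in entries:
        uuid = uuid.lower()  # UUID comparison is case-insensitive
        try:
            proto, _host, _endpoint = parse_binding(binding)
        except ValueError as exc:
            findings.append(Finding(uuid, binding, str(exc)))
            continue
        allowed = baseline.get(uuid)
        if allowed is None:
            findings.append(Finding(uuid, binding, "interface not in baseline"))
        elif proto not in allowed:
            findings.append(Finding(uuid, binding, f"{proto} not approved for this interface"))
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_ENTRIES, BASELINE):
        print(f"{f.uuid}  {f.binding}  -> {f.reason}")
```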
PARAMETERS
-port PORT
Target port to query (default: 135)
-hashes LMHASH:NTHASH
Use NTLM hashes for authentication instead of password
-no-pass
Don't ask for password
-k
Use Kerberos authentication from ccache file
-aesKey KEY
AES key to use for Kerberos authentication
-brute-opnums
Brute-force operation numbers for each discovered interface
-brute-uuids
Brute-force UUIDs to find hidden interfaces
-auth-level LEVEL
Authentication level (1-6, default: 6/PKT_PRIVACY)
CAVEATS
The endpoint mapper may restrict information based on authentication level. Some RPC services may not register with the endpoint mapper. Firewall rules may block access to RPC ports.
HISTORY
Part of the Impacket library by SecureAuth. RPC enumeration is a fundamental reconnaissance technique for Windows environments, revealing available attack surfaces.
SEE ALSO
rpcclient(1), impacket-getnpusers(1), impacket-getadusers(1), nmap(1)
