LinuxCommandLibrary

impacket-rpcmap

Scan a DCE/RPC endpoint for listening interfaces

TLDR

View documentation for the original command

$ tldr rpcmap.py

SYNOPSIS

impacket-rpcmap [options] <stringbinding>
where stringbinding is <protseq>:<host>[<endpoint>], for example ncacn_ip_tcp:<host>[<port>] or ncacn_np:<host>[\pipe\<name>]

PARAMETERS

-h, --help
    Show help message and exit

-debug
    Turn DEBUG output ON

-brute-uuids
    Try a bind for every UUID in Impacket's table of well-known interfaces, even when the MGMT interface answers

-brute-opnums
    For each interface found, call opnums 0..N and report how the server answers each

-brute-versions
    For each interface found, try binding with versions 0..N

-opnum-max OPNUM_MAX
    Upper bound N for -brute-opnums

-version-max VERSION_MAX
    Upper bound N for -brute-versions

-auth-level AUTH_LEVEL
    MS-RPCE authentication level, 1 to 6 (default 6, packet privacy)

-target-ip TARGET_IP
    IP address to connect to when the host in the string binding is a NetBIOS name that does not resolve (ncacn_np)

-port PORT
    SMB port for ncacn_np transport, 139 or 445 (default 445)

-auth-rpc [domain/]username[:password]
    Credentials for authenticating the DCE/RPC bind itself

-auth-transport [domain/]username[:password]
    Credentials for the SMB session that carries an ncacn_np binding

-hashes-rpc LMHASH:NTHASH
    NTLM hashes instead of a password for -auth-rpc

-hashes-transport LMHASH:NTHASH
    NTLM hashes instead of a password for -auth-transport

-no-pass
    Don't prompt for a password when only a username is given

DESCRIPTION

impacket-rpcmap (rpcmap.py in the Impacket examples, a Python suite of network protocol implementations widely used in penetration testing and red teaming) scans a single DCE/RPC endpoint for listening interfaces. Unlike impacket-rpcdump, which asks the Endpoint Mapper on TCP/135 what has been registered, rpcmap takes an explicit string binding such as ncacn_ip_tcp:host[135] or ncacn_np:host[\pipe\spoolss], connects to that transport and endpoint, and works out which interface UUIDs accept a bind there. That covers endpoints the mapper never lists: named pipes, dynamic TCP ports learned from a port scan, and interfaces registered without being published to the mapper.

It first binds to the DCE management interface (MGMT, UUID afa8bd80-7d8a-11c9-bef4-08002b102989) and calls inq_if_ids, which returns the interface identifiers registered on that endpoint. If MGMT is not available, or -brute-uuids is given, it falls back to attempting one bind per UUID in Impacket's table of well-known interfaces and keeps those the server accepts; a bind for an interface that is not registered at the endpoint is refused with abstract_syntax_not_supported, which is what distinguishes absent from present. For each interface found, -brute-versions repeats the bind over a range of interface versions and -brute-opnums calls opnums 0..N with an empty request stub, using the fault the server returns to tell an implemented operation (the server tries to unmarshal the arguments) from one that is out of range. UUIDs Impacket knows are annotated with the protocol name and provider DLL, so results read as, for example, [MS-SAMR] (SAMR), [MS-SRVS] (SRVSVC) or [MS-LSAD] (LSARPC), the interfaces most often of interest for user, share and policy enumeration.

Authentication is NTLM, with separate credentials for the two layers involved: -auth-transport/-hashes-transport authenticate the SMB session that carries an ncacn_np binding, and -auth-rpc/-hashes-rpc authenticate the DCE/RPC bind at the level set by -auth-level (default 6, packet privacy). Either layer can be left anonymous where the target permits it, which is how unauthenticated reachability of an interface is tested.

It is typically run after impacket-rpcdump or a port scan has produced candidate endpoints, to establish which interfaces and operations are actually reachable at each one, with and without credentials, before reaching for a protocol-specific tool.
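The probe-by-bind step that the fallback and -brute-uuids rely on, as an added example that is not Impacket's code or part of the original page: it builds the DCE/RPC bind PDU for a candidate UUID with the standard library, answers it from a constructed stand-in endpoint, and classifies the reply the way a brute-force loop has to. The candidate list uses real well-known interface UUIDs; the fake endpoint, the set of UUIDs it "registers" and every byte string are constructed for the example, and the PDU layouts follow C706 (DCE 1.1 RPC) as profiled by MS-RPCE.

```python
"""Probe-by-bind: build a DCE/RPC 5.0 bind for one interface UUID and classify
the bind_ack / bind_nak reply. Offline: the endpoint here is a constructed stand-in."""
import struct
import uuid

NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax v2.0
PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
RESULT_ACCEPTANCE, RESULT_PROVIDER_REJECTION = 0, 2          # p_result_t (C706 12.6.3.1)
REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED = 1                       # p_provider_reason_t
REASON_NAMES = {0: "reason_not_specified", 1: "abstract_syntax_not_supported",
                2: "proposed_transfer_syntaxes_not_supported", 3: "local_limit_exceeded"}

# Constructed candidate list of well-known interface UUIDs (labels are ours).
CANDIDATES = {
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc  [MS-LSAD]",
    "12345778-1234-abcd-ef00-0123456789ac": "samr    [MS-SAMR]",
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc  [MS-SRVS]",
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "epmapper",
}


def _syntax_id(iface: uuid.UUID, major: int, minor: int) -> bytes:
    # p_syntax_id_t: UUID in DCE (little-endian fields) layout, then u16 major, u16 minor
    return iface.bytes_le + struct.pack("<HH", major, minor)


def _pdu(ptype: int, body: bytes, call_id: int) -> bytes:
    # 16-byte common header: rpc_vers 5.0, ptype, first|last frag, drep 0x10 (LE/ASCII/IEEE),
    # frag_length = header + body, auth_length 0 (no auth trailer), call_id
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


def build_bind(iface: str, major: int = 1, minor: int = 0, call_id: int = 1) -> bytes:
    """Client side: bind offering one context, <iface> v<major>.<minor> over NDR 2.0."""
    ctx = struct.pack("<HBB", 0, 1, 0)              # p_cont_id 0, one transfer syntax, reserved
    ctx += _syntax_id(uuid.UUID(iface), major, minor) + _syntax_id(NDR_SYNTAX, 2, 0)
    body = struct.pack("<HHI", 4280, 4280, 0)       # max_xmit_frag, max_recv_frag, new assoc group
    body += struct.pack("<BBH", 1, 0, 0) + ctx      # p_cont_list: n_context_elem 1 + padding
    return _pdu(PTYPE_BIND, body, call_id)


def bind_abstract_syntax(bind_pdu: bytes) -> str:
    """Interface UUID offered in a bind's first context (header 16 + 8 + 4 + 4 bytes in)."""
    return str(uuid.UUID(bytes_le=bind_pdu[32:48]))


def build_bind_ack(results, sec_addr: bytes = b"135", call_id: int = 1) -> bytes:
    """Server side (constructed): bind_ack with one p_result_t per (result, reason) pair."""
    body = struct.pack("<HHI", 4280, 4280, 0x1234)                   # frag sizes, assoc_group_id
    body += struct.pack("<H", len(sec_addr) + 1) + sec_addr + b"\0"  # port_any_t, NUL-terminated
    body += b"\0" * (-len(body) % 4)                                 # p_result_list is 4-aligned
    body += struct.pack("<BBH", len(results), 0, 0)
    for result, reason in results:
        # a rejected context still carries a transfer_syntax slot, zero-filled
        syntax = _syntax_id(NDR_SYNTAX, 2, 0) if result == RESULT_ACCEPTANCE else bytes(20)
        body += struct.pack("<HH", result, reason) + syntax
    return _pdu(PTYPE_BIND_ACK, body, call_id)


def build_bind_nak(reason: int = 0, call_id: int = 1) -> bytes:
    """Server side (constructed): bind_nak with provider_reject_reason and one version (5.0)."""
    return _pdu(PTYPE_BIND_NAK, struct.pack("<HBBB", reason, 1, 5, 0), call_id)


def classify_bind_reply(pdu: bytes) -> str:
    """'listening', 'not_registered', 'rejected:<reason>' or 'nak:<reason>'."""
    vers, _, ptype, _, _, frag_len, _, _ = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or frag_len != len(pdu):
        raise ValueError("not a complete DCE/RPC 5.0 PDU")
    if ptype == PTYPE_BIND_NAK:
        return "nak:%d" % struct.unpack_from("<H", pdu, 16)[0]
    if ptype != PTYPE_BIND_ACK:
        raise ValueError("unexpected PDU type %d" % ptype)
    off = 16 + 8                                         # skip frag sizes and assoc_group_id
    off += 2 + struct.unpack_from("<H", pdu, off)[0]     # skip port_any_t
    off += -off % 4                                      # header is 16, so PDU offset aligns like body
    if pdu[off] == 0:
        raise ValueError("bind_ack with empty result list")
    result, reason = struct.unpack_from("<HH", pdu, off + 4)  # first result = our only context
    if result == RESULT_ACCEPTANCE:
        return "listening"
    if result == RESULT_PROVIDER_REJECTION and reason == REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED:
        return "not_registered"
    return "rejected:%s" % REASON_NAMES.get(reason, str(reason))


def fake_endpoint(registered: set, bind_pdu: bytes) -> bytes:
    """Constructed endpoint: accepts binds for UUIDs in `registered`, refuses the rest."""
    call_id = struct.unpack_from("<I", bind_pdu, 12)[0]
    if bind_abstract_syntax(bind_pdu) in registered:
        return build_bind_ack([(RESULT_ACCEPTANCE, 0)], call_id=call_id)
    return build_bind_ack([(RESULT_PROVIDER_REJECTION, REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED)],
                          call_id=call_id)


def brute_uuids(candidates, send) -> dict:
    """The brute-force loop: one bind per candidate UUID, each reply classified."""
    return {iface: classify_bind_reply(send(build_bind(iface, call_id=n)))
            for n, iface in enumerate(candidates, start=1)}


if __name__ == "__main__":
    # Constructed endpoint registering only LSARPC and SAMR, as \pipe\lsass would.
    registered = {"12345778-1234-abcd-ef00-0123456789ab", "12345778-1234-abcd-ef00-0123456789ac"}
    for iface, state in brute_uuids(CANDIDATES, lambda b: fake_endpoint(registered, b)).items():
        print("%-40s %-18s %s" % (iface, CANDIDATES[iface], state))
```

Only the first p_result_t is inspected because the bind offers a single context; a real Windows server may append a second result (negotiate_ack) for bind-time feature negotiation, which does not change the verdict on the interface. Anything other than acceptance or abstract_syntax_not_supported is passed through verbatim rather than treated as "absent", which is the distinction a practitioner needs when an endpoint refuses anonymous binds.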

CAVEATS

The positional argument must be a complete string binding, not a bare hostname or IP, and it should be quoted so the shell leaves the brackets and backslashes alone. A bind refused for authentication or authorization reasons is reported with its RPC error, not as an absent interface, so a refusal does not prove the interface is missing; retry with -auth-rpc and/or -auth-transport. -brute-uuids sends one bind per candidate UUID and -brute-opnums actually invokes the server's procedures with empty arguments, so both are noisy in RPC and SMB auditing and the latter can have side effects on production hosts. Only DCE/RPC (MS-RPCE) is covered; for ONC RPC (portmapper on TCP/UDP 111) use rpcinfo.

EXAMPLE

impacket-rpcmap 'ncacn_ip_tcp:192.168.1.100[135]'
or
impacket-rpcmap 'ncacn_np:192.168.1.100[\pipe\spoolss]' -auth-transport 'DOMAIN/user:pass' -brute-uuids -brute-opnums
or
impacket-rpcmap 'ncacn_np:192.168.1.100[\pipe\lsarpc]' -auth-transport 'DOMAIN/user' -hashes-transport :aabbcc...

OUTPUT SAMPLE

For each interface accepted at the endpoint, prints the protocol name and provider DLL when the UUID is in Impacket's table (e.g. the Security Account Manager interface, [MS-SAMR]), followed by the UUID and version. With -brute-opnums, adds one line per probed opnum with the RPC result; with -brute-versions, one line per accepted version.

HISTORY

Part of Impacket, created by Core Security Technologies in the early 2000s, maintained under SecureAuth after the two companies merged, and now maintained by Fortra's Core Security. rpcmap.py is a later addition to the examples than the long-standing rpcdump.py; the impacket-rpcmap name comes from the Debian/Kali packaging, which wraps each example script as impacket-<name>.

SEE ALSO

impacket-rpcdump, rpcinfo(8), ss(8)
