rpcclient
Execute MS-RPC commands on remote Windows hosts
TLDR
Connect to a remote host:
    $ rpcclient -U domain\username%password ip_address
Connect without password:
    $ rpcclient -U username -W domain -N ip_address
Connect with password hash:
    $ rpcclient -U domain\username --pw-nt-hash ip_address
Execute semicolon-separated commands non-interactively:
    $ rpcclient -U domain\username%password -c "command1;command2" ip_address
Display domain users (interactive):
    rpcclient $> enumdomusers
Display user information (interactive):
    rpcclient $> queryuser username
Enumerate domain groups (interactive):
    rpcclient $> enumdomgroups
Look up SID by name (interactive):
    rpcclient $> lookupnames username
Get server info (interactive):
    rpcclient $> srvinfo
Create a domain user (interactive):
    rpcclient $> createdomuser username
SYNOPSIS
rpcclient [options] server
DESCRIPTION
rpcclient is an MS-RPC client tool from the Samba suite. It allows executing RPC commands against Windows systems and Samba servers for user management, enumeration, and administration.

Interactive mode provides a shell for executing RPC commands such as enumdomusers, queryuser, and createdomuser.
PARAMETERS
-U, --user user
    Username for authentication (domain\user%password format)
-W, --workgroup domain
    Workgroup or domain name
-N, --no-pass
    Connect without password
--pw-nt-hash
    Password is an NT hash
-c, --command commands
    Execute semicolon-separated commands
-A, --authentication-file file
    Read credentials from file (username, password, domain)
-k, --kerberos
    Use Kerberos authentication
-I, --dest-ip ip
    Specify destination IP address
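The following is an added example (not part of Samba or rpcclient) that ties together the -c and -A options above: it writes a credentials file in the format -A reads, wraps a non-interactive rpcclient run, and parses enumdomusers output to check which account holds the built-in Administrator RID. The host address, the run_rpc helper and the sample output are assumptions; the sample is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of Samba or rpcclient: run rpcclient non-interactively
# (-c) with a credentials file (-A) and audit the enumdomusers output.

# Write a credentials file in the format -A reads. The subshell keeps the umask
# change local, so the file is created mode 0600 and the password stays out of
# `ps` output and shell history, unlike -U user%password on the command line.
make_auth_file() { # usage: make_auth_file USER PASSWORD DOMAIN PATH
    ( umask 077
      printf 'username = %s\npassword = %s\ndomain = %s\n' "$1" "$2" "$3" > "$4" )
}

# Run rpcclient commands non-interactively. HOST is an assumed parameter; this
# needs a reachable server and is not exercised by the offline demo below.
run_rpc() { # usage: run_rpc AUTHFILE HOST "cmd1;cmd2"
    rpcclient -A "$1" -c "$3" "$2"
}

# enumdomusers prints one line per account, e.g.
#   user:[Administrator] rid:[0x1f4]
# Turn stdin in that format into "name,rid" rows with the RID in decimal.
parse_enumdomusers() {
    sed -n 's/^user:\[\(.*\)\] rid:\[\(0x[0-9A-Fa-f]*\)\]$/\1,\2/p' |
    while IFS=, read -r name rid; do
        printf '%s,%d\n' "$name" "$((rid))"
    done
}

# Audit check: print the account name that holds the built-in Administrator
# RID (500). The RID is fixed, so a renamed Administrator is still identified.
# Reads the "name,rid" rows produced by parse_enumdomusers on stdin.
name_of_rid500() {
    awk -F, '$2 == 500 { print $1 }'
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_ENUMDOMUSERS='user:[dc-admin] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[alice] rid:[0x451]
user:[svc-backup] rid:[0x452]'

# Offline demo. Against a live host, pipe run_rpc instead (assumed address):
#   run_rpc "$authfile" 10.0.0.5 enumdomusers | parse_enumdomusers | name_of_rid500
printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers | name_of_rid500
```

The demo prints dc-admin, showing that RID 500 is held by a renamed built-in Administrator account in the sample.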
CAVEATS
Requires proper credentials for most operations. Some commands require administrator privileges on the target system. A password given on the command line in the user%password form is visible in process listings and shell history; a credentials file passed with -A avoids this. When the domain\user form is typed into a shell, quote it or double the backslash so the shell does not strip it.
HISTORY
Part of Samba suite, providing Windows interoperability tools for Unix systems.
SEE ALSO
smbclient(1), net(8), enum4linux(1), nmap(1)
