LinuxCommandLibrary

rpcclient

Execute commands on Windows machines via SMB

TLDR

Connect to a remote host

$ rpcclient [[-U|--user]] [domain]\[username]%[password] [ip]

Connect to a remote host on a domain without a password
$ rpcclient [[-U|--user]] [username] [[-W|--workgroup]] [domain] [[-N|--no-pass]] [ip]

Connect to a remote host, passing the password hash
$ rpcclient [[-U|--user]] [domain]\[username] --pw-nt-hash [ip]

Execute shell commands on a remote host
$ rpcclient [[-U|--user]] [domain]\[username]%[password] [[-c|--command]] [semicolon_separated_commands] [ip]

Display domain users
$ rpcclient $> enumdomusers

Display privileges
$ rpcclient $> enumprivs

Display information about a specific user
$ rpcclient $> queryuser [username|rid]

Create a new user in the domain
$ rpcclient $> createdomuser [username]

SYNOPSIS

rpcclient [options] server

PARAMETERS

-A authfile
    Specifies the authentication file containing username and password.

-c command string
    Executes the specified command string.

-d debuglevel
    Sets the debug level (0-10).

-l logfile
    Specifies the log file.

-N
    Suppresses the password prompt.

-p port
    Specifies the port number.

-s smb.conf
    Specifies the location of the smb.conf file.

-U username[%password]
    Specifies the username and optional password.

-W workgroup
    Specifies the workgroup name.

-i
    Specifies the network interface.

-P
    Use plaintext authentication. Not recommended for security reasons.

DESCRIPTION

rpcclient is a command-line utility in Linux used to execute commands on remote Windows systems via the Server Message Block (SMB) protocol. It acts as an SMB client, allowing you to connect to a Samba server or a Windows machine and perform administrative tasks like retrieving information about users, groups, services, and shares. It can also execute remote commands. rpcclient is often used for testing Samba configurations, troubleshooting SMB issues, and automating administrative tasks that would otherwise require using GUI tools on a Windows system.
Its functionality extends to tasks such as printing, managing sessions, and even running arbitrary commands on the target machine, provided the appropriate permissions are granted.
It's a valuable tool for system administrators managing mixed environments of Linux and Windows machines. It requires knowledge of the SMB protocol and Windows administration.

CAVEATS

Using rpcclient requires appropriate permissions on the target system. Executing arbitrary commands can be a security risk if not properly controlled. The -P option should be avoided in production environments due to its security implications.

COMMAND EXAMPLES

rpcclient -U "user%password" server: Authenticates to the server with the specified username and password.
rpcclient -c 'enumdomusers' server: Enumerates the users on the domain.
rpcclient -c 'shutdown' server: Shuts down the remote server (requires appropriate permissions).

AUTHENTICATION

rpcclient supports different authentication methods. It is possible to supply a username/password combination directly on the command line, or to use an authentication file. Using plaintext authentication (-P) is discouraged.
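
An added example, not part of the rpcclient documentation: a POSIX shell wrapper that uses the -A authentication file instead of -U user%password, so the password does not end up in shell history or on the command line. It assumes the Samba credentials-file keys username, password and domain, and a stat that supports -c; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Samba.
# Credentials file read by -A (Samba client tools):
#   username = <value>
#   password = <value>
#   domain   = <value>

# write_authfile FILE USER DOMAIN
# Reads the password from stdin so it never appears in argv, and creates
# the file fresh under umask 077 so it is mode 0600 from the first byte.
write_authfile() (
    umask 077
    IFS= read -r pass || [ -n "$pass" ] || exit 1
    rm -f -- "$1"
    printf 'username = %s\npassword = %s\ndomain = %s\n' "$2" "$pass" "$3" > "$1"
)

# check_authfile FILE
# Exit status: 0 ok, 1 not a regular file, 2 wrong owner,
# 3 mode other than 600/400, 4 missing username/password key.
check_authfile() (
    f=$1
    { [ -f "$f" ] && [ ! -L "$f" ]; } || { echo "$f: not a regular file" >&2; exit 1; }
    # Assumption: GNU or BusyBox stat (-c format option).
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || { echo "$f: not owned by caller" >&2; exit 2; }
    case "$(stat -c '%a' "$f")" in
        600|400) ;;
        *) echo "$f: mode must be 600 or 400" >&2; exit 3 ;;
    esac
    for key in username password; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$f" ||
            { echo "$f: missing $key" >&2; exit 4; }
    done
)

# run_rpc FILE SERVER COMMANDS
# Refuses to start rpcclient unless the credentials file passes the check.
run_rpc() {
    check_authfile "$1" || return $?
    rpcclient -A "$1" -c "$3" "$2"
}

# Usage (constructed values; password is supplied on stdin):
#   write_authfile "$HOME/.rpc-auth" alice EXAMPLE < /path/to/secret
#   run_rpc "$HOME/.rpc-auth" 192.0.2.10 'enumprivs'
```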

HISTORY

rpcclient is part of the Samba suite, which originated in the early 1990s. Andrew Tridgell created Samba to allow Linux systems to integrate seamlessly with Windows networks using the SMB protocol.
Over the years, rpcclient has evolved alongside Samba to support new SMB versions and Windows features. It became an essential tool for system administrators managing mixed Linux/Windows environments and for testing Samba server configurations.

SEE ALSO

smbclient(1), nmblookup(1), net(8)
