rpcclient
Execute commands on Windows machines via SMB
TLDR
Connect to a remote host
Connect to a remote host on a domain without a password
Connect to a remote host, passing the password hash
Execute shell commands on a remote host
Display domain users
Display privileges
Display information about a specific user
Create a new user in the domain
SYNOPSIS
rpcclient [options] server
PARAMETERS
-A authfile
Specifies the authentication file containing username and password.
-c command string
Executes the specified command string.
-d debuglevel
Sets the debug level (0-10).
-l logfile
Specifies the log file.
-N
Suppresses the password prompt.
-p port
Specifies the port number.
-s smb.conf
Specifies the location of the smb.conf file.
-U username[%password]
Specifies the username and optional password.
-W workgroup
Specifies the workgroup name.
-i
Specifies the network interface.
-P
Use plaintext authentication. Not recommended for security reasons.
DESCRIPTION
rpcclient is a command-line utility in Linux used to execute commands on remote Windows systems via the Server Message Block (SMB) protocol. It acts as an SMB client, allowing you to connect to a Samba server or a Windows machine and perform administrative tasks such as retrieving information about users, groups, services, and shares. It can also execute remote commands. rpcclient is often used for testing Samba configurations, troubleshooting SMB issues, and automating administrative tasks that would otherwise require GUI tools on a Windows system.
Its functionality extends to tasks such as printing, managing sessions, and even running arbitrary commands on the target machine, provided the appropriate permissions are granted.
It's a valuable tool for system administrators managing mixed environments of Linux and Windows machines. It requires knowledge of the SMB protocol and Windows administration.
CAVEATS
Using rpcclient requires appropriate permissions on the target system. Executing arbitrary commands can be a security risk if not properly controlled. The -P option should be avoided in production environments due to its security implications.
COMMAND EXAMPLES
rpcclient -U "user%password" server: Authenticates to the server with the specified username and password.
rpcclient -c 'enumdomusers' server: Enumerates the users on the domain.
rpcclient -c 'shutdown' server: Shuts down the remote server (requires appropriate permissions).
AUTHENTICATION
rpcclient supports different authentication methods. You can supply a username/password combination directly on the command line, or use an authentication file. Using plaintext authentication (-P) is discouraged.
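A password given as -U "user%password" is visible in the process list and shell history, so the -A authfile route is the safer of the two. The wrapper below is an added example, not part of the original page or of Samba: it writes the file with owner-only permissions and refuses to call rpcclient if the file is readable by anyone else. The function names, file path, account and server names are assumptions; the key layout is the username/password/domain format read by Samba client tools.

```sh
#!/bin/sh
# Added example: keep rpcclient credentials out of argv by using -A authfile.
# All names below (functions, paths, accounts, server) are placeholders.

# Write the credentials file with mode 0600 from the moment it is created.
# usage: write_authfile FILE USER DOMAIN   (password is read from stdin)
write_authfile() {
    file=$1 user=$2 domain=$3
    IFS= read -r pass || [ -n "$pass" ] || return 1
    (
        umask 077                      # owner-only, applied before creation
        rm -f -- "$file"               # drop any older, looser copy
        printf 'username = %s\npassword = %s\ndomain = %s\n' \
            "$user" "$pass" "$domain" > "$file"
    )
}

# Succeed only if FILE is a regular file (not a symlink) and carries no
# group or other permission bits.
authfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ln -- "$1" | cut -c5-10)   # the six group/other mode chars
    [ "$perms" = "------" ]
}

# Run one rpcclient command string using the authfile.
# usage: rpc_query AUTHFILE SERVER 'command string'
rpc_query() {
    authfile_is_private "$1" || {
        echo "refusing: $1 is missing or not private (want mode 0600)" >&2
        return 2
    }
    rpcclient -A "$1" -c "$3" "$2"
}

# Example session (constructed names):
#   write_authfile "$HOME/.rpc-auth" auditor EXAMPLE   # type password, Enter
#   rpc_query "$HOME/.rpc-auth" server 'enumdomusers'
```

The password typed into write_authfile is echoed unless the terminal is switched with `stty -echo` first.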
HISTORY
rpcclient is part of the Samba suite, which originated in the early 1990s. Andrew Tridgell created Samba to allow Linux systems to integrate seamlessly with Windows networks using the SMB protocol.
Over the years, rpcclient has evolved alongside Samba to support new SMB versions and Windows features. It became an essential tool for system administrators managing mixed Linux/Windows environments and for testing Samba server configurations.