LinuxCommandLibrary

rpcclient

Execute client-side MS-RPC functions against Windows or Samba hosts over SMB

TLDR

Connect to a remote host

$ rpcclient [[-U|--user]] [domain]\[username]%[password] [ip]

Connect to a remote host on a domain without a password
$ rpcclient [[-U|--user]] [username] [[-W|--workgroup]] [domain] [[-N|--no-pass]] [ip]

Connect to a remote host, authenticating with the NT password hash instead of the cleartext password (pass-the-hash: the value supplied or prompted for as the password is taken as the hash)
$ rpcclient [[-U|--user]] [domain]\[username] --pw-nt-hash [ip]

Run rpcclient commands non-interactively (rpcclient's own MS-RPC commands, separated by semicolons; this is not a shell on the remote host)
$ rpcclient [[-U|--user]] [domain]\[username]%[password] [[-c|--command]] [semicolon_separated_commands] [ip]

Display domain users
$ rpcclient $> enumdomusers

Display privileges
$ rpcclient $> enumprivs

Display information about a specific user
$ rpcclient $> queryuser [username|rid]

Create a new user in the domain
$ rpcclient $> createdomuser [username]

SYNOPSIS

rpcclient [options] server

PARAMETERS

server
    The target server's name or IP address, given as the last (positional) argument; it is mandatory. rpcclient has no -S option for selecting the server (in current Samba releases -S|--signing controls SMB signing). To connect to a known address while still passing a host name, use -I.

-U username[%password]
    Sets the username and optionally the password for authentication. If the password is not provided here, rpcclient will prompt for it securely.

-W domain
    Specifies the Windows domain or workgroup to authenticate against. This is often necessary when connecting to a server that is part of a domain.

-c command-string
    Executes one or more rpcclient commands, separated by semicolons, and then exits instead of entering the interactive prompt. These are rpcclient's own MS-RPC commands (enumdomusers, srvinfo, ...), not shell commands on the target. This option is particularly useful for scripting automated tasks.

-I ip-address
    Connects to the given IP address instead of the one obtained by resolving server, so the positional name can still be used for SMB and Kerberos naming while the socket goes to a known address. rpcclient has no option for reading commands from a file; batch them with -c, or pipe them to standard input when scripting.

-d debuglevel
    Sets the debug level for output. Higher levels (e.g., 10) provide more verbose debugging information, useful for troubleshooting connection or command issues.

-k
    Uses Kerberos authentication instead of NTLM. This requires a valid Kerberos ticket in the credential cache (e.g., obtained via kinit) and a server name that maps to a Kerberos service principal, so connect by host name rather than IP address. In current Samba releases -k is deprecated in favour of --use-kerberos=required|desired|off.

-N
    Causes rpcclient to never ask for a password. This is typically used in conjunction with other authentication methods like Kerberos or when the password is provided directly in the -U option.

-P
    Authenticates with the stored machine account password of the local Samba host (--machine-pass), i.e. as the computer account rather than a user. It is not an "empty password" switch. To connect without credentials (a null session), give an empty user with -N, e.g. -U '' -N; current Windows versions refuse or heavily restrict such anonymous connections.

-p port
    Connects to the given TCP port on the server instead of the SMB defaults. rpcclient carries MS-RPC over SMB named pipes, so the default is 445 (direct SMB over TCP) with NetBIOS session service on 139 as the fallback; port 135 (the RPC endpoint mapper) is not used.

-V
    Prints the rpcclient version number and exits, providing information about the Samba suite it belongs to.

DESCRIPTION

rpcclient is a command-line utility within the Samba suite for executing client-side MS-RPC functions against Windows servers and domain controllers (or Samba hosts) from Linux. It carries the RPC calls over SMB named pipes (TCP port 445, with NetBIOS on port 139 as the fallback) and provides an interactive prompt where users can call MS-RPC interfaces such as SAMR, LSARPC, SRVSVC and SVCCTL to query user and group information, manage services, enumerate shares, or debug RPC-related issues.

It is a powerful tool for low-level interaction with Windows services, often used for auditing, scripting administrative tasks, or investigating network issues that require direct MSRPC communication to a remote host.

CAVEATS

Using rpcclient requires a solid understanding of MSRPC protocols and the specific Windows services you intend to interact with. Many commands are read-only enumeration calls, but others change state on the target (for example createdomuser, deletedomuser, setuserinfo, and the svc_* service commands), and every call is authenticated and can be logged on the server, so run them only with explicit authorisation.

Authentication can be NTLM (password or NT hash) or Kerberos, and proper setup of the Samba client, along with correct network configuration (e.g., DNS resolution, firewall rules, SMB signing settings), is crucial for successful connections. Anonymous "null session" connections (-U '' -N) are refused or heavily restricted on current Windows versions, so most enumeration requires a valid domain account.

Many administrative operations performed through rpcclient require elevated privileges on the target Windows server. Always ensure you have the necessary permissions before attempting actions that modify system state.

INTERACTIVE MODE COMMANDS

When rpcclient is run without the -c option, it enters an interactive shell with the prompt rpcclient $>. Within this shell, a wide array of RPC-specific commands are available, grouped by the MSRPC interface they use: SAMR commands to query user and group information (e.g., queryuser, enumdomusers, enumdomgroups), LSARPC commands to translate names and SIDs (lookupnames, lookupsids, lsaquery), SVCCTL commands to manage services (svc_enum, svc_status, svc_start, svc_stop), SRVSVC commands to enumerate shares (netshareenum, netshareenumall) and retrieve server information (srvinfo), and many others.
Users can type help at the rpcclient prompt to see the list of available commands grouped by interface, and help [command] for the usage of a single command.
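The -c batch mode and the enumdomusers output format described above, worked through as an added example (this is not code from the Samba project or from this page). The script batches commands with -c, parses enumdomusers output into name,RID pairs, and resolves the well-known RIDs 500 (built-in Administrator, even when renamed) and 501 (Guest). The host, domain, account names and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Samba project or from this page.
# Batches several rpcclient commands with -c and turns enumdomusers output
# into "name,rid" lines, then resolves well-known RIDs such as 500
# (built-in Administrator, even if renamed) and 501 (Guest).
# Host, domain and account names below are placeholders.

# rpc_batch <host> <domain> <user> 'cmd1;cmd2;...'
# Runs a semicolon-separated batch non-interactively. The password is
# prompted for rather than given as %password, so it never appears in ps.
rpc_batch() {
    rpcclient -U "$2\\$3" -c "$4" "$1"
}

# Constructed sample of what enumdomusers prints. Real output has the same
# "user:[NAME] rid:[0xHEX]" shape, one account per line.
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x451]'

# parse_enumdomusers: reads enumdomusers lines on stdin, writes "NAME,RID"
# with the RID in decimal. "|" and "," cannot appear in a sAMAccountName,
# so they are safe separators.
parse_enumdomusers() {
    sed -n 's/^user:\[\(.*\)] rid:\[0x\([0-9a-fA-F]*\)]$/\1|\2/p' |
    while IFS='|' read -r name hexrid; do
        printf '%s,%s\n' "$name" "$((0x$hexrid))"
    done
}

# name_for_rid <decimal_rid>: reads parse_enumdomusers output on stdin and
# prints the account name holding that RID (nothing if absent).
name_for_rid() {
    awk -F, -v rid="$1" '$2 == rid { print $1 }'
}

# Live run (placeholders; needs rpcclient and a reachable domain controller):
#   rpc_batch dc01.corp.example CORP audit 'srvinfo;enumdomusers' \
#     | parse_enumdomusers | name_for_rid 500
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers
printf 'RID 500 is: %s\n' \
    "$(printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers | name_for_rid 500)"
```

Only the enumdomusers lines are parsed; srvinfo and any other output in the batch is dropped by the sed filter, so several commands can be combined in one -c call without confusing the parser.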

SECURITY BEST PRACTICES FOR PASSWORDS

When specifying credentials, avoid including passwords directly on the command line (e.g., -U username%password). Such passwords are visible in system process listings (e.g., output of ps aux) to every local user and are written to the shell history. Instead, omit the password so that rpcclient prompts for it, read the credentials from a file with mode 0600 via -A|--authentication-file, or use Kerberos authentication (-k, or --use-kerberos=required on current Samba releases) if your environment supports it. The same applies to NT hashes passed with --pw-nt-hash: a hash on the command line is as reusable by an attacker as the password itself.
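The credentials-file approach above, as an added example (not code from the Samba project or from this page). The helper writes the key = value layout that smbclient(1) documents for -A with permissions that never exceed 0600; the host, domain, account and password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Samba project or from this page.
# Keeps the password out of argv and shell history by writing a credentials
# file that only the caller can read and handing it to rpcclient with
# -A|--authentication-file. Host, domain, account and password are
# placeholders.

# write_authfile <path> <domain> <user> <password>
# Writes the "key = value" layout that smbclient(1) documents for -A.
# The subshell keeps the restrictive umask local, so the file is created
# 0600 with no window in which it is group- or world-readable; the chmod
# covers the case where <path> already existed with wider permissions.
write_authfile() {
    (
        umask 077
        printf 'username = %s\npassword = %s\ndomain = %s\n' "$3" "$4" "$2" > "$1"
        chmod 600 "$1"
    )
}

# file_mode <path>: permission string as ls prints it (e.g. -rw-------);
# works on both GNU and BSD userlands, whose stat(1) flags differ.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (placeholders): the password is read from the file, so neither ps
# nor the shell history ever sees it. Remove the file when finished.
#   write_authfile "$HOME/.rpc-creds" CORP audit 'correct horse battery staple'
#   rpcclient -A "$HOME/.rpc-creds" -c 'srvinfo;enumdomusers' dc01.corp.example
#   rm -f "$HOME/.rpc-creds"
```

The file still holds a cleartext password, so keep it on a local filesystem with a tight umask and delete it after the session; it is a way to keep the secret out of process listings, not a replacement for Kerberos where that is available.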

HISTORY

rpcclient is an integral component of the Samba project, an open-source software suite that provides seamless file and print services interoperability between Unix/Linux and Windows machines. It was developed to extend Samba's capabilities, allowing administrators to interact with Windows MSRPC services directly from Unix-like systems, mimicking functionality typically found in native Windows administration tools.

Its development has evolved alongside Windows RPC protocols and Samba's increasing role as a robust domain member and controller, providing a crucial command-line interface for complex network administration and debugging tasks.

SEE ALSO

smbclient(1), net(8), nmblookup(1), samba(7), wbinfo(1)
