144 changes: 144 additions & 0 deletions rpc-protocol/enumeration.md
@@ -0,0 +1,144 @@
# Enumeration Operations

## Enumerate Domain Users
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-users

SMB 192.168.1.100 445 DC01 [+] Found 25 domain user(s)
SMB 192.168.1.100 445 DC01 RID Username BadPW PW Last Set PW Can Change Description
SMB 192.168.1.100 445 DC01 500 Administrator 0 2021-08-31 00:51:58 2021-09-01 03:51:58 Built-in account for administering...
SMB 192.168.1.100 445 DC01 501 Guest 0 Never Never Built-in account for guest access...
SMB 192.168.1.100 445 DC01 502 krbtgt 0 2021-08-30 15:23:18 2021-08-31 15:23:18 Key Distribution Center Service...
```



## Enumerate Groups
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-groups

SMB 192.168.1.100 445 DC01 [+] Domain Groups (15)
SMB 192.168.1.100 445 DC01 RID Group Members Description
SMB 192.168.1.100 445 DC01 512 Domain Admins 3 Designated administrators of the domain
SMB 192.168.1.100 445 DC01 513 Domain Users 45 All domain users
SMB 192.168.1.100 445 DC01 514 Domain Guests 0 All domain guests

SMB 192.168.1.100 445 DC01 [+] Builtin/Local Groups (20)
SMB 192.168.1.100 445 DC01 RID Group Members Description
SMB 192.168.1.100 445 DC01 544 Administrators 4 Administrators have complete and unrestricted access
SMB 192.168.1.100 445 DC01 545 Users 2 Users are prevented from making accidental changes
SMB 192.168.1.100 445 DC01 546 Guests 1 Guests have the same access as members of the Users group
```



## Query User Information
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-user Administrator

SMB 192.168.1.100 445 DC01 User Name: Administrator
SMB 192.168.1.100 445 DC01 Full Name:
SMB 192.168.1.100 445 DC01 Home Directory:
SMB 192.168.1.100 445 DC01 Description: Built-in account for administering the computer/domain
SMB 192.168.1.100 445 DC01 User RID: 0x1f4
SMB 192.168.1.100 445 DC01 Primary Group RID: 0x201
SMB 192.168.1.100 445 DC01 Account Flags: 0x210
```

## Query User Groups
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-user-groups Administrator

SMB 192.168.1.100 445 DC01 [+] Groups for user Administrator (3 groups)
SMB 192.168.1.100 445 DC01 RID ATTR Name
SMB 192.168.1.100 445 DC01 -------- ------ ------------------------------
SMB 192.168.1.100 445 DC01 512 7 Domain Admins
SMB 192.168.1.100 445 DC01 513 7 Domain Users
SMB 192.168.1.100 445 DC01 520 7 Group Policy Creator Owners
```

## Query Group Information
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-group "Domain Admins"

SMB 192.168.1.100 445 DC01 [+] Group: Domain Admins
SMB 192.168.1.100 445 DC01 Description: Designated administrators of the domain
SMB 192.168.1.100 445 DC01 Attributes: 7
SMB 192.168.1.100 445 DC01 Member Count: 3
SMB 192.168.1.100 445 DC01 Members: Administrator, IT-Admin, backup
```

## Query Domain Information
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-dom-info

SMB 192.168.1.100 445 DC01 Domain: CONTOSO
SMB 192.168.1.100 445 DC01 Server: DC01
SMB 192.168.1.100 445 DC01 Comment: Primary Domain Controller
SMB 192.168.1.100 445 DC01 Domain SID: S-1-5-21-1234567890-1234567890-1234567890
```

## Query Password Policy
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-pass-pol

SMB 192.168.1.100 445 DC01 Min Password Length: 7
SMB 192.168.1.100 445 DC01 Password History: 24
SMB 192.168.1.100 445 DC01 Maximum Password Age: 42 days
SMB 192.168.1.100 445 DC01 Password Complexity: Enabled
```

## Enumerate Domain Trusts
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-trusts

SMB 192.168.1.100 445 DC01 [+] Found 2 domain trust(s)
SMB 192.168.1.100 445 DC01 CHILD.CONTOSO.LOCAL (external, forest: CHILD.CONTOSO.LOCAL)
SMB 192.168.1.100 445 DC01 PARTNER.COM (external, forest: PARTNER.COM)
```

## Enumerate Shares
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-shares

SMB 192.168.1.100 445 DC01 [+] Found 6 share(s)
SMB 192.168.1.100 445 DC01 Share Type Perms Remark Path
SMB 192.168.1.100 445 DC01 ----------------------------------------------------------------------------------------------------
SMB 192.168.1.100 445 DC01 ADMIN$ Disk READ,WRITE Remote Admin C:\Windows
SMB 192.168.1.100 445 DC01 C$ Disk READ,WRITE Default share C:\
SMB 192.168.1.100 445 DC01 IPC$ IPC Remote IPC
SMB 192.168.1.100 445 DC01 NETLOGON Disk READ Logon server share C:\Windows\SYSVOL\sysvol\contoso.local\SCRIPTS
SMB 192.168.1.100 445 DC01 SYSVOL Disk READ Logon server share C:\Windows\SYSVOL\sysvol
```



## Enumerate Sessions
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-sessions

SMB 192.168.1.100 445 DC01 [+] Found 5 session(s)
SMB 192.168.1.100 445 DC01 user:Administrator from:192.168.1.50 time:2h15m idle:5m
SMB 192.168.1.100 445 DC01 user:jdoe from:192.168.1.120 time:4h idle:30m
```

## Enumerate Server Info
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-server-info

SMB 192.168.1.100 445 DC01 Server Information:
SMB 192.168.1.100 445 DC01 Server Name: DC01
SMB 192.168.1.100 445 DC01 Server Domain: CONTOSO
SMB 192.168.1.100 445 DC01 Server OS: Windows Server 2019 Standard
SMB 192.168.1.100 445 DC01 Server OS Build: 17763
```

## RID Brute Force
```bash
nxc smb 192.168.1.100 -u username -p password --rid-brute 1000

SMB 192.168.1.100 445 DC01 [+] Found 35 accounts via RID cycling:
SMB 192.168.1.100 445 DC01 500: Administrator (Built-in account for administering the computer/domain)
SMB 192.168.1.100 445 DC01 501: Guest (Built-in account for guest access to the computer/domain)
SMB 192.168.1.100 445 DC01 502: krbtgt (Key Distribution Center Service Account)
```
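Review bot: The "Query User Groups" section (the `--rpc-user-groups Administrator` block) shows a tabular `RID ATTR Name` format with decimal RIDs and reports 3 groups, while lookups.md in this same PR documents the identical command with a `rid:[0x200] group:[...] attr:[MANDATORY, ...]` format; one of the two samples is stale, so pick the format the current code emits and use it in both files. The same applies to "Enumerate Groups", "Query Group Information" and "RID Brute Force", which are pasted verbatim into group-management.md and lookups.md as well; a one-line cross-reference to a single canonical section would be easier to keep in sync. The page is also command/output only: each heading would benefit from a sentence saying which RPC interface the option queries and what the columns mean (for example the `ATTR` value `7` and the `Perms` column in "Enumerate Shares"), since a reader cannot infer that from the sample output. Minor style: the runs of three blank lines after the users, groups and shares blocks should be collapsed to one.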
72 changes: 72 additions & 0 deletions rpc-protocol/group-management.md
@@ -0,0 +1,72 @@
# Group Management

## Create Group
```bash
nxc smb 192.168.1.100 -u admin -p password --create-group "IT Support"

SMB 192.168.1.100 445 DC01 [*] Creating group (createdomgroup IT Support)
SMB 192.168.1.100 445 DC01 [+] Created group IT Support with RID 0x450
```

## Delete Group
```bash
nxc smb 192.168.1.100 -u admin -p password --delete-group "Old Team"

SMB 192.168.1.100 445 DC01 [*] Deleting group (deletedomgroup Old Team)
SMB 192.168.1.100 445 DC01 [+] Deleted group Old Team
```

## Add User to Group
```bash
nxc smb 192.168.1.100 -u admin -p password --add-to-group "john.doe:IT Support"

SMB 192.168.1.100 445 DC01 [*] Adding john.doe to group IT Support
SMB 192.168.1.100 445 DC01 [+] Added john.doe to IT Support
```

## Remove User from Group
```bash
nxc smb 192.168.1.100 -u admin -p password --remove-from-group "john.doe:IT Support"

SMB 192.168.1.100 445 DC01 [*] Removing john.doe from group IT Support
SMB 192.168.1.100 445 DC01 [+] Removed john.doe from IT Support
```

## Enumerate Groups
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-groups

SMB 192.168.1.100 445 DC01 [+] Domain Groups (15)
SMB 192.168.1.100 445 DC01 RID Group Members Description
SMB 192.168.1.100 445 DC01 512 Domain Admins 3 Designated administrators of the domain
SMB 192.168.1.100 445 DC01 513 Domain Users 45 All domain users
SMB 192.168.1.100 445 DC01 514 Domain Guests 0 All domain guests

SMB 192.168.1.100 445 DC01 [+] Builtin/Local Groups (20)
SMB 192.168.1.100 445 DC01 RID Group Members Description
SMB 192.168.1.100 445 DC01 544 Administrators 4 Administrators have complete and unrestricted access
SMB 192.168.1.100 445 DC01 545 Users 2 Users are prevented from making accidental changes
SMB 192.168.1.100 445 DC01 546 Guests 1 Guests have the same access as members of the Users group
```

## Query Group Information
```bash
# Query domain group
nxc smb 192.168.1.100 -u username -p password --rpc-group "Domain Admins"

SMB 192.168.1.100 445 DC01 [+] Group: Domain Admins
SMB 192.168.1.100 445 DC01 Description: Designated administrators of the domain
SMB 192.168.1.100 445 DC01 Attributes: 7
SMB 192.168.1.100 445 DC01 Member Count: 3
SMB 192.168.1.100 445 DC01 Members: Administrator, IT-Admin, backup

# Query builtin/local group
nxc smb 192.168.1.100 -u username -p password --rpc-group "Administrators"

SMB 192.168.1.100 445 DC01 [+] Group: Administrators
SMB 192.168.1.100 445 DC01 Description: Administrators have complete and unrestricted access to the computer/domain
SMB 192.168.1.100 445 DC01 Attributes: 0
SMB 192.168.1.100 445 DC01 Member Count: 4
SMB 192.168.1.100 445 DC01 Members: Domain Admins, Administrator, Administrator, SYSTEM
```

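Review bot: The `--add-to-group` and `--remove-from-group` sections take a combined `"john.doe:IT Support"` argument but nothing states that the value is `user:group` separated by a colon, or whether the user may be given as `DOMAIN\user` or by RID; add a sentence documenting the argument format before the first example. The four write operations (create, delete, add, remove) are run as `-u admin` while the query sections use `-u username`, which only implicitly signals that they need elevated rights on the DC; say explicitly that these modify the domain and what group membership is expected, so a reader does not run them with a standard account and misread the failure. In the "Query builtin/local group" output, `Members: Domain Admins, Administrator, Administrator, SYSTEM` lists `Administrator` twice with no domain prefix, so the sample cannot be told apart from a duplicated entry; if the two entries are the local and domain accounts, the output (or at least the sample) should carry the `DOMAIN\` prefix.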
67 changes: 67 additions & 0 deletions rpc-protocol/lookups.md
@@ -0,0 +1,67 @@
# Lookup Operations

## Lookup Names to SIDs
```bash
nxc smb 192.168.1.100 -u username -p password --lookup-names "Administrator,Guest"

SMB 192.168.1.100 445 DC01 Administrator -> S-1-5-21-xxx-500 (User)
SMB 192.168.1.100 445 DC01 Guest -> S-1-5-21-xxx-501 (User)
```

## LSA Lookup Names
```bash
nxc smb 192.168.1.100 -u username -p password --lsa-lookup-names "Administrator,Everyone"

SMB 192.168.1.100 445 DC01 Administrator -> CONTOSO\Administrator S-1-5-21-xxx-500 (User)
SMB 192.168.1.100 445 DC01 Everyone -> Everyone S-1-1-0 (WellKnown)
```

## LSA Lookup SIDs
```bash
nxc smb 192.168.1.100 -u username -p password --lsa-lookup-sids "S-1-5-21-xxx-500,S-1-1-0"

SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-500 -> CONTOSO\Administrator (User)
SMB 192.168.1.100 445 DC01 S-1-1-0 -> Everyone (WellKnown)
```

## Lookup Domain SID
```bash
nxc smb 192.168.1.100 -u username -p password --lookup-domain CONTOSO

SMB 192.168.1.100 445 DC01 Domain CONTOSO -> SID S-1-5-21-1234567890-1234567890-1234567890
```

## SAM Lookup (Domain)
```bash
nxc smb 192.168.1.100 -u username -p password --sam-lookup domain "Administrator,Domain Admins"

SMB 192.168.1.100 445 DC01 Administrator S-1-5-21-xxx-500 (User: 1)
SMB 192.168.1.100 445 DC01 Domain Admins S-1-5-21-xxx-512 (Group: 2)
```

## SAM Lookup (Builtin)
```bash
nxc smb 192.168.1.100 -u username -p password --sam-lookup builtin "Administrators,Users"

SMB 192.168.1.100 445 DC01 Administrators S-1-5-32-544 (Alias: 4)
SMB 192.168.1.100 445 DC01 Users S-1-5-32-545 (Alias: 4)
```

## Query User Group Membership
```bash
nxc smb 192.168.1.100 -u username -p password --rpc-user-groups Administrator

SMB 192.168.1.100 445 DC01 [+] User Administrator is a member of 3 group(s)
SMB 192.168.1.100 445 DC01 [*] rid:[0x200] group:[Domain Admins] attr:[MANDATORY, ENABLED_BY_DEFAULT, ENABLED]
SMB 192.168.1.100 445 DC01 [*] rid:[0x201] group:[Domain Users] attr:[MANDATORY, ENABLED_BY_DEFAULT, ENABLED]
```

## RID Brute Force
```bash
nxc smb 192.168.1.100 -u username -p password --rid-brute 1000

SMB 192.168.1.100 445 DC01 [+] Found 35 accounts via RID cycling:
SMB 192.168.1.100 445 DC01 500: Administrator (Built-in account for administering the computer/domain)
SMB 192.168.1.100 445 DC01 501: Guest (Built-in account for guest access to the computer/domain)
SMB 192.168.1.100 445 DC01 502: krbtgt (Key Distribution Center Service Account)
```
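Review bot: The `--sam-lookup` outputs print `(User: 1)`, `(Group: 2)` and `(Alias: 4)` without saying what the number is; it is the SID_NAME_USE type code (1 = user, 2 = group, 4 = alias), so either spell that out in a short note under the heading or drop the number from the sample, because `(Alias: 4)` next to `Users` reads as a member count. The "Query User Group Membership" block documents `--rpc-user-groups Administrator` with `rid:[0x200] group:[Domain Admins] attr:[MANDATORY, ENABLED_BY_DEFAULT, ENABLED]` lines, which conflicts with the tabular format enumeration.md gives for the same command; it also says the user is a member of 3 groups but lists two, so the sample should be completed or the count adjusted. "RID Brute Force" is a third copy of the section in enumeration.md; a cross-reference would avoid divergence later. The `S-1-5-21-xxx-500` placeholder SIDs are fine, but the "Lookup Domain SID" sample uses the full `S-1-5-21-1234567890-...` form, so one placeholder style across the file would be cleaner.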
71 changes: 71 additions & 0 deletions rpc-protocol/lsa-operations.md
@@ -0,0 +1,71 @@
# LSA Operations

## LSA Query
```bash
nxc smb 192.168.1.100 -u username -p password --lsa-query

SMB 192.168.1.100 445 DC01 Domain Name: CONTOSO
SMB 192.168.1.100 445 DC01 Domain SID: S-1-5-21-1234567890-1234567890-1234567890
```

## Enumerate LSA SIDs
```bash
nxc smb 192.168.1.100 -u username -p password --lsa-sids

SMB 192.168.1.100 445 DC01 [+] Found 15 SID(s)
SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-500
SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-512
SMB 192.168.1.100 445 DC01 S-1-5-32-544
SMB 192.168.1.100 445 DC01 S-1-1-0
```

## Enumerate Privileges
```bash
nxc smb 192.168.1.100 -u username -p password --lsa-privs

SMB 192.168.1.100 445 DC01 [+] Found 35 privilege(s)
SMB 192.168.1.100 445 DC01 SeCreateTokenPrivilege (0x2)
SMB 192.168.1.100 445 DC01 SeAssignPrimaryTokenPrivilege (0x3)
SMB 192.168.1.100 445 DC01 SeDebugPrivilege (0x14)
```

## Account Rights (Privileges)
```bash
nxc smb 192.168.1.100 -u username -p password --lsa-rights S-1-5-32-544

SMB 192.168.1.100 445 DC01 [+] Rights for S-1-5-32-544:
SMB 192.168.1.100 445 DC01 SeBackupPrivilege
SMB 192.168.1.100 445 DC01 SeRestorePrivilege
SMB 192.168.1.100 445 DC01 SeShutdownPrivilege
```

## Lookup SIDs to Names
```bash
nxc smb 192.168.1.100 -u username -p password --lsa-lookup-sids "S-1-5-21-xxx-500,S-1-5-21-xxx-512,S-1-1-0"

SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-500 -> CONTOSO\Administrator (User)
SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-512 -> CONTOSO\Domain Admins (Group)
SMB 192.168.1.100 445 DC01 S-1-1-0 -> Everyone (WellKnown)
```

## Create LSA Account
```bash
nxc smb 192.168.1.100 -u admin -p password --lsa-create-account S-1-5-21-xxx-1001

SMB 192.168.1.100 445 DC01 [+] Created LSA account for S-1-5-21-xxx-1001
```

## Query LSA Security
```bash
nxc smb 192.168.1.100 -u username -p password --lsa-query-security

SMB 192.168.1.100 445 DC01 revision: 1
SMB 192.168.1.100 445 DC01 type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
SMB 192.168.1.100 445 DC01 DACL
SMB 192.168.1.100 445 DC01 ACL Num ACEs: 9 revision: 2
SMB 192.168.1.100 445 DC01 ---
SMB 192.168.1.100 445 DC01 ACE
SMB 192.168.1.100 445 DC01 type: ACCESS ALLOWED (0) flags: 0x00
SMB 192.168.1.100 445 DC01 Permissions: 0xf1fff: WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
SMB 192.168.1.100 445 DC01 SID: S-1-5-32-544
```
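Review bot: "Create LSA Account" (`--lsa-create-account S-1-5-21-xxx-1001`) is the only option in this file that writes to the target, yet it sits between read-only query sections with no indication of that; mark it as a modifying operation and state the rights it needs, as the `-u admin` credential in the sample only hints at it. The "Enumerate Privileges" sample shows values such as `SeDebugPrivilege (0x14)` without explaining that the bracketed number is the privilege LUID returned by the server rather than a count or a flag; one sentence under the heading would prevent that misreading. "Lookup SIDs to Names" repeats the `--lsa-lookup-sids` section already in lookups.md with one extra SID, and "LSA Query" returns the same domain name and SID as "Query Domain Information" in enumeration.md; consider a cross-reference, or a short note on when the LSA path is preferable over the SAMR one, rather than a second copy. In "Query LSA Security" the `type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE` line is correct, but the `Permissions: 0xf1fff: ...` line lists only three of the access bits that mask encodes, so the sample should either be marked as truncated or show the full list so readers can check their own output against it.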