#Null session
# Anonymous (null-session) bind: an empty username (-U "") and -N, which
# suppresses the password prompt. On a DC this typically surfaces as an
# anonymous network logon (4624 with ANONYMOUS LOGON), which is worth alerting on.
rpcclient -U "" <IP> -N
# -c runs the listed rpcclient command(s) non-interactively and exits;
# enumdomusers lists the domain's user accounts via SAMR.
rpcclient -U <Username> <IP> -c "enumdomusers"
# NOTE(review): in Samba's rpcclient -p is --port=PORT; given a host as its
# argument this line looks incomplete — confirm the intended option.
rpcclient -p <target>
#Use cached TGT
# -k authenticates with the Kerberos TGT already in the credential cache
# (KRB5CCNAME) instead of a password; recent Samba releases deprecate -k in
# favour of --use-kerberos=required.
rpcclient -k <Target-DC>
#Authenticated Enumeration:
#Enumerate accessible machines with credentials using the script below:
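# Run enumdomusers against every host listed in ips.txt (one host per line),
# printing the host before each rpcclient call. Each iteration is an
# authenticated SAMR query against that host, so expect a network logon per
# target on the remote side.
# `read -r` keeps backslashes in the line literal; the `|| [[ -n ... ]]`
# still processes a final line that lacks a trailing newline.
while IFS= read -r line || [[ -n "$line" ]]; do
  # skip blank lines so rpcclient is never invoked without a target
  [[ -n "$line" ]] || continue
  printf '%s\n' "$line"
  # the host is passed as the last argument, quoted as a single word
  rpcclient -U "domain\user%Pass" -c "enumdomusers;quit" "$line"
done < ips.txt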
#Server info
# The commands from here on are typed at the rpcclient> prompt, not in the shell.
# srvinfo: server name, OS version and server type of the target.
srvinfo
# enumprivs: list the privileges known to the target's LSA.
enumprivs
#Enumerate user/group using RID
# queryusergroups <RID>: groups the user with this RID belongs to.
queryusergroups <RID>
# querygroup <RID>: details (name, member count) of the group with this RID.
querygroup <RID>
# RID 500 is the built-in Administrator account of the domain.
queryuser 500
#Groups
# enumalsgroups: list alias (local) groups in the domain and builtin SAM
# databases respectively.
enumalsgroups domain
enumalsgroups builtin
#Identify SID
# lookupnames resolves a user or group name to its SID (and SID type).
lookupnames <username/groupname>
#Enumerate account descriptions
# querydispinfo lists accounts with their name, full name and description
# fields; on the defensive side the description field is worth auditing for
# information that should not be stored there.
querydispinfo
#Password Policy
# getdompwinfo: the domain password policy (minimum length and password
# property/complexity flags).
getdompwinfo
#Change password for a user
# Opens an interactive session to 10.10.10.192 as blackfield\support; the
# password is prompted because none is supplied after a %. The setuserinfo
# call below runs at that prompt and, unlike the read-only queries above, is a
# write operation (an account password reset, typically logged on the DC as
# event 4724).
rpcclient -U blackfield/support 10.10.10.192
#setuserinfo2 (or setuserinfo, as used below) username level password
# setuserinfo <user> 23 <pass>: info level 23 sets a new password for <user>
# (rpcclient also provides setuserinfo2 for the same purpose).
setuserinfo <user> 23 <pass>