Linux command

impacket-rpcdump command

Files

After copying, replace file names, directories, or parameters as needed.

Common examples

Dump RPC endpoints

impacket-rpcdump [target]

Dump with authentication

impacket-rpcdump [domain]/[user]:[password]@[target]

Specify port

impacket-rpcdump -port [135] [target]

Description

impacket-rpcdump queries the Microsoft RPC endpoint mapper (port 135 by default) and prints every registered endpoint, its UUID, and the bindings (named pipes, TCP/UDP ports) it speaks. It is the Python/Impacket equivalent of Microsoft's classic rpcdump.exe and is commonly used to enumerate exposed Active Directory services during authorized engagements. When credentials are supplied (clear-text password, NTLM hash, or Kerberos ticket), additional services that require authentication may appear in the listing; an unauthenticated dump usually returns only the small set of endpoints reachable anonymously.
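The following Python is an added example, not part of Impacket or of this page's original content. It parses saved rpcdump output and reports network-reachable bindings that a baseline dump did not contain, so a defender can spot newly exposed RPC interfaces. It assumes the Protocol/Provider/UUID/Bindings block layout that impacket-rpcdump prints; the sample dumps, UUIDs, host name and function names are constructed for illustration.

```python
import re

# Protocol sequences reachable over the network; ncalrpc is local-only.
REMOTE_PROTSEQS = {"ncacn_ip_tcp", "ncacn_np", "ncacn_http", "ncadg_ip_udp"}
UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})\b")
BINDING_RE = re.compile(r"^(nc[a-z_]+):(.*)$")

def parse_rpcdump(text):
    """One dict per endpoint block (assumed Provider/UUID/Bindings layout)."""
    endpoints, provider = [], "N/A"
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Provider:"):
            provider = s[9:].strip()
        elif m := UUID_RE.match(s):
            endpoints.append({"uuid": m.group(1).upper(), "provider": provider, "bindings": []})
        elif endpoints and (m := BINDING_RE.match(s)):
            endpoints[-1]["bindings"].append((m.group(1), m.group(2)))
    return endpoints

def remote_surface(text):
    """Set of (uuid, protseq, endpoint) for network-reachable bindings."""
    surface = set()
    for ep in parse_rpcdump(text):
        for protseq, rest in ep["bindings"]:
            if protseq in REMOTE_PROTSEQS:
                m = re.search(r"\[(.*)\]$", rest)  # port or pipe; host part dropped
                surface.add((ep["uuid"], protseq, m.group(1) if m else rest))
    return surface

def new_exposure(baseline_text, current_text):
    """Remote bindings in the current dump that the baseline did not have."""
    return sorted(remote_surface(current_text) - remote_surface(baseline_text))

# Constructed sample dumps (not captured from a real host).
BASELINE = r"""Protocol: N/A
Provider: N/A
UUID    : 11111111-2222-3333-4444-555555555555 v1.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49664]
          ncalrpc:[ExampleLocalPort]
"""
ADDED_BLOCK = r"""Protocol: N/A
Provider: example.dll
UUID    : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee v2.0 Example annotation
Bindings:
          ncacn_np:\\HOST01[\PIPE\example]
"""
print(new_exposure(BASELINE, BASELINE + ADDED_BLOCK))
```

Dynamic TCP ports can change across reboots, so a changed port for a UUID already in the baseline is not necessarily a new service.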

Parameters

-port _PORT_
RPC endpoint port (default _135_).
-target-ip _IP_
Override the IP used for the connection (useful when the target is given as a hostname).
-hashes _LMHASH:NTHASH_
Authenticate via Pass-the-Hash instead of supplying a password.
-no-pass
Don't prompt for a password (for use with -hashes or -k).
-k
Use Kerberos authentication. Credentials are read from the ccache file named by the KRB5CCNAME environment variable (for example, one created by kinit).
-aesKey _HEX_
AES key for Kerberos authentication.
-dc-ip _IP_
IP of the domain controller for Kerberos.
-debug
Print verbose protocol-level output.

FAQ

How do I run a basic impacket-rpcdump example?

Run `impacket-rpcdump [target]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
