rpcclient

MS-RPC client tool (part of the samba suite). More information: https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html.

• Connect to a remote host:

rpcclient --user {{domain}}\{{username}}%{{password}} {{ip}}

• Connect to a remote host on a domain without a password:

rpcclient --user {{username}} --workgroup {{domain}} --no-pass {{ip}}

• Connect to a remote host, passing the password hash:

rpcclient --user {{domain}}\{{username}} --pw-nt-hash {{ip}}

• Execute shell commands on a remote host:

rpcclient --user {{domain}}\{{username}}%{{password}} --command {{semicolon_separated_commands}} {{ip}}

• Display domain users:

rpcclient $> enumdomusers

• Display privileges:

rpcclient $> enumprivs

• Display information about a specific user:

rpcclient $> queryuser {{username|rid}}

• Create a new user in the domain:

rpcclient $> createdomuser {{username}}