To extract further information about a user, or when the attacker obtains a user's SID during other enumeration, the lookupsids command can be used to get more information about that particular user.

proxychains nmap -sTV -n -PN -p 80,22 target-ip -vv

First one - two Cobalt Strike sessions: PID 260 - beacon injected into dllhost process.

To enumerate a particular user from rpcclient, the queryuser command must be used.

-S, --signing=on|off|required    Set the client signing state

result was NT_STATUS_NONE_MAPPED
This problem is solved using lookupnames: providing a username returns the SID of that particular user.

rpcclient - Help - Penetration Test Resource Page

getdompwinfo    Retrieve domain password info
schannelsign    Force RPC pipe connections to be signed (not sealed) with 'schannel' (NETSEC).

guest S-1-5-21-1835020781-2383529660-3657267081-1063 (Local Group: 4)

On other systems, you'll find services and applications using port 139.

smbclient (null session), enum4linux.

This information includes the Group Name, Description, Attributes, and the number of members in that group. May need to run a second time for success.

The next command that can be used is enumalsgroups.

rpcclient $> enumprivs

Once proxychains is configured, the attacker can start enumerating the AD environment through the beacon like so:
Moving on, in the same way, they can query info about specific AD users:
Enumerate the current user's privileges and much more (consult rpcclient for all available commands):
Finally, of course, they can run nmap if needed:
Impacket provides even more tools to enumerate remote systems through compromised boxes.

Try "help" to get a list of possible commands.

The next command that can be used via rpcclient is querydominfo.
It contains contents from other blogs for my quick reference.

* nmap -sV --script=vulscan/vulscan.nse (https://securitytrails.com/blog/nmap-vulnerability-scan)
* masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports
* ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
* nmap -Pn -sC -sV --script=vuln*.nse -p$ports 10.10.10.x -T5 -A
  (performs a full scan instead of a SYN scan to prevent getting flagged by firewalls)
* From Apache version to finding the Ubuntu version -> ubuntu httpd versions
* : Private key that is used for login.

Replication READ ONLY

If this information does not appear in other tools used, you can:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# Will sometimes not capture or will print multiple

RPC is built on Microsoft's COM and DCOM technologies.

Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html
https://github.com/SecureAuthCorp/impacket/tree/master/examples
https://www.cobaltstrike.com/help-socks-proxy-pivoting
https://www.youtube.com/watch?v=l8nkXCOYQC4&index=19&list=WL&t=7s

code execution on a target system and the beacon is calling back to the team server