connect
rpc::connect can be used to connect to an RPC endpoint. It has the following command line arguments:
  • /alg: the encryption algorithm to use for the connection. The options are 3DES or RC4. By default it uses 3DES.
  • /remote: the RPC server to connect to
  • /noauth: bind without authentication (the connection is made with AuthnSvc NONE)
  • /authuser: the user to authenticate as; used together with /authdomain and /authpassword
  • /authdomain: the domain of the authuser
  • /authpassword: the authuser's password
Mimikatz can connect to an RPC server without authentication.
mimikatz # rpc::connect /remote:192.168.0.224 /noauth
[rpc] Remote : 192.168.0.224
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] Endpoint : (null)
[rpc] Service : (null)
[rpc] AuthnSvc : NONE (0)
[rpc] NULL Sess: no
Algorithm: CALG_3DES (00006603)
Endpoint resolution is OK
mimikatz is bound!
Mimikatz can also connect to an RPC server that requires authentication; in that case the auth* arguments are needed, and the bind is made with GSS_NEGOTIATE (AuthnSvc 9) instead of NONE.
mimikatz # rpc::connect /remote:192.168.0.224 /authuser:m3g9tr0n /authdomain:hacklab.local /authpassword:Super_SecretPass!
[rpc] Remote : 192.168.0.224
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] Endpoint : (null)
[rpc] Service : (null)
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
[rpc] NULL Sess: no
Algorithm: CALG_3DES (00006603)
Endpoint resolution is OK
mimikatz is bound!
To run a command on the remote server through the session opened with rpc::connect, prefix it with an asterisk (*). Without the prefix the command runs in the local mimikatz instance, which is an easy way to confirm which host you are actually talking to:
mimikatz # hostname
Win10.hacklab.local (WIN10)

mimikatz # *hostname
DC.hacklab.local (DC)
The mimikatz.py example script that ships with Impacket can also be used to connect to the same endpoint from a non-Windows host.
Without supplying credentials, mimikatz.py will attempt to start an unauthenticated session.
# python3 mimikatz.py 192.168.0.224
Impacket v0.9.24.dev1+20210922.102044.c7bc76f8 - Copyright 2021 SecureAuth Corporation

  .#####.   mimikatz RPC interface
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Impacket client by Alberto Solino (@agsolino)      * * */

Type help for list of commands
mimikatz # hostname
DC.hacklab.local (DC)
If the remote RPC endpoint requires authentication, mimikatz.py needs credentials, given in Impacket's usual domain/user:password@host form. Quote the target if the password contains shell metacharacters such as ! or $, since an interactive bash or zsh will otherwise try to history-expand it.
# python3 mimikatz.py hacklab.local/m3g9tr0n:Super_SecretPass!@192.168.0.224
Impacket v0.9.24.dev1+20210922.102044.c7bc76f8 - Copyright 2021 SecureAuth Corporation

  .#####.   mimikatz RPC interface
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Impacket client by Alberto Solino (@agsolino)      * * */

Type help for list of commands
mimikatz # hostname
DC.hacklab.local (DC)
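The two front ends above take the same information in different shapes: rpc::connect takes /remote, /alg, /noauth and the /auth* switches, while mimikatz.py takes a single domain/user:password@host target. The following Python is an added example, not code from mimikatz or Impacket, that makes the mapping explicit: it parses the Impacket-style target, derives the connection settings mimikatz echoes in its "[rpc]" lines (string binding, AuthnSvc value, CALG value), and rebuilds the equivalent rpc::connect argument list. The numeric constants are the real ones from the Windows rpcdce.h and wincrypt.h headers. Two behaviours are assumptions of this example rather than documented mimikatz behaviour: /noauth is given precedence if /auth* arguments are also present, and giving neither is treated as an error, because the page documents only the two cases shown.

```python
import re
from typing import List, NamedTuple, Optional

# Values from rpcdce.h / wincrypt.h; these are the numbers mimikatz prints
# in "[rpc] AuthnSvc : ..." and "Algorithm: CALG_... (...)".
RPC_C_AUTHN_NONE = 0            # "[rpc] AuthnSvc : NONE (0)"      -> /noauth
RPC_C_AUTHN_GSS_NEGOTIATE = 9   # "[rpc] AuthnSvc : GSS_NEGOTIATE (9)" -> /auth*
CALG_3DES = 0x00006603          # "Algorithm: CALG_3DES (00006603)" -> /alg:3DES (default)
CALG_RC4 = 0x00006801           # /alg:RC4

AUTHN_NAMES = {RPC_C_AUTHN_NONE: "NONE", RPC_C_AUTHN_GSS_NEGOTIATE: "GSS_NEGOTIATE"}
ALG_BY_NAME = {"3DES": CALG_3DES, "RC4": CALG_RC4}


class Target(NamedTuple):
    domain: Optional[str]
    user: Optional[str]
    password: Optional[str]
    host: str


def parse_target(target: str) -> Target:
    """Parse an Impacket-style "[[domain/]user[:password]@]host" string.

    Splitting on the *last* '@' keeps a password that itself contains '@'
    intact; a left-to-right regex that stops at the first '@' would cut it.
    """
    creds, sep, host = target.rpartition("@")
    if not sep:
        # bare host: mimikatz.py then attempts an unauthenticated session
        return Target(None, None, None, target)
    domain = None
    if "/" in creds:
        domain, creds = creds.split("/", 1)
    user, colon, password = creds.partition(":")
    return Target(domain or None, user or None, password if colon else None, host)


class ConnectPlan(NamedTuple):
    string_binding: str   # protocol sequence + network address, e.g. ncacn_ip_tcp:host
    authn_svc: int        # RPC_C_AUTHN_* value
    algorithm: int        # CALG_* value


def plan_connect(remote: str, alg: str = "3DES", noauth: bool = False,
                 authuser: Optional[str] = None, authdomain: Optional[str] = None,
                 authpassword: Optional[str] = None) -> ConnectPlan:
    """Derive the settings rpc::connect reports from its command line arguments."""
    if alg.upper() not in ALG_BY_NAME:
        raise ValueError("unknown /alg value %r; expected 3DES or RC4" % alg)
    if noauth:
        # assumption of this example: /noauth wins over any /auth* switches
        authn = RPC_C_AUTHN_NONE
    elif authuser:
        authn = RPC_C_AUTHN_GSS_NEGOTIATE
    else:
        # assumption of this example: the page documents only the two cases above
        raise ValueError("give /noauth or /authuser (with /authdomain and /authpassword)")
    return ConnectPlan("ncacn_ip_tcp:%s" % remote, authn, ALG_BY_NAME[alg.upper()])


def describe(plan: ConnectPlan) -> str:
    """Render a plan the way mimikatz echoes it, for side-by-side comparison."""
    protseq = plan.string_binding.split(":", 1)[0]
    alg_name = "CALG_3DES" if plan.algorithm == CALG_3DES else "CALG_RC4"
    return ("[rpc] ProtSeq : %s\n[rpc] AuthnSvc : %s (%d)\nAlgorithm: %s (%08x)"
            % (protseq, AUTHN_NAMES[plan.authn_svc], plan.authn_svc, alg_name, plan.algorithm))


def impacket_target_to_mimikatz(target: str, alg: str = "3DES") -> List[str]:
    """Translate a mimikatz.py target into the equivalent rpc::connect invocation."""
    t = parse_target(target)
    args = ["rpc::connect", "/remote:%s" % t.host, "/alg:%s" % alg]
    if t.user is None:
        args.append("/noauth")          # no credentials -> unauthenticated bind
    else:
        args.append("/authuser:%s" % t.user)
        if t.domain:
            args.append("/authdomain:%s" % t.domain)
        if t.password is not None:
            args.append("/authpassword:%s" % t.password)
    return args


if __name__ == "__main__":
    for target in ("192.168.0.224", "hacklab.local/m3g9tr0n:Super_SecretPass!@192.168.0.224"):
        args = impacket_target_to_mimikatz(target)
        print(" ".join(args))
        t = parse_target(target)
        print(describe(plan_connect(t.host, noauth=t.user is None, authuser=t.user,
                                    authdomain=t.domain, authpassword=t.password)))
        print()
```

Running it on the two targets used on this page prints the rpc::connect line and the same ProtSeq, AuthnSvc and Algorithm values that appear in the mimikatz output above; nothing is sent on the network.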