Comment on page
server
rpc::server
can be used to start an RPC server. It has the following command line arguments:/stop
: terminates the RPC connection/guid
: the guid for the RPC endpoint (opsec safe)/noreg
: to not register the RPC binding/secure
: only secure connections are accepted/altservice
: alter the rpc service name (opsec safe)/negotiate
: the default authentication mechanismGSS_NEGOTIATE (9)
./ntlm:
use NTLM authenticationWINNT (10)
./kerberos
: use Kerberos authenticationGSS_KERBEROS (16)
./authuser
: the user for authentication/authdomain
: the domain of the authuser/authpassword
: the authuser's password
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
752 {0;000003e7} 0 D 44299 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary
-> Impersonated !
* Process Token : {0;002cfce0} 4 F 118309013 hacklab\m3g9tr0n S-1-5-21-2725560159-1428537199-2260736313-1730 (13g,24p) Primary
* Thread Token : {0;000003e7} 0 D 118617400 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Impersonation (Delegation)
Without authentication
With authentication
An RPC server can be started without an authentication requirement.
mimikatz # rpc::server
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] Endpoint : (null)
[rpc] Service : (null)
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Map Reg.: yes
Security: Allow no auth
mimikatz # > BindString[0]: ncacn_ip_tcp:DC[61057]
> RPC bind registered
> RPC Server is waiting!
An RPC server can be started with an authentication requirement.
mimikatz # rpc::server /secure /authuser:m3g9tr0n /authdomain:hacklab.local /authpassword:Super_SecretPass!
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] Endpoint : (null)
[rpc] Service : (null)
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Map Reg.: yes
Security: Secure only
mimikatz # > BindString[0]: ncacn_ip_tcp:DC[61057]
> RPC bind registered
> RPC Server is waiting!
mimikatz # ** Security Callback! **
> ServerPrincName:
> AuthnLevel : 6 - PKT_PRIVACY
> AuthnSvc : 10 - WINNT
> AuthzSvc : 0
Last modified 1yr ago