server
rpc::server can be used to start an RPC server. It has the following command-line arguments:
  • /stop: terminates the RPC connection
  • /guid: the GUID for the RPC endpoint (opsec safe)
  • /noreg: do not register the RPC binding
  • /secure: only secure (authenticated) connections are accepted
  • /altservice: alter the RPC service name (opsec safe)
  • /negotiate: the default authentication mechanism, GSS_NEGOTIATE (9)
  • /ntlm: use NTLM authentication, WINNT (10)
  • /kerberos: use Kerberos authentication, GSS_KERBEROS (16)
  • /authuser: the user for authentication
  • /authdomain: the domain of the authuser
  • /authpassword: the authuser's password
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM

752 {0;000003e7} 0 D 44299 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary
-> Impersonated !
* Process Token : {0;002cfce0} 4 F 118309013 hacklab\m3g9tr0n S-1-5-21-2725560159-1428537199-2260736313-1730 (13g,24p) Primary
* Thread Token : {0;000003e7} 0 D 118617400 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Impersonation (Delegation)
Without authentication
An RPC server can be started without an authentication requirement.
mimikatz # rpc::server
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] Endpoint : (null)
[rpc] Service : (null)
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Map Reg.: yes
Security: Allow no auth

mimikatz # > BindString[0]: ncacn_ip_tcp:DC[61057]
> RPC bind registered
> RPC Server is waiting!

With authentication
An RPC server can be started with an authentication requirement.
mimikatz # rpc::server /secure /authuser:m3g9tr0n /authdomain:hacklab.local /authpassword:Super_SecretPass!
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] Endpoint : (null)
[rpc] Service : (null)
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Map Reg.: yes
Security: Secure only

mimikatz # > BindString[0]: ncacn_ip_tcp:DC[61057]
> RPC bind registered
> RPC Server is waiting!

mimikatz # ** Security Callback! **
> ServerPrincName:
> AuthnLevel : 6 - PKT_PRIVACY
> AuthnSvc : 10 - WINNT
> AuthzSvc : 0
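As an added example (not part of the mimikatz documentation), the following parser turns an rpc::server transcript like the two above into a structured record for reporting or log review: it extracts the banner fields, the BindString (protocol sequence, host, port), the Security Callback fields, maps the AuthnSvc ids from the argument list (9, 10, 16) to their names, and flags whether the server was started with "Security: Allow no auth". The sample transcript is constructed from the output quoted above.

```python
import re

# Authentication service ids as listed in the argument table (/negotiate, /ntlm, /kerberos).
AUTHN_SVC = {9: "GSS_NEGOTIATE", 10: "WINNT", 16: "GSS_KERBEROS"}

BIND_RE = re.compile(r"BindString\[\d+\]:\s*(\w+):([^\[]+)\[(\d+)\]")
FIELD_RE = re.compile(r"^(?:\[rpc\]\s*|>\s*)?([A-Za-z. ]+?)\s*:\s*(.*)$")
BANNER_KEYS = {"ProtSeq", "Endpoint", "Service", "AuthnSvc", "Map Reg.", "Security"}
CALLBACK_KEYS = {"ServerPrincName", "AuthnLevel", "AuthnSvc", "AuthzSvc"}

# Constructed sample transcript, assembled from the output quoted on this page.
SAMPLE = """mimikatz # rpc::server /secure
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] Endpoint : (null)
[rpc] Service : (null)
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Map Reg.: yes
Security: Secure only

mimikatz # > BindString[0]: ncacn_ip_tcp:DC[61057]
> RPC bind registered
> RPC Server is waiting!

mimikatz # ** Security Callback! **
> ServerPrincName:
> AuthnLevel : 6 - PKT_PRIVACY
> AuthnSvc : 10 - WINNT
> AuthzSvc : 0
"""


def _authn(value: str) -> dict:
    """'GSS_NEGOTIATE (9)' or '10 - WINNT' -> {'id': 9, 'name': 'GSS_NEGOTIATE'}."""
    num = int(re.search(r"\d+", value).group())
    return {"id": num, "name": AUTHN_SVC.get(num, "UNKNOWN")}


def parse_rpc_server(text: str) -> dict:
    """Parse an rpc::server transcript into banner, bind strings and security callbacks."""
    info = {"banner": {}, "binds": [], "callbacks": []}
    callback = None  # becomes a dict once '** Security Callback! **' has been seen
    for raw in text.splitlines():
        line = raw.replace("mimikatz # ", "").strip()  # async output is printed after the prompt
        if "Security Callback" in line:
            callback = {}
            info["callbacks"].append(callback)
            continue
        bind = BIND_RE.search(line)
        if bind:
            info["binds"].append({"protseq": bind.group(1), "host": bind.group(2), "port": int(bind.group(3))})
            continue
        field = FIELD_RE.match(line)
        if not field:
            continue  # 'RPC bind registered', 'RPC Server is waiting!', blank lines
        key, value = field.group(1).strip(), field.group(2).strip()
        if callback is not None and key in CALLBACK_KEYS:
            callback[key] = _authn(value) if key == "AuthnSvc" else value
        elif callback is None and key in BANNER_KEYS:
            info["banner"][key] = _authn(value) if key == "AuthnSvc" else value
    # The security-relevant field: 'Allow no auth' means unauthenticated clients may bind.
    info["requires_auth"] = info["banner"].get("Security") == "Secure only"
    return info
```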