<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Rpcclient on Ethical Hacking | Pentest e Sicurezza Informatica | Hackita</title><link>https://hackita.it/tags/rpcclient/</link><description>Recent content in Rpcclient on Ethical Hacking | Pentest e Sicurezza Informatica | Hackita</description><generator>Hugo</generator><language>it</language><lastBuildDate>Sat, 25 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://hackita.it/tags/rpcclient/index.xml" rel="self" type="application/rss+xml"/><item><title>Porta 135 RPC Windows: Null Session, WMI Exec e Lateral Movement AD</title><link>https://hackita.it/articoli/porta-135-rpc/</link><pubDate>Sat, 25 Apr 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/porta-135-rpc/</guid><description>&lt;p&gt;La porta 135 espone &lt;strong&gt;Microsoft RPC&lt;/strong&gt; (Remote Procedure Call) — il servizio Windows fondamentale che coordina comunicazione inter-process tra sistemi, operante come endpoint mapper per servizi DCOM, WMI, DCOM e decine di Windows APIs remote. RPC su TCP porta 135 agisce come &amp;ldquo;directory service&amp;rdquo; simile a RPCbind Unix (porta 111), mappando UUID servizi a porte dinamiche high-range (49152-65535), permettendo applicazioni Windows di invocare procedure remote senza conoscere porte specifiche. In penetration testing Active Directory, la porta 135 è &lt;strong&gt;gateway critico multi-vettore&lt;/strong&gt;: enumeration massiva domain controllers/workstations, null session exploitation pre-SMB, WMI lateral movement, DCOM exploitation (CVE-2017-8464, MS03-026), e information disclosure via RPC endpoint mapping. Ogni Windows host con porta 135 aperta espone &lt;strong&gt;decine di servizi RPC&lt;/strong&gt; potentially vulnerable — da null session enumeration a remote code execution via DCOM.&lt;/p&gt;</description></item><item><title>Rpcclient: attacco e enum SMB su Active Directory</title><link>https://hackita.it/articoli/rpcclient/</link><pubDate>Fri, 23 Jan 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/rpcclient/</guid><description>&lt;h1
 id="rpcclient-attacco-e-enum-smb-su-active-directory" class="group/anchor-heading"&gt;
 Rpcclient: attacco e enum SMB su Active Directory
 &lt;a href="#rpcclient-attacco-e-enum-smb-su-active-directory" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h1&gt;&lt;p&gt;Se hai la 445 aperta ma l’enumerazione “classica” ti dà poco, &lt;code&gt;rpcclient&lt;/code&gt; ti fa tirare fuori utenti, gruppi, SID e policy in modo chirurgico (sempre in lab/CTF/VM autorizzate).&lt;/p&gt;
&lt;h2
 id="intro" class="group/anchor-heading"&gt;
 Intro
 &lt;a href="#intro" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h2&gt;&lt;p&gt;&lt;code&gt;rpcclient&lt;/code&gt; è un client MS-RPC/DCE-RPC della suite Samba che ti permette di interrogare servizi Windows/AD (SAMR, LSA, SRVSVC) passando spesso da SMB (named pipes).&lt;/p&gt;
&lt;p&gt;In un workflow offensivo da lab è utile quando vuoi trasformare “porta 445 aperta” in intelligence di dominio: utenti, gruppi, membership, SID/RID, policy password, share enumerate via RPC.&lt;/p&gt;</description></item></channel></rss>