rpc

RPC (Remote Procedure Call) enumeration and endpoint discovery. R4t uses null sessions and authenticated RPC to enumerate users, groups, trusts, machines, printers, and endpoint bindings.

Usage

r4t rpc <subcommand> [flags]

Subcommands

`rpc get`

Enumerate AD and host information via RPC protocols.

r4t rpc get <type> [flags]

Each subtype supports the same output flag:

Flag	Short	Description
`--output`	`-o`	Write results to file

Types

Type	Description
`user`	Enumerate user accounts via RPC (SAM / SAMR)
`group`	Enumerate local and domain groups via RPC
`trust`	Enumerate domain trusts via RPC (LSARPC)
`machine`	Enumerate machine accounts via RPC
`printer`	Enumerate printers via MS-RPRN
`desc`	Enumerate user description fields via RPC
`permissions`	Enumerate RPC endpoint permissions

Examples

# Enumerate users via RPC (can work with null session on older systems)
r4t rpc get user

# Enumerate groups
r4t rpc get group

# Enumerate domain trusts via LSARPC
r4t rpc get trust

# Enumerate machine accounts
r4t rpc get machine

# Enumerate printers (also identifies PrinterBug / SpoolSample targets)
r4t rpc get printer

# Get user descriptions
r4t rpc get desc

# Check RPC endpoint permissions
r4t rpc get permissions

# Write results to file
r4t rpc get user --output /tmp/rpc-users.txt

`rpc dump`

Dump all RPC endpoints registered with the endpoint mapper (port 135).

r4t rpc dump

Connects to the target’s endpoint mapper and enumerates all registered RPC interfaces, UUIDs, protocols, and binding strings. Useful for identifying what services are running and what attack surface is exposed.

RPC Storage

RPC findings are stored in the database:

Table	Contents
`rpc_permissions`	Enumerated RPC access rights per endpoint
`rpc_sessions`	Active RPC session tracking

Null Session vs Authenticated

RPC enumeration can work via:

Null session (unauthenticated) — use --anonymous flag. Works against legacy or misconfigured systems.
Authenticated — uses stored or inline credentials via global flags.

# Null session attempt
r4t rpc get user --anonymous

# Authenticated
r4t rpc get user -u jsmith -p 'P@ssword1' -d corp.example.com

commands

​rpc

​Usage

​Subcommands

​rpc get

​Types

​Examples

​rpc dump

​RPC Storage

​Null Session vs Authenticated

rpc