DanMcInerney
commented
6 years ago I've been thinking about implementing this since I read that article too. It's a good idea, it's just that the RID cycling and reverse bruteforce is by far the most complex part of this script so it's going to take a lot of effort to replace the current system. I haven't actually seen rpcclient catch a false negative yet in my testing environments either so at the moment this isn't worth the time I'll have to spend on it. But it is definitely an improvement I might look into the future.
Per the research by SensePost here:
https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/
"I found that when I used rpcclient against known vulnerable systems, that it would often produce error messages and fail to enumerate user information. In a penetration test scenario, this behaviour could make one believe that the remote system does not allow one to access the IPC$ share and execute RPC calls, while it could be possible."
"By default, rpcclient first opens the LSARPC pipe and then requests the remote system to execute the LsaOpenPolicy and LsaQueryInformationPolicy functions. If an anonymous user is not allowed to execute these function, rpcclient exits. Most RPC calls however don’t require the information provided by these functions. In our test for example, the smb-enum-users script could still execute QueryDisplayInfo, and enumerate user information, without access to these functions."
It seems that relying on rcpcclient could produce a false negative.