MSRPC Pentesting Best Practices

MSRPC

MSRPC usually uses ports 135 and 593.

What is MSRPC?

Microsoft Remote Procedure Call (MSRPC), also known as a function call or a subroutine call, is a protocol that uses the client-server model to allow one program to request a service from a program on another computer without having to understand the details of that computer's network. MSRPC was originally derived from open source software but has been developed further and copyrighted by Microsoft.

Depending on the host configuration, the RPC endpoint mapper can be accessed through TCP and UDP port 135, via SMB with a null or authenticated session (TCP 139 and 445), and as a web service listening on TCP port 593.

MSRPC works only on:

  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2003 with SP1
  • Windows Server 2003 with SP2

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC

How does MSRPC work?

The MSRPC process begins on the client side, with the client application calling a local stub procedure instead of code implementing the procedure. The client stub code retrieves the required parameters from the client address space and delivers them to the client runtime library, which then translates the parameters into a standard Network Data Representation format to transmit to the server.

The client stub then calls functions in the RPC client runtime library to send the request and parameters to the server. If the server is located remotely, the runtime library specifies an appropriate transport protocol and engine and passes the RPC to the network stack for transport to the server. For more details, please check this link.

Pentesting MSRPC

Shodan search query: port:135,593,445

nmap -sV -p135 10.10.x.x
nmap -p135 --script=msrpc-enum 10.10.x.x

Some Useful RPC Enumeration Tools and Commands

##########################################
enum4linux
##########################################
# Verbose mode
enum4linux -v 192.168.x.x

# Do everything
enum4linux -a 192.168.x.x

# List users
enum4linux -U 192.168.x.x

# If you've managed to obtain credentials, you can pull a full list of users regardless of the RestrictAnonymous option
enum4linux -u administrator -p password -U 192.168.x.x

# Get usernames from the default RID range (500-550, 1000-1050)
enum4linux -r 192.168.x.x

# Get usernames using a custom RID range
enum4linux -R 600-660 192.168.x.x

# List groups
enum4linux -G 192.168.x.x

# List shares
enum4linux -S 192.168.x.x

# Perform a dictionary attack if the server doesn't let you retrieve a share list
enum4linux -s shares.txt 192.168.x.x

# Pull OS information using smbclient; this can reveal the service pack version on some versions of Windows
enum4linux -o target-ip

# Pull information about printers known to the remote device
enum4linux -i target-ip

# enum4linux-ng is a rewrite of the official tool (python3),
# adding some features like colors and parsing
https://github.com/cddmp/enum4linux-ng
##########################################
rpcclient
##########################################
# Anonymous connection (-N = no password)
rpcclient -U "" -N 192.168.x.x

# Connection with a user
rpcclient -U "user" 192.168.x.x

# Get information about the DC
srvinfo

# Get information about objects such as groups (enum*)
enumdomains
enumdomgroups
enumalsgroups builtin

# Try to get the domain password policy
getdompwinfo

# Try to enumerate trusted domains
dsr_enumtrustdom

# Get username for a defined user?
getusername

# Query user, group etc. information
queryuser RID
querygroupmem 519
queryaliasmem builtin 0x220

# Query the LSA info policy
lsaquery

# Convert SIDs to names
lookupsids SID

# Different tool: rpcinfo
rpcinfo -p 192.168.x.x

Identifying Exposed RPC Services

You can query the RPC locator service and individual RPC endpoints to catalog interesting services running over TCP, UDP, HTTP, and SMB (via named pipes). Each IFID value gathered through this process denotes an RPC service (e.g., 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc is the Messenger interface).

Todd Sabin's rpcdump and ifids Windows utilities query both the RPC locator and specific RPC endpoints to list IFID values. The rpcdump syntax (here Impacket's rpcdump.py) is as follows:

python3 /usr/share/doc/python3-impacket/examples/rpcdump.py 192.168.x.x

You can access the RPC locator service by using four protocol sequences:

  • ncacn_ip_tcp and ncadg_ip_udp (TCP and UDP port 135)
  • ncacn_np (the \pipe\epmapper named pipe via SMB)
  • ncacn_http (RPC over HTTP via TCP port 80, 593, and others)

msf6 > use auxiliary/scanner/dcerpc/endpoint_mapper
msf6 > use auxiliary/scanner/dcerpc/hidden
msf6 > use auxiliary/scanner/dcerpc/management
msf6 > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

Note that of the modules above, all except tcp_dcerpc_auditor can only be run against MSRPC on port 135.

Notable RPC interfaces

| IFID value | Named pipe | Description |
|---|---|---|
| 12345778-1234-abcd-ef00-0123456789ab | \pipe\lsarpc | LSA interface, used to enumerate users |
| 3919286a-b10c-11d0-9ba8-00c04fd92ef5 | \pipe\lsarpc | LSA Directory Services (DS) interface, used to enumerate domains and trust relationships |
| 12345778-1234-abcd-ef00-0123456789ac | \pipe\samr | LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and brute-force user passwords regardless of account lockout policy |
| 1ff70682-0a51-30e8-076d-740be8cee98b | \pipe\atsvc | Task scheduler, used to remotely execute commands |
| 338cd001-2244-31f1-aaaa-900038001003 | \pipe\winreg | Remote registry service, used to access the system registry |
| 367abb81-9844-35f1-ad32-98f038001003 | \pipe\svcctl | Service control manager and server services, used to remotely start and stop services and execute commands |
| 4b324fc8-1670-01d3-1278-5a47bf6ee188 | \pipe\srvsvc | Service control manager and server services, used to remotely start and stop services and execute commands |
| 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 | \pipe\epmapper | DCOM interface, supporting WMI |

(Table source: O'Reilly library.)
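As an added example (not code from the original post or from any tool it cites), the following Python script parses rpcdump.py-style endpoint mapper output and reports which of the notable interfaces in the table above are reachable and over which protocol sequences, which is the check a defender runs to confirm that only the expected interfaces are exposed. The sample output is constructed, and the parser assumes the "Protocol:/UUID:/Bindings:" record layout shown in it.

```python
import re
# Notable IFIDs from the table above (lower-case UUID -> short description).
NOTABLE_IFIDS = {
    "12345778-1234-abcd-ef00-0123456789ab": "LSA (lsarpc): user enumeration",
    "3919286a-b10c-11d0-9ba8-00c04fd92ef5": "LSA DS (lsarpc): domains and trusts",
    "12345778-1234-abcd-ef00-0123456789ac": "SAMR (samr): SAM database access",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "Task scheduler (atsvc)",
    "338cd001-2244-31f1-aaaa-900038001003": "Remote registry (winreg)",
    "367abb81-9844-35f1-ad32-98f038001003": "Service control manager (svcctl)",
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "Server service (srvsvc)",
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": "DCOM (epmapper), supports WMI",
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": "Messenger",
}

UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})\s+v([\d.]+)", re.M)
BIND_RE = re.compile(r"^\s*(ncacn_ip_tcp|ncadg_ip_udp|ncacn_np|ncacn_http):(\S+)", re.M)

def parse_rpcdump(text):
    """Return {uuid: {"version": str, "bindings": [(protseq, endpoint), ...]}}."""
    entries = {}
    for record in text.split("Protocol:")[1:]:  # one UUID and its bindings per record
        m = UUID_RE.search(record)
        if not m:
            continue
        entry = entries.setdefault(m.group(1).lower(), {"version": m.group(2), "bindings": []})
        entry["bindings"].extend(BIND_RE.findall(record))
    return entries

def exposed_notable(entries):
    """Notable interfaces that are reachable, with the transports offering each."""
    return {u: sorted({p for p, _ in e["bindings"]})
            for u, e in entries.items() if u in NOTABLE_IFIDS}

# Constructed sample in the layout of impacket's rpcdump.py output (not a real capture).
SAMPLE = r"""
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49670]
          ncacn_np:\\DC01[\pipe\svcctl]

Protocol: N/A
UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\atsvc]
"""
if __name__ == "__main__":
    for uuid, protseqs in exposed_notable(parse_rpcdump(SAMPLE)).items():
        print(f"{uuid}  {NOTABLE_IFIDS[uuid]:36}  via {', '.join(protseqs)}")
```

Interfaces that are bound only to ncacn_np are reachable through SMB named pipes rather than a dedicated TCP port, so port-based filtering alone does not hide them.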

Identifying IP addresses

Using https://github.com/mubix/IOXIDResolver, which comes from Airbus research, it is possible to abuse the ServerAlive2 method of the IOXIDResolver interface.

This method has been used to obtain interface information, such as IPv6 addresses, from the HTB box APT. See 0xdf's APT writeup, which includes an alternative method using rpcmap.py from Impacket with stringbinding (see above).

This post is licensed under CC BY 4.0 by the author.