MSRPC Pentesting Best Practices

Uploaded by kocherla Manohar

MSRPC
MSRPC usually uses ports 135 and 593.

What is MSRPC?
Microsoft Remote Procedure Call (MSRPC), a form of function call or subroutine call, is a
protocol that uses the client-server model to let one program request a service from a
program on another computer without having to understand the details of that computer's
network. MSRPC was originally derived from open source software but has been developed
further and copyrighted by Microsoft.

Depending on the host configuration, the RPC endpoint mapper can be accessed through TCP
and UDP port 135, via SMB with a null or authenticated session (TCP 139 and 445), and as a
web service listening on TCP port 593.

MSRPC works only on:

- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2003 with SP1
- Windows Server 2003 with SP2

PORT    STATE SERVICE VERSION
135/tcp open  msrpc   Microsoft Windows RPC

How does MSRPC work?


The MSRPC process begins on the client side, with the client application calling a local stub
procedure instead of code implementing the procedure. The client stub code retrieves the
required parameters from the client address space and delivers them to the client runtime
library, which then translates the parameters into a standard Network Data Representation
format to transmit to the server.

The client stub then calls functions in the RPC client runtime library to send the request and
parameters to the server. If the server is located remotely, the runtime library specifies an
appropriate transport protocol and engine and passes the RPC to the network stack for
transport to the server. For more details, please check this link.
Pentesting MSRPC

Shodan search query:
port:135,593,445

nmap -sV -p135 10.10.x.x
nmap -p135 --script=msrpc-enum 10.10.x.x

##########################################
enum4linux
##########################################
# Verbose mode
enum4linux -v 192.168.x.x

# Do everything
enum4linux -a 192.168.x.x

# List users
enum4linux -U 192.168.x.x

# If you've managed to obtain credentials, you can pull a full list of
# users regardless of the RestrictAnonymous option
enum4linux -u administrator -p password -U 192.168.x.x

# Get usernames from the default RID range (500-550, 1000-1050)
enum4linux -r 192.168.x.x

# Get usernames using a custom RID range
enum4linux -R 600-660 192.168.x.x

# List groups
enum4linux -G 192.168.x.x

# List shares
enum4linux -S 192.168.x.x

# Perform a dictionary attack if the server doesn't let you retrieve a
# share list
enum4linux -s shares.txt 192.168.x.x

# Pull OS information using smbclient; this can pull the service pack
# version on some versions of Windows
enum4linux -o target-ip

# Pull information about printers known to the remote device
enum4linux -i target-ip

# enum4linux-ng is a rewrite of the official tool (python3),
# adding some features like colors and parsing
https://github.com/cddmp/enum4linux-ng

##########################################
rpcclient
##########################################
# Anonymous connection (-N = no password)
rpcclient -U "" -N 192.168.x.x

# Connection with a user
rpcclient -U "user" 192.168.x.x

# Get information about the DC
srvinfo

# Get information about objects such as domains and groups (enum*)
enumdomains
enumdomgroups
enumalsgroups builtin

# Try to get the domain password policy
getdompwinfo

# Try to enumerate trusted domains
dsr_enumtrustdom

# Get the username of the account the current session is using
getusername

# Query user, group etc. information
queryuser RID
querygroupmem 519
queryaliasmem builtin 0x220

# Query info policy
lsaquery

# Convert SIDs to names
lookupsids SID

# Different tool: rpcinfo
rpcinfo -p 192.168.x.x

Identifying Exposed RPC Services


You can query the RPC locator service and individual RPC endpoints to catalog interesting
services running over TCP, UDP, HTTP, and SMB (via named pipes). Each IFID value
gathered through this process denotes an RPC service (e.g., 5a7b91f8-ff00-11d0-a9b2-
00c04fb6e6fc is the Messenger interface).
Todd Sabin's rpcdump and ifids Windows utilities query both the RPC locator and specific
RPC endpoints to list IFID values. Impacket's rpcdump.py does the same; its syntax is as
follows:

python3 /usr/share/doc/python3-impacket/examples/rpcdump.py 192.168.x.x

You can access the RPC locator service by using four protocol sequences:

- ncacn_ip_tcp and ncadg_ip_udp (TCP and UDP port 135)
- ncacn_np (the \pipe\epmapper named pipe via SMB)
- ncacn_http (RPC over HTTP via TCP port 80, 593, and others)

msf6 > use auxiliary/scanner/dcerpc/endpoint_mapper
msf6 > use auxiliary/scanner/dcerpc/hidden
msf6 > use auxiliary/scanner/dcerpc/management
msf6 > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

Note that of the modules listed, all except tcp_dcerpc_auditor can only be run against
MSRPC on port 135.

Notable RPC interfaces

IFID value                             Named pipe       Description
12345778-1234-abcd-ef00-0123456789ab   \pipe\lsarpc     LSA interface, used to enumerate users
3919286a-b10c-11d0-9ba8-00c04fd92ef5   \pipe\lsarpc     LSA Directory Services (DS) interface, used to enumerate domains and trust relationships
12345778-1234-abcd-ef00-0123456789ac   \pipe\samr       LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and brute-force user passwords regardless of account lockout policy
1ff70682-0a51-30e8-076d-740be8cee98b   \pipe\atsvc      Task scheduler, used to remotely execute commands
338cd001-2244-31f1-aaaa-900038001003   \pipe\winreg     Remote registry service, used to access the system registry
367abb81-9844-35f1-ad32-98f038001003   \pipe\svcctl     Service control manager and server services, used to remotely start and stop services and execute commands
4b324fc8-1670-01d3-1278-5a47bf6ee188   \pipe\srvsvc     Service control manager and server services, used to remotely start and stop services and execute commands
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57   \pipe\epmapper   DCOM interface, supporting WMI

(Table source: O'Reilly library)
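The IFIDs above are what a client names in the abstract-syntax field of its DCE/RPC bind PDU, the first message exchanged after the transport described in "How does MSRPC work?" is set up. The following Python is an added example, not part of the original document or of any tool it mentions: it parses a connection-oriented bind PDU, extracts each requested interface UUID and version, and reports those that appear in the table, which is the check a network sensor or pcap triage script would perform. The function names, the NOTABLE_IFIDS map and the sample PDU (built by build_bind, a bind to svcctl) are constructed here.

```python
import struct
import uuid

# Notable IFIDs from the table above: UUID -> (named pipe, short description).
NOTABLE_IFIDS = {
    "12345778-1234-abcd-ef00-0123456789ab": ("\\pipe\\lsarpc", "LSA interface (enumerate users)"),
    "3919286a-b10c-11d0-9ba8-00c04fd92ef5": ("\\pipe\\lsarpc", "LSA DS interface (domains, trusts)"),
    "12345778-1234-abcd-ef00-0123456789ac": ("\\pipe\\samr", "SAMR interface (SAM database)"),
    "1ff70682-0a51-30e8-076d-740be8cee98b": ("\\pipe\\atsvc", "Task scheduler"),
    "338cd001-2244-31f1-aaaa-900038001003": ("\\pipe\\winreg", "Remote registry service"),
    "367abb81-9844-35f1-ad32-98f038001003": ("\\pipe\\svcctl", "Service control manager"),
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": ("\\pipe\\srvsvc", "Server service"),
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": ("\\pipe\\epmapper", "DCOM interface, supporting WMI"),
}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax v2.0
PTYPE_BIND = 11  # packet type of a connection-oriented bind PDU

def parse_bind(pdu: bytes) -> dict:
    """Parse a DCE/RPC bind PDU: 16-byte common header, then the bind body with its contexts."""
    vers, _, ptype, _, drep, frag_len, _, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or ptype != PTYPE_BIND or frag_len != len(pdu):
        raise ValueError("not a well-formed DCE/RPC v5 bind PDU")
    if not drep[0] & 0x10:
        raise ValueError("big-endian integer representation not handled here")
    n_ctx, off, contexts = pdu[24], 28, []  # body: max_xmit(2) max_recv(2) assoc(4) n_ctx(1) pad(3)
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)  # then 1 reserved byte
        ifid = uuid.UUID(bytes_le=pdu[off + 4:off + 20])    # abstract syntax = interface UUID
        major, minor = struct.unpack_from("<HH", pdu, off + 20)
        off += 24
        syntaxes = [uuid.UUID(bytes_le=pdu[off + 20 * i:off + 20 * i + 16]) for i in range(n_ts)]
        off += 20 * n_ts  # each transfer syntax is UUID(16) + version(4)
        contexts.append({"ctx_id": ctx_id, "ifid": str(ifid), "version": f"{major}.{minor}",
                         "ndr": NDR_SYNTAX in syntaxes})
    return {"call_id": call_id, "contexts": contexts}

def notable_binds(pdu: bytes) -> list:
    """Return (ifid, pipe, description) for every requested interface found in the table."""
    return [(c["ifid"],) + NOTABLE_IFIDS[c["ifid"]] for c in parse_bind(pdu)["contexts"] if c["ifid"] in NOTABLE_IFIDS]

def build_bind(ifid: str, major: int, minor: int, call_id: int = 1) -> bytes:
    """Construct a minimal single-context bind PDU; used here only to make sample input."""
    ctx = struct.pack("<HBB", 0, 1, 0) + uuid.UUID(ifid).bytes_le + struct.pack("<HH", major, minor)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body

# Constructed sample: a bind to the svcctl interface (version 2.0), as a client sends before using it.
SAMPLE_BIND = build_bind("367abb81-9844-35f1-ad32-98f038001003", 2, 0)
```

On real traffic, feed parse_bind the payload after the TCP (port 135) or SMB named-pipe framing; bind_ack PDUs (ptype 12) carry the server's answer and are rejected by this parser.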

Identifying IP addresses

https://github.com/mubix/IOXIDResolver, which comes from Airbus research, makes it possible to
abuse the ServerAlive2 method of the IOXIDResolver interface.

This method has been used to obtain interface information such as IPv6 addresses from the HTB
box APT. See 0xdf's APT writeup, which includes an alternative method using rpcmap.py from
Impacket with stringbinding (see above).
