hacktricks/network-services-pentesting/135-pentesting-msrpc.md
Juan Martinez a.k.a 3vilC0d3 1b762e358f
Update 135-pentesting-msrpc.md
Topic added "Executing a RCE with valid credentials"
2024-03-13 18:17:24 -05:00

9.1 KiB

135, 593 - Pentesting MSRPC

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Basic Information

The Microsoft Remote Procedure Call (MSRPC) protocol, a client-server model enabling a program to request a service from a program located on another computer without understanding the network's specifics, was initially derived from open-source software and later developed and copyrighted by Microsoft.

The RPC endpoint mapper can be accessed via TCP and UDP port 135, SMB on TCP 139 and 445 (with a null or authenticated session), and as a web service on TCP port 593.

135/tcp   open     msrpc         Microsoft Windows RPC

How does MSRPC work?

Initiated by the client application, the MSRPC process involves calling a local stub procedure that then interacts with the client runtime library to prepare and transmit the request to the server. This includes converting parameters into a standard Network Data Representation format. The choice of transport protocol is determined by the runtime library if the server is remote, ensuring the RPC is delivered through the network stack.

https://0xffsec.com/handbook/images/msrpc.png

Identifying Exposed RPC Services

Exposure of RPC services across TCP, UDP, HTTP, and SMB can be determined by querying the RPC locator service and individual endpoints. Tools such as rpcdump facilitate the identification of unique RPC services, denoted by IFID values, revealing service details and communication bindings:

D:\rpctools> rpcdump [-p port] <IP>
**IFID**: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:<IP>[1028]

Access to the RPC locator service is enabled through specific protocols: ncacn_ip_tcp and ncadg_ip_udp for accessing via port 135, ncacn_np for SMB connections, and ncacn_http for web-based RPC communication. The following commands exemplify the utilization of Metasploit modules to audit and interact with MSRPC services, primarily focusing on port 135:

use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
rpcdump.py <IP> -p 135

All options except tcp_dcerpc_auditor are specifically designed for targeting MSRPC on port 135.

Notable RPC interfaces

  • IFID: 12345778-1234-abcd-ef00-0123456789ab

  • Named Pipe: \pipe\lsarpc

  • Description: LSA interface, used to enumerate users.

  • IFID: 3919286a-b10c-11d0-9ba8-00c04fd92ef5

  • Named Pipe: \pipe\lsarpc

  • Description: LSA Directory Services (DS) interface, used to enumerate domains and trust relationships.

  • IFID: 12345778-1234-abcd-ef00-0123456789ac

  • Named Pipe: \pipe\samr

  • Description: LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and brute-force user passwords regardless of account lockout policy.

  • IFID: 1ff70682-0a51-30e8-076d-740be8cee98b

  • Named Pipe: \pipe\atsvc

  • Description: Task scheduler, used to remotely execute commands.

  • IFID: 338cd001-2244-31f1-aaaa-900038001003

  • Named Pipe: \pipe\winreg

  • Description: Remote registry service, used to access and modify the system registry.

  • IFID: 367abb81-9844-35f1-ad32-98f038001003

  • Named Pipe: \pipe\svcctl

  • Description: Service control manager and server services, used to remotely start and stop services and execute commands.

  • IFID: 4b324fc8-1670-01d3-1278-5a47bf6ee188

  • Named Pipe: \pipe\srvsvc

  • Description: Service control manager and server services, used to remotely start and stop services and execute commands.

  • IFID: 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57

  • Named Pipe: \pipe\epmapper

  • Description: DCOM interface, used for brute-force password grinding and information gathering via WM.

Identifying IP addresses

Using https://github.com/mubix/IOXIDResolver, comes from Airbus research is possible to abuse the ServerAlive2 method inside the IOXIDResolver interface.

This method has been used to get interface information as IPv6 address from the HTB box APT. See here for 0xdf APT writeup, it includes an alternative method using rpcmap.py from Impacket with stringbinding (see above).

Executing a RCE with valid credentials

It is possible to execute remote code on a machine, if the credentials of a valid user are available using dcomexec.py from impacket framework.

Remember to try with the different objects available

  • ShellWindows
  • ShellBrowserWindow
  • MMC20

Port 593

The rpcdump.exe from rpctools can interact with this port.

References

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: