MSRPC (Microsoft Remote Procedure Call) Pentesting

It is also known as a function call or a subroutine call. Default ports are 135, 593.

Enumeration

nmap --script msrpc-enum -p 135 <target-ip>

RPC Endpoints

To enumerate RPC endpoints, use impacket-rpcdump.

impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR'

MS-EFSRPC: It might be vulnerable to PetitPotam.
MS-RPRN, MS-PAR: It might be vulnerable to PrintNightmare.

Metasploit

msfconsole
msf> use auxiliary/scanner/dcerpc/endpoint_mapper
msf> use auxiliary/scanner/dcerpc/hidden
msf> use auxiliary/scanner/dcerpc/management
msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

Connect

# Anonymous logon
rpcclient -N -U "" <target-ip>
rpcclient -N -U "" -p 593 <target-ip>
rpcclient -N -U "" dc.example.local

# Specify username
# -W: Workgroup
# -N: No password
rpcclient -U username <target-ip>
rpcclient -W WORKGROUP -U username <target-ip>
rpcclient -U username -N <target-ip>

# -k: Kerberos authentication
rpcclient -k <target-ip>

Commands

# Server info
rpcclient $> srvinfo

# Enumerate domains
rpcclient $> enumdomains
# Enumerate domain users
rpcclient $> enumdomusers
# Enumerate domain groups
rpcclient $> enumdomgroups

# Domain info
rpcclient $> querydominfo

# Current username
rpcclient $> getusername

# If the current user has permission to change another user password, we can change another user password.
rpcclient $> setuserinfo2 <another_user> 23 <new_password>

PreviousWindows Print Spooler Service NextRDP (Remote Desktop Protocol) Pentesting

Last updated 1 month ago

hashtagMSRPC (Microsoft Remote Procedure Call) Pentesting

hashtagEnumeration

hashtagRPC Endpoints

hashtagMetasploit

hashtagConnect

hashtagCommands

MSRPC (Microsoft Remote Procedure Call) Pentesting

Enumeration

RPC Endpoints

Metasploit

Connect

Commands