# MSRPC (Microsoft Remote Procedure Call) Pentesting

MSRPC is Microsoft's implementation of DCE/RPC: a client invokes a procedure on a remote host as if it were a local function call or subroutine call. Default ports are 135 (the endpoint mapper) and 593 (RPC over HTTP).

### Enumeration <a href="#enumeration" id="enumeration"></a>

```
nmap --script msrpc-enum -p 135 <target-ip>
```

#### RPC Endpoints <a href="#rpc-endpoints" id="rpc-endpoints"></a>

To list the interfaces registered with the endpoint mapper, use `impacket-rpcdump`; the grep below keeps only the interfaces discussed next.

```
impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR'
```

* **MS-EFSRPC**: if this interface is exposed, the host might be vulnerable to **PetitPotam** (NTLM authentication coercion).
* **MS-RPRN**, **MS-PAR**: if the Print Spooler interfaces are exposed, the host might be vulnerable to **PrintNightmare**.
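The grep above matches an interface name even when the endpoint mapper only advertises a local binding for it. The following added example (not part of the original page or of impacket) parses rpcdump-style output, assuming its `Protocol:` / `UUID:` / `Bindings:` block layout, and reports which of the watched interfaces have a remotely reachable binding; the sample output, hosts and ports are constructed.

```python
import re

# Interfaces the grep above looks for, mapped to the issue each is associated with.
WATCHLIST = {"MS-EFSRPC": "PetitPotam", "MS-RPRN": "PrintNightmare", "MS-PAR": "PrintNightmare"}
# Transports a remote client can use; ncalrpc bindings are local-only.
REMOTE_TRANSPORTS = ("ncacn_ip_tcp", "ncacn_np", "ncacn_http")

# Constructed sample in rpcdump's 'Protocol:/UUID:/Bindings:' block layout (assumed
# format); host, pipe and port values are made up.
SAMPLE = r"""Protocol: [MS-RPRN]: Print System Remote Protocol
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49668]
          ncacn_np:\\DC01[\pipe\spoolss]
          ncalrpc:[spoolss]

Protocol: [MS-EFSRPC]: Encrypting File System Remote (EFSRPC) Protocol
UUID    : c681d488-d850-11d0-8c52-00c04fd90f7e v1.0
Bindings:
          ncalrpc:[LRPC-0e1f2a3b4c5d6e7f]
"""

def parse_rpcdump(text):
    """Split rpcdump output into one dict per registered interface."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):
            current = {"protocol": line.split(":", 1)[1].strip(), "uuid": None, "bindings": []}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("UUID"):
            current["uuid"] = line.split(":", 1)[1].split()[0]
        elif line.startswith(REMOTE_TRANSPORTS + ("ncalrpc",)):
            current["bindings"].append(line)
    return entries

def exposed_interfaces(text):
    """Map each watched [MS-XXX] interface to its remotely reachable bindings.
    An empty list means the grep would match but only a local (ncalrpc) binding is
    advertised. That is a triage hint, not proof of safety: named-pipe endpoints
    such as \\pipe\\lsarpc can be reached without an endpoint-mapper registration."""
    found = {}
    for entry in parse_rpcdump(text):
        tag = re.search(r"\[(MS-[A-Z]+)\]", entry["protocol"])
        if tag and tag.group(1) in WATCHLIST:
            found[tag.group(1)] = [b for b in entry["bindings"] if b.startswith(REMOTE_TRANSPORTS)]
    return found
```

Feed it real `impacket-rpcdump` output instead of `SAMPLE` to triage a host; an interface missing from the result was not registered under a watched name at all.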

#### Metasploit <a href="#metasploit" id="metasploit"></a>

```
msfconsole
msf> use auxiliary/scanner/dcerpc/endpoint_mapper
msf> use auxiliary/scanner/dcerpc/hidden
msf> use auxiliary/scanner/dcerpc/management
msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
```

### Connect <a href="#connect" id="connect"></a>

```
# Anonymous logon
rpcclient -N -U "" <target-ip>
rpcclient -N -U "" -p 593 <target-ip>
rpcclient -N -U "" dc.example.local

# Specify username
# -W: Workgroup
# -N: No password
rpcclient -U username <target-ip>
rpcclient -W WORKGROUP -U username <target-ip>
rpcclient -U username -N <target-ip>

# -k: Kerberos authentication
rpcclient -k <target-ip>
```

#### Commands <a href="#commands" id="commands"></a>

```
# Server info
rpcclient $> srvinfo

# Enumerate domains
rpcclient $> enumdomains
# Enumerate domain users
rpcclient $> enumdomusers
# Enumerate domain groups
rpcclient $> enumdomgroups

# Domain info
rpcclient $> querydominfo

# Current username
rpcclient $> getusername

# If the current user has the right to reset another user's password,
# setuserinfo2 with info level 23 sets a new password for that account.
rpcclient $> setuserinfo2 <another_user> 23 <new_password>
```
