135,593 - Pentesting MS-RPC
MS-RPC (Microsoft Remote Procedure Call) is a protocol that allows requesting service from a program on another computer without having to understand the details of that computer's network. An MS-RPC service can be accessed through different transport protocols.
There are many interesting named pipes that allow various operations from NULL sessions context, to local administrative context.
|IFID value||Named pipe||Description|
|12345778-1234-abcd-ef00-0123456789ab|| ||LSA interface, used to enumerate users|
|3919286a-b10c-11d0-9ba8-00c04fd92ef5|| ||LSA Directory Services (DS) interface, used to enumerate domains and trust relationships|
|12345778-1234-abcd-ef00-0123456789ac|| ||LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and brute-force user passwords regardless of account lockout policy, enumerate domain users, groups and more through the local SAM database (only works pre Win 10 Anniversary|
|1ff70682-0a51-30e8-076d-740be8cee98b|| ||Task scheduler, used to remotely create scheduled tasks to execute commands (used by Impacket's atexec.py|
|338cd001-2244-31f1-aaaa-900038001003|| ||Remote registry service, used to access the system registry|
|367abb81-9844-35f1-ad32-98f038001003|| ||Service control manager and server services, used to remotely start and stop services and execute commands, remotely create scheduled tasks to execute commands (used by Impacket's psexec.py and smbexec.py|
|4b324fc8-1670-01d3-1278-5a47bf6ee188|| ||Service control manager and server services, used to remotely start and stop services and execute commands|
|4d9f4ab8-7d1c-11cf-861e-0020af6e7c57|| ||DCOM interface, supporting WMI, used by DCOM (Distributed Component Object Model), itself used by WMI (Windows Management Instrumentation), itself abused by attackers for command execution (used by Impacket's wmiexec.py). DCOM is also used by MMC (Microsoft Management Console), itslef abused by attackers for command execution (Impacket's dcomexec.py )|
- psexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py
- smbexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py
- atexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py
- wmiexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
- dcomexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py
Find exposed services
The epmapper (MS-RPC EndPoint Mapper) maps services to ports. It uses port 135/TCP and/or port 593/TCP (for RPC over HTTP). Through epmapper, tools like Impacket's rpcdump.py
- rpcdump.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/rpcdump.py
NULL sessions are unauthenticated SMB sessions that allow attackers to operate RPC calls through SMB named pipes without being authenticated first. This allows for many recon techniques like the enumeration of domain and local information (users, groups, RIDs, SIDs, policies, etc.).
Recon through interesting named pipes
The Samba utility named rpcclient can be used to operate recon through MS-RPC services behind SMB named pipes. It offers multiple useful commands.
| ||get domain name and SID (Security IDentifier)|
| ||list local groups, returns RIDs (Relative IDs)|
| ||list local group members, returns SIDs|
| ||resolve SID to name|
| ||resolve name to SID|
| ||list users, equivalent to |
| ||list groups equivalent to |
| ||obtain info on a user, equivalent to |
| ||obtain group members, equivalent to |
| ||get password policy|
RID Cycling is a method that allows attackers to enumerate domain objects by bruteforcing or guessing RIDs and SIDs, based on the fact that RIDs are sequential.
The Python script ridenum can be used to operate that recon technique, with a Null session or with an authenticated one.
- ridenum - https://github.com/trustedsec/ridenum