MSRPC (Microsoft Remote Procedure Call) Pentesting
Last modified: 2023-08-26
Windows
It is also known as a function call or a subroutine call. Default ports are 135, 593.
Enumeration
nmap --script msrpc-enum -p 135 <target-ip>
# rpcdump for dumping RPC endpoints
impacket-rpcdump -port 135 <target-ip>
# Find the Print System Remote Prototol or the Print System Asynchronous Remote Protocol
impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-RPRN|MS-PAR'
If we found MS-RPRN or MS-PAR, we might be able to exploit with PrintNightmare.
Metasploit
msfconsole
msf> use auxiliary/scanner/dcerpc/endpoint_mapper
msf> use auxiliary/scanner/dcerpc/hidden
msf> use auxiliary/scanner/dcerpc/management
msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
Investigation
rpcinfo reports RPC information. If you don’t have it, install ‘rpcbind’ first to use the rpcinfo.
sudo apt install rpcbind
Run the following command.
rpcinfo -p <target-ip>
# NFS only
rpcinfo -p <target-ip> | grep nfs
Connect
# Anonymous logon
rpcclient -N -U "" <target-ip>
rpcclient -N -U "" -p 593 <target-ip>
rpcclient -N -U "" dc.example.local
# Specify username
# -W: Workgroup
# -N: No password
rpcclient -U username <target-ip>
rpcclient -W WORKGROUP -U username <target-ip>
rpcclient -U username -N <target-ip>
# -k: Kerberos
rpcclient -k <target-ip>
Commands
# Server info
rpcclient $> srvinfo
# Enumerate domains
rpcclient $> enumdomains
# Enumerate domain users
rpcclient $> enumdomusers
# Enumerate domain groups
rpcclient $> enumdomgroups
# Domain info
rpcclient $> querydominfo
# Current username
rpcclient $> getusername