MSRPC - Port 135, 593
Become VeryLazyTech!
Follow us on:
Twitter
Github
Medium
YouTube
Telegram
My Site
Visit our for e-books and courses.
The Microsoft Remote Procedure Call (MSRPC) protocol is a powerful client-server model enabling one system to request services from another over a network, forming the backbone of many Windows-based network services. Initially derived from open-source software, it was later developed and patented by Microsoft. Exposing MSRPC services, especially on Port 135 (RPC) and Port 593 (RPC over HTTP), creates significant vulnerabilities that penetration testers can exploit for remote code execution, privilege escalation, and lateral movement.
MSRPC allows a program to request a service from a program located on another computer in a network, abstracting the underlying network protocols and allowing cross-platform communication. MSRPC is accessed via various ports, the most common being Port 135 (TCP/UDP) for RPC services, Port 593 (TCP) for RPC over HTTP, and Ports 139/445 (SMB) for SMB-based RPC.
Key Details:
Port 135 (TCP/UDP): The RPC endpoint mapper listens on this port, which acts as the entry point for locating other RPC services on a system.
Port 593 (TCP): Used for RPC over HTTP, enabling RPC traffic to bypass network firewalls and proxies.
Ports 139/445 (TCP): These ports are primarily used by SMB for MSRPC communication.
The process begins when a client application initiates the request for an RPC service. Here's how it works:
Client Stub: The client invokes a local procedure call (stub).
Runtime Library: The stub works with the client runtime library to convert the parameters into a standardized format (Network Data Representation).
Communication: If the server is remote, the runtime library determines the transport protocol (e.g., TCP, HTTP) and sends the request over the network.
The communication is usually secured via authentication mechanisms like NTLM or Kerberos, though these can be bypassed or exploited if misconfigured.
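The marshalling and transport steps above become concrete when you look at the first PDU a client sends on port 135: the bind, which names the interface (IFID) it wants and the transfer syntax (NDR) it will marshal parameters in. The following parser is an added example for this page, not code from the original post or from Impacket; it decodes the DCE/RPC common header and the bind body so that, from a captured PDU, a defender can tell which interface a client tried to reach. The sample PDU it works on is constructed in the block itself (the build_bind_pdu helper) rather than captured from a real host, and the LSA IFID used is the one listed further down on this page.

```python
"""Parse a DCE/RPC bind PDU and report which interface (IFID) the client
asks to bind to.  Added example: not from the original post and not
Impacket code.  The sample PDU below is constructed here, not captured."""
import struct
import uuid

# Packet types from the DCE/RPC connection-oriented protocol.
PTYPE_NAMES = {0: "request", 2: "response", 3: "fault", 11: "bind",
               12: "bind_ack", 13: "bind_nak", 14: "alter_context"}

# The NDR transfer syntax ("Network Data Representation" in the text above).
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# LSA interface IFID as listed on this page.
LSA_IFID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")


def parse_common_header(pdu: bytes) -> dict:
    """Decode the 16-byte header shared by every connection-oriented PDU."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte DCE/RPC header")
    (ver, ver_minor, ptype, flags, drep,
     frag_len, auth_len, call_id) = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if ver != 5:
        raise ValueError(f"unexpected RPC major version {ver}")
    if frag_len != len(pdu):
        # A mismatch usually means a truncated or reassembly-split capture.
        raise ValueError(f"frag_length {frag_len} != PDU size {len(pdu)}")
    return {
        "version": f"{ver}.{ver_minor}",
        "ptype": PTYPE_NAMES.get(ptype, ptype),
        "flags": flags,
        "little_endian": (drep[0] >> 4) == 1,  # high nibble of drep[0] = integer format
        "frag_length": frag_len,
        "auth_length": auth_len,
        "call_id": call_id,
    }


def _syntax_id(pdu: bytes, off: int):
    """Read a p_syntax_id_t: 16-byte UUID (mixed-endian) + u32 version (major | minor << 16)."""
    iid = uuid.UUID(bytes_le=pdu[off:off + 16])
    (ver,) = struct.unpack_from("<I", pdu, off + 16)
    return str(iid), f"{ver & 0xFFFF}.{ver >> 16}"


def parse_bind(pdu: bytes) -> dict:
    """Decode a bind PDU: header, fragment limits and every presentation context."""
    info = parse_common_header(pdu)
    if info["ptype"] != "bind":
        raise ValueError(f"not a bind PDU: {info['ptype']}")
    max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from("<HHIB", pdu, 16)
    off = 28                                    # 16 hdr + 8 + n_ctx(1) + 3 reserved
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_syntax = struct.unpack_from("<HB", pdu, off)
        off += 4                                # ctx_id(2) n_transfer_syn(1) reserved(1)
        abstract, abstract_ver = _syntax_id(pdu, off)
        off += 20
        transfer = []
        for _ in range(n_syntax):
            transfer.append(_syntax_id(pdu, off))
            off += 20
        contexts.append({"context_id": ctx_id, "interface": abstract,
                         "interface_version": abstract_ver,
                         "transfer_syntaxes": transfer})
    info.update(max_xmit_frag=max_xmit, max_recv_frag=max_recv,
                assoc_group=assoc_group, contexts=contexts)
    return info


def build_bind_pdu(interface: uuid.UUID, if_version: int = 0, call_id: int = 1) -> bytes:
    """Constructed sample: a first/last-fragment bind for one interface over NDR v2."""
    ctx = struct.pack("<HBB", 0, 1, 0)          # context 0, one transfer syntax
    ctx += interface.bytes_le + struct.pack("<I", if_version)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


SAMPLE_BIND_PDU = build_bind_pdu(LSA_IFID)   # constructed input for the demo

if __name__ == "__main__":
    parsed = parse_bind(SAMPLE_BIND_PDU)
    for ctx in parsed["contexts"]:
        print(f"call {parsed['call_id']}: bind to {ctx['interface']} "
              f"v{ctx['interface_version']} via {ctx['transfer_syntaxes'][0][0]}")
```

The parser deliberately refuses a PDU whose frag_length disagrees with the bytes actually present: in a capture that is the usual sign of a truncated or reassembly-split packet, and silently parsing past it produces wrong interface UUIDs. Note that the UUID in a PDU is stored with its first three fields little-endian, which is why the block reads it with bytes_le rather than the plain bytes constructor.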
Exposing RPC services over the network can be an attack vector if not properly secured. Identifying exposed RPC services is the first step in a pentesting assessment. You can use several tools to discover these services across different ports.
Tools for Scanning RPC Services:
Nmap:
Metasploit:
rpcdump:
Example output from rpcdump:
The rpcdump utility will show Interface Identifiers (IFIDs) like the LSA and SAMR interfaces, which can be exploited for user enumeration, password cracking, and privilege escalation.
Common RPC Interfaces:
IFID: 12345778-1234-abcd-ef00-0123456789ab: LSA Interface (used for enumerating users).
IFID: 3919286a-b10c-11d0-9ba8-00c04fd92ef5: LSA Directory Services (enumerates domains).
IFID: 12345778-1234-abcd-ef00-0123456789ac: SAMR Interface (used for password brute-forcing).
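From a defender's side, the useful question about an endpoint-mapper dump is not only which of the interfaces above are registered, but over which protocol sequences they are bound: an interface that is only reachable through an SMB named pipe (ncacn_np) sits behind SMB authentication and its firewall rules, while one bound on ncacn_ip_tcp or ncacn_http (port 593) is reachable directly. The block below is an added example for this page, not code from the original post or from Impacket: it parses rpcdump-style text, maps the three IFIDs listed above to their names, and flags those with a non-SMB binding. The sample output it parses is constructed and only loosely modelled on the rpcdump layout (the hostname DC01 and the 10.0.0.5 address are made up); on a real dump, feed it the tool's actual output.

```python
"""Inventory the interfaces an endpoint mapper advertises and flag the ones
from this page's IFID table that are reachable without SMB.  Added example,
not from the post or Impacket; the text below is constructed sample output
loosely modelled on the rpcdump layout, not a real capture."""
import re

# IFIDs from the table above, with the role the page assigns to each.
WATCHED_IFIDS = {
    "12345778-1234-abcd-ef00-0123456789ab": "LSA interface (user enumeration)",
    "3919286a-b10c-11d0-9ba8-00c04fd92ef5": "LSA Directory Services (domain enumeration)",
    "12345778-1234-abcd-ef00-0123456789ac": "SAMR interface (password brute-forcing)",
}

# Bindings that bypass SMB named pipes: direct TCP (dynamic port) and
# RPC over HTTP (port 593), the two exposure points this page discusses.
NETWORK_PROTSEQS = ("ncacn_ip_tcp:", "ncacn_http:")

# Constructed sample; hostname and addresses are made up.
SAMPLE_RPCDUMP_OUTPUT = r"""
Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote Protocol
Provider: lsasrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0
Bindings:
          ncacn_np:\\DC01[\pipe\lsass]
          ncacn_ip_tcp:10.0.0.5[49667]

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\samr]

Protocol: [MS-DSSP]: Directory Services Setup Remote Protocol
Provider: lsasrv.dll
UUID    : 3919286A-B10C-11D0-9BA8-00C04FD92EF5 v0.0
Bindings:
          ncacn_http:10.0.0.5[593]
"""

UUID_LINE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})\s+v(\d+\.\d+)")


def parse_rpcdump(text: str) -> list:
    """Split rpcdump-style text into one record per advertised interface."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):
            current = {"protocol": line[len("Protocol:"):].strip(), "provider": None,
                       "uuid": None, "version": None, "bindings": []}
            records.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("Provider:"):
            current["provider"] = line[len("Provider:"):].strip()
        elif line.startswith("UUID"):
            m = UUID_LINE.match(line)
            if m:
                current["uuid"], current["version"] = m.group(1).lower(), m.group(2)
        elif line.startswith(("ncacn_", "ncadg_", "ncalrpc")):
            current["bindings"].append(line)
    return records


def audit_exposure(records: list) -> list:
    """Report every watched interface and whether it has a non-SMB binding."""
    findings = []
    for rec in records:
        label = WATCHED_IFIDS.get(rec["uuid"] or "")
        if label is None:
            continue
        network = [b for b in rec["bindings"] if b.startswith(NETWORK_PROTSEQS)]
        findings.append({"uuid": rec["uuid"], "interface": label,
                         "version": rec["version"], "network_bindings": network,
                         "reachable_without_smb": bool(network)})
    return findings


if __name__ == "__main__":
    for f in audit_exposure(parse_rpcdump(SAMPLE_RPCDUMP_OUTPUT)):
        state = "DIRECT" if f["reachable_without_smb"] else "smb-only"
        print(f"{f['uuid']} v{f['version']} {f['interface']}: {state} {f['network_bindings']}")
```

The UUID comparison is done in lower case because the dump prints IFIDs in upper case while this page lists them in lower case; a mismatch there would make every watched interface silently disappear from the audit. The ncacn_http binding on 10.0.0.5[593] is exactly the RPC-over-HTTP case described later on this page.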
Once you've identified the target system with valid credentials, it's time to exploit the RPC service for Remote Code Execution (RCE). Common vulnerabilities like MS08-067 (RCE through NetAPI) allow attackers to execute code remotely.
Exploitation Techniques:
Metasploit: Exploits such as MS08-067 can be used to execute arbitrary code on vulnerable machines.
Impacket Framework: Tools like dcomexec.py can execute commands remotely once you have valid credentials.
Port 593 is used for RPC over HTTP, which encapsulates RPC traffic in HTTP requests, allowing it to bypass firewalls and proxies that may block traditional RPC traffic on Port 135. Identifying and exploiting this port requires special tools and techniques.
rpcdump: Can be used to identify services running on Port 593.
Metasploit and Impacket:
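The exposure that both the port 135 and the port 593 sections describe is visible in a host firewall log long before any exploitation: an ALLOW entry for an inbound connection to 135 or 593 from an address that is not a management host is the event a defender wants to catch. The block below is an added example for this page, not code from the original post: it parses lines in the Windows Firewall pfirewall.log column layout (the #Fields header drives the parsing) and reports allowed inbound connections to the RPC and SMB ports listed in this page's Key Details from outside an approved management network. The log lines, the 10.0.0.0/24 management subnet and all addresses are constructed for the example.

```python
"""Flag inbound connections the host firewall ALLOWed to the RPC ports this
page discusses (135 endpoint mapper, 593 RPC over HTTP, 139/445 SMB) from
outside an approved management network.  Added example, not from the post;
the log lines are constructed in the Windows Firewall pfirewall.log column
layout, and the subnet and addresses are made up."""
import ipaddress

RPC_PORTS = {135: "RPC endpoint mapper", 593: "RPC over HTTP",
             139: "SMB (NetBIOS session)", 445: "SMB"}

# Constructed sample in the pfirewall.log layout (the #Fields line drives parsing).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 ALLOW TCP 10.0.0.25 10.0.0.5 50211 135 52 S 123456 0 8192 - - - RECEIVE
2024-05-01 10:00:04 ALLOW TCP 192.168.50.7 10.0.0.5 41022 135 52 S 223456 0 8192 - - - RECEIVE
2024-05-01 10:00:05 ALLOW TCP 192.168.50.7 10.0.0.5 41023 593 52 S 323456 0 8192 - - - RECEIVE
2024-05-01 10:00:09 DROP TCP 203.0.113.9 10.0.0.5 55555 135 52 S 423456 0 8192 - - - RECEIVE
2024-05-01 10:00:12 ALLOW TCP 10.0.0.5 192.168.50.7 49800 135 52 S 523456 0 8192 - - - SEND
2024-05-01 10:00:15 ALLOW TCP 192.168.50.7 10.0.0.5 41030 49667 52 S 623456 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text: str) -> list:
    """Turn pfirewall.log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):       # skip malformed or truncated rows
                rows.append(dict(zip(fields, values)))
    return rows


def find_rpc_exposure(rows: list, management_nets) -> list:
    """Return allowed inbound RPC-port connections from outside the approved networks."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    findings = []
    for r in rows:
        # Only traffic the firewall let in matters; SEND rows are this host's own clients.
        if r["action"] != "ALLOW" or r["path"] != "RECEIVE" or r["protocol"] != "TCP":
            continue
        port = int(r["dst-port"])
        if port not in RPC_PORTS:
            continue
        src = ipaddress.ip_address(r["src-ip"])
        if any(src in n for n in nets):
            continue
        findings.append({"time": f"{r['date']} {r['time']}", "src": str(src),
                         "dst": r["dst-ip"], "port": port, "service": RPC_PORTS[port]})
    return findings


if __name__ == "__main__":
    rows = parse_firewall_log(SAMPLE_LOG)
    for f in find_rpc_exposure(rows, ["10.0.0.0/24"]):
        print(f"{f['time']} {f['src']} -> {f['dst']}:{f['port']} ({f['service']})")
```

Two things the sample is built to show: the DROP row and the outbound SEND row are not findings, because only traffic the firewall actually admitted is exposure, and the last row (an allowed connection to 49667) is also not flagged even though it is an RPC connection. That is the caveat with any fixed port list: the endpoint mapper on 135 hands clients a dynamic high port for the actual interface, so a firewall-log check for 135 and 593 should be paired with an endpoint inventory (which interfaces are bound on which ports) rather than treated as complete on its own.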