135, 593 - Pentesting MSRPC
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
The Microsoft Remote Procedure Call (MSRPC) protocol, a client-server model that lets a program request a service from a program on another computer without understanding the details of the network, was originally derived from open-source software and was later developed and copyrighted by Microsoft.

The RPC endpoint mapper can be reached over TCP and UDP port 135, over SMB on TCP 139 and 445 (with a null or an authenticated session), and as a web service (RPC over HTTP) on TCP port 593.

```
135/tcp open msrpc Microsoft Windows RPC
```
How does MSRPC work?

Initiated by the client application, an MSRPC call invokes a local stub procedure, which hands the call to the client runtime library to prepare and transmit the request to the server. This includes marshalling the parameters into the standard Network Data Representation (NDR) format. If the server is remote, the runtime library selects the transport protocol, so the RPC is delivered through the network layer.
Identifying Exposed RPC Services

Whether RPC services are exposed over TCP, UDP, HTTP and SMB can be determined by querying the RPC locator service (the endpoint mapper) and the individual endpoints. Tools such as rpcdump identify the individual RPC services, denoted by their IFID values, and reveal service details and communication bindings:

```
D:\rpctools> rpcdump [-p port] <IP>
IFID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:<IP>[1028]
```
The RPC locator service is reached through specific protocol sequences: ncacn_ip_tcp and ncadg_ip_udp for access via port 135, ncacn_np for SMB connections, and ncacn_http for RPC over HTTP. The following commands show the Metasploit modules for auditing and interacting with MSRPC services, mostly targeting port 135, plus the Impacket equivalent:

```
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
rpcdump.py <IP> -p 135
```

All options except tcp_dcerpc_auditor are specifically designed for targeting MSRPC on port 135.
Notable RPC interfaces

| IFID | Named pipe | Description |
|---|---|---|
| 12345778-1234-abcd-ef00-0123456789ab | \pipe\lsarpc | LSA interface, used to enumerate users. |
| 3919286a-b10c-11d0-9ba8-00c04fd92ef5 | \pipe\lsarpc | LSA Directory Services (DS) interface, used to enumerate domains and trust relationships. |
| 12345778-1234-abcd-ef00-0123456789ac | \pipe\samr | LSA SAMR interface, used to access public elements of the SAM database (e.g., usernames) and to attempt user passwords; failed attempts are still subject to the account lockout policy, so throttle accordingly. |
| 1ff70682-0a51-30e8-076d-740be8cee98b | \pipe\atsvc | Task scheduler, used to execute commands remotely. |
| 338cd001-2244-31f1-aaaa-900038001003 | \pipe\winreg | Remote registry service, used to read and modify the system registry. |
| 367abb81-9844-35f1-ad32-98f038001003 | \pipe\svcctl | Service control manager, used to remotely start and stop services and execute commands. |
| 4b324fc8-1670-01d3-1278-5a47bf6ee188 | \pipe\srvsvc | Server service, used to enumerate shares, sessions and server information. |
| 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 | \pipe\epmapper | DCOM interface, used for password brute-forcing and information gathering via WMI. |
Identifying IP addresses

Using https://github.com/mubix/IOXIDResolver, which comes from Airbus research, it is possible to abuse the ServerAlive2 method of the IOXIDResolver interface without authentication.

This method has been used to obtain network interface information, such as the IPv6 address, from the HTB box APT. See the 0xdf APT writeup; it includes an alternative method using rpcmap.py from Impacket with a string binding (see the protocol sequences above).
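The following Python script is an added example, not code from this page, from Impacket or from IOXIDResolver, that ties the rpcdump/endpoint-mapper output and the notable-interface table together. It parses records in the layout Impacket's rpcdump.py prints (Protocol / Provider / UUID / Bindings blocks, assumed from its output format), splits each string binding into protocol sequence, address and endpoint, flags interfaces from the table above that are bound to a remotely reachable protocol sequence rather than only ncalrpc (ALPC), and includes an optional live ServerAlive2 query through Impacket's IObjectExporter, the same call IOXIDResolver makes. The rpcdump output embedded in the script is constructed, not captured from a host.

```python
"""Triage rpcdump.py output against the notable-interface table and, optionally,
run the unauthenticated ServerAlive2 query. Added example; the sample below is
constructed and the rpcdump.py record layout is assumed from Impacket's output."""
import re
from typing import Any, Dict, List, Tuple

# Subset of the notable-interface table: UUID -> (named pipe, purpose).
NOTABLE = {
    "12345778-1234-abcd-ef00-0123456789ab": ("\\pipe\\lsarpc", "LSA: enumerate users"),
    "3919286a-b10c-11d0-9ba8-00c04fd92ef5": ("\\pipe\\lsarpc", "LSA DS: domains and trusts"),
    "12345778-1234-abcd-ef00-0123456789ac": ("\\pipe\\samr", "SAMR: SAM database, password attempts"),
    "1ff70682-0a51-30e8-076d-740be8cee98b": ("\\pipe\\atsvc", "Task scheduler: remote command execution"),
    "338cd001-2244-31f1-aaaa-900038001003": ("\\pipe\\winreg", "Remote registry"),
    "367abb81-9844-35f1-ad32-98f038001003": ("\\pipe\\svcctl", "Service control manager"),
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": ("\\pipe\\srvsvc", "Server service: shares and sessions"),
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": ("\\pipe\\epmapper", "DCOM remote activation"),
}

# Protocol sequences a remote attacker can reach; ncalrpc is local-only (ALPC).
REMOTE_PROTSEQS = {"ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_np", "ncacn_http"}

BINDING_RE = re.compile(r"^(?P<protseq>[a-z_]+):(?P<addr>[^\[]*)(?:\[(?P<endpoint>[^\]]*)\])?$")

def parse_string_binding(binding: str) -> Tuple[str, str, str]:
    """Split 'ncacn_np:\\\\host[\\pipe\\lsarpc]' into (protseq, address, endpoint)."""
    m = BINDING_RE.match(binding.strip())
    if not m:
        raise ValueError(f"not a string binding: {binding!r}")
    return m["protseq"], m["addr"], m["endpoint"] or ""

def parse_rpcdump(text: str) -> List[Dict[str, Any]]:
    """Parse rpcdump.py records into dicts: protocol, provider, uuid, version, bindings."""
    records: List[Dict[str, Any]] = []
    cur: Dict[str, Any] = {}
    for line in text.splitlines():
        if line.startswith("Protocol:"):          # each record starts with a Protocol line
            cur = {"protocol": line.split(":", 1)[1].strip(), "bindings": []}
            records.append(cur)
        elif not cur:
            continue
        elif line.startswith("Provider:"):
            cur["provider"] = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):              # 'UUID    : <uuid> v<major>.<minor>'
            uuid, _, ver = line.split(":", 1)[1].strip().partition(" ")
            cur["uuid"], cur["version"] = uuid.lower(), ver.lstrip("v")
        elif line.strip() and ":" in line and not line.startswith("Bindings"):
            cur["bindings"].append(parse_string_binding(line))   # indented binding lines
    return records

def triage(records: List[Dict[str, Any]]) -> List[Tuple[str, str, List[Tuple[str, str, str]]]]:
    """(uuid, purpose, remote bindings) for notable interfaces reachable over the network."""
    hits = []
    for r in records:
        if r.get("uuid") not in NOTABLE:
            continue
        remote = [b for b in r["bindings"] if b[0] in REMOTE_PROTSEQS]
        if remote:
            hits.append((r["uuid"], NOTABLE[r["uuid"]][1], remote))
    return hits

def serveralive2_addresses(target: str) -> List[str]:
    """Live, unauthenticated IOXIDResolver::ServerAlive2 against port 135 (needs Impacket + network)."""
    from impacket.dcerpc.v5 import transport
    from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
    from impacket.dcerpc.v5.dcomrt import IObjectExporter
    rpc = transport.DCERPCTransportFactory(f"ncacn_ip_tcp:{target}").get_dce_rpc()
    rpc.set_auth_level(RPC_C_AUTHN_LEVEL_NONE)
    rpc.connect()
    bindings = IObjectExporter(rpc).ServerAlive2()
    return [b["aNetworkAddr"].rstrip("\x00") for b in bindings]   # hostnames, IPv4 and IPv6

# Constructed rpcdump.py-style output (not captured from a real host).
SAMPLE = r"""Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote
Provider: lsass.exe
UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0
Bindings:
          ncacn_np:\\10.10.10.5[\pipe\lsass]
          ncacn_ip_tcp:10.10.10.5[49667]
          ncalrpc:[lsacap]

Protocol: N/A
Provider: N/A
UUID    : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0
Bindings:
          ncalrpc:[OLEA61B5E]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.10.10.5[49669]
"""

if __name__ == "__main__":
    for uuid, purpose, remote in triage(parse_rpcdump(SAMPLE)):
        print(uuid, purpose, [f"{p}:{a}[{e}]" for p, a, e in remote])
```

Feed real output with `parse_rpcdump(open("rpcdump.txt").read())`; interfaces that appear only with ncalrpc bindings are local attack surface (relevant to the fuzzing sections later on this page), not something you can reach from the network.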
Executing RCE with valid credentials

If the credentials of a valid user are available, it is possible to execute code remotely on a machine with dcomexec.py from the Impacket framework.

Remember to try the different DCOM objects available:
- ShellWindows
- ShellBrowserWindow
- MMC20
Port 593
The rpcdump.exe from rpctools can interact with this port.
Automated Fuzzing of MSRPC Interfaces
MS-RPC interfaces expose a large and often undocumented attack surface. The open-source MS-RPC-Fuzzer PowerShell module builds on James Forshaw's NtObjectManager to dynamically create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists, the module can bombard each procedure with mutated inputs and log the outcome, making reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL.
1. Inventory the interfaces

```powershell
# Import the module (download / git clone first)
Import-Module .\MS-RPC-Fuzzer.psm1
# Parse a single binary
Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output
# Or crawl the whole %SystemRoot%\System32 directory
Get-RpcServerData -OutPath .\output
```

Get-RpcServerData extracts the UUID, version, binding strings (named pipe / TCP / HTTP) and the full procedure prototypes of every interface it encounters and stores them in rpcServerData.json.
2. Run the fuzzer

```powershell
'.\output\rpcServerData.json' |
Invoke-RpcFuzzer -OutPath .\output `
-MinStrLen 100 -MaxStrLen 1000 `
-MinIntSize 9999 -MaxIntSize 99999
```

Relevant options:
- -MinStrLen / -MaxStrLen: length range of the generated strings
- -MinIntSize / -MaxIntSize: range of the mutated integer values (useful for overflow tests)
- -Sorted: execute the procedures in an order that respects parameter dependencies, so the output of one call can be used as the input of the next (this significantly increases the reachable paths)

The fuzzer implements 2 strategies:
- Default fuzzer: random primitive values + default instances for complex types
- Sorted fuzzer: dependency-aware ordering (see docs/Procedure dependency design.md)

Every call is written atomically to log.txt; after a crash, the last lines immediately tell you which procedure caused the problem. The result of every call is also sorted into three JSON files:
- allowed.json: the call succeeded and returned data
- denied.json: the server answered with Access Denied
- error.json: any other error / crash
3. Visualise with Neo4j

```powershell
'.\output\allowed.json' |
Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j
```

Import-DataToNeo4j converts the JSON artefacts into a graph model where:
- RPC servers, interfaces and procedures are nodes
- Interactions (ALLOWED, DENIED, ERROR) are relationships

Cypher queries can then quickly pinpoint dangerous procedures or replay the exact sequence of calls that preceded a crash.

Warning: the fuzzer is destructive. Expect service crashes and even BSODs; always run it inside an isolated VM snapshot.
Automatic Interface Enumeration & Dynamic Client Generation (NtObjectManager)

PowerShell expert James Forshaw exposed most of the Windows RPC internals in the open-source NtObjectManager module. With it you can turn any RPC server DLL / EXE into a fully featured client stub in seconds; no IDL, MIDL or manual unmarshalling is needed.

```powershell
# Install the module once
Install-Module NtObjectManager -Force
# Parse every RPC interface exported by the target binary
$rpcinterfaces = Get-RpcServer "C:\Windows\System32\efssvc.dll"
$rpcinterfaces | Format-Table Name,Uuid,Version,Procedures
# Inspect a single procedure (opnum 0)
$rpcinterfaces[0].Procedures[0] | Format-List *
```

Typical output shows the NDR format-string type of each parameter (for example FC_C_WSTRING, FC_LONG, FC_BIND_CONTEXT), which maps directly onto the MIDL declaration.
Once you know the interface you can generate a C# client that is ready to compile:

```powershell
# Reverse the MS-EFSR (EfsRpc*) interface into C#
Format-RpcClient $rpcinterfaces[0] -Namespace MS_EFSR -OutputPath .\MS_EFSR.cs
```

Inside the generated stub you will see methods such as:

```csharp
public int EfsRpcOpenFileRaw(out Marshal.NdrContextHandle ctx, string FileName, int Flags) {
    // marshals parameters & calls opnum 0
}
```

The PowerShell helper Get-RpcClient can build an interactive client object so you can call the procedure immediately:
```powershell
$client = Get-RpcClient $rpcinterfaces[0]
Connect-RpcClient $client -stringbinding 'ncacn_np:127.0.0.1[\\pipe\\efsrpc]' `
-AuthenticationLevel PacketPrivacy `
-AuthenticationType WinNT # NTLM auth
# Invoke the procedure: returns an authenticated context handle
$ctx = New-Object Marshal.NdrContextHandle
$client.EfsRpcOpenFileRaw([ref]$ctx, "\\127.0.0.1\test", 0)
```

Authentication (Kerberos / NTLM) and protection levels (PacketIntegrity, PacketPrivacy, ...) can be supplied directly through the Connect-RpcClient cmdlet, which is what you need to satisfy the security descriptors that protect high-privilege pipes.
Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)

Static interface knowledge is nice, but what you really want is coverage-guided fuzzing that understands context handles and complex parameter chains. The open-source MS-RPC-Fuzzer project automates exactly that:
- Enumerate every interface/procedure exposed by the target binary (Get-RpcServer).
- Generate dynamic clients for every interface (Format-RpcClient).
- Mutate input parameters (wide-string lengths, integer boundaries, enums) while respecting the original NDR type.
- Track the context handles returned by one call to derive follow-up procedures automatically.
- Issue high-volume calls against the chosen transport (ALPC, TCP, HTTP or named pipe).
- Record exit codes / errors / timeouts and emit a Neo4j import file to visualise interface -> procedure -> parameter relationships and crash clusters.

Example run (named-pipe target):

```powershell
Invoke-MSRPCFuzzer -Pipe "\\.\pipe\efsrpc" -Auth NTLM `
-MinLen 1 -MaxLen 0x400 `
-Iterations 100000 `
-OutDir .\results
```

A single out-of-bounds write or unexpected exception will be surfaced immediately with the exact opnum + fuzzed payload that triggered it, a perfect starting point for a stable proof-of-concept exploit.

Warning: most RPC servers run inside processes that execute as NT AUTHORITY\SYSTEM. Any memory-safety issue here usually translates into local privilege escalation or, when the interface is exposed over SMB/135, remote code execution.
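To make the two fuzzing sections above concrete (the default vs. sorted strategies, the allowed/denied/error split and the context-handle tracking), here is an added Python example. It is not MS-RPC-Fuzzer's code and it does not talk to a real RPC server: the interface metadata is a constructed toy modelled on the EfsRpc* stub shown above, and StubServer is a constructed stand-in that mimics a handle-producing procedure, an Access Denied procedure and a crash on over-long file names, so the whole pipeline runs offline. The dependency ordering implemented here (handle producers before handle consumers) is my reading of the sorted-fuzzer idea, not the project's exact algorithm.

```python
"""Dependency-aware ordering and outcome bucketing for RPC fuzzing. Added example,
not MS-RPC-Fuzzer's code: PROCS and StubServer are constructed stand-ins."""
import json
import random
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

@dataclass
class Param:
    name: str
    ndr_type: str    # NDR format type as NtObjectManager names it: FC_C_WSTRING, FC_LONG, FC_BIND_CONTEXT
    direction: str   # "in" or "out"

@dataclass
class Procedure:
    name: str
    opnum: int
    params: List[Param]

# Constructed interface: OpenFileRaw produces a context handle that ReadFileRaw/CloseRaw consume.
PROCS = [
    Procedure("EfsRpcReadFileRaw", 1, [Param("ctx", "FC_BIND_CONTEXT", "in")]),
    Procedure("EfsRpcOpenFileRaw", 0, [Param("ctx", "FC_BIND_CONTEXT", "out"),
                                       Param("FileName", "FC_C_WSTRING", "in"),
                                       Param("Flags", "FC_LONG", "in")]),
    Procedure("EfsRpcCloseRaw", 3, [Param("ctx", "FC_BIND_CONTEXT", "in")]),
    Procedure("EfsRpcEncryptFileSrv", 4, [Param("FileName", "FC_C_WSTRING", "in")]),
]

def sorted_order(procs: List[Procedure]) -> List[Procedure]:
    """Handle producers ([out] FC_BIND_CONTEXT) first, handle-free procedures next, consumers
    ([in] FC_BIND_CONTEXT) last, so a handle from one call can feed the next; ties by opnum."""
    def tier(p: Procedure) -> int:
        if any(x.ndr_type == "FC_BIND_CONTEXT" and x.direction == "out" for x in p.params):
            return 0
        if any(x.ndr_type == "FC_BIND_CONTEXT" and x.direction == "in" for x in p.params):
            return 2
        return 1
    return sorted(procs, key=lambda p: (tier(p), p.opnum))

def mutate(p: Param, rng: random.Random, min_str: int, max_str: int,
           min_int: int, max_int: int, handles: List[str]) -> Any:
    """Random value for one [in] parameter that respects its NDR type (the default-fuzzer idea)."""
    if p.ndr_type == "FC_C_WSTRING":
        return "".join(rng.choice("A\\:.%$") for _ in range(rng.randint(min_str, max_str)))
    if p.ndr_type == "FC_LONG":
        return rng.randint(min_int, max_int)
    if p.ndr_type == "FC_BIND_CONTEXT":
        return handles[-1] if handles else None   # reuse the most recent handle, if any
    raise NotImplementedError(p.ndr_type)

class StubServer:
    """Constructed stand-in for the RPC server: opnum 0 hands out a handle but 'crashes' on
    names longer than 512 chars, opnum 4 always denies, consumers fail without a handle."""
    def __init__(self) -> None:
        self.next_id = 1
    def call(self, proc: Procedure, args: Dict[str, Any]) -> Optional[str]:
        if proc.opnum == 4:
            raise PermissionError("Access Denied")
        if proc.opnum == 0:
            if len(args["FileName"]) > 512:
                raise RuntimeError("0xC0000005 (access violation)")
            handle, self.next_id = f"ctx-{self.next_id}", self.next_id + 1
            return handle
        if args.get("ctx") is None:
            raise ValueError("invalid context handle")
        return None

def fuzz(procs: List[Procedure], server: StubServer, iterations: int, seed: int = 1,
         min_str: int = 100, max_str: int = 1000, min_int: int = 9999, max_int: int = 99999
         ) -> Tuple[Dict[str, List[dict]], List[str]]:
    """Run the sorted sequence `iterations` times; bucket every call like allowed/denied/error.json
    and keep one JSON log line per call (after a crash the last line names the culprit)."""
    rng = random.Random(seed)
    buckets: Dict[str, List[dict]] = {"allowed": [], "denied": [], "error": []}
    log: List[str] = []
    handles: List[str] = []
    for _ in range(iterations):
        for proc in sorted_order(procs):
            args = {x.name: mutate(x, rng, min_str, max_str, min_int, max_int, handles)
                    for x in proc.params if x.direction == "in"}
            rec = {"procedure": proc.name, "opnum": proc.opnum, "args": args}
            log.append(json.dumps(rec))            # logged before the call so it survives a crash
            try:
                out = server.call(proc, args)
                if out is not None:
                    handles.append(out)            # context handle feeds the later consumers
                buckets["allowed"].append(rec)
            except PermissionError:
                buckets["denied"].append(rec)
            except Exception as exc:               # anything else is error.json material
                buckets["error"].append({**rec, "error": str(exc)})
    return buckets, log

def first_crash(buckets: Dict[str, List[dict]]) -> Optional[dict]:
    """The first error record: opnum + fuzzed payload to start reproducing from."""
    return buckets["error"][0] if buckets["error"] else None

if __name__ == "__main__":
    results, lines = fuzz(PROCS, StubServer(), iterations=20)
    print({k: len(v) for k, v in results.items()}, first_crash(results))
```

The ordering is what lets the consumers ever succeed: run ReadFileRaw before any OpenFileRaw has returned a handle and every call lands in the error bucket for the uninteresting reason "invalid handle", which is the noise the sorted strategy removes.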
References
- Automating MS-RPC vulnerability research (2025, Incendium.rocks)
- MS-RPC-Fuzzer (GitHub): context-aware RPC fuzzer
- NtObjectManager PowerShell module
- https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/
- https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/
- https://0xffsec.com/handbook/services/msrpc/