07 Apr, 2023

Microsoft Firewall Service Real-time Monitoring (MS-FSRVP)


The MS-FSRVP protocol stands for Microsoft Forefront Threat Management Gateway (TMG) Firewall Service Real-time Monitoring Protocol. It enables the Forefront TMG firewall to communicate with the Forefront TMG Firewall Service in real time, providing real-time monitoring and reporting capabilities that help administrators identify and respond to potential security threats. The protocol is used to protect networks and data by monitoring traffic and raising alerts when suspicious activity is detected.

MS-FSRVP common ports

TCP port 80 – This port is used for HTTP traffic and is commonly used for web browsing. It is used by the Forefront TMG Firewall Service to communicate with the Forefront TMG firewall.

TCP port 135 – This port is used for the Remote Procedure Call (RPC) protocol, which is a method of communication between processes on different systems. It is used by the Forefront TMG Firewall Service to communicate with the Forefront TMG firewall.

TCP port 443 – This port is used for HTTPS traffic and is commonly used for secure web browsing. It is used by the Forefront TMG Firewall Service to communicate with the Forefront TMG firewall.

TCP port 1745 – This port is used for the Remote Winsock protocol, which is a protocol that allows programs to communicate with network services. It is used by the Forefront TMG Firewall Service to communicate with the Forefront TMG firewall.

TCP port 2869 – This port is used for the Simple Service Discovery Protocol (SSDP), which is a protocol that allows devices to discover each other on a network. It is used by the Forefront TMG Firewall Service to communicate with the Forefront TMG firewall.

TCP port 5357 – This port is used for the Web Services for Devices (WSD) protocol, which is a protocol that allows devices to communicate with each other over a network. It is used by the Forefront TMG Firewall Service to communicate with the Forefront TMG firewall.

TCP port 6004 – This port is used for the Remote Procedure Call (RPC) protocol over HTTP, which is a method of communication between processes on different systems over HTTP. It is used by the Forefront TMG Firewall Service to communicate with the Forefront TMG firewall.

Tools for using the MS-FSRVP protocol

Manual Tools:

  1. Wireshark: A network protocol analyzer that allows you to capture and analyze network traffic to troubleshoot issues and detect anomalies.

  2. Fiddler: A web debugging proxy tool that captures HTTP and HTTPS traffic, allowing you to inspect and modify incoming and outgoing data.

  3. Netcat: A command-line utility that can be used as a TCP/IP server or client, allowing you to establish network connections and send/receive data.

  4. Telnet: A protocol used to remotely access computers over a network, allowing you to test connectivity and communication with MS-FSRVP.

  5. PuTTY: A free and open-source terminal emulator that allows you to establish secure shell (SSH) connections to remote servers, including MS-FSRVP.

  6. Nmap: A powerful network exploration and security auditing tool that allows you to scan and map network hosts and services.

  7. Tcpdump: A command-line packet analyzer that captures and displays network traffic, allowing you to troubleshoot network issues and analyze protocol behavior.

  8. OpenSSL: A robust, full-featured open-source toolkit that implements SSL/TLS protocols, allowing you to test encryption and decryption of SSL/TLS connections.

  9. Metasploit: A powerful penetration testing framework that can be used to test the security of MS-FSRVP and other network services.

  10. Burp Suite: A web application security testing tool that allows you to intercept, analyze, and modify HTTP/S traffic between a browser and the server.

Automated Tools:

  1. Nessus: A vulnerability scanner that can identify security flaws in MS-FSRVP and other network services, providing detailed reports and remediation advice.

  2. OpenVAS: An open-source vulnerability scanner that can detect security vulnerabilities in MS-FSRVP and other network services.

  3. Nikto: A web server scanner that can identify potential security vulnerabilities in MS-FSRVP and other web servers.

  4. OWASP ZAP: An open-source web application security testing tool that can be used to scan and test MS-FSRVP and other web services.

  5. Hydra: A password cracking tool that can be used to test the strength of user passwords on MS-FSRVP and other network services.

  6. THC-Hydra: A parallelized login cracker that can be used to brute-force authentication credentials on MS-FSRVP and other network services.

  7. Wfuzz: A web application fuzzer that can be used to test the security of MS-FSRVP and other web services by fuzzing the HTTP protocol.

  8. sqlmap: A powerful SQL injection testing tool that can detect and exploit vulnerabilities in MS-FSRVP and other web applications.

  9. Selenium: An open-source web application testing tool that can automate browser actions and perform functional and regression testing on MS-FSRVP and other web applications.

  10. Robot Framework: An open-source test automation framework that supports keyword-driven testing and can be used to automate functional and acceptance testing on MS-FSRVP and other applications.

Browser Plugins:

  1. Wappalyzer: A browser extension that can identify the technologies used by a website, including web servers, content management systems, and programming languages.

  2. Web Developer: A browser extension that provides a wide range of tools for web developers, including inspection of HTML/CSS/JS, performance analysis,

Useful information

– MS-FSRVP is a Microsoft protocol that was introduced with Windows Server 2008.

– MS-FSRVP allows backup applications to create and manage shadow copies of remote file shares on file servers.

– The protocol uses Remote Procedure Call (RPC) and is built on top of the Distributed Component Object Model (DCOM) protocol.

– MS-FSRVP supports both synchronous and asynchronous backup operations.

– The protocol allows backup applications to perform granular backups of specific files and folders within a file share.

– MS-FSRVP provides a means to coordinate the creation of shadow copies of remote file shares between the backup application and the file server.

– The protocol supports incremental backups, allowing backup applications to back up only the files that have changed since the last backup.

– MS-FSRVP provides a mechanism for backup applications to query the file server to determine the availability of shadow copies for a particular file share.

– The protocol also supports restore operations, allowing backup applications to restore files and folders from shadow copies of remote file shares.

– MS-FSRVP is typically used in conjunction with other backup and restore technologies, such as Volume Shadow Copy Service (VSS) and the Microsoft iSCSI Software Target.

Known banners

RPC Endpoint Mapper listening on port 135. RpcSs ServicePrincipalName: HOST/{hostname} UUID: a8e0653c-2744-4389-a61d-7373df8b2292, Protocol: ncacn_np, Endpoint: \pipe\FssagentRpc: This banner indicates that the RPC Endpoint Mapper is listening on port 135, and that the MS-FSRVP protocol is available on the system.

RPC Endpoint Mapper listening on port 135. RpcSs ServicePrincipalName: HOST/{hostname} UUID: a8e0653c-2744-4389-a61d-7373df8b2292, Protocol: ncacn_ip_tcp, Endpoint: {ip_address}:49152: This banner indicates that the MS-FSRVP protocol is available on the system, and is accessible over TCP/IP on port 49152.

RPC Endpoint Mapper listening on port 135. RpcSs ServicePrincipalName: HOST/{hostname} UUID: a8e0653c-2744-4389-a61d-7373df8b2292, Protocol: ncacn_np, Endpoint: \pipe\FssAgentControl: This banner indicates that the MS-FSRVP protocol is available on the system, and that the FssAgentControl endpoint is available for controlling the service.

RPC Endpoint Mapper listening on port 135. RpcSs ServicePrincipalName: HOST/{hostname} UUID: a8e0653c-2744-4389-a61d-7373df8b2292, Protocol: ncacn_ip_tcp, Endpoint: {ip_address}:49154: This banner indicates that the MS-FSRVP protocol is available on the system, and is accessible over TCP/IP on port 49154.
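As an added example (not code from the original page), the following Python parser reads endpoint-mapper banners like the ones above and reports which transports the MS-FSRVP interface UUID is registered on, so that named-pipe endpoints (reached over SMB) can be distinguished from direct TCP endpoints on the dynamic port range that a firewall review should cover; the sample lines, hostname and IP address are constructed.

```python
import re

# MS-FSRVP interface UUID as quoted in the banners above.
FSRVP_UUID = "a8e0653c-2744-4389-a61d-7373df8b2292"

# Constructed sample lines modelled on the "Known banners" above (hostname, IP and the
# foreign UUID in the third line are made up).
SAMPLE_BANNERS = [
    "RPC Endpoint Mapper listening on port 135. RpcSs ServicePrincipalName: HOST/FS01 "
    "UUID: A8E0653C-2744-4389-A61D-7373DF8B2292, Protocol: ncacn_np, Endpoint: \\pipe\\FssagentRpc",
    "RPC Endpoint Mapper listening on port 135. RpcSs ServicePrincipalName: HOST/FS01 "
    "UUID: a8e0653c-2744-4389-a61d-7373df8b2292, Protocol: ncacn_ip_tcp, Endpoint: 10.0.0.5:49152",
    "RPC Endpoint Mapper listening on port 135. RpcSs ServicePrincipalName: HOST/FS01 "
    "UUID: 00000000-1111-2222-3333-444444444444, Protocol: ncacn_ip_tcp, Endpoint: 10.0.0.5:49160",
    "some unrelated log line that does not match",
]

BANNER_RE = re.compile(
    r"UUID:\s*(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}),\s*"
    r"Protocol:\s*(?P<proto>ncacn_\w+),\s*"
    r"Endpoint:\s*(?P<endpoint>[^\s:]+(?::\d+)?)"  # \pipe\Name or ip:port
)


def parse_banner(line):
    """Return {'uuid', 'proto', 'endpoint'} for one banner line, or None if it does not match."""
    m = BANNER_RE.search(line)
    if not m:
        return None
    return {"uuid": m["uuid"].lower(), "proto": m["proto"], "endpoint": m["endpoint"]}


def fsrvp_exposure(lines):
    """Group MS-FSRVP endpoint registrations by transport; other interface UUIDs are ignored."""
    report = {"present": False, "named_pipes": [], "tcp_endpoints": [], "other": []}
    for line in lines:
        rec = parse_banner(line)
        if rec is None or rec["uuid"] != FSRVP_UUID:
            continue  # not an MS-FSRVP registration
        report["present"] = True
        if rec["proto"] == "ncacn_np":
            report["named_pipes"].append(rec["endpoint"])
        elif rec["proto"] == "ncacn_ip_tcp":
            report["tcp_endpoints"].append(rec["endpoint"])
        else:
            report["other"].append((rec["proto"], rec["endpoint"]))
    return report


if __name__ == "__main__":
    r = fsrvp_exposure(SAMPLE_BANNERS)
    print("MS-FSRVP registered:", r["present"])
    print("named-pipe endpoints (reached via SMB):", r["named_pipes"])
    print("direct TCP endpoints (review firewall rules):", r["tcp_endpoints"])
```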

Books for studying MS-FSRVP

“Windows Internals, Part 2: Covering Windows Server 2008 R2 and Windows 7” by Mark Russinovich, David Solomon, and Alex Ionescu. This book provides an in-depth look at the inner workings of Windows, including coverage of MS-FSRVP and other file system-related protocols.

“Windows Server 2012 Inside Out” by William R. Stanek. This book covers all aspects of Windows Server 2012, including MS-FSRVP and other file server-related topics.

“Windows Server 2016 Bible” by Jeffrey R. Shapiro, Jim Boyce, and John McCabe. This book provides comprehensive coverage of Windows Server 2016, including MS-FSRVP and other file server-related topics.

“Mastering Windows Server 2016” by Jordan Krause. This book covers advanced topics related to Windows Server 2016, including MS-FSRVP and other file server-related protocols.

“Windows Server 2019 Inside Out” by Orin Thomas. This book provides an in-depth look at Windows Server 2019, including coverage of MS-FSRVP and other file server-related protocols.

List of payloads for MS-FSRVP

  • CREATE_SHADOW_COPY_REQUEST – This payload is used to request the creation of a shadow copy of a file share on a remote file server.

  • ADD_VOLUME_TO_SHADOW_COPY_SET_REQUEST – This payload is used to add a volume to a shadow copy set.

  • REMOVE_VOLUME_FROM_SHADOW_COPY_SET_REQUEST – This payload is used to remove a volume from a shadow copy set.

  • QUERY_SHADOW_COPY_SET_REQUEST – This payload is used to query the status of a shadow copy set.

  • EXPOSE_SHADOW_COPY_REQUEST – This payload is used to expose a shadow copy as a read-only file share.

  • RETRIEVE_VERSIONS_REQUEST – This payload is used to retrieve previous versions of files from a shadow copy.

  • DELETE_SHADOW_COPY_REQUEST – This payload is used to delete a shadow copy.

Mitigation

  1. Limit access to the Microsoft Firewall Service Real-time Monitoring feature to only those users who need it. This can be done by using access control lists (ACLs) or group policies to restrict access to the feature.

  2. Monitor the logs generated by the Microsoft Firewall Service Real-time Monitoring feature for any unusual activity or traffic patterns that could indicate a potential security breach. This can be done through the use of security information and event management (SIEM) tools.

  3. Ensure that all software associated with the Microsoft Firewall Service Real-time Monitoring feature is up to date with the latest security patches. This includes both the operating system and any applications that use the feature.

  4. To protect sensitive data transmitted over the network, consider using encryption to ensure that data is not intercepted or manipulated in transit.

  5. Use strong authentication methods such as Kerberos or SSL/TLS to ensure that only authorized users can access the Microsoft Firewall Service Real-time Monitoring feature.

  6. Disable any features of the Microsoft Firewall Service Real-time Monitoring that are not needed to reduce the attack surface.

Conclusion

MS-FSRVP is a protocol used for backup and restore operations on Windows file shares. It is an important component of the Windows file sharing system, and allows administrators to perform backups and restores of files and directories on remote file servers using standard backup tools. While MS-FSRVP is a legitimate protocol, it is important to use it only for its intended purposes and to follow ethical and legal practices when using it. By understanding the role of MS-FSRVP in the Windows file system, administrators and security professionals can ensure the security and integrity of their file sharing operations.
