07 Apr, 2023

Microsoft Remote Procedure Call (MS-RPC)

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

The MS-RPC (Microsoft Remote Procedure Call) protocol is a proprietary protocol developed by Microsoft for communication between software applications running on different devices in a networked environment.
MS-RPC based on DCE/RPC. Often works with SMB, so this data can be useful while attacking SMB.

MS-RPC common ports

Port 135: This is the well-known port used by MS-RPC endpoint mapper service to provide mapping to dynamic ports used by other services.

Dynamic ports: MS-RPC services use dynamic ports, which means that the ports are allocated by the endpoint mapper service on an as-needed basis. The range of dynamic ports used by MS-RPC is 49152 to 65535.

Some of the common MS-RPC services and their associated ports are:

Remote Procedure Call (RPC) Service: Port 135

Distributed File System (DFS): Port 445

Print Spooler Service: Port 135, 139, 445

Active Directory: Port 389, 636 (for SSL)

Windows Management Instrumentation (WMI): Port 135, dynamic ports

Remote Desktop Protocol (RDP): Port 3389

Standard  commands from unauthorised

rpcclient 46.163.74.38

Recon or Non Standard command

rpcinfo -p 46.163.74.38 (Detect what RPC’s are running)

nmap -sV <target> (rpcinfo called)

Null session connection

rpcclient -U “” 46.163.74.38 <enter without input>

Connection with enumeration

https://github.com/SecureAuthCorp/impacket/blob/master/examples/rpcdump.py (not tested)

Enumerating RPC interfaces by using rpcdump – rpcdump 46.163.74.38 -v

nmap <target> –script=msrpc-enum

enum4linux.pl -a 46.163.74.38

OR

rpcclient -U “” 46.163.74.38 –command=<command>

Commands: enumprivs, srvinfo, netshareenumall, netsharegetinfo <netname from netshareenumall>, netfileenum, netsessenum, netdiskenum, netconnenum, enumdomusers, enumdomgroups, enumdomains, enumtrust

https://github.com/p33kab00/dcerpc-pipe-scan

Tools for using protocol MS-RPC

Manual Tools:

  • RPCPing: A Microsoft tool used for testing RPC connectivity and identifying problems. It sends an RPC packet to the target server and waits for a response.

  • PortQry: Another Microsoft tool that can be used to check if specific RPC services are listening on a specific port on a target system.

  • RPCDump: A tool used to capture and analyze network traffic between an RPC client and server. It can help identify issues with RPC calls and can be used for troubleshooting.

  • RPCCrack: A tool used to brute force passwords for RPC services. It can be used for testing the security of RPC services by attempting to crack passwords.

  • RPCEcho: A tool that sends a basic RPC message to a target server and checks for a response. It can be used to test RPC connectivity and identify issues.

  • WinRPC Checker: A tool used to check the configuration of RPC services on a target system. It can be used to verify that RPC services are properly configured and secured.

  • Impacket: A Python library used for crafting and sending packets on the network. It can be used to create custom RPC packets for testing purposes.

  • Metasploit Framework: A popular penetration testing tool that includes modules for testing RPC services. It can be used to test for vulnerabilities and exploit them if found.

Automated Tools:

  • Nmap: A popular network scanning tool that includes RPC scanning capabilities. It can be used to identify RPC services and their associated ports on a target system.

  • OpenVAS: An open-source vulnerability scanning tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services and provide recommendations for remediation.

  • Qualys: A cloud-based vulnerability scanning tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services and provide recommendations for remediation.

  • Nessus: Another popular vulnerability scanning tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services and provide recommendations for remediation.

  • Retina CS: A vulnerability scanning tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services and provide recommendations for remediation.

  • Rapid7: A vulnerability management tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services and provide recommendations for remediation.

  • Burp Suite: A popular web application testing tool that includes modules for testing RPC services. It can be used to test the security of RPC services running on web applications.

  • ZAP: Another popular web application testing tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services running on web applications.

  • Acunetix: A web application testing tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services running on web applications.

  • AppSpider: A web application testing tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services running on web applications.

  • Nexpose: A vulnerability scanning tool that includes modules for testing RPC services. It can be used to identify vulnerabilities in RPC services and provide recommendations for remediation.

  • Core Impact: A commercial penetration testing tool that includes modules for testing RPC services. It can be used to test for vulnerabilities and exploit them if found.

All known CVE for MS-RPC

• CVE-2017-10608: Any Juniper Networks SRX series device with one or more ALGs enabled may experience a flowd crash when traffic is processed by the Sun/MS-RPC ALGs. This vulnerability in the Sun/MS-RPC ALG services component of Junos OS allows an attacker to cause a repeated denial of service against the target. Repeated traffic in a cluster may cause repeated flip-flop failure operations or full failure to the flowd daemon halting traffic on all nodes. Only IPv6 traffic is affected by this issue. IPv4 traffic is unaffected. This issues is not seen with to-host traffic. This issue has no relation with HA services themselves, only the ALG service. No other Juniper Networks products or platforms are affected by this issue. Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D55 on SRX; 12.1X47 prior to 12.1X47-D45 on SRX; 12.3X48 prior to 12.3X48-D32, 12.3X48-D35 on SRX; 15.1X49 prior to 15.1X49-D60 on SRX. 

• CVE-2007-4044: ** REJECT ** The MS-RPC functionality in smbd in Samba 3 on SUSE Linux before 20070720 does not include “one character in the shell escape handling.” NOTE: this issue was originally characterized as a shell metacharacter issue due to an incomplete fix for CVE-2007-2447, which was interpreted by CVE to be security relevant. However, SUSE and Red Hat have disputed the problem, stating that the only impact is that scripts will not be executed if they have a “c” in their name, but even this limitation might not exist. This does not have security implications, so should not be included in CVE. 

• CVE-2007-2447: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the “username map script” smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management. 

• CVE-2007-2446: Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names). 

Useful information

– MS-RPC (Microsoft Remote Procedure Call) is a protocol used by Windows operating systems to allow programs to make requests and receive responses from other programs over a network.

– MS-RPC uses a client-server architecture, where a client program sends a request to a server program, which processes the request and sends a response back to the client.

– MS-RPC supports a wide range of services, including file and printer sharing, remote registry access, and remote procedure call services for various Windows services.

– MS-RPC uses port 135 by default, but can also use dynamic ports above 1024.

– MS-RPC uses a unique identifier (UUID) to identify each service, and a network address translator (NAT) can map the UUID to a specific port number.

– MS-RPC can be vulnerable to a range of attacks, including denial of service (DoS) attacks, buffer overflows, and man-in-the-middle (MITM) attacks.

– Some common tools for testing and exploiting MS-RPC vulnerabilities include Metasploit, rpcclient, and Responder.

– In order to mitigate MS-RPC vulnerabilities, it is recommended to use firewalls to block traffic on port 135 and to ensure that all Windows systems are kept up to date with the latest security patches.

– Windows systems can also be configured to use a restricted set of services that are allowed to use MS-RPC, which can help to reduce the attack surface.

– Additionally, administrators can use network security monitoring tools to detect and block MS-RPC traffic that is not authorized or that is indicative of an attack.

Books for studies the Microsoft Remote Procedure Call (MS-RPC)

“Microsoft RPC Programming Guide” by Marco Haverkorn: This book provides a comprehensive guide to MS-RPC programming, including how to use the API, how to build distributed applications, and how to troubleshoot common problems.

“Windows NT/2000 Native API Reference” by Gary Nebbett: This book includes detailed information about the Native API, which includes the MS-RPC implementation.

“Inside Windows Debugging” by Tarik Soulami: This book covers advanced debugging techniques for Windows, including MS-RPC debugging.

“The Windows 2000 Device Driver Book: A Guide for Programmers” by Art Baker and Jerry Lozano: This book provides an overview of Windows 2000 device drivers, including how to use MS-RPC for communication between drivers.

“Windows Internals, Part 2 (6th Edition)” by Mark Russinovich, David Solomon, and Alex Ionescu: This book covers the internal workings of Windows, including MS-RPC.

“Windows Network Programming” by Richard Blum: This book provides a detailed look at Windows network programming, including MS-RPC.

“Windows NT File System Internals” by Rajeev Nagar: This book covers the Windows NT file system, including how MS-RPC is used for communication between file system components.

“Windows System Programming, Fourth Edition” by Johnson M. Hart: This book covers Windows system programming, including MS-RPC.

“Windows Forensic Analysis Toolkit, Fourth Edition: Advanced Analysis Techniques for Windows 8” by Harlan Carvey: This book covers advanced Windows forensic analysis techniques, including how to use MS-RPC for remote procedure calls during investigations.

“Programming Windows Security” by Keith Brown: This book covers Windows security programming, including how MS-RPC can be used for authentication and access control.

List of Payload for the Microsoft Remote Procedure Call (MS-RPC)

  • Remote Procedure Call (RPC) service: The payload for RPC service can include parameters such as the interface ID, operation ID, and data to be transmitted.

  • Distributed File System (DFS): The payload for DFS includes information about the file or directory being accessed, such as the path, file handle, and access permissions.

  • Print Spooler Service: The payload for print spooler service includes data about the print job, such as the job ID, printer name, and print data.

  • Active Directory: The payload for Active Directory can include requests to create, modify, or delete objects, as well as queries for information about objects and their attributes.

  • Windows Management Instrumentation (WMI): The payload for WMI includes queries and commands to retrieve or modify system information, such as hardware configuration, system performance, and event logs.

  • Remote Desktop Protocol (RDP): The payload for RDP includes data such as keyboard and mouse input, audio and video streams, and clipboard contents, which are transmitted between the client and server during remote desktop sessions.

Mitigation

  1. Keep systems updated: Ensure that all systems running MS-RPC are updated with the latest security patches from the vendor.

  2. Implement firewall rules: Use firewalls to block traffic to and from ports associated with MS-RPC that are not required for business purposes.

  3. Implement access controls: Restrict access to MS-RPC services to only those users who need it to perform their job duties.

  4. Disable unnecessary services: Disable any unnecessary MS-RPC services running on systems to reduce the attack surface.

  5. Use network segmentation: Segment networks to limit the exposure of MS-RPC services to only the systems that require them.

  6. Implement strong authentication: Use strong authentication methods such as multi-factor authentication to prevent unauthorized access to MS-RPC services.

  7. Monitor system logs: Regularly monitor system logs for any signs of suspicious activity, such as failed login attempts or unauthorized access attempts.

  8. Use intrusion detection systems: Use intrusion detection systems to detect and alert on any attempts to exploit MS-RPC vulnerabilities.

  9. Perform regular security assessments: Regularly perform security assessments to identify and remediate any vulnerabilities in the MS-RPC implementation.

Conclusion

MS-RPC is a widely used protocol for remote procedure calls in Microsoft Windows environments. While it provides a convenient way for software applications to communicate over a network, it also has a history of vulnerabilities that can be exploited by attackers. To mitigate these vulnerabilities, organizations can take steps such as keeping systems updated, implementing access controls, using network segmentation, and performing regular security assessments. By implementing these measures, organizations can reduce the risk of attacks targeting MS-RPC and help ensure the security of their systems and data.

Other Services

Ready to secure?

Let's get in touch