135, 593 - Pentesting MSRPC - HackTricks
Basic Information
Microsoft Remote Procedure Call (MSRPC), also known as a function call or a subroutine call, is a protocol
that uses the client-server model to let one program request a service from a program on another
computer without needing to understand the details of that computer's network. MSRPC was originally
derived from open-source software but has since been developed further and copyrighted by Microsoft.
Depending on the host configuration, the RPC endpoint mapper can be accessed through TCP
and UDP port 135, via SMB with a null or authenticated session (TCP 139 and 445), and as a web
service listening on TCP port 593.
https://book.hacktricks.xyz/network-services-pentesting/135-pentesting-msrpc 1/5
4/20/23, 1:30 PM 135, 593 - Pentesting MSRPC - HackTricks
The client stub then calls functions in the RPC client runtime library to send the request and
parameters to the server. If the server is located remotely, the runtime library specifies an
appropriate transport protocol and engine and passes the RPC to the network stack for transport
to the server.
From here: https://www.extrahop.com/resources/protocols/msrpc/
You can query the RPC locator service and individual RPC endpoints to catalog interesting
services running over TCP, UDP, HTTP, and SMB (via named pipes). Each IFID value gathered
You can access the RPC locator service by using four protocol sequences:
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
rpcdump.py <IP> -p 135
Note that, of the options listed, all except tcp_dcerpc_auditor can only be run against MSRPC on
port 135.
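As an added example (not code from the HackTricks page, from Metasploit or from Impacket), here is a small Python parser that turns rpcdump.py-style output into the kind of catalog described above: one record per string binding, grouped by transport so you can see which interface UUIDs are reachable over TCP, UDP, HTTP or SMB named pipes. The protocol-sequence names (ncacn_ip_tcp, ncadg_ip_udp, ncacn_http, ncacn_np, ncalrpc) are the standard DCE/RPC ones from MS-RPCE, which the page refers to but does not list; the sample output, the UUIDs, the host name DC01 and the address 192.0.2.10 are constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Standard DCE/RPC protocol sequence names and the transport each one rides on.
# The names are Microsoft's (MS-RPCE); the page refers to them but does not list them.
TRANSPORT = {
    "ncacn_ip_tcp": "tcp",            # TCP, usually a dynamic high port
    "ncadg_ip_udp": "udp",            # connectionless datagram RPC over UDP
    "ncacn_http": "http",             # RPC over HTTP (e.g. TCP 593)
    "ncacn_np": "smb-named-pipe",     # named pipe over SMB (TCP 139/445)
    "ncalrpc": "local-only",          # local RPC, not reachable from the network
}

UUID_RE = re.compile(
    r"^UUID\s*:\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\s+v([\d.]+)"
)
# protseq:address[endpoint], e.g. ncacn_ip_tcp:192.0.2.10[49664]
BINDING_RE = re.compile(r"^\s*(nca[a-z_]+):(.*)\[(.*)\]\s*$")


@dataclass(frozen=True)
class Endpoint:
    uuid: str
    version: str
    protseq: str
    address: str
    endpoint: str


def parse_rpcdump(text: str) -> list:
    """Parse rpcdump.py-style output into one Endpoint per string binding."""
    endpoints = []
    uuid = version = None
    for line in text.splitlines():
        m = UUID_RE.match(line)
        if m:
            uuid, version = m.group(1).upper(), m.group(2)
            continue
        m = BINDING_RE.match(line)
        if m and uuid is not None:
            protseq, address, endpoint = m.groups()
            endpoints.append(Endpoint(uuid, version, protseq, address, endpoint))
    return endpoints


def exposure_by_transport(endpoints) -> dict:
    """Group bindings by transport so each group can be checked against firewall policy."""
    groups = defaultdict(list)
    for ep in endpoints:
        groups[TRANSPORT.get(ep.protseq, "unknown")].append(ep)
    return dict(groups)


def interfaces_reachable_without_smb(endpoints) -> list:
    """Interface UUIDs still reachable when TCP 139/445 are blocked (TCP, UDP or HTTP bindings)."""
    return sorted({ep.uuid for ep in endpoints
                   if TRANSPORT.get(ep.protseq) in ("tcp", "udp", "http")})


# Constructed sample in the shape of rpcdump.py output; the UUIDs, the host DC01 and the
# address 192.0.2.10 (TEST-NET-1) are placeholders, not values from any real host.
SAMPLE_RPCDUMP_OUTPUT = r"""Protocol: N/A
Provider: example_a.dll
UUID    : 11111111-1111-1111-1111-111111111111 v1.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49664]
          ncacn_np:\\DC01[\pipe\lsass]

Protocol: N/A
Provider: example_b.dll
UUID    : 22222222-2222-2222-2222-222222222222 v2.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49668]
          ncacn_http:192.0.2.10[593]
          ncadg_ip_udp:192.0.2.10[1234]
          ncalrpc:[OLE_LOCAL_ONLY]
"""

if __name__ == "__main__":
    eps = parse_rpcdump(SAMPLE_RPCDUMP_OUTPUT)
    for transport, group in sorted(exposure_by_transport(eps).items()):
        print(f"{transport}: {len(group)} binding(s)")
        for ep in group:
            print(f"  {ep.uuid} v{ep.version}  {ep.protseq}:{ep.address}[{ep.endpoint}]")
    print("reachable without SMB:", interfaces_reachable_without_smb(eps))
```

Grouping by transport is the useful part for a defender: blocking 139/445 at a network boundary removes only the named-pipe bindings, while anything in the tcp, udp or http buckets stays reachable through the endpoint mapper on 135 (or RPC over HTTP on 593) unless those ports and the dynamic RPC port range are filtered as well.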
Identifying IP addresses
This method has been used to obtain interface information, such as an IPv6 address, from the HTB box APT.
See 0xdf's APT writeup, which includes an alternative method using rpcmap.py from Impacket
with stringbinding (see above).
References:
https://airbus-cyber-security.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/
https://airbus-cyber-security.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/
Port 593
The rpcdump.exe from rpctools can interact with this port.