maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/135-pentesting-msrpc.md'] t

Browse Source
This commit is contained in:
Translator 2025-07-16 20:09:57 +00:00
parent 77d91b58d4
commit 143b7f9b26
1 changed files with 82 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
src/network-services-pentesting/135-pentesting-msrpc.md
View File

@ -4,7 +4,7 @@
## Basic Information
Protokali ya Microsoft Remote Procedure Call (MSRPC), mfano wa mteja-server unaowezesha programu kuomba huduma kutoka kwa programu iliyoko kwenye kompyuta nyingine bila kuelewa maelezo ya mtandao, ilitokana awali na programu za chanzo wazi na baadaye ikakuzwa na kupewa hakimiliki na Microsoft.
Protokali ya Microsoft Remote Procedure Call (MSRPC), mfano wa mteja-server unaowezesha programu kuomba huduma kutoka kwa programu iliyoko kwenye kompyuta nyingine bila kuelewa maelezo ya mtandao, ilitokana awali na programu za chanzo wazi na baadaye kuendelezwa na kupewa hakimiliki na Microsoft.
Mchoro wa mwisho wa RPC unaweza kufikiwa kupitia bandari ya TCP na UDP 135, SMB kwenye TCP 139 na 445 (ikiwa na kikao kisicho na thamani au kilichothibitishwa), na kama huduma ya wavuti kwenye bandari ya TCP 593.
```
@ -12,13 +12,13 @@ Mchoro wa mwisho wa RPC unaweza kufikiwa kupitia bandari ya TCP na UDP 135, SMB
```
## Jinsi MSRPC inavyofanya kazi?
Iliyanzishwa na programu ya mteja, mchakato wa MSRPC unahusisha kuita utaratibu wa stub wa ndani ambao kisha unashirikiana na maktaba ya wakati wa mteja kuandaa na kupeleka ombi kwa seva. Hii inajumuisha kubadilisha vigezo kuwa katika muundo wa kawaida wa Uwakilishi wa Takwimu za Mtandao. Chaguo la itifaki ya usafirishaji linatolewa na maktaba ya wakati wa ikiwa seva iko mbali, kuhakikisha kuwa RPC inatumwa kupitia safu ya mtandao.
Iliyanzishwa na programu ya mteja, mchakato wa MSRPC unahusisha kuita utaratibu wa stub wa ndani ambao kisha unashirikiana na maktaba ya wakati wa mteja ili kuandaa na kupeleka ombi kwa seva. Hii inajumuisha kubadilisha vigezo kuwa katika muundo wa kawaida wa Uwakilishi wa Takwimu za Mtandao. Chaguo la itifaki ya usafirishaji linatolewa na maktaba ya wakati wa ikiwa seva iko mbali, kuhakikisha kuwa RPC inatumwa kupitia safu ya mtandao.
![https://0xffsec.com/handbook/images/msrpc.png](https://0xffsec.com/handbook/images/msrpc.png)
## **Kutambua Huduma za RPC Zilizofichuliwa**
Ufunuo wa huduma za RPC kupitia TCP, UDP, HTTP, na SMB unaweza kubainishwa kwa kuuliza huduma ya mlocator ya RPC na mwisho mmoja mmoja. Zana kama rpcdump husaidia katika kutambua huduma za RPC za kipekee, zinazoonyeshwa na thamani za **IFID**, zikifunua maelezo ya huduma na viunganisho vya mawasiliano:
Ufunuo wa huduma za RPC kupitia TCP, UDP, HTTP, na SMB unaweza kubainishwa kwa kuuliza huduma ya mlocator ya RPC na mwisho mmoja binafsi. Zana kama rpcdump husaidia katika kutambua huduma za RPC za kipekee, zinazotambulishwa na thamani za **IFID**, zikifunua maelezo ya huduma na viunganisho vya mawasiliano:
```
D:\rpctools> rpcdump [-p port] <IP>
**IFID**: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
@ -40,28 +40,28 @@ All options except `tcp_dcerpc_auditor` are specifically designed for targeting
- **IFID**: 12345778-1234-abcd-ef00-0123456789ab
- **Named Pipe**: `\pipe\lsarpc`
- **Description**: Kiolesura cha LSA, kinachotumika kuorodhesha watumiaji.
- **Description**: Kiolesura ya LSA, inayotumika kuorodhesha watumiaji.
- **IFID**: 3919286a-b10c-11d0-9ba8-00c04fd92ef5
- **Named Pipe**: `\pipe\lsarpc`
- **Description**: Kiolesura cha LSA Directory Services (DS), kinachotumika kuorodhesha maeneo na uhusiano wa kuaminiana.
- **Description**: Kiolesura cha LSA Directory Services (DS), inayotumika kuorodhesha maeneo na uhusiano wa kuaminiana.
- **IFID**: 12345778-1234-abcd-ef00-0123456789ac
- **Named Pipe**: `\pipe\samr`
- **Description**: Kiolesura cha LSA SAMR, kinachotumika kufikia vipengele vya umma vya database ya SAM (mfano, majina ya watumiaji) na kujaribu nywila za watumiaji bila kujali sera ya kufunga akaunti.
- **Description**: Kiolesura cha LSA SAMR, inayotumika kufikia vipengele vya umma vya database ya SAM (mfano, majina ya watumiaji) na kujaribu nywila za watumiaji bila kujali sera ya kufunga akaunti.
- **IFID**: 1ff70682-0a51-30e8-076d-740be8cee98b
- **Named Pipe**: `\pipe\atsvc`
- **Description**: Mpangaji wa kazi, unatumika kutekeleza amri kwa mbali.
- **Description**: Mpangaji wa kazi, inayotumika kutekeleza amri kwa mbali.
- **IFID**: 338cd001-2244-31f1-aaaa-900038001003
- **Named Pipe**: `\pipe\winreg`
- **Description**: Huduma ya rejista ya mbali, inatumika kufikia na kubadilisha rejista ya mfumo.
- **Description**: Huduma ya rejista ya mbali, inayotumika kufikia na kubadilisha rejista ya mfumo.
- **IFID**: 367abb81-9844-35f1-ad32-98f038001003
- **Named Pipe**: `\pipe\svcctl`
- **Description**: Meneja wa kudhibiti huduma na huduma za seva, unatumika kuanzisha na kusitisha huduma kwa mbali na kutekeleza amri.
- **Description**: Meneja wa kudhibiti huduma na huduma za seva, inayotumika kuanzisha na kusitisha huduma kwa mbali na kutekeleza amri.
- **IFID**: 4b324fc8-1670-01d3-1278-5a47bf6ee188
- **Named Pipe**: `\pipe\srvsvc`
- **Description**: Meneja wa kudhibiti huduma na huduma za seva, unatumika kuanzisha na kusitisha huduma kwa mbali na kutekeleza amri.
- **Description**: Meneja wa kudhibiti huduma na huduma za seva, inayotumika kuanzisha na kusitisha huduma kwa mbali na kutekeleza amri.
- **IFID**: 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
- **Named Pipe**: `\pipe\epmapper`
- **Description**: Kiolesura cha DCOM, kinachotumika kwa ajili ya kujaribu nywila na ukusanyaji wa taarifa kupitia WM.
- **Description**: Kiolesura cha DCOM, inayotumika kwa kujaribu nywila na ukusanyaji wa taarifa kupitia WM.
### Identifying IP addresses
@ -83,8 +83,79 @@ It is possible to execute remote code on a machine, if the credentials of a vali
The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
### Automated Interface Enumeration & Dynamic Client Generation (NtObjectManager)
PowerShell guru **James Forshaw** exposed most of the Windows RPC internals inside the opensource *NtObjectManager* module. Using it you can turn any RPC server DLL / EXE into a **fully-featured client stub** in seconds no IDL, MIDL or manual unmarshalling required.
```powershell
# Install the module once
Install-Module NtObjectManager -Force
# Parse every RPC interface exported by the target binary
$rpcinterfaces = Get-RpcServer "C:\Windows\System32\efssvc.dll"
$rpcinterfaces | Format-Table Name,Uuid,Version,Procedures
# Inspect a single procedure (opnum 0)
$rpcinterfaces[0].Procedures[0] | Format-List *
```
Matokeo ya kawaida yanaonyesha aina za parameta kama zinavyoonekana katika **MIDL** (kwa mfano `FC_C_WSTRING`, `FC_LONG`, `FC_BIND_CONTEXT`).
Mara tu unavyojua kiolesura unaweza **kuunda mteja wa C# tayari kwa ajili ya kukusanya**:
```powershell
# Reverse the MS-EFSR (EfsRpc*) interface into C#
Format-RpcClient $rpcinterfaces[0] -Namespace MS_EFSR -OutputPath .\MS_EFSR.cs
```
Ndani ya stub iliyozalishwa utaona mbinu kama:
```csharp
public int EfsRpcOpenFileRaw(out Marshal.NdrContextHandle ctx, string FileName, int Flags) {
// marshals parameters & calls opnum 0
}
```
Msaada wa PowerShell `Get-RpcClient` unaweza kuunda **kipengele cha mteja kinachoshirikiana** ili uweze kuita utaratibu mara moja:
```powershell
$client = Get-RpcClient $rpcinterfaces[0]
Connect-RpcClient $client -stringbinding 'ncacn_np:127.0.0.1[\\pipe\\efsrpc]' `
-AuthenticationLevel PacketPrivacy `
-AuthenticationType WinNT # NTLM auth
# Invoke the procedure → returns an authenticated context handle
$ctx = New-Object Marshal.NdrContextHandle
$client.EfsRpcOpenFileRaw([ref]$ctx, "\\\127.0.0.1\test", 0)
```
Uthibitisho (Kerberos / NTLM) na viwango vya usimbaji (`PacketIntegrity`, `PacketPrivacy`, …) vinaweza kutolewa moja kwa moja kupitia cmdlet ya `Connect-RpcClient` bora kwa **kupita Descriptors za Usalama** zinazolinda mabomba yenye majina ya haki za juu.
---
### Fuzzing ya RPC Inayojulikana kwa Muktadha (MS-RPC-Fuzzer)
Maarifa ya kiolesura cha kudumu ni mazuri, lakini kile unachotaka kwa kweli ni **fuzzing inayongozwa na kufunika** inayelewa *mashughulizi ya muktadha* na minyororo tata ya vigezo. Mradi wa wazi wa chanzo **MS-RPC-Fuzzer** unafanya kazi hiyo kiotomatiki:
1. Tambua kila kiolesura/utaratibu unaotolewa na binary lengwa (`Get-RpcServer`).
2. Tengeneza wateja wa dinamik kwa kila kiolesura (`Format-RpcClient`).
3. Badilisha vigezo vya ingizo (urefu wa nyuzi pana, anuwai za nambari, enums) huku ukiheshimu **aina ya NDR** ya awali.
4. Fuata *mashughulizi ya muktadha* yanayorejeshwa na simu moja ili kutoa utaratibu wa kufuatilia kiotomatiki.
5. Fanya simu za kiwango cha juu dhidi ya usafirishaji uliochaguliwa (ALPC, TCP, HTTP au bomba lenye jina).
6. Rekodi hali za kutoka / makosa / muda wa kupita na uagizaji wa faili ya **Neo4j** ili kuonyesha uhusiano wa *kiolesura → utaratibu → parameter* na makundi ya ajali.
Mfano wa kukimbia (lengo la bomba lenye jina):
```powershell
Invoke-MSRPCFuzzer -Pipe "\\.\pipe\efsrpc" -Auth NTLM `
-MinLen 1 -MaxLen 0x400 `
-Iterations 100000 `
-OutDir .\results
```
A single out-of-bounds write or unexpected exception will be surfaced immediately with the exact opnum + fuzzed payload that triggered it perfect starting point for a stable proof-of-concept exploit.
> ⚠️ Huduma nyingi za RPC zinafanya kazi katika michakato inayotumia **NT AUTHORITY\SYSTEM**. Tatizo lolote la usalama wa kumbukumbu hapa kawaida hubadilishwa kuwa kupandishwa vyeo vya ndani au (wakati inafichuliwa kupitia SMB/135) *utendaji wa msimbo wa mbali*.
---
## References
- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
- [MS-RPC-Fuzzer context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
- [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
- [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)