Add content from: MS-RPC Fuzzer

src/network-services-pentesting/135-pentesting-msrpc.md

@@ -89,11 +89,73 @@ It is possible to execute remote code on a machine, if the credentials of a vali
 
 The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
 
+## Automated Fuzzing of MSRPC Interfaces
+
+MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaw’s `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**.
+
+### 1. Inventory the interfaces
+
+```powershell
+# Import the module (download / git clone first)
+Import-Module .\MS-RPC-Fuzzer.psm1
+
+# Parse a single binary
+Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output
+
+# Or crawl the whole %SystemRoot%\System32 directory
+Get-RpcServerData -OutPath .\output
+```
+
+`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and **full procedure prototypes** for every interface it encounters and store them in `rpcServerData.json`.
+
+### 2. Run the fuzzer
+
+```powershell
+'.\output\rpcServerData.json' |
+    Invoke-RpcFuzzer -OutPath .\output `
+                     -MinStrLen 100  -MaxStrLen 1000 `
+                     -MinIntSize 9999 -MaxIntSize 99999
+```
+
+Relevant options:
+
+* `-MinStrLen` / `-MaxStrLen` – size range for generated strings
+* `-MinIntSize` / `-MaxIntSize` – value range for mutated integers (useful for overflow testing)
+* `-Sorted` – execute procedures in an order that honours **parameter dependencies** so that outputs of one call can serve as inputs of the next (dramatically increases reachable paths)
+
+The fuzzer implements 2 strategies:
+
+1. **Default fuzzer** – random primitive values + default instances for complex types
+2. **Sorted fuzzer**  – dependency-aware ordering (see `docs/Procedure dependency design.md`)
+
+Every call is written atomically to `log.txt`; after a crash the **last line immediately tells you the offending procedure**. The result of each call is also categorised into three JSON files:
+
+* `allowed.json` – call succeeded and returned data
+* `denied.json`  – server responded with *Access Denied*
+* `error.json`   – any other error / crash
+
+### 3. Visualise with Neo4j
+
+```powershell
+'.\output\allowed.json' |
+    Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j
+```
+
+`Import-DataToNeo4j` converts the JSON artefacts into a graph structure where:
+
+* RPC servers, interfaces and procedures are **nodes**
+* Interactions (`ALLOWED`, `DENIED`, `ERROR`) are **relationships**
+
+Cypher queries can then be used to quickly spot dangerous procedures or to replay the exact chain of calls that preceded a crash.
+
+⚠️  The fuzzer is *destructive*: expect service crashes and even BSODs – always run it in an isolated VM snapshot.
+
 ## References
 
 - [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
 - [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
 - [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
+- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)
 
 {{#include ../banners/hacktricks-training.md}}