Translated ['src/network-services-pentesting/135-pentesting-msrpc.md'] t

This commit is contained in:
Translator 2025-07-17 22:10:47 +00:00
parent 9866beb03a
commit 6b2a263afd


@ -18,7 +18,7 @@ Iliyanzishwa na programu ya mteja, mchakato wa MSRPC unahusisha kuita utaratibu
## **Kutambua Huduma za RPC Zilizofichuliwa**
Ufunuo wa huduma za RPC kupitia TCP, UDP, HTTP, na SMB unaweza kubainishwa kwa kuuliza huduma ya mlocator ya RPC na mwisho mmoja binafsi. Zana kama rpcdump husaidia katika kutambua huduma za RPC za kipekee, zinazotambulishwa na thamani za **IFID**, zikifunua maelezo ya huduma na viunganisho vya mawasiliano:
Ufunuo wa huduma za RPC kupitia TCP, UDP, HTTP, na SMB unaweza kubainishwa kwa kuuliza huduma ya mlocator ya RPC na mwisho mmoja mmoja. Zana kama rpcdump husaidia katika kutambua huduma za RPC za kipekee, zinazoonyeshwa na thamani za **IFID**, zikifunua maelezo ya huduma na viunganisho vya mawasiliano:
```
D:\rpctools> rpcdump [-p port] <IP>
**IFID**: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
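Review bot: the sample rpcdump output keeps markdown bold markers inside a fenced block (`**IFID**: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0`), which will render as literal asterisks rather than bold; the tool prints plain `IFID:`, so the asterisks should be dropped there. The wording change to `mwisho mmoja mmoja` (individual endpoints) in the second sentence reads correctly.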
@ -46,13 +46,13 @@ All options except `tcp_dcerpc_auditor` are specifically designed for targeting
- **Description**: Kiolesura cha LSA Directory Services (DS), inayotumika kuorodhesha maeneo na uhusiano wa kuaminiana.
- **IFID**: 12345778-1234-abcd-ef00-0123456789ac
- **Named Pipe**: `\pipe\samr`
- **Description**: Kiolesura cha LSA SAMR, inayotumika kufikia vipengele vya umma vya database ya SAM (mfano, majina ya watumiaji) na kujaribu nywila za watumiaji bila kujali sera ya kufunga akaunti.
- **Description**: Kiolesura cha LSA SAMR, inayotumika kupata vipengele vya umma vya database ya SAM (mfano, majina ya watumiaji) na kujaribu nywila za watumiaji bila kujali sera ya kufunga akaunti.
- **IFID**: 1ff70682-0a51-30e8-076d-740be8cee98b
- **Named Pipe**: `\pipe\atsvc`
- **Description**: Mpangaji wa kazi, inayotumika kutekeleza amri kwa mbali.
- **IFID**: 338cd001-2244-31f1-aaaa-900038001003
- **Named Pipe**: `\pipe\winreg`
- **Description**: Huduma ya rejista ya mbali, inayotumika kufikia na kubadilisha rejista ya mfumo.
- **Description**: Huduma ya rejista ya mbali, inayotumika kupata na kubadilisha rejista ya mfumo.
- **IFID**: 367abb81-9844-35f1-ad32-98f038001003
- **Named Pipe**: `\pipe\svcctl`
- **Description**: Meneja wa kudhibiti huduma na huduma za seva, inayotumika kuanzisha na kusitisha huduma kwa mbali na kutekeleza amri.
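Review bot: replacing `kufikia` (to access) with `kupata` (to obtain) in the SAMR and winreg descriptions shifts the meaning; these interfaces are used to access the public parts of the SAM database and the remote registry, so `kufikia` was the closer rendering and should stay. The hunk context line `All options except \`tcp_dcerpc_auditor\` are specifically designed for targeting` is also still untranslated English in this Swahili page.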
@ -83,9 +83,65 @@ It is possible to execute remote code on a machine, if the credentials of a vali
The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
### Automated Interface Enumeration & Dynamic Client Generation (NtObjectManager)
## Automated Fuzzing of MSRPC Interfaces
PowerShell guru **James Forshaw** exposed most of the Windows RPC internals inside the opensource *NtObjectManager* module. Using it you can turn any RPC server DLL / EXE into a **fully-featured client stub** in seconds no IDL, MIDL or manual unmarshalling required.
MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaws `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**.
### 1. Inventory the interfaces
```powershell
# Import the module (download / git clone first)
Import-Module .\MS-RPC-Fuzzer.psm1
# Parse a single binary
Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output
# Or crawl the whole %SystemRoot%\System32 directory
Get-RpcServerData -OutPath .\output
```
`Get-RpcServerData` itachota UUID, toleo, nyuzi za uhusiano (named-pipe / TCP / HTTP) na **mifano kamili ya taratibu** kwa kila kiolesura inachokutana nayo na kuifadhi katika `rpcServerData.json`.
### 2. Endesha fuzzer
```powershell
'.\output\rpcServerData.json' |
Invoke-RpcFuzzer -OutPath .\output `
-MinStrLen 100 -MaxStrLen 1000 `
-MinIntSize 9999 -MaxIntSize 99999
```
Relevant options:
* `-MinStrLen` / `-MaxStrLen` ukubwa wa anuwai za nyuzi zinazozalishwa
* `-MinIntSize` / `-MaxIntSize` anuwai ya thamani za nambari zilizobadilishwa (inayofaa kwa majaribio ya overflow)
* `-Sorted` tekeleza taratibu kwa mpangilio unaoheshimu **mategemeo ya vigezo** ili matokeo ya wito mmoja yaweze kutumika kama ingizo la wito unaofuata (hii huongeza kwa kiasi kikubwa njia zinazoweza kufikiwa)
The fuzzer implements 2 strategies:
1. **Default fuzzer** random primitive values + default instances for complex types
2. **Sorted fuzzer** dependency-aware ordering (see `docs/Procedure dependency design.md`)
Kila wito umeandikwa kwa atomiki kwenye `log.txt`; baada ya ajali **mistari ya mwisho inakuambia mara moja taratibu inayosababisha tatizo**. Matokeo ya kila wito pia yanapangwa katika faili tatu za JSON:
* `allowed.json` wito umefanikiwa na kurudisha data
* `denied.json` seva ilijibu na *Access Denied*
* `error.json` kosa lolote lingine / ajali
### 3. Visualise with Neo4j
```powershell
'.\output\allowed.json' |
Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j
```
`Import-DataToNeo4j` inabadilisha artefacts za JSON kuwa muundo wa grafu ambapo:
* Seva za RPC, interfaces na taratibu ni **vifungo**
* Mwingiliano (`ALLOWED`, `DENIED`, `ERROR`) ni **uhusiano**
Maswali ya Cypher yanaweza kutumika haraka kubaini taratibu hatari au kurudia mfuatano sahihi wa simu zilizotangulia kuanguka.
⚠️ Fuzzer ni *destructive*: tarajia kuanguka kwa huduma na hata BSODs daima ikimbie katika snapshot ya VM iliyotengwa.
### Uainishaji wa Kiolesura wa Otomatiki & Uundaji wa Mteja wa Kijadi (NtObjectManager)
Mtaalamu wa PowerShell **James Forshaw** alifunua sehemu nyingi za ndani za Windows RPC ndani ya moduli ya wazichanzo *NtObjectManager*. Kwa kutumia hii unaweza kubadilisha DLL / EXE ya seva yoyote ya RPC kuwa **stub ya mteja iliyo na vipengele vyote** ndani ya sekunde hakuna IDL, MIDL au unmarshal wa mkono unaohitajika.
```powershell
# Install the module once
Install-Module NtObjectManager -Force
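Review bot: the new fuzzer section mixes languages: the headings `## Automated Fuzzing of MSRPC Interfaces`, `### 1. Inventory the interfaces` and `### 3. Visualise with Neo4j`, the paragraph beginning `MS-RPC interfaces expose a large and often undocumented attack surface`, `Relevant options:` and `The fuzzer implements 2 strategies:` remain in English while the surrounding text is Swahili; translate them so the page reads consistently. Smaller points in the same hunk: `James Forshaws` needs an apostrophe (`James Forshaw's`), the separator between the bold option or strategy labels and their descriptions has been dropped (`**Default fuzzer** random primitive values`, `\`-MinStrLen\` / \`-MaxStrLen\` ukubwa wa anuwai`), and the warning `Fuzzer ni *destructive*: ... BSODs daima ikimbie ...` lost its dash, so a separator is needed before `daima` for the sentence to parse.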
@ -97,7 +153,7 @@ $rpcinterfaces | Format-Table Name,Uuid,Version,Procedures
# Inspect a single procedure (opnum 0)
$rpcinterfaces[0].Procedures[0] | Format-List *
```
Matokeo ya kawaida yanaonyesha aina za parameta kama zinavyoonekana katika **MIDL** (kwa mfano `FC_C_WSTRING`, `FC_LONG`, `FC_BIND_CONTEXT`).
Matokeo ya kawaida yanaonyesha aina za parameta kama zinavyoonekana katika **MIDL** (kwa mfano, `FC_C_WSTRING`, `FC_LONG`, `FC_BIND_CONTEXT`).
Mara tu unavyojua kiolesura unaweza **kuunda mteja wa C# tayari kwa ajili ya kukusanya**:
```powershell
@ -110,7 +166,7 @@ public int EfsRpcOpenFileRaw(out Marshal.NdrContextHandle ctx, string FileName,
// marshals parameters & calls opnum 0
}
```
Msaada wa PowerShell `Get-RpcClient` unaweza kuunda **kipengele cha mteja kinachoshirikiana** ili uweze kuita utaratibu mara moja:
Msaada wa PowerShell `Get-RpcClient` unaweza kuunda **kituo cha mteja kinachoshirikiana** ili uweze kuita utaratibu mara moja:
```powershell
$client = Get-RpcClient $rpcinterfaces[0]
Connect-RpcClient $client -stringbinding 'ncacn_np:127.0.0.1[\\pipe\\efsrpc]' `
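Review bot: `kituo cha mteja` (client station) is a worse fit than the replaced `kipengele cha mteja` for the interactive client object that `Get-RpcClient` returns; `kitu cha mteja` (client object) would be the closest rendering, otherwise keep `kipengele`.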
@ -123,18 +179,16 @@ $client.EfsRpcOpenFileRaw([ref]$ctx, "\\\127.0.0.1\test", 0)
```
Uthibitisho (Kerberos / NTLM) na viwango vya usimbaji (`PacketIntegrity`, `PacketPrivacy`, …) vinaweza kutolewa moja kwa moja kupitia cmdlet ya `Connect-RpcClient` bora kwa **kupita Descriptors za Usalama** zinazolinda mabomba yenye majina ya haki za juu.
---
### Fuzzing ya RPC Inayojulikana kwa Muktadha (MS-RPC-Fuzzer)
Maarifa ya kiolesura cha kudumu ni mazuri, lakini kile unachotaka kwa kweli ni **fuzzing inayongozwa na kufunika** inayelewa *mashughulizi ya muktadha* na minyororo tata ya vigezo. Mradi wa wazi wa chanzo **MS-RPC-Fuzzer** unafanya kazi hiyo kiotomatiki:
Maarifa ya kiolesura cha kudumu ni mazuri, lakini kile unachotaka kwa kweli ni **fuzzing inayongozwa na kufunika** inayelewa *mashughuliko ya muktadha* na minyororo tata ya vigezo. Mradi wa wazi wa **MS-RPC-Fuzzer** unafanya kazi hiyo kiotomatiki:
1. Tambua kila kiolesura/utaratibu unaotolewa na binary lengwa (`Get-RpcServer`).
2. Tengeneza wateja wa dinamik kwa kila kiolesura (`Format-RpcClient`).
3. Badilisha vigezo vya ingizo (urefu wa nyuzi pana, anuwai za nambari, enums) huku ukiheshimu **aina ya NDR** ya awali.
4. Fuata *mashughulizi ya muktadha* yanayorejeshwa na simu moja ili kutoa utaratibu wa kufuatilia kiotomatiki.
5. Fanya simu za kiwango cha juu dhidi ya usafirishaji uliochaguliwa (ALPC, TCP, HTTP au bomba lenye jina).
6. Rekodi hali za kutoka / makosa / muda wa kupita na uagizaji wa faili ya **Neo4j** ili kuonyesha uhusiano wa *kiolesura → utaratibu → parameter* na makundi ya ajali.
3. Badilisha vigezo vya ingizo (urefu wa nyuzi pana, mipaka ya nambari, enums) huku ukiheshimu **aina ya NDR** ya awali.
4. Fuata *mashughuliko ya muktadha* yanayorejeshwa na simu moja ili kutoa utaratibu wa kufuatilia kiotomatiki.
5. Fanya simu zenye kiasi kikubwa dhidi ya usafirishaji uliochaguliwa (ALPC, TCP, HTTP au bomba lenye jina).
6. Rekodi hali za kutoka / makosa / muda wa kupita na kusafirisha faili ya kuagiza **Neo4j** ili kuonyesha uhusiano wa *kiolesura → utaratibu → parameter* na makundi ya ajali.
Mfano wa kukimbia (lengo la bomba lenye jina):
```powershell
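Review bot: the edit to the intro sentence drops `chanzo`, so `Mradi wa wazi wa chanzo **MS-RPC-Fuzzer**` (open-source project) becomes `Mradi wa wazi wa **MS-RPC-Fuzzer**`, which no longer says open source; `Mradi wa chanzo wazi **MS-RPC-Fuzzer**` keeps the meaning. The `mashughulizi` to `mashughuliko` fix, `simu zenye kiasi kikubwa` for high-volume calls and `kusafirisha faili ya kuagiza **Neo4j**` for exporting a Neo4j import file are improvements. Separately, this section describes the same MS-RPC-Fuzzer workflow (`Get-RpcServer`, `Format-RpcClient`, input mutation, context-handle tracking, Neo4j export) that the `## Automated Fuzzing of MSRPC Interfaces` section added earlier in this commit already covers; consider merging the two so the page does not document the tool twice.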
@ -147,17 +201,15 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
> ⚠️ Huduma nyingi za RPC zinafanya kazi katika michakato inayotumia **NT AUTHORITY\SYSTEM**. Tatizo lolote la usalama wa kumbukumbu hapa kawaida hubadilishwa kuwa kupandishwa vyeo vya ndani au (wakati inafichuliwa kupitia SMB/135) *utendaji wa msimbo wa mbali*.
---
## References
- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
- [MS-RPC-Fuzzer context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
- [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
- [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)
{{#include ../banners/hacktricks-training.md}}
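Review bot: the References list now carries the same URL twice, `[MS-RPC-Fuzzer context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)` and `[MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)`; keep one entry. The context line `A single out-of-bounds write or unexpected exception will be surfaced immediatel` is also still in English on this translated page.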