# 135, 593 - Pentesting MSRPC

{{#include ../banners/hacktricks-training.md}}

## Basic Information

The Microsoft Remote Procedure Call (MSRPC) protocol, a client-server model that lets a program request a service from a program located on another computer without having to understand the network's details, was originally derived from open-source software and was later developed and copyrighted by Microsoft. The RPC endpoint mapper can be reached over TCP and UDP port 135, over SMB on TCP 139 and 445 (with a null or an authenticated session), and as a web service on TCP port 593.

```
135/tcp open msrpc Microsoft Windows RPC
```

## How does MSRPC work?

Initiated by the client application, the MSRPC process involves calling a local stub procedure, which then interacts with the client runtime library to prepare and send the request to the server. This includes converting the parameters into the standard Network Data Representation (NDR) format. If the server is remote, the runtime library selects the transport protocol, ensuring the RPC is delivered over the network layer.

![https://0xffsec.com/handbook/images/msrpc.png](https://0xffsec.com/handbook/images/msrpc.png)

## **Identifying Exposed RPC Services**

Exposure of RPC services over TCP, UDP, HTTP and SMB can be determined by querying the RPC locator service and the individual endpoints. Tools such as rpcdump help identify the unique RPC services, denoted by **IFID** values, revealing service details and communication bindings:

```
D:\rpctools> rpcdump [-p port]
IFID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:[1028]
```

Access to the RPC locator service is enabled through specific protocol sequences: ncacn_ip_tcp and ncadg_ip_udp for access via port 135, ncacn_np for SMB connections, and ncacn_http for web-based RPC communication.
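As an added example (not code from this page, rpctools or Impacket), a small Python parser for rpcdump-style output: it splits each string binding into protocol sequence, network address and endpoint, classifies the transport according to the protocol sequences described above, and flags a few of the well-known interface UUIDs listed further down this page; the sample output and the 192.0.2.10 address are constructed.

```python
"""Parse rpcdump-style output into IFID records + string bindings (added example, not a page tool)."""
import re

# Transport implied by each RPC protocol sequence (see the paragraph above).
PROTSEQ_TRANSPORT = {"ncacn_ip_tcp": "TCP (located via endpoint mapper on 135)",
                     "ncadg_ip_udp": "UDP (located via endpoint mapper on 135)",
                     "ncacn_np": "SMB named pipe (139/445)",
                     "ncacn_http": "RPC over HTTP (port 593)"}
# Subset of the well-known interface UUIDs listed on this page, for cross-referencing.
KNOWN_IFIDS = {"12345778-1234-abcd-ef00-0123456789ab": "lsarpc (LSA)",
               "12345778-1234-abcd-ef00-0123456789ac": "samr (SAM)",
               "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": "epmapper (DCOM)"}
# String binding syntax: protseq:network_address[endpoint]; the address may be empty.
BINDING_RE = re.compile(r"^(?P<protseq>[a-z_]+):(?P<host>[^\[]*)\[(?P<endpoint>[^\]]*)\]$")

def parse_binding(binding: str) -> dict:
    """Split 'protseq:host[endpoint]' into its parts and classify the transport."""
    m = BINDING_RE.match(binding.strip())
    if not m:
        raise ValueError(f"unrecognised string binding: {binding!r}")
    return {"protseq": m["protseq"], "host": m["host"] or None, "endpoint": m["endpoint"],
            "transport": PROTSEQ_TRANSPORT.get(m["protseq"], "unknown")}

def parse_rpcdump(text: str) -> list:
    """Group 'IFID: <uuid> version x.y' lines with their Annotation/Binding lines."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("IFID:"):
            uuid, _, version = line[5:].strip().partition(" version ")
            records.append({"ifid": uuid.lower(), "version": version, "annotation": "",
                            "known_as": KNOWN_IFIDS.get(uuid.lower()), "bindings": []})
        elif line.startswith("Annotation:") and records:
            records[-1]["annotation"] = line.split(":", 1)[1].strip()
        elif line.startswith("Binding:") and records:
            records[-1]["bindings"].append(parse_binding(line.split(":", 1)[1]))
    return records

def review_exposure(records: list) -> list:
    """One finding per binding of a well-known interface: what is reachable, over which transport."""
    return [f"{r['known_as']} v{r['version']} via {b['transport']} at {b['host'] or '*'}[{b['endpoint']}]"
            for r in records if r["known_as"] for b in r["bindings"]]

SAMPLE_RPCDUMP = "\n".join([  # constructed sample in the rpcdump format shown above
    "IFID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0",
    "Annotation: Messenger Service",
    "Binding: ncadg_ip_udp:[1028]",
    "IFID: 12345778-1234-abcd-ef00-0123456789ac version 1.0",
    r"Binding: ncacn_np:192.0.2.10[\pipe\samr]",
    "Binding: ncacn_ip_tcp:192.0.2.10[49152]",
])
```

Feed it real `rpcdump` output to get a per-transport list of which sensitive interfaces a host exposes, which is the view a hardening review needs.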
The following commands demonstrate the use of Metasploit modules to scan and interact with MSRPC services, focusing mainly on port 135:

```bash
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
rpcdump.py -p 135
```

All options except `tcp_dcerpc_auditor` are specifically designed for targeting MSRPC on port 135.

#### Notable RPC interfaces

- **IFID**: 12345778-1234-abcd-ef00-0123456789ab
  - **Named Pipe**: `\pipe\lsarpc`
  - **Description**: LSA interface, used to enumerate users.
- **IFID**: 3919286a-b10c-11d0-9ba8-00c04fd92ef5
  - **Named Pipe**: `\pipe\lsarpc`
  - **Description**: LSA Directory Services (DS) interface, used to enumerate domains and trust relationships.
- **IFID**: 12345778-1234-abcd-ef00-0123456789ac
  - **Named Pipe**: `\pipe\samr`
  - **Description**: LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and to try user passwords regardless of the account lockout policy.
- **IFID**: 1ff70682-0a51-30e8-076d-740be8cee98b
  - **Named Pipe**: `\pipe\atsvc`
  - **Description**: Task scheduler, used to execute commands remotely.
- **IFID**: 338cd001-2244-31f1-aaaa-900038001003
  - **Named Pipe**: `\pipe\winreg`
  - **Description**: Remote registry service, used to access and modify the system registry.
- **IFID**: 367abb81-9844-35f1-ad32-98f038001003
  - **Named Pipe**: `\pipe\svcctl`
  - **Description**: Service control manager and server services, used to remotely start and stop services and execute commands.
- **IFID**: 4b324fc8-1670-01d3-1278-5a47bf6ee188
  - **Named Pipe**: `\pipe\srvsvc`
  - **Description**: Service control manager and server services, used to remotely start and stop services and execute commands.
- **IFID**: 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
  - **Named Pipe**: `\pipe\epmapper`
  - **Description**: DCOM interface, used for password brute-forcing and information gathering via WMI.

### Identifying IP addresses

Using [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDResolver), which comes from [Airbus research](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/), it is possible to abuse the _**ServerAlive2**_ method of the _**IOXIDResolver**_ interface.

This method has been used to obtain interface information such as the **IPv6** address from the HTB box _APT_. See [here](https://0xdf.gitlab.io/2021/04/10/htb-apt.html) for 0xdf's APT writeup; it includes an alternative method using rpcmap.py from [Impacket](https://github.com/SecureAuthCorp/impacket/) with a _stringbinding_ (see above).

### Executing RCE with valid credentials

It is possible to execute remote code on a machine, if the credentials of a valid user are available, using [dcomexec.py](https://github.com/fortra/impacket/blob/master/examples/dcomexec.py) from the Impacket framework.

**Remember to try with the different objects available**

- ShellWindows
- ShellBrowserWindow
- MMC20

## Port 593

The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.

## Automated Fuzzing of MSRPC Interfaces

MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaw's `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists, the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**.

### 1. Inventory the interfaces

```powershell
# Import the module (download / git clone first)
Import-Module .\MS-RPC-Fuzzer.psm1

# Parse a single binary
Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output

# Or crawl the whole %SystemRoot%\System32 directory
Get-RpcServerData -OutPath .\output
```

`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and the **full procedure prototypes** of every interface it encounters and store them in `rpcServerData.json`.

### 2. Run the fuzzer

```powershell
'.\output\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output `
    -MinStrLen 100 -MaxStrLen 1000 `
    -MinIntSize 9999 -MaxIntSize 99999
```

Relevant options:

* `-MinStrLen` / `-MaxStrLen` – size range of the generated strings
* `-MinIntSize` / `-MaxIntSize` – range of the mutated integer values (useful for overflow tests)
* `-Sorted` – execute the procedures in an order that respects **parameter dependencies**, so the output of one call can be used as the input of the next (this greatly increases the reachable paths)

The fuzzer implements 2 strategies:

1. **Default fuzzer** – random primitive values + default instances for complex types
2. **Sorted fuzzer** – dependency-aware ordering (see `docs/Procedure dependency design.md`)

Every call is written atomically to `log.txt`; after a crash the **last lines immediately tell you the offending procedure**. The result of every call is also sorted into three JSON files:

* `allowed.json` – the call succeeded and returned data
* `denied.json` – the server answered with *Access Denied*
* `error.json` – any other error / crash

### 3. Visualise with Neo4j

```powershell
'.\output\allowed.json' | Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j
```

`Import-DataToNeo4j` converts the JSON artefacts into a graph model where:

* RPC servers, interfaces and procedures are **nodes**
* Interactions (`ALLOWED`, `DENIED`, `ERROR`) are **relationships**

Cypher queries can then be used to quickly pinpoint dangerous procedures or to reproduce the exact sequence of calls that preceded a crash.

⚠️ The fuzzer is *destructive*: expect service crashes and even BSODs – always run it inside an isolated VM snapshot.

### Automatic Interface Enumeration & Dynamic Client Generation (NtObjectManager)

PowerShell expert **James Forshaw** exposed much of the Windows RPC internals in the open-source *NtObjectManager* module. Using it, you can turn any RPC server DLL / EXE into a **fully-featured client stub** within seconds – no IDL, MIDL or manual unmarshalling required.

```powershell
# Install the module once
Install-Module NtObjectManager -Force

# Parse every RPC interface exported by the target binary
$rpcinterfaces = Get-RpcServer "C:\Windows\System32\efssvc.dll"
$rpcinterfaces | Format-Table Name,Uuid,Version,Procedures

# Inspect a single procedure (opnum 0)
$rpcinterfaces[0].Procedures[0] | Format-List *
```

Typical output shows the parameter types as they appear in **MIDL** (e.g. `FC_C_WSTRING`, `FC_LONG`, `FC_BIND_CONTEXT`).
Once you know the interface, you can **generate a ready-to-compile C# client**:

```powershell
# Reverse the MS-EFSR (EfsRpc*) interface into C#
Format-RpcClient $rpcinterfaces[0] -Namespace MS_EFSR -OutputPath .\MS_EFSR.cs
```

Inside the generated stub you will see methods like:

```csharp
public int EfsRpcOpenFileRaw(out Marshal.NdrContextHandle ctx, string FileName, int Flags)
{
    // marshals parameters & calls opnum 0
}
```

The PowerShell helper `Get-RpcClient` can create an **interactive client object** so you can call the procedure immediately:

```powershell
$client = Get-RpcClient $rpcinterfaces[0]
Connect-RpcClient $client -stringbinding 'ncacn_np:127.0.0.1[\\pipe\\efsrpc]' `
    -AuthenticationLevel PacketPrivacy `
    -AuthenticationType WinNT   # NTLM auth

# Invoke the procedure → returns an authenticated context handle
$ctx = New-Object Marshal.NdrContextHandle
$client.EfsRpcOpenFileRaw([ref]$ctx, "\\\127.0.0.1\test", 0)
```

Authentication (Kerberos / NTLM) and encryption levels (`PacketIntegrity`, `PacketPrivacy`, …) can be supplied directly via the `Connect-RpcClient` cmdlet – ideal for **bypassing the Security Descriptors** that protect privileged pipes.

### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)

Static interface knowledge is nice, but what you really want is **coverage-guided fuzzing** that understands *context handles* and complex parameter chains. The open-source **MS-RPC-Fuzzer** project automates exactly that:

1. Enumerate every interface/procedure exposed by the target binary (`Get-RpcServer`).
2. Generate dynamic clients for every interface (`Format-RpcClient`).
3. Mutate input parameters (wide-string lengths, integer boundaries, enums) while respecting the original **NDR type**.
4. Track the *context handles* returned by one call so they can be fed into subsequent procedures automatically.
5. Perform high-volume calls against the chosen transport (ALPC, TCP, HTTP or named pipe).
6. Record exit statuses / errors / timeouts and export a **Neo4j** import file to visualise the *interface → procedure → parameter* relationships and crash clusters.

Example run (named-pipe target):

```powershell
Invoke-MSRPCFuzzer -Pipe "\\.\pipe\efsrpc" -Auth NTLM `
    -MinLen 1 -MaxLen 0x400 `
    -Iterations 100000 `
    -OutDir .\results
```

A single out-of-bounds write or unexpected exception will be surfaced immediately with the exact opnum + fuzzed payload that triggered it – a perfect starting point for a stable proof-of-concept exploit.

> ⚠️ Many RPC services run inside processes that run as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates into local privilege escalation or (when exposed via SMB/135) *remote code execution*.

## References

- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
- [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
- [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
- [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)

{{#include ../banners/hacktricks-training.md}}