
When I scan my server using Nessus, one of the results is as follows:

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port.

Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

My question is whether an attacker could initiate any attack using this type of enumeration.

Lighty
PentestLover

2 Answers


If there are any vulnerabilities on the services that the DCE portmapper advertises, then the attacker could use these services to exploit the machine.

Also, if there are any accounts with weak passwords set up on those services, then you should be concerned.

Nessus will scan the former, assuming those ports are in scope, and the latter will come down to the security of individual accounts on the machine or its domain.

So in itself it isn't a vulnerability; however, you should only expose port 135 to trusted networks. It is a bad idea to have this port exposed to the internet because it increases the attack surface, and it could leave you vulnerable if future weaknesses are found in this service or in the ones it allows you to enumerate.

SilverlightFox

Yes, using MSRPC or SMB named pipes, DCE-RPC services can be enumerated. This can give information about the host, including information about the SAM (i.e., the authentication database containing the host credentials) or Security (e.g., service and domain credentials) subsystems. The DCE-RPC IFIDs (interface identification numbers) can be used to determine which version of Windows the host is running and its rough patch level.

There are a dozen or so public exploits over the last 16 years that target DCE-RPC services, such as the ones enumerated at the level you are talking about. Most, or all, of these are remote code execution exploits, the most dangerous kind. There is another StackExchange answer that goes over each of these and provides references for how to enumerate the deepest details, as well as how to determine which Windows OS and service pack is in use, which will then lead to finding out which exploits to use against the target host.

atdre
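As an added example (not the questioner's Nessus output and not code from either answer), the Python below triages the kind of listing an ept_lookup against TCP 135 produces, tying the two answers together: it maps each advertised interface UUID (the IFIDs the second answer mentions) to the well-known service behind it and what that service offers an attacker, and it checks which interfaces remain bindable when only port 135 is filtered at the perimeter, which is the caveat behind the first answer's advice. The one-endpoint-per-line input format and the sample lines are constructed for this page; the UUIDs are Microsoft's well-known interface identifiers, and the dynamic port range is the Windows default. Parsing a real tool's output into this shape is left to the reader.

```python
"""Triage a DCE/RPC endpoint-mapper listing (added example; not from the page)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Well-known MS-RPC interface UUIDs (lower-case) -> (short name, what it gives an attacker).
KNOWN_INTERFACES = {
    "12345778-1234-abcd-ef00-0123456789ac": ("samr", "user and group enumeration from the SAM"),
    "12345778-1234-abcd-ef00-0123456789ab": ("lsarpc", "domain SID and LSA policy lookups"),
    "367abb81-9844-35f1-ad32-98f038001003": ("svcctl", "remote service control, i.e. psexec-style execution"),
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": ("srvsvc", "share and session enumeration"),
    "6bffd098-a112-3610-9833-46c3f87e345a": ("wkssvc", "host and logged-on user information"),
    "338cd001-2244-31f1-aaaa-900038001003": ("winreg", "remote registry access"),
    "1ff70682-0a51-30e8-076d-740be8cee98b": ("atsvc", "AT-style remote task scheduling"),
    "12345678-1234-abcd-ef00-0123456789ab": ("spoolss", "print spooler"),
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": ("drsuapi", "directory replication (DCSync) on domain controllers"),
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": ("epmapper", "the endpoint mapper itself"),
}

# Modern Windows hands out dynamic RPC endpoints from this TCP range by default.
DYNAMIC_RPC_PORTS = range(49152, 65536)

# Constructed line format: <uuid> v<major>.<minor> <binding> [free-text annotation]
LINE_RE = re.compile(
    r"^(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
    r"\s+v(?P<ver>\d+\.\d+)\s+(?P<binding>\S+)\s*(?P<note>.*)$"
)


@dataclass
class Endpoint:
    uuid: str        # lower-cased interface UUID
    version: str
    binding: str     # e.g. ncacn_ip_tcp:10.0.0.5[49664] or ncacn_np:\\SRV01[\pipe\samr]
    annotation: str

    @property
    def name(self) -> str:
        # Unknown interfaces keep their UUID as the display name.
        return KNOWN_INTERFACES.get(self.uuid, (self.uuid, ""))[0]

    @property
    def purpose(self) -> str:
        return KNOWN_INTERFACES.get(self.uuid, ("", "not in the lookup table"))[1]

    @property
    def tcp_port(self):
        m = re.fullmatch(r"ncacn_ip_tcp:[^\[]*\[(\d+)\]", self.binding)
        return int(m.group(1)) if m else None


def parse_dump(text: str) -> List[Endpoint]:
    """Parse the constructed listing format; blank lines and '#' comments are ignored."""
    endpoints = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable endpoint line: {raw!r}")
        endpoints.append(Endpoint(m["uuid"].lower(), m["ver"], m["binding"], m["note"].strip()))
    return endpoints


def exposure_report(endpoints: List[Endpoint]) -> dict:
    """Split interfaces into those bindable straight over TCP (on their dynamic port),
    those with no TCP binding at all (named pipes, so SMB on 445 plus authentication
    is the way in), and UUIDs the lookup table does not recognise."""
    tcp: Dict[str, Set[int]] = {}
    seen: Set[str] = set()
    unknown: Set[str] = set()
    for ep in endpoints:
        seen.add(ep.name)
        if ep.uuid not in KNOWN_INTERFACES:
            unknown.add(ep.uuid)
        if ep.tcp_port is not None:
            tcp.setdefault(ep.name, set()).add(ep.tcp_port)
    return {
        "tcp": {name: sorted(ports) for name, ports in tcp.items()},
        "not_on_tcp": sorted(seen - set(tcp)),
        "unknown_uuids": sorted(unknown),
    }


def still_reachable(endpoints: List[Endpoint], blocked_ports: Set[int]) -> List[str]:
    """Interfaces an attacker who already has the map can bind to directly even though
    `blocked_ports` are filtered. Blocking 135 hides the mapper, not the services:
    each one listens on its own dynamic port, so that range must be filtered as well."""
    tcp = exposure_report(endpoints)["tcp"]
    return sorted(name for name, ports in tcp.items()
                  if any(p not in blocked_ports for p in ports))


# Constructed sample, not real scanner output; it mirrors what ept_lookup returns.
SAMPLE_DUMP = r"""
12345778-1234-ABCD-EF00-0123456789AC v1.0 ncacn_np:\\SRV01[\pipe\samr]
12345778-1234-ABCD-EF00-0123456789AC v1.0 ncacn_ip_tcp:10.0.0.5[49664]
367ABB81-9844-35F1-AD32-98F038001003 v2.0 ncacn_np:\\SRV01[\pipe\svcctl]
338CD001-2244-31F1-AAAA-900038001003 v1.0 ncacn_np:\\SRV01[\pipe\winreg]
1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 ncacn_ip_tcp:10.0.0.5[49670] Scheduler service
DEADBEEF-0000-4000-8000-000000000001 v1.0 ncacn_ip_tcp:10.0.0.5[49700] third-party agent
"""


def main() -> None:
    eps = parse_dump(SAMPLE_DUMP)
    for ep in eps:
        print(f"{ep.name:<40} {ep.binding:<38} {ep.purpose}")
    print("bindable straight over TCP:", exposure_report(eps)["tcp"])
    print("still reachable with only TCP 135 filtered:", still_reachable(eps, {135}))
    print("still reachable with 135 and the dynamic range filtered:",
          still_reachable(eps, {135} | set(DYNAMIC_RPC_PORTS)))


if __name__ == "__main__":
    main()
```

The unknown UUID in the sample is the case worth acting on: an interface the table cannot name, listening on a dynamic TCP port, is exactly the "future weakness" exposure the first answer warns about, and it is the first thing to identify (which binary registered it, and whether it needs to be reachable at all).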