9

Enumeration, enumeration, and even more enumeration is the generic pentesting mantra, but enumeration is worthless if you can't read the results.

I came across the Windows RPC service, where metasploit returns results such as

msf auxiliary(endpoint_mapper) > run

[*] Connecting to the endpoint mapper service...
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 TCP (49179) 192.168.41.221
[*] 2f5f6521-cb55-1059-b446-00df0bce31db v1.0 PIPE (\pipe\tapsrv) \\XXXXX [Unimodem LRPC Endpoint]
[*] 2f5f6521-cb55-1059-b446-00df0bce31db v1.0 LRPC (tapsrvlpc) [Unimodem LRPC Endpoint]
[*] 2f5f6521-cb55-1059-b446-00df0bce31db v1.0 LRPC (unimdmsvc) [Unimodem LRPC Endpoint]
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-d08ef1fa6d632a075d)
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-d08ef1fa6d632a075d)
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-d08ef1fa6d632a075d)
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-d08ef1fa6d632a075d)
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (OLEEE86D47927814F3C96D95E0A7601)
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-bec9533644f8432732)
[*] 367abb81-9844-35f1-ad32-98f038001003 v2.0 TCP (49164) 192.168.41.221
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (LRPC-9d7905a8727cb4e919) [IPSec Policy agent endpoint]
[*] 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 TCP (49155) 192.168.41.221
...

or

msf auxiliary(management) > run

[*] UUID e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*]      listening: 00000000
[*]      killed: 00000005
[*]      name: 00010000000000000100000000000000d3060000
[*] UUID 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
[*]      listening: 00000000
[*]      killed: 00000005
[*]      name: 00010000000000000100000000000000d3060000
...

or

msf auxiliary(tcp_dcerpc_auditor) > run

192.168.41.221 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000076070000
192.168.41.221 - UUID afa8bd80-7d8a-11c9-bef4-08002b102989 1.0 OPEN VIA 135 ACCESS GRANTED

However, I have no idea what to do with this information. Sample #1 seems to be kind of useful, but anyway: How would this information help an attacker to plan his next move? What is metasploit telling me here?

countermode
  • 684
  • 1
  • 7
  • 22

3 Answers

12

Based on the MSRPC DCE-RPC IFIDs from the first command output you posted, the target appears potentially vulnerable to MS00-070, CVE-2000-0544, CVE-2001-0662, CVE-2002-1561, CVE-2003-0533, CVE-2003-0818, CVE-2004-0894, CVE-2005-1984 (Nessus 19406 and 19407 as well as CANVAS ms05_043 and CORE IMPACT MSRPC SPOOLSS Buffer Overflow), CVE-2005-2119, CVE-2006-0034/1184 (Nessus 21334 and CORE IMPACT MSDTC Allocation), or CVE-2007-1748. You can get cursory information about some of the IFIDs identified by using the epdump tool or deep information about each IFID by going through the Windows network services internals documentation here:

If you want a pretty GUI that enumerates all of the IFIDs and explains what they are, check out this older tool from securityfriday.com called RpcScan. The download link therein didn't work, so after a bit of sleuthing, I was able to find the tool at a disreputable location -- here -- but I was able to verify the GPG signature contained in the zip file by using '--verify' on the .sig file, using '--search-keys' for the resulting keyid, editing the key to add trust, and finally verifying the signature with the associated executable. You may want to run it in a blow-away guest VM just in case.

Additionally, that first IFID shows that the SAMR is running on 192.168.41.221 via TCP port 49179 because of dynamic allocation. This can be queried using a tool such as walksam from the rpctools utilities bundle.

Read more about rpctools here -- https://web.archive.org/web/20070510223113/http://www.bindview.com/Services/RAZOR/Utilities/Windows/rpctools1.0-readme.cfm

And download the zip file here -- https://web.archive.org/web/20070510223113/http://www.bindview.com/Resources/RAZOR/Files/rpctools-1.0.zip

Query the server using the following technique:

C:\> walksam -p ncacn_ip_tcp -e 49179 192.168.41.221

Also run walksam (against all SMB hosts) without the flags to get more general user information as it walks through the SAM database. TrustedSec also released a tool to perform RID cycling, which is one of the techniques performed by walksam. You can check out rid_enum.py in more depth on its GitHub page.

There are plenty of tools that relate to pivot points from the information you gathered via those metasploit-framework auxiliary modules. Some can be found here -- http://winhackingexposed.com/tools.html -- and are discussed in that book's sections on RPC and SMB Enumeration in Chapter 4. I'd also recommend Chris McNab's work as I gathered much of the information for this answer from his wise books.

The best modern equivalent for this MSRPC toolchain is the CoreSec impacket tools. There is an rpcdump.py, but you may get better use out of their ifmap.py and opmap.py tools. These will lead you towards the other tools, such as samrdump.py, lookupsid.py, and potentially even services.py or secretsdump.py. These are all speaking purely from an MSRPC DCE-RPC perspective; there may be many other pathways into this Windows machine or surrounding environment.

atdre
  • 18,885
  • 6
  • 58
  • 107
  • 1
    https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/ – atdre May 29 '18 at 21:43
  • What does IFID stand for? All of your links redirect to the same page and oddly enough google isn't helping with what IFID stands for. (I consider myself an above average googler as well). They seem to just be UUID's identifying a service, but I'm curious what the acronym IFID is. – UCProgrammer May 18 '20 at 15:37
  • 1
    You'll find it, maybe via archive.org. Pretty sure IFID is InterFace IDentifier. – atdre May 18 '20 at 16:43
  • Thanks. Forgot about this site. And yes, interface identifier is correct. – UCProgrammer May 18 '20 at 17:03
  • https://medium.com/threat-hunters-forge/extending-the-exploration-and-analysis-of-windows-rpc-methods-calling-other-functions-with-ghidra-e4cdaa9555bd – atdre Dec 18 '20 at 21:18
  • https://github.com/itm4n/Perfusion – atdre Apr 27 '21 at 01:23
  • https://github.com/csandker/RPCDump – atdre Sep 03 '21 at 17:38
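As an added example (not part of atdre's answer or of any tool the answer names), the following Python script parses endpoint_mapper output of the kind shown in the question and separates the interfaces bound to a network transport (the ones the host actually answers on remotely, over dynamic TCP ports such as SAMR on 49179) from the LRPC and named-pipe bindings that are local-only or sit behind SMB. That split is what a defender wants when comparing a host's RPC surface against an expected baseline or a firewall policy. The sample output is constructed from the question's lines, and the UUID-to-name table is a hand-compiled subset that is an assumption here; impacket's epm.py carries a fuller table to extend it from.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Metasploit's auxiliary/scanner/dcerpc/
# endpoint_mapper output (UUIDs, ports and host taken from the question),
# with the lines that wrapped in the post re-joined.
SAMPLE_OUTPUT = """
[*] Connecting to the endpoint mapper service...
[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 TCP (49179) 192.168.41.221
[*] 2f5f6521-cb55-1059-b446-00df0bce31db v1.0 PIPE (\\pipe\\tapsrv) \\\\XXXXX [Unimodem LRPC Endpoint]
[*] 2f5f6521-cb55-1059-b446-00df0bce31db v1.0 LRPC (tapsrvlpc) [Unimodem LRPC Endpoint]
[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-d08ef1fa6d632a075d)
[*] 367abb81-9844-35f1-ad32-98f038001003 v2.0 TCP (49164) 192.168.41.221
[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (LRPC-9d7905a8727cb4e919) [IPSec Policy agent endpoint]
[*] 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 TCP (49155) 192.168.41.221
"""

# Interface UUID -> name. Assumption: a hand-compiled subset of the public
# interface names; extend it from a fuller table such as impacket's epm.py.
KNOWN_IFIDS = {
    "12345778-1234-abcd-ef00-0123456789ac": "samr (SAM Remote Protocol)",
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl (Service Control Manager)",
    "50abc2a4-574d-40b3-9d66-ee4fd5fba076": "DNS Server management interface",
    "906b0ce0-c70b-1067-b317-00dd010662da": "IMSDTC (Distributed Transaction Coordinator)",
    "2f5f6521-cb55-1059-b446-00df0bce31db": "Unimodem / tapsrv",
    "12345678-1234-abcd-ef00-0123456789ab": "IPsec Policy Agent",
}

# Transports on which a remote peer talks to the interface directly.
NETWORK_PROTOS = {"TCP", "UDP"}

# One binding line: "[*] <uuid> v<ver> <transport> (<endpoint>) [<host>] [[note]]"
LINE_RE = re.compile(
    r"^\[\*\]\s+(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"\s+v(?P<version>\d+\.\d+)"
    r"\s+(?P<proto>TCP|UDP|PIPE|LRPC|HTTP)\s+\((?P<endpoint>[^)]*)\)"
    r"(?:\s+(?P<host>[^\s\[]\S*))?"
    r"(?:\s+\[(?P<note>[^\]]*)\])?\s*$",
    re.IGNORECASE,
)


def parse_endpoint_map(text):
    """Turn endpoint_mapper output into a list of binding dicts.
    Lines that are not interface bindings (banner, '...') are skipped."""
    bindings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        b = m.groupdict()
        b["uuid"] = b["uuid"].lower()
        b["proto"] = b["proto"].upper()
        bindings.append(b)
    return bindings


def describe(uuid):
    """Human-readable interface name, or a marker that the IFID still needs research."""
    return KNOWN_IFIDS.get(uuid.lower(), "unknown interface - look up the IFID")


def bindings_by_interface(bindings):
    """Group (transport, endpoint) pairs per interface UUID, preserving output order."""
    groups = defaultdict(list)
    for b in bindings:
        groups[b["uuid"]].append((b["proto"], b["endpoint"]))
    return dict(groups)


def network_reachable(bindings):
    """Bindings a remote peer can reach directly: TCP/UDP endpoints on the
    dynamically allocated ports. LRPC is local-only and named pipes sit behind
    SMB, so they are not part of the directly reachable RPC surface."""
    reachable = []
    for b in bindings:
        if b["proto"] in NETWORK_PROTOS:
            reachable.append((b["uuid"], describe(b["uuid"]), b["proto"],
                              int(b["endpoint"]), b["host"]))
    return reachable


def report(text):
    """Render the parsed output as a short inventory a reviewer can compare to a baseline."""
    bindings = parse_endpoint_map(text)
    lines = ["Network-exposed interfaces (what the host answers on remotely):"]
    for uuid, name, proto, port, host in network_reachable(bindings):
        lines.append(f"  {host}:{port}/{proto.lower()}  {uuid}  {name}")
    lines.append("All interfaces and their bindings:")
    for uuid, binds in bindings_by_interface(bindings).items():
        kinds = ", ".join(f"{p}:{e}" for p, e in binds)
        lines.append(f"  {uuid}  {describe(uuid)}  [{kinds}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Run it against a saved copy of the module's output instead of SAMPLE_OUTPUT to get the same two lists for a real host; any interface that shows up in the network-exposed list without a matching entry in your expected-services baseline is the one worth explaining first, because the endpoint mapper is handing out its port to anyone who asks on 135.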
1

I'm assuming that you know how RPC works. Metasploit allows enumeration of DCE-RPC services (DCOM objects) using the methods listed by you, and other than that it is hidden. Endpoint Mapper provides you the list of DCOM objects or services registered with Endpoint Mapper. Why Endpoint Mapper? Because it supports dynamic bindings to the services. The list of UUIDs (Universal Unique Identifier) which you have seen after running endpoint-mapper is mapped to the unique services. So your next step should be searching these services on the internet (Google) and finding out if they are vulnerable (overflows) over RPC.

The dcerpc management module obtains information from the remote management interface of the dcerpc service. Since it is not getting the expected response, it is printing Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr. You can check the probe code at this location: /opt/metasploit/apps/pro/msf3/lib/msf/core/exploit/dcerpc_mgmt.rb.

The last one tcp_dcerpc_auditor scans for the RPC services available over TCP.

ifexploit
  • 2,499
  • 1
  • 14
  • 12
-3

Also run walksam (against all SMB hosts) without the flags to get more general user information as it walks through the SAM database.

TrustedSec also released a tool to perform RID cycling, which is one of the techniques performed by walksam. You can check out rid_enum.py in more depth on its GitHub page.

schroeder
  • 123,438
  • 55
  • 284
  • 319