Can someone explain when and how often each of the Windows RPC ports are used? The "core" ones I understand are:

  • Port 135
  • Port 137
  • Port 139
  • Higher ports that are published by Port 135's "catalog"

Then I heard that Port 145 came into the mix to "make things better" with NBT/TCP but I'm not sure how this fits in with the sequence of a Windows client initiating an RPC action.

Can anyone help me fix my understanding of RPC ports once and for all?

makerofthings7

1 Answer

This TechNet article is fantastic, I recommend you bookmark it. It lists the ports used by various Windows services and is quite thorough.

In versions of Windows earlier than Vista/2008, NetBIOS was used for the "RPC Locator" service, which managed the RPC name service database. But in Vista/2008 and beyond, the RPC Locator service is no longer necessary or useful. It's vestigial. From this point on I am only going to talk about MSRPC on Vista/2008+.

Ports 137, 138 and 139 are for NetBIOS, and are not required for the functionality of MSRPC.

All the ports used by RPC are as follows:

RPC EPM                  TCP 135 
RPC over HTTPS           TCP 593 
SMB (for named pipes)    TCP 445
Ephemeral Range, Dynamic *

Other applications, such as Remote Desktop Gateway, will use RPC over HTTP proxy and use port 443, etc.

Although the article I linked to above lists the NetBIOS ports, those are legacy and are not required for RPC, assuming you can acquire name resolution through other means (DNS,) and assuming the remote service itself is not dependent on NetBIOS.

Port 145 is bogus. It's not used for anything. Wherever you heard that it "makes things better" is wrong.

Basic MSRPC uses ports 135, and the high-numbered dynamic range. That high-numbered dynamic range is ports 1024-5000 on XP/2003 and below, and 49152-65535 on Vista/2008 and above. You can also call that port range ephemeral ports.

You can define a custom port range if you wish, like so:

reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v Ports /t REG_MULTI_SZ /f /d 8000-9000
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v PortsInternetAvailable /t REG_SZ /f /d Y
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v UseInternetPorts /t REG_SZ /f /d Y

And/Or

netsh int ipv4 set dynamicport tcp start=8000 num=1001
netsh int ipv4 set dynamicport udp start=8000 num=1001
netsh int ipv6 set dynamicport tcp start=8000 num=1001
netsh int ipv6 set dynamicport udp start=8000 num=1001

TCP port 135 is the MSRPC endpoint mapper. You can bind to that port on a remote computer, anonymously, and either enumerate all the services (endpoints) available on that computer, or you can request what port a specific service is running on if you know what you're looking for.

Let me show you an example of querying the RPC Endpoint Mapper:

C:\>PortQry.exe -n 192.168.1.1 -e 135

Querying target system called:

 192.168.1.1

Attempting to resolve IP address to a name...

IP address resolved to host01.labs.myotherpcisacloud.com

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp:192.168.1.1[49152]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:192.168.1.1[\\pipe\\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:192.168.1.1[49159]

UUID: 6b5bdd1e-528c-422c-af8c-a4079be4fe48 Remote Fw APIs
ncacn_ip_tcp:192.168.1.1[49158]

UUID: 367abb81-9844-35f1-ad32-98f038001003
ncacn_ip_tcp:192.168.1.1[49157]

UUID: 12345678-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:192.168.1.1[49155]

UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
ncacn_ip_tcp:192.168.1.1[49155]

UUID: ae33069b-a2a8-46ee-a235-ddfd339be281
ncacn_ip_tcp:192.168.1.1[49155]

UUID: 4a452661-8290-4b36-8fbe-7f4093a94978
ncacn_ip_tcp:192.168.1.1[49155]

UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
ncacn_ip_tcp:192.168.1.1[49155]

UUID: 7f1343fe-50a9-4927-a778-0c5859517bac DfsDs service
ncacn_np:192.168.1.1[\\PIPE\\wkssvc]

UUID: 3473dd4d-2e88-4006-9cba-22570909dd10 WinHttp Auto-Proxy Service
ncacn_np:192.168.1.1[\\PIPE\\W32TIME_ALT]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:192.168.1.1[\\PIPE\\atsvc]

...

Total endpoints found: 50

==== End of RPC Endpoint Mapper query response ====

You will notice that if you perform that query on the local computer, you will find many more endpoints than if you perform the query from a remote computer. That's because many RPC endpoints are not exposed remotely and are only used for local interprocess communication.

Further reading: http://technet.microsoft.com/en-us/library/cc738291(v=WS.10).aspx

And also: https://www.myotherpcisacloud.com/post/2014/02/16/verifying-rpc-network-connectivity-like-a-boss.aspx

Ryan Ries