Remote procedure call (RPC)

Remote procedure call (RPC) is a protocol in which a process can communicate with another process on a different host.

🐊️ Port: 111 (TCP/UDP)

RPC can be used to find on which port is a service running. This is done by the rpcbind service (a.k.a. port mapper). It takes a program number, and a version number, and respond with the port.

List RPC programs:

$ rpcinfo IP

Random Notes

RPC SMB Footprinting

footprinting attacking_common_services

If msrpc is running (often on port 135), we may be able to exploit it:

$ rpcclient -U "%" IP
$ rpcclient -U "" --password "" IP
client> srvinfo # SMB Server Information
client> netshareenumall # SMB Shares + Local Path
client> netsharegetinfo share_name # Permissions, SID, etc.
client> enumdomusers # List Users
client> queryuser <hexid>
client> querygroup <hexid>

We can also use samrdump to list users. If no users are found, we may still be able to find users by brute forcing hexadecimal IDs.

$ for i in $(seq 500 1100);do rpcclient [...] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

πŸ‘» Refer to this cheatsheet from SANS.

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • buffer overflow
  • malicious port redirect