Remote procedure call (RPC)
Remote procedure call (RPC) is a protocol that lets a process invoke a procedure in another process, usually on a different host, as if it were a local call.
Port: 111 (TCP/UDP)
RPC can be used to find out on which port a given service is running. This is done by the rpcbind service (a.k.a. the port mapper), which listens on port 111: it takes a program number and a version number and responds with the port that program is registered on.
List RPC programs:
$ rpcinfo IP
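The lookup rpcinfo performs is a PORTMAP GETPORT call (program 100000, version 2, procedure 3, per RFC 1833/5531). The following is an added example, not part of the original notes: it encodes a GETPORT call, decodes the reply, and is exercised against a constructed reply that reports NFSv3 on port 2049. The `query_portmapper` helper and the hypothetical xid value are assumptions for illustration.

```python
"""Minimal PORTMAP v2 GETPORT encoder/decoder (RFC 1833 over RFC 5531 RPC)."""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
AUTH_NONE = 0


def build_getport_call(xid, prog, vers, proto):
    """Encode an RPC CALL asking rpcbind for the port of (prog, vers, proto)."""
    # xid, msg_type=CALL(0), rpcvers=2, program, version, procedure
    header = struct.pack(">IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">IIII", AUTH_NONE, 0, AUTH_NONE, 0)  # empty cred + verf
    args = struct.pack(">IIII", prog, vers, proto, 0)  # mapping; port is ignored
    return header + auth + args


def parse_getport_reply(data, xid):
    """Decode an accepted GETPORT reply; returns the port (0 = not registered)."""
    rxid, mtype, rstat = struct.unpack_from(">III", data, 0)
    if rxid != xid or mtype != 1 or rstat != 0:  # REPLY(1), MSG_ACCEPTED(0)
        raise ValueError("not a matching MSG_ACCEPTED reply")
    _vflavor, vlen = struct.unpack_from(">II", data, 12)
    off = 20 + ((vlen + 3) & ~3)  # skip verifier body, padded to 4 bytes
    astat, port = struct.unpack_from(">II", data, off)
    if astat != 0:  # anything but SUCCESS(0)
        raise ValueError("call not accepted by rpcbind, accept_stat=%d" % astat)
    return port


def query_portmapper(host, prog, vers, proto=IPPROTO_TCP, timeout=3.0):
    """Send one GETPORT call to rpcbind over UDP/111 and return the advertised port."""
    xid = 0x1A2B3C4D  # hypothetical transaction id; real clients use a fresh value
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport_call(xid, prog, vers, proto), (host, 111))
        data, _ = s.recvfrom(4096)
    return parse_getport_reply(data, xid)


# Constructed reply (not a real capture): rpcbind reporting NFSv3/TCP (100003) on 2049.
SAMPLE_REPLY = struct.pack(">IIIIIII", 0x1A2B3C4D, 1, 0, AUTH_NONE, 0, 0, 2049)

if __name__ == "__main__":
    print(parse_getport_reply(SAMPLE_REPLY, 0x1A2B3C4D))  # 2049
```

A port of 0 in the reply means the program/version is not registered; a mismatched xid or a non-zero accept_stat is reported rather than silently returned as a port.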
Random Notes
RPC SMB Footprinting
If msrpc is running (often on port 135), we may be able to enumerate it over a null session with rpcclient:
$ rpcclient -U "%" IP
$ rpcclient -U "" --password "" IP
client> srvinfo # SMB Server Information
client> netshareenumall # SMB Shares + Local Path
client> netsharegetinfo share_name # Permissions, SID, etc.
client> enumdomusers # List Users
client> queryuser <hexid> # User details for a RID (hex)
client> querygroup <hexid> # Group details for a RID (hex)
We can also use samrdump to list users. If no users are found, we may still be able to find them by brute-forcing RIDs (hexadecimal IDs) with queryuser:
$ for i in $(seq 500 1100);do rpcclient [...] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Refer to this cheatsheet from SANS.
To-do
Stuff that I found, but never read/used yet.
- buffer overflow
- malicious port redirect