[PEN-TEST] RPC enumeration

From: Steve Skoronski (skoronskiat_private)
Date: Thu Apr 12 2001 - 14:58:24 PDT


Hi list!

Working on an NT box running IIS 4.0 (seems to be patched).
Certain tell-tale ports are open (25, 80, 135, 5800, 5900) TCP.

After doing more research on NT RPC protocol, and searching
documented vulnerabilities, I have the ability to dump the contents of the
endpoint mapper, and can connect to this port. What could the dumped
information be used for? Obviously other connections are displayed, but
after scouring Vuln and mailing list archives, the only risk RPC seems to
pose is denial of service problems.

So... my question(s):

1. Is there a way to authenticate through RPC, or potentially
brute force for weak passwords?

2. Is there a way to execute server side commands using RPC?

finally...

3. Are there any RPC vulnerabilities out there? (besides denial of
service)

TIA!

Steve
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 10:07:47 PDT