[PEN-TEST] RPC enumeration

From: Steve Skoronski (skoronskiat_private)
Date: Thu Apr 12 2001 - 14:58:24 PDT

Next message: Vitaly McLain: "Re: [PEN-TEST] Web site password guessing over SSL"

Previous message: H D Moore: "Re: [PEN-TEST] Web Server to SQL Server"
Next in thread: Ryan Permeh: "Re: [PEN-TEST] RPC enumeration"
Reply: Ryan Permeh: "Re: [PEN-TEST] RPC enumeration"
Reply: Felix Huber: "Re: [PEN-TEST] RPC enumeration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi list!

         Working on an NT box running IIS 4.0 (seems to be patched).
Certain tell-tale ports are open (25,80,135,5800,5900) TCP.

         After doing more research on NT RPC protocol, and searching
documented vulnerabilities, I have the ability to dump the contents of the
endpoint mapper, and can connect to this port. What could the dumped
information be used for? Obviously other connections are displayed, but
after scouring Vuln and mailing list archives, the only risk RPC seems to
pose is denial of service problems.

         So... my question(s):

         1. Is there a way to authenticate through RPC, or potentially
brute force for weak passwords?

         2. Is there a way to execute server side commands using RPC?

finally...

         3. Are there any RPC vulnerabilities out there? (besides denial of
service)


TIA!

Steve

Next message: Vitaly McLain: "Re: [PEN-TEST] Web site password guessing over SSL"
Previous message: H D Moore: "Re: [PEN-TEST] Web Server to SQL Server"
Next in thread: Ryan Permeh: "Re: [PEN-TEST] RPC enumeration"
Reply: Ryan Permeh: "Re: [PEN-TEST] RPC enumeration"
Reply: Felix Huber: "Re: [PEN-TEST] RPC enumeration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 10:07:47 PDT