well, this is a weird area. nt/2k/(and i assume xp) all use RPC very heavily for most everything. almost all (if not all) authentication is done through the LSA rpc service. this is the domain level and share level authentication. so yes, you can brute passwords through this, but in effect, you can do the same thing by scripting net use commands.

executing server side commands is completely possible via RPC (it is, after all, a remote procedure call :). you just need an RPC service that supports this. not certain off the top of my head which services do offer this functionality, but with things like remote killing of processes, remote administration of just about everything, and whatnot, running commands via rpc is not that big a deal.

As for your third question, any rpc service that contains overflows will most likely allow for a remote SYSTEM level shell to be popped. not sure which services have had these in the past, but i have a feeling if there haven't been many, it's mostly because of the messed up proprietary nature of the NTRPC protocol and usage. Most of the APIs directly offered via the win32 api are very high level.

The only really decent information i have seen on RPC/DCE is Luke Kenneth Casson Leighton's book "DCE/RPC over SMB: Samba and Windows NT Domain Internals" (ISBN 1578701503). This is a great book and offers a much lower level view of what is actually happening via rpc.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer

----- Original Message -----
From: "Steve Skoronski" <skoronskiat_private>
To: <PEN-TESTat_private>
Sent: Thursday, April 12, 2001 2:58 PM
Subject: RPC enumeration

> Hi list!
>
> Working on an NT box running IIS 4.0 (seems to be patched). Certain tell-tale ports are open (25,80,135,5800,5900) TCP.
>
> After doing more research on NT RPC protocol, and searching documented vulnerabilities, I have the ability to dump the contents of the endpoint mapper, and can connect to this port. What could the dumped information be used for? Obviously other connections are displayed, but after scouring Vuln and mailing list archives, the only risk RPC seems to pose is denial of service problems.
>
> So... my question(s):
>
> 1. Is there a way to authenticate through RPC, or potentially brute force for weak passwords?
>
> 2. Is there a way to execute server side commands using RPC?
>
> finally...
>
> 3. Are there any RPC vulnerabilities out there? (besides denial of service)
>
> TIA!
>
> Steve
This archive was generated by hypermail 2b30 : Sat Apr 14 2001 - 09:22:13 PDT