Re: [PEN-TEST] RPC enumeration

From: Ryan Permeh (ryanat_private)
Date: Fri Apr 13 2001 - 12:09:07 PDT

Next message: Steve: "Re: [PEN-TEST] Cybercop"

Previous message: Barber, Chris: "Re: [PEN-TEST] Cybercop"
In reply to: Steve Skoronski: "[PEN-TEST] RPC enumeration"
Next in thread: BrainSCAN: "[PEN-TEST] RPC enumeration/execution"
Reply: BrainSCAN: "[PEN-TEST] RPC enumeration/execution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

well, this is a weird area.

nt/2k/(and i assume xp) all use RPC very heavily for most everything.

almost all(if not all) authentication is done through the LSA rpc service.
this is the domain level and share level authentication.  so yes, you can
brute passwords through this, but in effect, you can do the same thing by
scripting net use commands.

executing server side commands is completely possible via RPC(it is, after
all, a remote procedure call:).  you just need a RPC service that supports
this.  not certain off the top of my head which services do offer this
functionaliy, but with things like remote killing of processes, remote
administration of just about everything, and whatnot, running commands via
rpc is not that big a deal.

As for your third question, any rpc service that contains overflows will
most likely allow for a remote SYSTEM level shell to be popped.  not sure
which services have had theese in the past, but i have a feeling if there
haven't been many, it's mostly because of the messed up proprietary nature
of NTRPC protocol and usage.  Most of the api's directly offered via the
win32 api are very high level.  The only really decent information i have
seen on RPC/DCE is Luke Kenneth Casson Leighton's book "DCE/RPC over SMB:
Samba and Windows NT Domain Internals"(ISBN: 1578701503 ).  This is a great
book and offers a much lower level view of what is actually happening via
rpc.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: "Steve Skoronski" <skoronskiat_private>
To: <PEN-TESTat_private>
Sent: Thursday, April 12, 2001 2:58 PM
Subject: RPC enumeration


> Hi list!
>
>          Working on an NT box running IIS 4.0 (seems to be patched).
> Certain tell-tale ports are open (25,80,135,5800,5900) TCP.
>
>          After doing more research on NT RPC protocol, and searching
> documented vulnerabilities, I have the ability to dump the contents of the
> endpoint mapper, and can connect to this port. What could the dumped
> information be used for? Obviously other connections are displayed, but
> after scouring Vuln and mailing list archives, the only risk RPC seems to
> pose is denial of service problems.
>
>          So... my question(s):
>
>          1. Is there a way to authenticate through RPC, or potentially
> brute force for weak passwords?
>
>          2. Is there a way to execute server side commands using RPC?
>
> finally...
>
>          3. Are there any RPC vulnerabilities out there? (besides denial
of
> service)
>
>
> TIA!
>
> Steve
>

Next message: Steve: "Re: [PEN-TEST] Cybercop"
Previous message: Barber, Chris: "Re: [PEN-TEST] Cybercop"
In reply to: Steve Skoronski: "[PEN-TEST] RPC enumeration"
Next in thread: BrainSCAN: "[PEN-TEST] RPC enumeration/execution"
Reply: BrainSCAN: "[PEN-TEST] RPC enumeration/execution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Apr 14 2001 - 09:22:13 PDT