Re: [PEN-TEST] RPC enumeration

From: Ryan Permeh (ryanat_private)
Date: Fri Apr 13 2001 - 12:09:07 PDT


    well, this is a weird area.
    
    nt/2k/(and i assume xp) all use RPC very heavily for most everything.
    
    almost all (if not all) authentication is done through the LSA rpc service.
    this is the domain level and share level authentication.  so yes, you can
    brute passwords through this, but in effect, you can do the same thing by
    scripting net use commands.
    
    executing server side commands is completely possible via RPC (it is, after
    all, a remote procedure call :).  you just need an RPC service that supports
    this.  not certain off the top of my head which services do offer this
    functionality, but with things like remote killing of processes, remote
    administration of just about everything, and whatnot, running commands via
    rpc is not that big a deal.
    
    As for your third question, any rpc service that contains overflows will
    most likely allow for a remote SYSTEM level shell to be popped.  not sure
    which services have had these in the past, but I have a feeling if there
    haven't been many, it's mostly because of the messed up proprietary nature
    of the NTRPC protocol and usage.  Most of the APIs directly offered via the
    win32 API are very high level.  The only really decent information I have
    seen on RPC/DCE is Luke Kenneth Casson Leighton's book "DCE/RPC over SMB:
    Samba and Windows NT Domain Internals" (ISBN: 1578701503).  This is a great
    book and offers a much lower level view of what is actually happening via
    rpc.
    
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    
    ----- Original Message -----
    From: "Steve Skoronski" <skoronskiat_private>
    To: <PEN-TESTat_private>
    Sent: Thursday, April 12, 2001 2:58 PM
    Subject: RPC enumeration
    
    
    > Hi list!
    >
    >          Working on an NT box running IIS 4.0 (seems to be patched).
    > Certain tell-tale ports are open (25,80,135,5800,5900) TCP.
    >
    >          After doing more research on NT RPC protocol, and searching
    > documented vulnerabilities, I have the ability to dump the contents of the
    > endpoint mapper, and can connect to this port. What could the dumped
    > information be used for? Obviously other connections are displayed, but
    > after scouring Vuln and mailing list archives, the only risk RPC seems to
    > pose is denial of service problems.
    >
    >          So... my question(s):
    >
    >          1. Is there a way to authenticate through RPC, or potentially
    > brute force for weak passwords?
    >
    >          2. Is there a way to execute server side commands using RPC?
    >
    > finally...
    >
    >          3. Are there any RPC vulnerabilities out there? (besides denial of
    > service)
    >
    >
    > TIA!
    >
    > Steve
    >
    
    This archive was generated by hypermail 2b30 : Sat Apr 14 2001 - 09:22:13 PDT