The version of dcedump included with SPIKE 2.8 has most IFIDS described
somewhat - at least as to what program they run in. One way I like to use
to find out what they are is to fuzz them, and see what process uses CPU.

Dave Aitel
Research and Development
Immunity, Inc.
www.immunitysec.com

> Hi,
>
> Recently been playing around a fair bit with Dave Aitel and Todd Sabin's
> MSRPC tools to query the endpoint mapper at TCP/UDP 135 and glean IfId
> details from dynamic high ports (TCP 1025, UDP 1028, et al) using Sabin's
> ifids tool (http://razor.bindview.com/tools/desc/rpctools1.0-readme.html):
>
> D:\rpctools> ifids -p ncadg_ip_udp -e 1028 192.168.189.1
> Interfaces: 16
>   367abb81-9844-35f1-ad32-98f038001003 v2.0
>   93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
>   82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
>   65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
>   8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
>   6bffd098-a112-3610-9833-46c3f87e345a v1.0
>   8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
>   c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
>   0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
>   4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
>   300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
>   6bffd098-a112-3610-9833-012892020162 v0.0
>   17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
>   5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
>   3ba0ffc0-93fc-11d0-a4ec-00a0c9062910 v1.0
>   8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0
>
> D:\rpctools>
>
> I have managed to work out a few of the IfId values (using fport and other
> tools), as follows:
>
> 906b0ce0-c70b-1067-b317-00dd010662da = MSDTC
> 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc = Messenger
> 1ff70682-0a51-30e8-076d-740be8cee98b = MSTask
>
> I am just wondering if there is a complete Microsoft-published or otherwise
> list of these IfId values? This kind of information would be useful when
> playing with MSRPC in blind pentesting cases..
>
> Regards,
>
> Chris
>
>
> Chris McNab
> Technical Director
>
> Matta Security Limited
> 18 Noel Street
> London W1F 8GN
>
> Tel: 0870 077 1100
> Web: www.trustmatta.com
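
Added example, not part of the original thread or of rpctools: a small parser for the ifids listing format quoted above, for keeping an inventory of which RPC interfaces a host exposes. The label table holds only the three IfId-to-service pairs given in the quoted message; the function names and the shortened sample listing are constructed for illustration.

```python
import re

# Labels stated in the quoted message above (only these three are known here).
KNOWN_IFIDS = {
    "906b0ce0-c70b-1067-b317-00dd010662da": "MSDTC",
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": "Messenger",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "MSTask",
}

UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
LINE_RE = re.compile(r"^\s*(" + UUID + r")\s+v(\d+)\.(\d+)\s*$")
COUNT_RE = re.compile(r"^\s*Interfaces:\s*(\d+)\s*$")

# Constructed sample: a shortened listing in the format shown in the thread.
SAMPLE = """\
Interfaces: 3
  367abb81-9844-35f1-ad32-98f038001003 v2.0
  5A7B91F8-FF00-11D0-A9B2-00C04FB6E6FC v1.0
  8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
"""

def parse_ifids(text):
    """Return (declared_count, [(ifid, (major, minor)), ...])."""
    declared, found = None, []
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = LINE_RE.match(line)
        if m:
            # Lower-case so lookups do not depend on how the tool printed it.
            found.append((m.group(1).lower(), (int(m.group(2)), int(m.group(3)))))
    return declared, found

def inventory(text):
    """Label each interface; flag truncated listings and unlabelled IfIds."""
    declared, found = parse_ifids(text)
    labelled = [(ifid, ver, KNOWN_IFIDS.get(ifid)) for ifid, ver in found]
    return {
        # False when the header count and the parsed rows disagree,
        # e.g. a listing that was cut off when it was pasted or logged.
        "complete": declared is not None and declared == len(found),
        "labelled": labelled,
        "unknown": [ifid for ifid, _, name in labelled if name is None],
    }

if __name__ == "__main__":
    for ifid, ver, name in inventory(SAMPLE)["labelled"]:
        print(ifid, "v%d.%d" % ver, name or "(unlabelled)")
```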
This archive was generated by hypermail 2b30 : Mon May 12 2003 - 10:58:15 PDT