135, 593 - MSRPC

rpclient

## Find SID
➜  outdated rpcclient -U "" 10.10.11.175    
Password for [WORKGROUP\]:
rpcclient $> lookupnames Administrator
Administrator S-1-5-21-4089647348-67660539-4016542185-500 (User: 1)

## Bruteforce to find all users
➜  outdated for i in {1000..1200}; do rpcclient --command="lookupsids S-1-5-21-4089647348-67660539-4016542185-$i" 10.10.11.175 -U "" --password=; done
[... snip ...]
S-1-5-21-4089647348-67660539-4016542185-1103 OUTDATED\DnsAdmins (4)
S-1-5-21-4089647348-67660539-4016542185-1104 OUTDATED\DnsUpdateProxy (2)
S-1-5-21-4089647348-67660539-4016542185-1105 OUTDATED\CLIENT$ (1)
S-1-5-21-4089647348-67660539-4016542185-1106 OUTDATED\btables (1)
S-1-5-21-4089647348-67660539-4016542185-1107 OUTDATED\ITStaff (2)
S-1-5-21-4089647348-67660539-4016542185-1108 OUTDATED\sflowers (1)
S-1-5-21-4089647348-67660539-4016542185-1109 *unknown*\*unknown* (8)

rpcdump

$ impacket-rpcdump 10.10.11.168 > rpcdump.out
$ cat rpcdump.out| grep -i pipe        
          ncacn_np:\\DC1[\PIPE\InitShutdown]
          ncacn_np:\\DC1[\PIPE\InitShutdown]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\eventlog]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\wkssvc]
          ncacn_np:\\DC1[\pipe\tapsrv]
          ncacn_np:\\DC1[\PIPE\ROUTER]
          ncacn_np:\\DC1[\pipe\cert]

Reading on HackTricks \pipe\atsvc is listed as Notable RPC interfaces with the description "Task scheduler, used to remotely execute commands". Verifying with the IFID value we can confirm that the Task Scheduler is exposed:

$ grep -ia2 "1ff70682-0a51-30e8-076d-740be8cee98b" rpcdump.out
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: taskcomp.dll 
UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 
Bindings: 
          ncacn_np:\\DC1[\PIPE\atsvc]