# 135, 593 - MSRPC ## rpclient ```bash ## Find SID ➜ outdated rpcclient -U "" 10.10.11.175 Password for [WORKGROUP\]: rpcclient $> lookupnames Administrator Administrator S-1-5-21-4089647348-67660539-4016542185-500 (User: 1) ## Bruteforce to find all users ➜ outdated for i in {1000..1200}; do rpcclient --command="lookupsids S-1-5-21-4089647348-67660539-4016542185-$i" 10.10.11.175 -U "" --password=; done [... snip ...] S-1-5-21-4089647348-67660539-4016542185-1103 OUTDATED\DnsAdmins (4) S-1-5-21-4089647348-67660539-4016542185-1104 OUTDATED\DnsUpdateProxy (2) S-1-5-21-4089647348-67660539-4016542185-1105 OUTDATED\CLIENT$ (1) S-1-5-21-4089647348-67660539-4016542185-1106 OUTDATED\btables (1) S-1-5-21-4089647348-67660539-4016542185-1107 OUTDATED\ITStaff (2) S-1-5-21-4089647348-67660539-4016542185-1108 OUTDATED\sflowers (1) S-1-5-21-4089647348-67660539-4016542185-1109 *unknown*\*unknown* (8) ``` ## rpcdump ```bash $ impacket-rpcdump 10.10.11.168 > rpcdump.out $ cat rpcdump.out| grep -i pipe ncacn_np:\\DC1[\PIPE\InitShutdown] ncacn_np:\\DC1[\PIPE\InitShutdown] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\eventlog] ncacn_np:\\DC1[\pipe\26bddf8e29d9b793] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\26bddf8e29d9b793] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\26bddf8e29d9b793] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\26bddf8e29d9b793] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\26bddf8e29d9b793] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\pipe\lsass] ncacn_np:\\DC1[\PIPE\atsvc] ncacn_np:\\DC1[\PIPE\atsvc] ncacn_np:\\DC1[\PIPE\atsvc] ncacn_np:\\DC1[\PIPE\atsvc] ncacn_np:\\DC1[\PIPE\atsvc] ncacn_np:\\DC1[\PIPE\wkssvc] ncacn_np:\\DC1[\pipe\tapsrv] ncacn_np:\\DC1[\PIPE\ROUTER] ncacn_np:\\DC1[\pipe\cert] ``` Reading on [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/135-pentesting-msrpc) `\pipe\atsvc` is listed as *Notable RPC interfaces* with the description *"Task scheduler, used to remotely execute commands"*. Verifying with the IFID value we can confirm that the Task Scheduler is exposed: ```bash $ grep -ia2 "1ff70682-0a51-30e8-076d-740be8cee98b" rpcdump.out Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol Provider: taskcomp.dll UUID : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 Bindings: ncacn_np:\\DC1[\PIPE\atsvc] ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xpthree.gitbook.io/notes/network-services/ports/135-593-msrpc.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.