0xPThree.gitbook.io
  • Network Services
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 23 - Telnet
      • 25, 465, 587 - SMTP(S)
      • 53 - DNS
      • 80, 443 - HTTP(S)
        • Frameworks
          • Drupal
          • Flask
          • Laravel
          • Tomcat
          • Werkzeug
        • Fuzzing
        • Grafana
        • Languages
          • PHP
        • WebDAV
        • Web Vulnerabilities
          • CloudFlare Bypass
          • Command Injection
          • CSTI
          • File Inclusion/Path Traversal
          • SQL Injection
          • SSI
          • SSTI
          • Upload bypass
          • XLST
          • XML Injection
      • 88 - Kerberos
      • 135, 593 - MSRPC
      • 139, 445 - SMB
      • 161, 162, 10161, 10162 - SNMP
      • 1433, 3306 - SQL
      • 2049 - NFS
      • 2375 - Docker
  • Active Directory
    • ADCS
    • DACL Abuse
      • AddMember
      • ForceChangePassword
      • Kerberoasting
      • ReadLAPSPassword
      • ReadGMSAPassword
      • Grant Ownership
      • Grant Rights
      • Logon Script
      • Rights on RODC object
    • Security groups
    • Misc
  • Coding Languages
    • Python
  • Exploits / PoC's
    • Ansible
      • Ansible AWX
    • Apache
      • HTTP Server - CVE-2021-41773
      • Struts - CVE-2024-53677 / S2-067
      • Tomcat - CVE-2020-1938 / CVE-2020-10487
      • Tomcat - CVE-2025-24813
    • Confluence - CVE-2023-22527
    • CUPS - CVE-2024-47***
    • D-Link
      • CVE-2020-29322
      • Decrypt firmware: DIR-X1560
    • Dmidecode - CVE-2023-30630
    • Erlang
      • OTP SSH - CVE-2025-32433
    • EternalBlue - MS17-010
    • Gitlab - CVE-2023-7028
    • Ivanti - CVE-2024-21893 / 21887
    • Jenkins - CVE-2024-23897
    • LXD group - N/A
    • nf_tables - CVE-2024-1086
    • NFS - N/A
    • Oracle
      • WebLogic - CVE-2018-2628
      • WebLogic - CVE-2019-2729
      • WebLogic - CVE-2023-21839
      • WebLogic - CVE-2024-20931
      • WebLogic - CVE-2024-21006
    • PHP
      • CVE-2024-4577
    • RunC
      • CVE-2022-0811
      • CVE-2024-21626
    • Snap - CVE-2019-7304
    • TP-Link - CVE-2024-5035
  • Hardware
    • Firmware
    • JTAG
    • SPI
    • UART
    • USB
  • Post Exploit
    • Compile payload
    • Obfuscation
    • Read VMDK files
    • Saved Credentials
      • Linux - Ansible AWX / Tower
      • Linux - Dell Networker
      • Windows - Mozilla Firefox
      • Windows - Notepad++
      • Windows - WinSCP
    • Session Hijack
    • Sniffing Passwords
    • Upgrade shell
    • VMware
      • Disk Encryption
      • LDAP Connection (SSO)
      • Restore VCSA Postgres Database
      • vCenter Forge SAML
      • Waiter Account Information
  • Development
    • Dnsmasq DHCP
    • Docker
      • Ansible AWX
      • Docker Compose
      • FirmAE - Emulate Firmware
      • Oracle WebLogic
      • Rocket.Chat
      • Tomcat
      • Vaultwarden
    • Harden Windows Host
    • HTTPS Proxy
    • Netplan + Networkd
    • SSL/TLS Certificates
  • TODO
Powered by GitBook
On this page
  • rpclient
  • rpcdump

Was this helpful?

  1. Network Services
  2. Ports

135, 593 - MSRPC

rpclient

## Find SID
➜  outdated rpcclient -U "" 10.10.11.175    
Password for [WORKGROUP\]:
rpcclient $> lookupnames Administrator
Administrator S-1-5-21-4089647348-67660539-4016542185-500 (User: 1)

## Bruteforce to find all users
➜  outdated for i in {1000..1200}; do rpcclient --command="lookupsids S-1-5-21-4089647348-67660539-4016542185-$i" 10.10.11.175 -U "" --password=; done
[... snip ...]
S-1-5-21-4089647348-67660539-4016542185-1103 OUTDATED\DnsAdmins (4)
S-1-5-21-4089647348-67660539-4016542185-1104 OUTDATED\DnsUpdateProxy (2)
S-1-5-21-4089647348-67660539-4016542185-1105 OUTDATED\CLIENT$ (1)
S-1-5-21-4089647348-67660539-4016542185-1106 OUTDATED\btables (1)
S-1-5-21-4089647348-67660539-4016542185-1107 OUTDATED\ITStaff (2)
S-1-5-21-4089647348-67660539-4016542185-1108 OUTDATED\sflowers (1)
S-1-5-21-4089647348-67660539-4016542185-1109 *unknown*\*unknown* (8)

rpcdump

$ impacket-rpcdump 10.10.11.168 > rpcdump.out
$ cat rpcdump.out| grep -i pipe        
          ncacn_np:\\DC1[\PIPE\InitShutdown]
          ncacn_np:\\DC1[\PIPE\InitShutdown]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\eventlog]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\pipe\lsass]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\atsvc]
          ncacn_np:\\DC1[\PIPE\wkssvc]
          ncacn_np:\\DC1[\pipe\tapsrv]
          ncacn_np:\\DC1[\PIPE\ROUTER]
          ncacn_np:\\DC1[\pipe\cert]
$ grep -ia2 "1ff70682-0a51-30e8-076d-740be8cee98b" rpcdump.out
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: taskcomp.dll 
UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 
Bindings: 
          ncacn_np:\\DC1[\PIPE\atsvc]

Last updated 10 months ago

Was this helpful?

Reading on \pipe\atsvc is listed as Notable RPC interfaces with the description "Task scheduler, used to remotely execute commands". Verifying with the IFID value we can confirm that the Task Scheduler is exposed:

HackTricks