135, 593 - MSRPC
rpclient
## Find SID
➜ outdated rpcclient -U "" 10.10.11.175
Password for [WORKGROUP\]:
rpcclient $> lookupnames Administrator
Administrator S-1-5-21-4089647348-67660539-4016542185-500 (User: 1)
## Bruteforce to find all users
➜ outdated for i in {1000..1200}; do rpcclient --command="lookupsids S-1-5-21-4089647348-67660539-4016542185-$i" 10.10.11.175 -U "" --password=; done
[... snip ...]
S-1-5-21-4089647348-67660539-4016542185-1103 OUTDATED\DnsAdmins (4)
S-1-5-21-4089647348-67660539-4016542185-1104 OUTDATED\DnsUpdateProxy (2)
S-1-5-21-4089647348-67660539-4016542185-1105 OUTDATED\CLIENT$ (1)
S-1-5-21-4089647348-67660539-4016542185-1106 OUTDATED\btables (1)
S-1-5-21-4089647348-67660539-4016542185-1107 OUTDATED\ITStaff (2)
S-1-5-21-4089647348-67660539-4016542185-1108 OUTDATED\sflowers (1)
S-1-5-21-4089647348-67660539-4016542185-1109 *unknown*\*unknown* (8)
rpcdump
$ impacket-rpcdump 10.10.11.168 > rpcdump.out
$ cat rpcdump.out| grep -i pipe
ncacn_np:\\DC1[\PIPE\InitShutdown]
ncacn_np:\\DC1[\PIPE\InitShutdown]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\eventlog]
ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\26bddf8e29d9b793]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\pipe\lsass]
ncacn_np:\\DC1[\PIPE\atsvc]
ncacn_np:\\DC1[\PIPE\atsvc]
ncacn_np:\\DC1[\PIPE\atsvc]
ncacn_np:\\DC1[\PIPE\atsvc]
ncacn_np:\\DC1[\PIPE\atsvc]
ncacn_np:\\DC1[\PIPE\wkssvc]
ncacn_np:\\DC1[\pipe\tapsrv]
ncacn_np:\\DC1[\PIPE\ROUTER]
ncacn_np:\\DC1[\pipe\cert]
Reading on HackTricks \pipe\atsvc
is listed as Notable RPC interfaces with the description "Task scheduler, used to remotely execute commands". Verifying with the IFID value we can confirm that the Task Scheduler is exposed:
$ grep -ia2 "1ff70682-0a51-30e8-076d-740be8cee98b" rpcdump.out
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
Bindings:
ncacn_np:\\DC1[\PIPE\atsvc]
Last updated